Why have all the digital signatures from the Election Returns been stripped?
By Joel Disini 21 May 2013 Facebook Notes
Something is not right with the way the Comelec is conducting the elections. If you go over to http://2013electionresults.comelec.gov.ph and check the ERs (Election Returns) from each precinct you will find that the digital signatures on each ER have been stripped. Digital signatures are absolutely necessary to ensure that the ERs are authentic and have not been tampered with.
Each PCOS machine (Precinct Count Optical Scan – which is the device used to scan the ballots, tabulate them, and transmit the results via GSM modem and/or onto a CF card ) is supposed to be equipped with a private key and a public key. The private key is embedded within the PCOS and is used to sign (and optionally encrypt) the election results generated by the PCOS. The public key should be published (preferably on a publicly accessible website, such as comelec.gov.ph), so that the public can verify the authenticity of any ERs generated by the PCOS machines. (Otherwise, how will Comelec know if the ERs they receive from the precincts have not been sent by a rogue PCOS? How else will the Municipal Centers who receive the CF cards containing ERs then determine that said ERs are authentic and that the CF cards have not been switched?)
For as long as the private key(s) are stored securely inside the PCOS and assuming (1) there is no way to hack into the PCOS to reveal the private key, and assuming that (2) no copies of the private keys have been kept by Comelec or Smartmatic or some other party, then it will be practically impossible for anyone to fabricate fake ERs and thus steal the election. Let me repeat that, as it bears repeating. For as long as the PCOS machines have been programmed properly and for as long as proper security measures were taken during the key generation/registration/embedding/signing process, then it will be impossible for anyone to steal the election.
Allow me to explain.
A 2048 key is mind-numbingly difficult to crack. It is estimated that a desktop computer will take 6400 trillion years to figure out the private key of a given public key. You can check out the math here http://www.digicert.com/TimeTravel/math.htm. Private and Public keys, on the other hand, while impossible to crack, can be generated quite easily by a desktop computer using free open-source software, such as OpenSSL.
The process of generating the keys and storing the private keys in the PCOS machines should be witnessed not just by Smartmatic and Comelec, but interested third parties such as the BEI (Board of Election Inspectors) and representatives of each political party. The people witnessing the process should ensure that all traces of the private key, once embedded in the PCOS, is erased. If a USB drive was used to copy the private key into the PCOS, then that too must be wiped clean. Ideally, some testing of the PCOS is done (by a qualified third party) to ensure that the PCOS is secure and cannot be tampered with. To be safe, the source code should also be reviewed, to make sure there is no back door inside that allows an insider to enter a predefined set of keystrokes (or scan a predefined document) that will trigger the back door (where the private key can be divulged, replaced, or the election results themselves can be edited).
Once the voting is over, the PCOS machines should generate the ERs, sign them (using their unique private keys), and then transmit them to the Comelec server, to the Transparency Server (monitored by the PPCRV, Rappler, etc), and to the Municipal Centers. When the servers receive the ERs from a PCOS, they should check their authenticity (by looking up the corresponding PCOS public keys and verifying that they match the digital signatures). If everything checks out, the comelec server should then publish the digitally signed election results on the comelec website.
In this manner, even if there are transmission delays, and horse-trading over the election results, it will not be possible to tamper with the results. Someone can of course generate new public key & private key pairs, and then generate fake ERs using the fake private keys. They would have to somehow tamper with the database of public keys used by the Comelec server, as well as the Database used by Transparency Server to pull off this stunt. Lastly, they would have to hack into the comelec website and replace the list of public keys with their own set of fake public keys. One way to avoid this (other than relying on the public to spot the hacker’s attempts) is to have the BEI and all the Political Parties sign the list of public keys. This way, it would be impossible for the list of public keys to be replaced without being detected. The only way to “beat” the system would then be to physically destroy the PCOS machines, or the comelec & Transparency Server.
So what can be done to prevent cheating in this current election?
1) Comelec must IMMEDIATELY publish the list of precincts and their corresponding PCOS public keys. There is no reason for the Comelec not to do this, other than to buy time to generate new public key/private key pairs for precincts that have yet to report their results.
2) They must publish the digital signatures that come with each ER. Again, there is no reason for the Comelec not to do this, unless some of the published ERs have already been tampered with.
3) The PCOS machines and their CF cards must be secured. If someone has already generated a new set of private keys, then we can detect the fraud by reviewing the source code for the PCOS machines, especially the part where the PCOS writes to the CF card & signs the results, determine where the private Key is stored within the PCOS, then write new code to access this location. Doing this will not be trivial, and it may take a lot of trial and error, but there are 78T PCOS machines, so we have enough machines to experiment on. The embedded private key can now be compared with the published public key and see if they match. If they do not match, then there is cause to believe that some fraud has taken place.
Any attempts to reset the PCOS machines and erase their CF cards should be deemed highly questionable.
4) Of course if unique private keys were never embedded into the PCOS machines, then Smartmatic needs to hauled into court, as there is absolutely no reason why they should stick us with machines using ancient technology. Their existing SAES voting machines already use 2048 public keys. And the cost to implement PKI (public key infrastructure) is minimal – as there is a lot of open source code available to generate keys, sign and encrypt documents, etc.
In fact, if Comelec deliberately asked Smartmatic to deliver PCOS machines without any PKI, Smartmatic should have immediately known that something foul was afoot. This would be the equivalent of asking a Private Security company to watch over a bank, and requiring them to use mobile Phones and walkie-talkies with known transmission problems, or to use CCTV cameras that fail to record, or to use bows and arrows instead of guns!
We shouldn’t wait any longer for someone to file an electoral complaint, or for someone to gather evidence of cheating before springing into action. We already have all the evidence we need – as all the digital security measures to prevent cheating have been turned off!