Another Laudable Online Voting Architecture Concept But…
Gregory Miller
Recently, we were asked about a concept authored by a former technology executive at Citrix (yes, those folks) back in 2012 regarding a potential end to end secure voting system. But that was actually part of a larger question: whether and to what extent digital security must now live beneath the operating system software layer rather than on top of it. The author’s ideas for an online voting system are laudable and his credentials are credible. His follow-on article last year (2015) is interesting, and more to the point of hardware-level security alluded to in the first article. I offer a couple of comments below including some points by our CTO on this approach because it is something baked into ElectOS.
First, we agree that a hardware root of trust is an essential ingredient for any trustworthy computing device running mission critical software. The author, Ahmed Sallam (now CEO at DeepSAFE Technology) rightly points that out, but we doubt that Citrix has an existing product that can safely run an Internet Voting client. We’d love to be proven wrong on that, but it does not change the fact that the core problem is one of successfully combining many ingredients. This is one of the well known ingredients.
There is, from my perspective a well-developed and detailed technical white paper providing a worked example of a hardware root of trust from Apple for its iOS mobile operating system. This hardware rooted security layer has allowed Apple to develop Apple Pay and their biometric authentication management system (you can see a very good overview video here (may require Safari Browser to watch) of how it works). For those wishing to dive deeper, here is the NIST Draft Guidelines for Hardware Rooted Security in Mobile Devices.
At a deeper level of detail, our CTO (John Sebes) agrees with the technical architecture for the server side, but he believes that for the client side, Ahmed’s approach is a bit of overkill. As John observes, “If I understand it right, the Sallam model seeks to allow trusted and un-trusted code to run on a device, with a full operating system and all.”
So, the client architecture that John and the TrustTheVote Project have been advocating from the beginning, starts with a consumer device that has a hardware root of trust and a hypervisor that can validate a boot image as coming from a trustworthy source. John reports that we nearly have that today. And it has to have the ability to do both:
- a normal local boot into a full service mobile device OS to work as a phone browser, etc.; and
- a boot from an external physical device with the boot image for something else.
One such “something else” will probably be a banking App, but the one we’re interested in is a Voting (ballot casting) App — with a single purpose: it runs only that one App and the SW stack under it, immune to malware, etc. That’s not even that hard, but there are interesting PKI (Public Key Infrastructure) issues for ensuring that a given voting App is the real {authentic | authorized} voting App, and performing strong authentication of the user-voter, etc.
Now for the “But…” part of this. Fundamentally, we agree with Ahmed’s vision and concept; however, Citrix will be a potential player in the iVoting technology arena if and only if it is a major player in the mobile computing technology computing ecosystem. From what we can tell, Citrix is moving in that direction.
So to summarize, at the end of the day,
- Do we believe Citrix has a solution for iVoting? No.
- Do we believe the author of both articles referenced here, Ahmed Sallam (now since departed from Citrix and CEO of DeepSAFE) has a credible vision and concept for online voting? Yes.
- Do we believe that concept is complete and in terms of what we understand about the totality of the problem? No.
- Will the hardware root of trust (hardware layer security below the operating system), such as the elegant model embodied in iOS and articulated by the NIST Guidelines be a key ingredient going forward? Yes.
- Are we (anyone) there yet for a voting App/system? No.