SoylentNews is people

posted by janrinok on Monday August 26 2019, @05:06PM
from the not-the-way-to-do-it dept.

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election.

Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system's private keys based on its public keys. These private keys are used together with the public keys to encrypt user votes cast in the election.

Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes.

"It can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available," Gaudry said in a report published earlier this month.

"Once these [private keys] are known, any encrypted data can be decrypted as quickly as they are created," he added.

The block-chain based electronic voting system of Moscow's parliament is basically insecure, like in, totally broken. https://t.co/EafAAYXkpB pic.twitter.com/ISNcuPDvFu

— Lukasz Olejnik (@lukOlejnik)

What an attacker can do with these encryption keys is currently unknown, since the voting system's protocols weren't yet available in English, so Gaudry couldn't investigate further.

"Without having read the protocol, it is hard to tell precisely the consequences, because, although we believe that this weak encryption scheme is used to encrypt the ballots, it is unclear how easy it is for an attacker to have the correspondence between the ballots and the voters," the French researcher said.

"In the worst case scenario, the votes of all the voters using this system would be revealed to anyone as soon as they cast their vote."

Moscow's blockchain voting system is a first of its kind. It was developed in-house by the Moscow Department of Information Technology, and works as a "smart contract" on top of the Ethereum blockchain platform.

The voting system is set to go live on September 8, and will run for 12 hours, in sync with the official voting session.

[...] Following Gaudry's discovery, the Moscow Department of Information Technology promised to fix the reported issue -- the use of a weak private key.

"We absolutely agree that 256x3 private key length is not secure enough," a spokesperson said in an online response. "This implementation was used only in a trial period. In few days the key's length will be changed to 1024."

Gaudry, who discovered that Moscow officials modified the ElGamal encryption scheme to use three weaker private keys instead of one, couldn't explain why the IT department chose this route.

"This is a mystery," the French researcher said. "The only possible explanation we can think of is that the designers thought this would compensate for the too small key sizes of the primes involved. But 3 primes of 256 bits are really not the same as one prime of 768 bits."

However, a public key of a length of 1024 bits may not be enough, according to Gaudry, who believes officials should use one of at least 2048 bits instead.
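Gaudry's point that three 256-bit primes are not one 768-bit prime can be checked at toy scale. The following is an added example, not code from the article, from Gaudry's report or from the Moscow system. It assumes the three keys are applied as independent ElGamal layers (the article does not spell out the construction), uses constructed 20-bit primes, and uses generic baby-step giant-step in place of whatever faster method applies to real 256-bit primes.

```python
import math
import random

PRIMES = (1000003, 1000033, 1000037)   # constructed toy moduli, p1 < p2 < p3
G = 2                                  # constructed base element for every layer

def bsgs(g, h, p):
    """Generic discrete log: x with g^x = h (mod p), plus multiplications used."""
    m = math.isqrt(p - 1) + 1
    table, e = {}, 1
    for j in range(m):                 # baby steps: remember g^j
        table.setdefault(e, j)
        e = e * g % p
    step, gamma = pow(g, -m, p), h
    for i in range(m):                 # giant steps: h * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma], m + i
        gamma = gamma * step % p
    raise ValueError("h is not a power of g")

def encrypt(m, p, g, h, rng):          # textbook ElGamal: (g^k, m * h^k) mod p
    k = rng.randrange(2, p - 1)
    return pow(g, k, p), m * pow(h, k, p) % p

def encrypt_layers(m, pubs, rng):
    """Assumed layering: re-encrypt the second component under the next key."""
    heads, body = [], m
    for p, g, h in pubs:
        a, body = encrypt(body, p, g, h, rng)
        heads.append(a)
    return heads, body

def recover_from_public(heads, body, pubs):
    """Peel layers using only public keys; cost is the SUM of per-layer searches."""
    work = 0
    for (p, g, h), a in reversed(list(zip(pubs, heads))):
        x, steps = bsgs(g, h, p)
        work += steps
        body = body * pow(a, -x, p) % p    # ElGamal decryption with recovered x
    return body, work

def demo(message=424242, seed=2019):
    rng = random.Random(seed)
    pubs = [(p, G, pow(G, rng.randrange(2, p - 1), p)) for p in PRIMES]
    heads, body = encrypt_layers(message, pubs, rng)
    recovered, layered = recover_from_public(heads, body, pubs)
    single = math.isqrt(math.prod(PRIMES))  # generic cost for ONE prime of combined size
    return message, recovered, layered, single

print(demo())
```

The third and fourth values returned are the work figures: a few thousand multiplications for the three layers together, against roughly a billion for a single modulus with the combined bit length.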


  • (Score: 4, Insightful) by DannyB on Monday August 26 2019, @05:10PM (3 children)

    Does this mean that the testing of their voting system was a success?

    (American voting system vendors take note.)

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 1, Troll) by aristarchus on Tuesday August 27 2019, @01:33AM

    (American voting system vendors take note.)

    since the voting system's protocols weren't yet available in English, so Gaudry couldn't investigate further.

    Yes, the same tactic the Chinese use: they speak Chinese, and write it as well. Americans cannot investigate any further. It is kind of like the SoylentNews submission policy: Submissions not in Anglais cannot be considered further, because the Eds don't understand them.

  • (Score: 3, Insightful) by Thexalon on Tuesday August 27 2019, @03:26AM

    Yeah, it sounds like the correct headline is "Moscow's Blockchain Voting System Cracked By Somebody Besides The FSB A Month Before Election"

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by legont on Tuesday August 27 2019, @06:40AM

    It looks like the initial commit was 40 days ago and they are providing a set of sample data to decrypt every 12 hours. "Experts" could still make some more money, I guess.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.