
chvote-1-0's Introduction

CHVote

CHVote aims to be an opensource, publicly owned evoting system. It is the result of the collaboration between the Geneva State Chancellery and the Geneva IT Department.

CHVote is currently used by 4 cantons in Switzerland: Basel-City, Bern, Geneva and Luzern, either for votations or elections.

Released components

The following components are released as opensource software:

  • The offline administration application
  • Various utility libraries needed by this application

The goals of the offline administration application are to:

  • generate the keys responsible for encrypting and decrypting the stored ballots, using passphrases from the electoral board;
  • test the generated keys and the passphrases;
  • decrypt the ballots.

The security objective of having an offline application is to ensure that the private key able to decrypt the ballots is never known to any system other than the offline application and its offline laptop.

The offline administration application is a key component of the evoting system in that it is the only one responsible for creating and using the private decryption key.

System overview

Please read the system overview documentation to learn how the published components contribute to the evoting system. You'll get an overview on the following themes:

  • the election process;
  • the system architecture including focuses on the ballot box cryptography and the use of the offline administration application;
  • the security concept.

Compiling and running

Preconditions

The following software must be installed to compile and run the application:

We do not provide support for the use of OpenJDK/OpenJFX.

Compiling

Compile and install the 3 modules in this sequence:

cd $PROJECT_ROOT/base-pom
mvn clean install

cd $PROJECT_ROOT/commons-base
mvn clean install

cd $PROJECT_ROOT/admin-offline
mvn clean install

Some JDK distributions do not come with the Monocle classes used by the headless GUI tests. If you're running into those cases (java.lang.AbstractMethodError: com.sun.glass.ui.monocle.NativePlatform.createInputDeviceRegistry appearing in the test logs), use the following command to skip the GUI tests:

cd $PROJECT_ROOT/admin-offline
mvn -P skipJavaFXTests clean install

Running

Run the application with maven:

cd $PROJECT_ROOT/admin-offline
mvn exec:java -Dexec.mainClass="ch.ge.ve.offlineadmin.OfflineAdminApp"

Contributing

CHVote is opensourced with the main purpose of transparency to build confidence in the system.

Contributions are also welcomed, either using pull requests or by submitting issues in github. The CHVote community manager will take care of those inputs, lead exchanges around them, and actions could take place according to their relevance, their criticality, and the CHVote development roadmap.

Pull request policies

The master branch mirrors the state of the production code.

  • Please use the development branch for pull requests modifying the source code.
  • You can however use the master branch for pull requests concerning the documentation only.

Security

In case of vulnerability discovery, please use the following email address for coordinated disclosure: [email protected].

Licence

CHVote components are released under AGPL 3.0.

Future

The second generation of CHVote has been under active development in 2017 and 2018. The project has since been discontinued and will not be put into production. It aimed to provide end-to-end encryption with individual and universal verifiabilities. Its source code is published here: https://chvote2.gitlab.io.

chvote-1-0's Issues

Final Version

According to various sources, this e-voting platform will be discontinued by the Canton of Geneva. The last commits are several months old. In the meantime, have there been any changes that haven't been pushed yet? If so, this would be a good time before Canton Geneva runs out of time or money to maintain this repository.

It would be great if all the code would be available here. According to the motto: Public Money, Public Code!

consider publishing the threat model

from https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/docs/system-overview.md#threat-assessment:

The threats to the evoting system are modeled and rated, and include attacker profiles from outside and inside the organization. Furthermore, the abuse cases are built and maintained.

I believe it would be very welcome to have the threat model published along with the system overview documentation. While the architecture and code seems well documented, the motivations driving the security design are crucial and mostly missing.

This would lead to a more efficient and smooth collaboration from the community, allowing to focus security review on the most critical (publicly available) parts of the system depending on the rating and priorities.

For example, #15 raises interesting questions regarding the passwords. Humans are notoriously bad at picking good passwords (especially repeatedly) and there is a consensus that arbitrary composition rules are near useless (humorously depicted in https://xkcd.com/936/). It is then understandable that this topic raises concern. But if overall the passwords are low priority targets in the threat model, and it is clearly stated, then a lengthy discussion about them may be avoided saving everyone's time and energy.

Use Tags please

Please use GitHub to schedule releases using tags as well as branches for feature work-flow & discovery. It helps open the repo up as projects are not being used and internal issues don't seem to be getting tracked.

HSTS Preloading

To prevent users from ending up on the unencrypted HTTP version of the website, evote-ch.ch may be submitted to the HSTS preloading list. It would ensure that most popular browsers will always use HTTPS to access evote-ch.ch.

Same key used in encrypt() and BuildMAC()

You do not appear to be using separate keys for AES encryption and the HMAC.

BuildMAC()

mac.init(config.getSecretKey());

Link to source code: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/commons-base/commons-crypto/src/main/java/ch/ge/ve/commons/crypto/SensitiveDataCryptoUtils.java#L180

encrypt()

SecretKey secretKey = config.getSecretKey();
cipher.init(Cipher.ENCRYPT_MODE, secretKey, SecureRandomFactory.createPRNG());

Link to source code: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/commons-base/commons-crypto/src/main/java/ch/ge/ve/commons/crypto/SensitiveDataCryptoUtils.java#L272
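One way to keep the cipher and the MAC on independent keys while still storing a single secret, written as an added example for this issue and not taken from the CHVote code base: a labelled HMAC-SHA256 derivation (the expand step of HKDF) turns one master key into an encryption subkey and a MAC subkey, and the message is then protected encrypt-then-MAC. Class and method names, the labels and the sample master key are all constructed for the example; a 32-byte AES key assumes a JDK whose crypto policy allows AES-256.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public final class SeparateKeysExample {

    private static final int IV_LEN = 16;   // AES block size
    private static final int TAG_LEN = 32;  // HMAC-SHA256 output

    // HKDF-style expand step: HMAC-SHA256(masterKey, label || 0x01).
    // Different labels yield independent subkeys, so the cipher and the MAC never share one.
    static byte[] deriveSubkey(byte[] masterKey, String label) throws GeneralSecurityException {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(masterKey, "HmacSHA256"));
        hmac.update(label.getBytes(StandardCharsets.UTF_8));
        hmac.update((byte) 0x01); // single-block counter, enough for one 32-byte subkey
        return hmac.doFinal();
    }

    // Encrypt-then-MAC: AES-256-CBC under the encryption subkey, then HMAC-SHA256 over IV || ciphertext
    // under the MAC subkey. Output layout: IV || ciphertext || tag.
    static byte[] encryptThenMac(byte[] masterKey, byte[] plaintext) throws GeneralSecurityException {
        byte[] encKey = deriveSubkey(masterKey, "example/encryption"); // constructed label
        byte[] macKey = deriveSubkey(masterKey, "example/mac");        // constructed label

        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(plaintext);

        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        hmac.update(iv);
        hmac.update(ciphertext);
        byte[] tag = hmac.doFinal();

        byte[] out = new byte[IV_LEN + ciphertext.length + TAG_LEN];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ciphertext, 0, out, IV_LEN, ciphertext.length);
        System.arraycopy(tag, 0, out, IV_LEN + ciphertext.length, TAG_LEN);
        return out;
    }

    // Verify the tag in constant time before the ciphertext is handed to the cipher at all.
    static byte[] verifyThenDecrypt(byte[] masterKey, byte[] blob) throws GeneralSecurityException {
        if (blob.length < IV_LEN + TAG_LEN) {
            throw new GeneralSecurityException("message too short");
        }
        byte[] encKey = deriveSubkey(masterKey, "example/encryption");
        byte[] macKey = deriveSubkey(masterKey, "example/mac");

        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ciphertext = Arrays.copyOfRange(blob, IV_LEN, blob.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - TAG_LEN, blob.length);

        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        hmac.update(iv);
        hmac.update(ciphertext);
        if (!MessageDigest.isEqual(tag, hmac.doFinal())) {
            throw new GeneralSecurityException("MAC verification failed");
        }

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] masterKey = new byte[32];
        new SecureRandom().nextBytes(masterKey); // constructed sample master key
        byte[] message = "constructed sample record".getBytes(StandardCharsets.UTF_8);

        byte[] blob = encryptThenMac(masterKey, message);
        System.out.println(new String(verifyThenDecrypt(masterKey, blob), StandardCharsets.UTF_8));

        blob[IV_LEN + 4] ^= 0x01; // flip one ciphertext bit: the tag check must now reject it
        try {
            verifyThenDecrypt(masterKey, blob);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same separation can be obtained without a MAC at all by switching to an authenticated mode such as AES/GCM/NoPadding, which takes a single key by design; the derivation above is the route that keeps an existing CBC-plus-HMAC layout intact.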

Set a strict Referrer-Policy

After submitting a vote, the voter gets redirected to the website of the Canton. As some of these websites use Google Analytics and other tracking tools, it's possible to identify voters by analyzing the HTTP referrer. The referrer URL is unique to the extent that it allows one to distinguish between regular visitors of evote-ch.ch and voters who actually submitted a vote.

By setting the HTTP header Referrer-Policy to no-referrer (or strict-origin), this leak can be prevented.

Update password specifications

CHVote currently requires a password length of 9-10 characters. On top of that, your composition rules state that the password must contain at least one uppercase character, one lowercase character and one digit. This is not a good password guideline and I think this needs to be updated.

private static boolean isPasswordValid(String newValue) {
    // Length should be between 9 and 10 (incl)
    boolean validLength = newValue.length() >= 9 && newValue.length() <= 10;
    // Password should contain at least one upper, one lower and one digit
    boolean validPattern = newValue.matches(".*[A-Z].*") && newValue.matches(".*[a-z].*") && newValue.matches(".*[0-9].*");
    return validLength && validPattern;
}

Link: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/admin-offline/src/main/java/ch/ge/ve/offlineadmin/controller/PasswordDialogController.java#L56-L62

In case you missed it, NIST updated their password guidelines here: https://pages.nist.gov/800-63-3/sp800-63b.html#memorized-secret-verifiers

Verifiers SHOULD permit user-chosen memorized secrets to be at least 64 characters in length.

All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets; Unicode [ISO/ISC 10646:2014] characters SHOULD be accepted as well.

Verifiers SHOULD NOT impose other composition rules (mixtures of different character types, for example) on memorized secrets.

Support deterministic builds of whole environment

First off, this is really rad. Just wanted to say that. Thanks Geneva!

I've only looked briefly, so maybe this is already underway.

The idea would be to generate the environments used to carry out all these procedures in a totally deterministic way. So build all the tools used from source, and verify signatures, and provide an environment that citizens can rebuild and check those signatures themselves.

This would be similar to how the Bitcoin build process works, and the tools they've built to support that:
https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md

arePasswordsEqualAndValid() is vulnerable to timing attacks

The equals() method performs a character-by-character comparison, which terminates as soon as two characters do not match. This form of comparison is therefore vulnerable to timing attacks:

return stringProperty1.getValueSafe().equals(stringProperty2.getValueSafe()) && isPasswordValid(stringProperty1.getValueSafe());

Link to source code: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/admin-offline/src/main/java/ch/ge/ve/offlineadmin/controller/PasswordDialogController.java#L195

This comparison is then performed here:

private BooleanBinding bindForValidity(boolean withConfirmation, TextField electionOfficer1Password, TextField electionOfficer2Password, Label errorMessage, Node confirmButton) {
    BooleanBinding passwordsValid = Bindings.createBooleanBinding(
            () -> withConfirmation ? arePasswordsEqualAndValid(electionOfficer1Password.textProperty(), electionOfficer2Password.textProperty()) : isPasswordValid(electionOfficer1Password.getText()),
            electionOfficer1Password.textProperty(),
            electionOfficer2Password.textProperty());
    passwordsValid.addListener((observable, werePasswordsValid, arePasswordsValid) -> {
        confirmButton.setDisable(!arePasswordsValid);
        errorMessage.setVisible(!arePasswordsValid && withConfirmation);
    });
    return passwordsValid;
}
```

Link to source code: https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/admin-offline/src/main/java/ch/ge/ve/offlineadmin/controller/PasswordDialogController.java#L171

Unfortunately, I do not know how significant this issue is since you do not have a clear threat model (#17).
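The two password issues above (the composition rule in "Update password specifications" and the early-exit comparison in this one) can be addressed in the same pair of methods. The following is an added example, not code from the CHVote repository: the quoted 9-10 character rule is kept as `legacyIsPasswordValid` for contrast, `isPasswordValid` applies a length-plus-deny-list policy in the spirit of SP 800-63B, and `arePasswordsEqualAndValid` compares the two entries with `MessageDigest.isEqual`. The bounds, the deny list and the sample passwords are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.text.Normalizer;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class PasswordPolicyExample {

    // Hypothetical bounds: a minimum, a generous maximum, and no composition rules.
    static final int MIN_LENGTH = 8;
    static final int MAX_LENGTH = 64;

    // Constructed stand-in for the breached-password corpus SP 800-63B asks verifiers to check.
    static final Set<String> DENY_LIST = new HashSet<>(Arrays.asList(
            "password", "12345678", "qwertyuiop", "passw0rd1"));

    // The rule quoted in the issue, kept only for comparison: 9-10 characters, upper + lower + digit.
    static boolean legacyIsPasswordValid(String newValue) {
        boolean validLength = newValue.length() >= 9 && newValue.length() <= 10;
        boolean validPattern = newValue.matches(".*[A-Z].*")
                && newValue.matches(".*[a-z].*")
                && newValue.matches(".*[0-9].*");
        return validLength && validPattern;
    }

    // Length-and-deny-list policy: printable ASCII, spaces and Unicode are all acceptable.
    static boolean isPasswordValid(String candidate) {
        if (candidate == null) {
            return false;
        }
        // NFKC so that the same secret typed on different keyboards compares equal.
        String normalized = Normalizer.normalize(candidate, Normalizer.Form.NFKC);
        int length = normalized.codePointCount(0, normalized.length());
        if (length < MIN_LENGTH || length > MAX_LENGTH) {
            return false;
        }
        // Control characters are the only class rejected.
        if (normalized.codePoints().anyMatch(Character::isISOControl)) {
            return false;
        }
        return !DENY_LIST.contains(normalized.toLowerCase(Locale.ROOT));
    }

    // Confirmation check that does not stop at the first mismatching character.
    static boolean arePasswordsEqualAndValid(String first, String second) {
        if (first == null || second == null) {
            return false;
        }
        byte[] a = first.getBytes(StandardCharsets.UTF_8);
        byte[] b = second.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual takes time independent of the content once the lengths match;
        // a length mismatch still returns early, which only reveals what the dialog already shows.
        boolean equal = MessageDigest.isEqual(a, b);
        // Single '&' so the validity check runs whether or not the comparison succeeded.
        return equal & isPasswordValid(first);
    }

    public static void main(String[] args) {
        String[] samples = {
                "Passw0rd1",                    // satisfies the legacy rule but sits on the deny list
                "correct horse battery staple", // 28 characters with spaces: legacy rejects, new accepts
                "Tr0ub4dor&3longerthanten",     // legacy rejects on length alone
                "short1A"                       // 7 characters: both reject
        };
        for (String s : samples) {
            System.out.printf("%-32s legacy=%-5s new=%s%n",
                    "\"" + s + "\"", legacyIsPasswordValid(s), isPasswordValid(s));
        }
        System.out.println("confirmation matches: " + arePasswordsEqualAndValid(samples[1], samples[1]));
        System.out.println("confirmation differs: " + arePasswordsEqualAndValid(samples[1], samples[2]));
    }
}
```

In the offline application both fields are typed by election officers at the same laptop, so the practical weight of the timing difference depends on the threat model the previous issue asks for; the constant-time comparison costs nothing, and the policy change is the part that affects the strength of the derived keys.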

Broken http => https redirect handling

Sorry if I'm reporting this issue in the incorrect place. Hopefully you can help me route it.

http://www.evote-ch.ch/vd incorrectly redirects to https://doc.evote-ch.chvd (note the lack of slash between ch and vd).

If an attacker is able to purchase the chvd top level domain (very unlikely), they could theoretically compromise the election process.

$ curl -v 'http://www.evote-ch.ch/vd'
*   Trying 160.53.75.136...
* TCP_NODELAY set
* Connected to www.evote-ch.ch (160.53.75.136) port 80 (#0)
> GET /vd HTTP/1.1
> Host: www.evote-ch.ch
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 28 Jan 2019 07:21:27 GMT
< Location: https://doc.evote-ch.chvd
< Content-Length: 233
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: TS01e3dc2d=0175768efa8072e65a48d44dfa6c49612c22053b2e1ee970b4397f6c52294d0bf01bf66d65e1a81ae78af0e5c9a493202ec2f7d145; Path=/
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://doc.evote-ch.chvd">here</a>.</p>
</body></html>
* Connection #0 to host www.evote-ch.ch left intact
$
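The three transport issues on this page (HSTS preloading, a strict Referrer-Policy, and the HTTP to HTTPS redirect that dropped the slash) can be handled in one place at the web tier. The following servlet filter is an added example and not part of the CHVote code base; it assumes a Java EE servlet container (`javax.servlet`), and the class name, canonical host and header values are constructed for the example. The redirect target is assembled with `java.net.URI`'s authority/path/query constructor instead of string concatenation, which is what keeps `/vd` from being glued onto the host.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class TransportHardeningFilter implements Filter {

    // Hypothetical canonical host, constructed for the example.
    static final String CANONICAL_HOST = "www.evote.example";

    // Preload-list requirements: max-age of at least one year, includeSubDomains and preload.
    static final String HSTS_VALUE = "max-age=63072000; includeSubDomains; preload";

    // Build the Location header from its parts so the host/path separator can never be lost.
    static String httpsLocation(String host, String path, String query) {
        String safePath;
        if (path == null || path.isEmpty()) {
            safePath = "/";
        } else if (path.startsWith("/")) {
            safePath = path;
        } else {
            safePath = "/" + path;
        }
        try {
            return new URI("https", host, safePath, query, null).toString();
        } catch (URISyntaxException e) {
            // Prefer the site root to emitting a malformed Location.
            return "https://" + host + "/";
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        if (!req.isSecure()) {
            // Plain HTTP gets a redirect and nothing else: no application content over cleartext.
            resp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            resp.setHeader("Location",
                    httpsLocation(CANONICAL_HOST, req.getRequestURI(), req.getQueryString()));
            return;
        }

        // HTTPS responses: pin the browser to HTTPS and send no Referer on the post-vote redirect.
        resp.setHeader("Strict-Transport-Security", HSTS_VALUE);
        resp.setHeader("Referrer-Policy", "no-referrer");
        chain.doFilter(request, response);
    }

    public static void main(String[] args) {
        // The shape reported in the issue: "/vd" must remain a path segment after the host.
        System.out.println(httpsLocation(CANONICAL_HOST, "/vd", null));
        System.out.println(httpsLocation(CANONICAL_HOST, "/vd", "lang=fr"));
        System.out.println(httpsLocation(CANONICAL_HOST, "", null));
    }
}
```

Register the filter for `/*` in `web.xml` or with `@WebFilter`; the HSTS header only has an effect when served over HTTPS, which is why it is set on the secure branch rather than on the redirect.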
