InetVote: Register to Vote (3)

James F. Carter, UCLA-Mathnet, 2004-10-10

Now you have the script to create your secret key and Certificate Signing Request. Here are the steps to execute the script:

  1. If you are a truly paranoid and well-trained computer user you will scan the script you received with virus protection software, and will view the script (it's a simple text file, though with a rather long line), understand what it's doing, and verify that no harmful activities are going to occur. If the script is not to your liking, e.g. you prefer different filenames or wish to use full path names, or if you need to translate the script to work with different crypto software, you may edit it to suit you.

  2. You need to protect your secret key! Do not let anyone become you by wielding the secret key. You need a good passphrase to protect it. Choose the passphrase now, before running the script. If you have a good one (see guidelines below) that you use frequently on your computer, and that hackers have probably not stolen, that would be a good choice.

    However, if you're creating a new passphrase here are some guidelines.

    Words in English or another language
    • The passphrase should be at least 20 letters long.
    • 30 letters is about the maximum for accurate typing.
    • The phrase should have no relation to yourself.
    • Do not use the name of anyone you know including pets and celebrities.
    • Do not use your birthplace or childhood street address.
    • Bartlett's Familiar Quotations is used by hackers; pick only an obscure quotation.
    • Scattering digits or punctuation and changing case creatively are helpful but do not give that much extra strength; length is your best defense.
    Truly random password
    • Roll dice or use a password generating program to get a truly random password.
    • 11 bytes are needed for adequate strength, assuming they are chosen from upper and lower case letters, digits and punctuation.

    You also need to remember the passphrase on election day. A CIA agent would be expected to be able to memorize a passphrase and to be sure of remembering it weeks or months in the future, but it isn't reasonable to expect millions of average citizens to accomplish this. If you have a safe, or a deposit box at a bank, write down the passphrase and put it in the safe. If not, hide it the same way you might hide a supply of cash. Make a backup copy of your voting-related files including the secret key, and put it in a different deposit box or hiding place. Make the backup on removable media such as a floppy disc, a writeable CD or a USB key. If the backup copy is stolen, it does nobody any good unless they have also obtained the passphrase for the secret key.

  3. Move the script you received (register.sh, unless you renamed it) to your voting-related files directory (folder), if not deposited there in the download process.

  4. Now execute the script. Use or start up a shell session (console window). Windows® users should start the Cygwin shell by double-clicking on its icon. Change to the directory for your voting-related files, and then run the script through /bin/sh. (You may vary the instructions, e.g. use different directories or a full path name, but the form given is the easiest for beginners to follow.)

    cd $HOME/votefiles
    /bin/sh register.sh

    The OpenSSL program will generate a new secret key and write it to register.key (unless you edited the script to change the filenames). It will ask for your passphrase. It wants to see it twice, to guard against typing mistakes, and what you type will not be visible. The Certificate Signing Request will also be signed with the secret key and written to register.csr.

  5. Now send the Certificate Signing Request to the Registrar of Voters by using the form below. You will receive in return a certificate by which the Registrar of Voters affirms your right to vote in the coming election. Save this certificate to a file on disc, with your other voting-related files. The suggested filename, used in the examples further on, is register.usr. You will need to sign and present it on election day to receive a ballot.

    In this form use the choose button to find and select your Certificate Signing Request, called register.csr. On Microsoft® Windows® (Microsoft Internet Explorer web browser) you can open the file finder and then drag and drop the file's icon from the folder display into the file finder. Try it on competitor web browsers also; it's likely to work.

    Submit Certificate Signing Request
    The filename is typically register.csr


  6. Next Step: After you save your certificate to a file on disc, you need to verify that you can actually submit your ballot on election day. Proceed to Online Voting and go through the whole procedure of submitting a sample ballot.
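
The files written in step 4 can be checked locally before the upload in step 5. The script below is an added example, not part of the register.sh the Registrar sends; it assumes the page's default filenames and an OpenSSL that provides the `pkey` command, and the name check.sh is hypothetical.

```shell
#!/bin/sh
# Added example: local checks on the step 4 output before the step 5 upload.
# register.key / register.csr are the page's default filenames.

# True only if the private key file is stored passphrase-encrypted.
# Covers both PEM layouts OpenSSL writes: PKCS#8 and the traditional one.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True only if the CSR's self-signature verifies. The message text is
# matched because some OpenSSL releases report a bad signature only in
# the message, not in the exit status.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True only if the public key inside the CSR belongs to the private key.
# usage: csr_matches_key KEY CSR [extra "openssl pkey" options]
# Without extra options OpenSSL prompts for the passphrase as in step 4.
csr_matches_key() {
    key=$1; csr=$2; shift 2
    from_csr=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$key" -pubout "$@") || return 1
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# Run all three checks and report; non-zero status if any one fails.
check_registration_files() {
    key=$1; csr=$2; shift 2
    key_is_encrypted "$key" || { echo "FAIL: $key is not passphrase-protected"; return 1; }
    csr_signature_ok "$csr" || { echo "FAIL: $csr signature does not verify"; return 1; }
    csr_matches_key "$key" "$csr" "$@" || { echo "FAIL: $csr was not made from $key"; return 1; }
    echo "OK: upload $csr only; $key never leaves this machine"
}

# Typical use, from the voting-related files directory:
#   /bin/sh check.sh register.key register.csr
if [ "$#" -ge 2 ]; then
    check_registration_files "$@"
fi
```

A failure of the first check means the key on disc, and any backup made of it, is usable without the passphrase.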

How to Cheat

The major cheating opportunity on this page is to hack into the victim's computer, install spyware that will reveal the passphrase for his secret key when he enters it, and then steal the key and certificate. A potential victim with competently installed anti-virus software, who keeps his machine up to date with the latest security patches and who does not execute programs from untrusted sources, will only be vulnerable to cutting-edge exploits, i.e. he will be nearly invulnerable. However, a hacker can run a massive parallel attack on the sheep (easily victimized persons) among computer users, and likely could capture a significant number of certificates and secret keys, though getting both the key and its passphrase is somewhat harder.

If a thief can physically obtain the backup copy of the certificate, its secret key, and the passphrase for that key, then he can impersonate the victim and vote. Unfortunately, most voters do not have safe deposit boxes. However, thievery is risky and time-consuming, and it isn't likely that enough identities could be physically stolen to seriously influence an election.