Learn more about demokratian security and the false sense of security offered by some encryption-based systems.

Learn more about demokratian security and the false sense of security offered by some encryption-based systems.

There is no such thing as absolute security on the Internet, and this extends to online voting, but DEMOKRATIAN has tried to reduce the possibilities of fraudulent use of the platform as much as possible.

The DEMOKRATIAN application is aimed at censuses, i.e. only people who are registered can vote. Voter lists are precisely one of the points where fraud can be committed in any election, whether in person or online, so it is necessary that the censuses are reliable, and that the authority that verifies the census has the appropriate filters and controls.A common temptation in online voting is, thinking of facilitating the vote to the largest number of people, to open a form so that everyone can sign up to vote by entering some data such as the ID number which is easily falsifiable. This action should be avoided if it does not involve a control system to verify that the registered person actually exists. This is one of the points where more fraud can exist in online voting.

In DEMOKRATIAN the vote is absolutely separated from the voter, i.e. in the database where the votes are stored both data are separated and there is no possibility of linking one data with another. Contrary to other voting systems that keep this data linked and therefore need complicated encryption systems to prevent the orientation of the voter's vote from being known, entrusting this security to "external authorities".In that sense DEMOKRATIAN has been created with traditional voting models in mind, in which once you put your vote in the ballot box it cannot be modified nor can it be known that the voter has voted (although for the sake of individual verifiability there is a possibility that does not compromise privacy, which is explained below).

DEMOKRATIAN has prioritized transparency above all else, anyone can see that the votes are what they are and can be listed directly from the database without the need for complicated programs or decryption systems that generate a lot of insecurity for the user with low computer skills because it is not clear that the algorithms can not be changing data.

To prevent votes from being illegally entered into the database, several security systems have been created. On the one hand, a second copy of the data is stored, these are encrypted in a unidirectional way (hash) with the sha 256 algorithm, and then the data comparison verifies if there are differences between the original and the encrypted copy. This type of encryption, unlike asymmetric encryption, does not allow decryption, so the data is secure.

When the votes are counted, the application generates a list of all the votes in the database, checks if there is a copy in the encrypted table generating an error mark if it does not exist and indicates in the list next to each vote, a unique random code that has been generated and delivered at the time of the vote to each voter so that the voter can verify that his vote is still there unchanged, even any voter could make his own count with the list of all votes.

In addition, a third copy (in a separate file and with restricted access) of the data is stored on the server itself, so that if someone has access to the database, a copy with more difficult access would remain.

Additionally, a hash of a secret combination of the last 5 votes is stored in each vote, which allows a new data integrity check.

Finally, the system has another layer of security, very advisable for the sake of transparency, which can be enabled by the voting administrator, and it is the sending of an anonymous mail with each vote at the moment it is generated, to independent voting officers (which logically will be limited in number), that is to say, a mail is sent in which there is no reference of the voter with the numerical data of his vote, it would be a kind of "paper copy" of each vote. For the use of this system the mailbox of the voting officers must be enabled so that it does not reject the mails as spam.

Throughout the voting process the vote is not encrypted on the client computer because it can have several drawbacks including attacks by "Man-in-the-middle", so it is recommended to use secure SSH servers for the information to travel encrypted. Some people consider that the data should be encrypted on the client to prevent a malicious administrator can modify the code and capture the vote data, this is completely unnecessary and only creates a false sense of security because if there is a malicious administrator could change the code for the client to send double data, encrypted and unencrypted. (In any case this would be solved with the ability to audit at all times the code that is running on the server by independent programmers).

As mentioned above, one method of verifying the integrity of the vote by the voter (individual verifiability), is that at the end of the voting process, the system delivers a unique alphanumeric key that the voter can save so that later, when the voting is finished, and all the votes that have been used in the tally are listed, the voter can verify that his/her vote is there. Another method (it can be enabled at the administrator's choice) is that the voter, when he/she is performing the voting process, enters a key of his/her choice (the system ensures that it is unique), which is unidirectionally encrypted (it cannot be decrypted) and once the voting process is finished, when the results are public, he/she can enter his/her key to verify that his/her vote is correctly registered.

Any computer system is as a rule insecure, it depends largely on the integrity of system administrators, whatever measures are implemented to secure it. Other voting systems "trust" everything to complicated encryption systems, but even with asymmetric or double key encryption systems there are the same vulnerabilities to illegal vote inclusion since the public keys, which encrypt the vote, are accessible at all times on the server, or chain of servers if mixnet type systems are used, which are really designed for obfuscation.