According to Microsoft’s 2021 Digital Defense Report, 79% of nation-state attackers target government agencies, NGOs and think tanks. This reality has pushed cybersecurity to the fore for most government agencies – including election offices. When election security is on the table, people regularly talk about encryption, but few ever mention encryption’s better half – digital signatures. This primer can help you understand the basics of digital signatures so you can better trust election technology.
Voting systems rely on well-vetted security methods to protect data throughout the election lifecycle: ballot layout information, voting machine programming, vote casting and election results tabulation. Encryption and digital signatures are the two primary mechanisms to deliver this layer of information security.
Encryption is used to obscure information, preserving its confidentiality by preventing unauthorized persons from viewing it. Without the required decryption key, the information is gibberish. Digital signatures, on the other hand, ensure the authenticity and integrity of protected information: they do not hide it, but they let a recipient confirm who produced it and that it has not been altered since. The two work together in voting systems to help safeguard the information.
The digital signature is first among equals as a cryptographic technique to maintain the integrity of election information. Digital signatures provide strong assurance that the information came from the expected source and has not been changed since it was originally authored.
The term digital signature is sometimes confused with, or used interchangeably with, the term electronic signature. While digital signatures are a form of electronic signature, not all electronic signatures are digital signatures (a scanned image of a handwritten signature is an electronic signature, for example). A digital signature is a cryptographic tool. It first computes a hash of the file, a fixed-length digest produced by a mathematical algorithm such that any change to the file changes the digest, and then signs that digest with the signer's private key. The hash is not itself encrypted, and a hash alone proves nothing about origin, because anyone can recompute a hash over altered data. It is the signature over the hash, verifiable only with the matching public key, that proves the signed information came from the holder of that private key.
The election lifecycle contains several dataflows within the voting system, including:
- Import of election information, such as candidate name and party affiliation;
- Jurisdiction geography (precinct boundaries, relationships, splits);
- Voting machine serial numbers, locations, precinct assignments;
- Files for the voting machines, central count scanners and ballot printers;
- Sample ballot generation;
- Pre-election test results, tabulation reports from scanners, cast-vote records, aggregated results, ballot images, event logs; and
- Records for auditing the election.
Digital signatures preserve the integrity of these items. They can also protect the integrity of the software running the back-office ballot layout and central scanning systems, and the software on the voting machines.
Much of the data in election systems is public record, such as ballot layouts and election results. This data needs integrity protection but not necessarily encryption, since there is nothing to keep secret. To maintain the integrity of the election, however, we need verifiable evidence that those files – and items such as tally reports and voting machine configuration files – are indeed genuine and unaltered. We must be able to validate that the information came from a known and expected source and that it has not been changed since it was initially created. Digital signatures do this.
Digital signatures protect against threats to voting systems, such as attempts to introduce malicious software onto components. How? The engineering team that creates and manages the voting system software (and software updates) digitally signs it with a private signing key when it is completed. When the software is loaded, the component looks for the signature and verifies it against the public key it was provisioned with before accepting the new software. The scheme is only as strong as the protection of that private signing key and of the public key stored in each component, so both must be guarded as carefully as the software itself.
Similarly, when a system component generates data – such as a ballot layout package, a configuration file or a results report – the information is digitally signed. Any downstream component receiving that data checks the signature. If the signature does not verify against the expected key, whether because the data was altered or because it was signed by someone else, the component rejects the information and prevents it from moving downstream.
These authentication functions are automated and transparent to system users – unless a signature does not verify. If that occurs, the system halts the operation in progress and requests human intervention to resolve the mismatch. This is how an attempt to sabotage the election system would be detected: signatures do not stop a file from being tampered with, but they make sure the tampered file is not acted on.
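The sign-at-source, verify-at-consumer flow described above, as an added example that is not code from the original article or from any voting system vendor. It also illustrates the hash-versus-signature distinction drawn earlier: the digest changes with the data and can be recomputed by an attacker, while the signature cannot be forged without the private key. The page names no algorithm, so Ed25519 from Go's standard library is an assumption, as are the sample tally report, the artifact names and the function names; the "attacker" steps are constructed to show the two failure modes a downstream component must reject.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedArtifact is a payload (software image, ballot layout, results report)
// together with the signature a signing authority produced over it.
// Field and type names are illustrative, not any vendor's format.
type SignedArtifact struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// ErrSignatureMismatch is what a component reports when verification fails;
// the caller halts the operation and requests human intervention.
var ErrSignatureMismatch = errors.New("signature does not verify: halt and request human intervention")

// NewSigningKey creates an authority's key pair (assumed algorithm: Ed25519).
// The public key is provisioned into every component; the private key never leaves
// the signing environment.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing sensible to do
	}
	return pub, priv
}

// Digest returns the SHA-256 hex digest of a payload. It catches accidental
// corruption but not tampering: anyone can recompute a digest over altered data.
func Digest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// Fingerprint renders a signature as hex so an operator can compare the value
// printed on a report with the value the system displays.
func Fingerprint(sig []byte) string {
	return hex.EncodeToString(sig)
}

// Sign is what the authority does before release: it signs the payload
// (Ed25519 hashes the message internally as part of signing).
func Sign(priv ed25519.PrivateKey, name string, payload []byte) SignedArtifact {
	return SignedArtifact{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Accept is what a downstream component does before loading software or
// ingesting data: verify the signature against its provisioned public key.
// A tampered payload and a payload signed by a different key both fail here.
func Accept(trusted ed25519.PublicKey, a SignedArtifact) error {
	if len(a.Signature) != ed25519.SignatureSize || !ed25519.Verify(trusted, a.Payload, a.Signature) {
		return fmt.Errorf("%s: %w", a.Name, ErrSignatureMismatch)
	}
	return nil
}

func main() {
	pub, priv := NewSigningKey()

	// Constructed sample: a precinct tally report emitted by a scanner.
	report := []byte("precinct=12;candidate_a=1042;candidate_b=987\n")
	art := Sign(priv, "tally-precinct-12.txt", report)
	fmt.Println("digest:         ", Digest(art.Payload))
	fmt.Println("signature:      ", Fingerprint(art.Signature))
	fmt.Println("accept genuine: ", Accept(pub, art))

	// Attacker edits a count and recomputes the digest. The digest matches the
	// altered data, so a bare hash proves nothing, but the signature no longer verifies.
	forged := art
	forged.Payload = []byte("precinct=12;candidate_a=1042;candidate_b=1987\n")
	fmt.Println("forged digest:  ", Digest(forged.Payload))
	fmt.Println("accept forged:  ", Accept(pub, forged))

	// Attacker re-signs the altered report with a key of their own:
	// the origin check against the provisioned public key fails.
	_, attackerPriv := NewSigningKey()
	resigned := Sign(attackerPriv, forged.Name, forged.Payload)
	fmt.Println("accept re-signed:", Accept(pub, resigned))
}
```

Run it with `go run` and the genuine artifact prints `accept genuine: <nil>` while both attacker variants print the mismatch error. The design point is that `Accept` takes the trusted public key from the component's own provisioning, never from the artifact it is checking; an artifact that carried its own verification key would let an attacker supply a matching pair.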
For information that leaves the system, such as results reports, operators can validate a report's integrity by comparing the digital signature value printed on the report with the signature value shown by the voting system for that report; a report whose value differs has been altered or did not come from that system.
When you hear about the use of cryptography in voting systems, don’t just think of encryption – think about digital signatures. Encryption receives more attention and is more widely known as an information protection tool, but digital signatures address a larger segment of the election lifecycle. Digital signatures are the unsung heroes of voting system security, working against threats to both the system software and the election data and thereby delivering election integrity.