Wednesday, November 04, 2009

sha1sum as Program Integrity Verifier for the PCOS and CCS Pograms (Nov 05 09)

I am a Linux user. Linux is the best operating system for techie people. It is so good an operating system that even the Smartmatic PCOS PROGRAM runs on uClinux, and the Smartmatic CCS program runs on SuSE Linux. The computers that we should trust to run our national and local elections run on Linux!

Linux comes in several flavors, called distributions. A distribution consists of the Linux operating system kernel, together with a selection of utilities that, together with the kernel, makes a complete usable operating system. My favorite Linux distributions are Ubuntu (a derivative of Debian) and Fedora (from which RedHat is derived). The trouble with any Linux distribution is that Linux and the utilities are updated (source code improvements are made) on a regular basis, and the distributions are also updated to catch up with source code improvements. As a result of these improvements, a new version of Fedora, version 12, is coming in a few days, even before I could get familiar with the great features of version 11. So I have decided to change my Fedora distribution to CentOS, an enterprise Linux distribution that is based on RedHat, one that does not get updated as frequently as Fedora. We say that CentOS is built upon a reasonably stable source code base.

I decided to download the CentOS version 5.4 installer DVD from the Argonne National Laboratories mirror at the URL:

The download took a few hours, since the DVD is about 3.9GB in size. To make sure that there were no errors in downloading, I also downloaded the sha1 hash/checksum file:

This sha1sum.txt file contains the sha1 hash values of the CD/DVD files that you can download from Argonne. The specific sha1 hash value that I am interested in is the line in that file that reads:

d2b36d3f017b2684ac920fab87aaf741bba16ca8  CentOS-5.4-i386-bin-DVD.iso

Now I need to make sure that the DVD that I downloaded does not contain any errors, that I downloaded a correct copy of the CentOS installation DVD. In order to check the correctness of the downloaded DVD (verify the integrity of my download), I just run the "sha1sum" program as follows:

sha1sum CentOS-5.4-i386-bin-DVD.iso

After some wait, the sha1sum program prints out the sha1 hash value of the DVD as follows:

d2b36d3f017b2684ac920fab87aaf741bba16ca8 CentOS-5.4-i386-bin-DVD.iso

Comparing with the sha1 hash value from the file sha1sum.txt, I am able to confirm that my DVD installer is correct and is an authentic copy of the original CentOS installer from Argonne. Now I am happy that I can install CentOS on my laptop.

How does this integrity verifier work for our election programs: PCOS and CCS? This is my suggestion, which COMELEC may or may not implement. After all this is just a suggestion. After the election programs that will run on the PCOS and CCS computers have been source-code reviewed and approved by the Filipino IT community, and after successful testing by SysTest Labs, in front of representatives from all political parties, SysTest Labs will compute the sha1 hash values of the PCOS and CCS programs, using the Linux sha1sum program as illustrated earlier. These two hash values will be printed out and given to all watchers and BEI and BOC personnel. Then on election day, to verify that the programs that have been approved are the ones running on the PCOS and CCS computers, the BEI and BOC personnel will just run the sha1sum program on the PCOS and CCS election programs, respectively. If the sha1sum program prints out a sha1 hash value that is equal to the sha1 hash value of the approved programs given out by SysTest Labs, then the PCOS and CCS programs will be accepted as authentic, since they pass the integrity verifier.

With a program integrity verifier like this, confidence in automated elections will be enhanced, and people will start to trust COMELEC.

No comments: