captcha doc

Upload: sahilakhan

Post on 28-Mar-2015

Page 1: captcha doc

A CAPTCHA is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. Thus, it is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine. A common type of CAPTCHA requires that the user type the letters or digits of a distorted image that appears on the screen. A CAPTCHA is a program that can generate and grade tests that humans can pass but current computer programs cannot. For example, humans can read distorted text such as the one shown below, but current computer programs can't:

The term CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University. At the time, they developed the first CAPTCHA to be used by Yahoo.

Applications of CAPTCHAs

CAPTCHAs have several applications for practical security, including (but not limited to):

Preventing Comment Spam in Blogs. Most bloggers are familiar with programs that submit bogus comments, usually for the purpose of raising the search engine rank of some website (e.g., "buy penny stocks here"). This is called comment spam. By using a CAPTCHA, only humans can enter comments on a blog. There is no need to make users sign up before they enter a comment, and no legitimate comments are ever lost!

Protecting Website Registration. Several companies (Yahoo!, Microsoft, etc.) offer free email services. Up until a few years ago, most of these services suffered from a specific type of attack: "bots" that would sign up for thousands of email accounts every minute. The solution to this problem was to use CAPTCHAs to ensure that only humans obtain free accounts. In general, free services should be protected with a CAPTCHA in order to prevent abuse by automated scripts.

Protecting Email Addresses From Scrapers. Spammers crawl the Web in search of email addresses posted in clear text. CAPTCHAs provide an effective mechanism to hide your email address from Web scrapers. The idea is to require users to solve a CAPTCHA before showing your email address. A free and secure implementation that uses CAPTCHAs to obfuscate an email address can be found at reCAPTCHA MailHide.

Online Polls. In November 1999, http://www.slashdot.org released an online poll asking which was the best graduate school in computer science (a dangerous question to ask over the web!). As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuff the ballots using programs that voted for CMU thousands of times. CMU's score started growing rapidly. The next day, students at MIT wrote their own program and the poll became a contest between voting "bots." MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with less than 1,000. Can the result of any online poll be trusted? Not unless the poll ensures that only humans can vote.

Preventing Dictionary Attacks. CAPTCHAs can also be used to prevent dictionary attacks in password systems. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords by requiring it to solve a CAPTCHA after a certain number of unsuccessful logins. This is better than the classic approach of locking an account after a sequence of unsuccessful logins, since doing so allows an attacker to lock accounts at will.

Search Engine Bots. It is sometimes desirable to keep webpages unindexed to prevent others from finding them easily. There is an HTML tag to prevent search engine bots from reading web pages. The tag, however, doesn't guarantee that bots won't read a web page; it only serves to say "no bots, please." Search engine bots, since they usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a website, CAPTCHAs are needed.

Worms and Spam. CAPTCHAs also offer a plausible solution against email worms and spam: "I will only accept an email if I know there is a human behind the other computer." A few companies are already marketing this idea.
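The "Preventing Dictionary Attacks" item above can be implemented as a small login gate. The following is an added example in Python (not code from the original project, which is written in Java); `check_password` and `check_captcha` are assumed callbacks supplied by the application, and the threshold and window are illustrative values.

```python
import time
from dataclasses import dataclass, field

# Added example, not from the original document: demand a CAPTCHA after
# FAILURE_THRESHOLD recent failures on an account instead of locking it,
# so an attacker cannot lock a legitimate user out by sending wrong
# passwords, while automated guessing still costs one CAPTCHA per guess.
FAILURE_THRESHOLD = 3      # failures before a CAPTCHA is required (assumed)
WINDOW_SECONDS = 15 * 60   # failures older than this are forgotten (assumed)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures


class LoginGate:
    def __init__(self, check_password, check_captcha, now=time.time):
        self._check_password = check_password  # (user, password) -> bool, assumed
        self._check_captcha = check_captcha    # (user, answer) -> bool, assumed
        self._now = now                        # injectable clock for testing
        self._state = {}

    def _recent_failures(self, user):
        """Return the account state with failures outside the window dropped."""
        state = self._state.setdefault(user, AccountState())
        cutoff = self._now() - WINDOW_SECONDS
        state.failures = [t for t in state.failures if t > cutoff]
        return state

    def captcha_required(self, user):
        return len(self._recent_failures(user).failures) >= FAILURE_THRESHOLD

    def login(self, user, password, captcha_answer=None):
        """Return 'ok', 'captcha_required' or 'bad_credentials'."""
        state = self._recent_failures(user)
        if self.captcha_required(user):
            # The CAPTCHA is checked before the password, so a guessing
            # program learns nothing about the password until a human solves it.
            if captcha_answer is None or not self._check_captcha(user, captcha_answer):
                return "captcha_required"
        if self._check_password(user, password):
            state.failures.clear()   # a successful login resets the counter
            return "ok"
        state.failures.append(self._now())   # wrong guesses keep counting
        return "bad_credentials"
```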

Problems in text captcha:

We have successfully applied machine learning to the problem of solving HIPs (Human Interactive Proofs, another name for CAPTCHAs). We have learned that decomposing the HIP problem into segmentation and recognition greatly simplifies analysis. Recognition on even unprocessed images (given that segmentation is solved) can be done automatically using neural networks. Segmentation, on the other hand, is the difficulty differentiator between weaker and stronger HIPs and requires custom intervention for each HIP. We have used this observation to design new HIPs and new tests for machine learning algorithms with the hope of improving them.

Advantages of Image Captcha:

A good way to avoid automatic form submissions when creating a web form is to add some kind of verification. One of the best ways is to use an image verification, also called a captcha. What it does is to dynamically create an image with a random string displayed on it. The visitor is then asked to type that string in a text field, and once the form is submitted it checks whether the string on the image matches the one entered by the user. Because there is no easy way to read text from an image (image recognition), this is a good way to protect your web forms from spammers. For doing this CAPTCHA I would suggest using a session variable where you store the string generated and displayed on that dynamically generated image.
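The server side of the session-variable scheme just described, as an added example in Python (not the original project's JSP/Servlet code). Image rendering is assumed to happen elsewhere and receives only the answer; the session store, time-to-live and alphabet are assumptions, and the checks for expiry and single use are the caveats a practitioner would want on top of a plain string comparison.

```python
import hmac
import secrets
import string
import time

# Added example, not from the original document.  The random string lives
# only in the server-side session; the client gets the rendered image and an
# opaque session id, never the answer itself (no hidden form fields).
ALPHABET = string.ascii_uppercase + string.digits   # assumed character set
CHALLENGE_LENGTH = 6                                # assumed
CHALLENGE_TTL = 5 * 60                              # seconds a challenge stays valid (assumed)


class CaptchaSession:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._sessions = {}             # session id -> {"answer": str, "issued": float}

    def new_challenge(self):
        """Create a session and its challenge; return (session_id, answer).

        Only the session id goes to the client (in a cookie); the answer is
        handed to the image renderer and must never appear in HTML or JS."""
        sid = secrets.token_urlsafe(32)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LENGTH))
        self._sessions[sid] = {"answer": answer, "issued": self._now()}
        return sid, answer

    def verify(self, sid, submitted):
        """Check the submitted text against the stored challenge.

        The challenge is consumed on every attempt, right or wrong, so one
        image cannot be solved once and replayed for many form submissions,
        nor guessed repeatedly against the same stored answer."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return False                               # unknown or already used
        if self._now() - entry["issued"] > CHALLENGE_TTL:
            return False                               # expired
        expected = entry["answer"].encode()
        given = submitted.strip().upper().encode()     # case-insensitive for users
        return hmac.compare_digest(expected, given)    # constant-time comparison
```

After a failed verification the form should be re-rendered with a fresh challenge from `new_challenge()`.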

Abstract:

In this paper, we introduce the concept of Public-Key embedded Graphic CAPTCHAs and their usage as an anti-phishing mechanism. These CAPTCHAs contain a user-specific image object and a pattern of a secure channel invariant, wherein the image object and pattern are linked. By virtue of a built-in one/two-way implicit challenge mechanism and this verifiable association between the image object and the specific sub-pattern of the Public Key, they help in detecting/resisting automated or human-assisted phishing attacks.

We have presented a mutual authentication mechanism based on simple identification of an image and text within a CAPTCHA. The solution is based on the proposed concept of Public-Key embedded Graphic CAPTCHAs, which encode a challenge based on a unique mapping between image object types and bit positions of the Public Key of the website. We have also described how the proposed solution can augment legacy password-based authentication mechanisms and make them resistant to man-in-the-middle phishing attacks. We have also given a proposed functional architecture for the solution as well as a set of guidelines for effective implementation. We have implemented a browser plugin based on this idea and plan to conduct user studies to test its effectiveness and user acceptance.

Software Used:

Language: Java, JavaScript, XML
Framework: Struts 1.2, Ajax
Technology: JSP, Servlet
Build Tool: Apache Ant 1.7.0
Database: MySQL 5.0
Web Server: Tomcat 5.5

Literature Survey:

[1] Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why phishing works. In CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 581–590, New York, NY, USA, 2006. ACM Press.

[2] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), April 2006. Updated by RFCs 4366, 4680, 4681.

[3] Amir Herzberg and Ahmad Gbara. Security and identification indicators for browsers against spoofing and phishing attacks. Cryptology ePrint Archive, Report 2004/155, 2004.

[4] Avivah Litan. Phishing attack victims likely targets for identity theft. Gartner First Take FT-22-8873, Gartner Research, 2004.

[5] G. Mori and J. Malik. Recognizing objects in adversarial clutter: breaking a visual CAPTCHA, 2003.

[6] M. A. Sasse, S. Brostoff, and D. Weirich. Transforming the 'weakest link': a human/computer interaction approach to usable and effective security. BT Technology Journal, 19(3):122–131, 2001.

[7] L. von Ahn, M. Blum, N. Hopper, and J. Langford. CAPTCHA: Using hard AI problems for security. In Proceedings of Eurocrypt, pages 294–311, 2003.

[8] Luis von Ahn, Manuel Blum, and John Langford. Telling humans and computers apart automatically. Commun. ACM, 47(2):56–60, 2004.

[9] Min Wu, Robert C. Miller, and Simson L. Garfinkel. Do security toolbars actually prevent phishing attacks? In CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 601–610, New York, NY, USA, 2006. ACM Press.

[10] Zishuang (Eileen) Ye, Sean Smith, and Denise Anthony. Trusted paths for browsers. ACM Trans. Inf. Syst. Secur., 8(2):153–186, 2005.