captcha doc
A CAPTCHA is a type of challenge-response test used in computing to
ensure that the response is not generated by a computer. The process usually
involves one computer (a server) asking a user to complete a simple test
which the computer is able to generate and grade. Because other computers
are unable to solve the CAPTCHA, any user entering a correct solution is
presumed to be human. Thus, it is sometimes described as a reverse Turing
test, because it is administered by a machine and targeted to a human, in
contrast to the standard Turing test that is typically administered by a human
and targeted to a machine. A common type of CAPTCHA requires that the
user type the letters or digits of a distorted image that appears on the screen.
A CAPTCHA is a program that can generate and grade tests that humans can
pass but current computer programs cannot. For example, humans can read
distorted text such as the one shown below, but current computer programs can't:
The term CAPTCHA (for Completely Automated Turing Test To Tell
Computers and Humans Apart) was coined in 2000 by Luis von Ahn,
Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon
University. At the time, they developed the first CAPTCHA to be used by
Yahoo.
Applications of CAPTCHAs
CAPTCHAs have several applications for practical security, including (but
not limited to):
Preventing Comment Spam in Blogs. Most bloggers are familiar
with programs that submit bogus comments, usually for the purpose
of raising search engine ranks of some website (e.g., "buy penny
stocks here"). This is called comment spam. By using a CAPTCHA,
only humans can enter comments on a blog. There is no need to make
users sign up before they enter a comment, and no legitimate
comments are ever lost!
Protecting Website Registration. Several companies (Yahoo!,
Microsoft, etc.) offer free email services. Up until a few years ago,
most of these services suffered from a specific type of attack: "bots"
that would sign up for thousands of email accounts every minute. The
solution to this problem was to use CAPTCHAs to ensure that only
humans obtain free accounts. In general, free services should be
protected with a CAPTCHA in order to prevent abuse by automated
scripts.
Protecting Email Addresses From Scrapers. Spammers crawl the
Web in search of email addresses posted in clear text. CAPTCHAs
provide an effective mechanism to hide your email address from Web
scrapers. The idea is to require users to solve a CAPTCHA before
showing your email address. A free and secure implementation that
uses CAPTCHAs to obfuscate an email address can be found at
reCAPTCHA MailHide.
Online Polls. In November 1999, http://www.slashdot.org released an
online poll asking which was the best graduate school in computer
science (a dangerous question to ask over the web!). As is the case
with most online polls, IP addresses of voters were recorded in order
to prevent single users from voting more than once. However,
students at Carnegie Mellon found a way to stuff the ballots using
programs that voted for CMU thousands of times. CMU's score
started growing rapidly. The next day, students at MIT wrote their
own program and the poll became a contest between voting "bots."
MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and
every other school with less than 1,000. Can the result of any online
poll be trusted? Not unless the poll ensures that only humans can vote.
Preventing Dictionary Attacks. CAPTCHAs can also be used to
prevent dictionary attacks in password systems. The idea is simple:
prevent a computer from being able to iterate through the entire space
of passwords by requiring it to solve a CAPTCHA after a certain
number of unsuccessful logins. This is better than the classic approach
of locking an account after a sequence of unsuccessful logins, since
doing so allows an attacker to lock accounts at will.
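An added illustration of the policy just described (example code, not part of the original document): after a few failed logins the account is not locked, but every further attempt must come with a solved CAPTCHA. The threshold and time window are assumed values.

```python
import time
from collections import defaultdict

# Assumed policy values (not from the page): how many recent failures trigger
# the CAPTCHA requirement, and how long a failure counts against the account.
FAILURES_BEFORE_CAPTCHA = 3
WINDOW_SECONDS = 900


class LoginGate:
    """Track failed logins per account and demand a CAPTCHA instead of locking.

    The account is never disabled, so nobody can lock a user out by guessing
    wrong on purpose; a script, however, cannot keep iterating the password
    space because each further attempt requires a solved CAPTCHA."""

    def __init__(self):
        # username -> timestamps of recent failed attempts
        self._failures = defaultdict(list)

    def _recent_failures(self, username, now):
        cutoff = now - WINDOW_SECONDS
        kept = [t for t in self._failures[username] if t > cutoff]
        self._failures[username] = kept
        return len(kept)

    def captcha_required(self, username, now=None):
        now = time.time() if now is None else now
        return self._recent_failures(username, now) >= FAILURES_BEFORE_CAPTCHA

    def attempt(self, username, password_ok, captcha_passed=False, now=None):
        """password_ok is the result of the caller's credential check;
        captcha_passed says whether a CAPTCHA was solved for this request.
        Returns "ok", "denied" or "captcha_required"."""
        now = time.time() if now is None else now
        if self.captcha_required(username, now) and not captcha_passed:
            # Answer before consulting the password result, so the response
            # reveals nothing about whether the guess was right.
            return "captcha_required"
        if password_ok:
            self._failures.pop(username, None)  # success clears the counter
            return "ok"
        self._failures[username].append(now)
        return "denied"
```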
Search Engine Bots. It is sometimes desirable to keep webpages
unindexed to prevent others from finding them easily. There is an
HTML tag to prevent search engine bots from reading web pages. The
tag, however, doesn't guarantee that bots won't read a web page; it
only serves to say "no bots, please." Search engine bots, since they
usually belong to large companies, respect web pages that don't want
to allow them in. However, in order to truly guarantee that bots won't
enter a web site, CAPTCHAs are needed.
Worms and Spam. CAPTCHAs also offer a plausible solution
against email worms and spam: "I will only accept an email if I know
there is a human behind the other computer." A few companies are
already marketing this idea.
Problems in text captcha:
We have successfully applied machine learning to the problem of
solving HIPs (Human Interactive Proofs). We have learned that decomposing
the HIP problem into segmentation and recognition greatly simplifies
analysis. Recognition, even on unprocessed images (given that segmentation
is solved), can be done automatically using neural networks. Segmentation,
on the other hand, is the difficulty differentiator between weaker and
stronger HIPs and requires custom intervention for each HIP. We have used
this observation to design new HIPs and new tests for machine learning
algorithms with the hope of improving them.
Advantages of Image Captcha:
A good way to avoid automatic form submissions when creating a
web form is to add some kind of verification. One of the best ways is to use
image verification, also called a CAPTCHA. What it does is dynamically
create an image with a random string displayed on it. The visitor is then asked
to type that string into a text field, and once the form is submitted the server
checks whether the string on the image matches the one entered by the user.
Because there is no easy way to read text from an image (image recognition),
this is a good way to protect your web forms from spammers. For this CAPTCHA
I would suggest using a session variable where you store the string generated
and displayed on that dynamically generated image.
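The server side of that flow, as an added example (not the project's code, and written in Python rather than the project's Java/JSP stack): the random string is kept only in the server-side session, the browser receives just the rendered image, and the answer is checked once, with an expiry, in constant time. `session` stands in for whatever server-side session store is used; the lifetime value is assumed.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_LEN = 6
TTL_SECONDS = 300  # assumed lifetime of an unanswered challenge


def new_challenge(session, now=None):
    """Generate a fresh CAPTCHA string, store it in the session, and return it
    to the caller, which draws it into a distorted image with its own image
    library. Only the image is sent to the client; the text never is."""
    text = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LEN))
    session["captcha"] = {"text": text, "issued": time.time() if now is None else now}
    return text


def verify_captcha(session, answer, now=None):
    """Check the submitted answer against the session and consume the challenge.

    Returns True only if a live, unexpired challenge matches (case-insensitive).
    The challenge is removed before checking, so a wrong guess cannot be
    retried against the same image and a right answer cannot be replayed."""
    now = time.time() if now is None else now
    challenge = session.pop("captcha", None)
    if challenge is None:
        return False
    if now - challenge["issued"] > TTL_SECONDS:
        return False
    expected = challenge["text"].encode()
    given = (answer or "").strip().upper().encode()
    # compare_digest returns False on unequal lengths without short-circuiting.
    return hmac.compare_digest(expected, given)
```

On a wrong answer the form should be re-shown with a new image from new_challenge, not the old one.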
Abstract:
In this paper, we introduce the concept of Public-Key embedded
Graphic CAPTCHAs and their usage as an Anti-Phishing mechanism. These
CAPTCHAs contain a user-specific image object and a pattern of a secure
channel invariant, wherein the image object and pattern are linked. By virtue
of a built-in one/two-way implicit challenge mechanism and this verifiable
association between the image object and the specific sub-pattern of the
Public Key, they help in detecting/resisting automated or human-assisted
Phishing attacks.
We have presented a mutual authentication mechanism based on simple
identification of an image and text within a CAPTCHA. The solution is
based on the proposed concept of Public-Key embedded Graphic
CAPTCHAs, which encode a challenge based on a unique mapping between
Image object types and bit positions of the Public Key of the website. We
have also described how the proposed solution can augment the legacy
Password-based authentication mechanisms and make them resistant to
Man-in-the-Middle Phishing attacks. We have also given a proposed
functional architecture for the solution as well as a set of guidelines for
effective implementation. We have implemented a browser plugin
based on this idea and plan to conduct User studies to test its effectiveness
and user acceptance.
Software Used:
Language: Java, JavaScript, XML
Framework: Struts 1.2, Ajax
Technology: JSP, Servlet
Build Tool: Apache Ant 1.7.0
Database: MySQL 5.0
Web Server: Tomcat 5.5
Literature Survey:
[1] Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why phishing works.
In CHI '06: Proceedings of the SIGCHI Conference on Human Factors in
Computing Systems, pages 581–590, New York, NY, USA, 2006. ACM Press.
[2] T. Dierks and E. Rescorla. The Transport Layer Security (TLS)
Protocol Version 1.1. RFC 4346 (Proposed Standard), April 2006. Updated
by RFCs 4366, 4680, 4681.
[3] Amir Herzberg and Ahmad Gbara. Security and identification
indicators for browsers against spoofing and phishing attacks. Cryptology
ePrint Archive, Report 2004/155, 2004.
[4] Avivah Litan. Phishing attack victims likely targets for identity
theft. In Gartner First Take FT-22-8873, Gartner Research, 2004.
[5] G. Mori and J. Malik. Recognizing objects in adversarial clutter:
breaking a visual CAPTCHA, 2003.
[6] M. A. Sasse, S. Brostoff, and D. Weirich. Transforming the
'weakest link': a human/computer interaction approach to usable and
effective security. BT Technology Journal, 19(3):122–131, 2001.
[7] L. von Ahn, M. Blum, N. Hopper, and J. Langford. CAPTCHA:
Using hard AI problems for security. In Proceedings of Eurocrypt, pages
294–311, 2003.
[8] Luis von Ahn, Manuel Blum, and John Langford. Telling humans
and computers apart automatically. Commun. ACM, 47(2):56–60, 2004.
[9] Min Wu, Robert C. Miller, and Simson L. Garfinkel. Do security
toolbars actually prevent phishing attacks? In CHI '06: Proceedings of the
SIGCHI Conference on Human Factors in Computing Systems, pages 601–610,
New York, NY, USA, 2006. ACM Press.
[10] Zishuang (Eileen) Ye, Sean Smith, and Denise Anthony. Trusted
paths for browsers. ACM Trans. Inf. Syst. Secur., 8(2):153–186, 2005.