INS CASE STUDY
CAPTCHA
A
STUDY
AND
IMPLEMENTATION
GOUTAM M33
VIJAY MADHANI34
NISHKAM RAZDAN46
Introduction
A CAPTCHA or Captcha is a type of challenge-response test used in computing as an attempt to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are supposedly unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. A common type of CAPTCHA requires the user to type letters or digits from a distorted image that appears on the screen.
Standard Interpretation:
Player C an interrogator is tasked with trying to determine who among A and B is a human or a computer. A captcha is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine.
Characteristics
A CAPTCHA is a means of automatically generating challenges which intends to:
- Provide a problem easy enough for all humans to solve.
- Prevent standard automated software from filling out a form.
This has the benefit of distinguishing humans from computers. It also creates incentive to further develop artificial intelligence of computers.
Types of CAPTCHAS
Text: By far the most common type of captcha involves the use of letters that are arranged randomly and are distorted in some way with various background colours or fonts.
Audio: Audio CAPTCHA’s for the visually impaired are probably the second most common type of CAPTCHA.
Miscellaneous: There are also other CAPTCHA’s that require you to solve a problem that should be easy for a person but very hard for a computer to solve such as choosing which item in a list is not a bird for example but the problem with this is that one needs to have a large number of questions before it really becomes effective.
Applications of CAPTCHAs
CAPTCHAs have several applications for practical security, including (but not limited to):
- Preventing Comment Spam in Blogs. Most bloggers are familiar with programs that submit bogus comments, usually for the purpose of raising search engine ranks of some website. This is called comment spam. By using a CAPTCHA, only humans can enter comments on a blog. There is no need to make users sign up before they enter a comment, and no legitimate comments are ever lost.
- Protecting Website Registration. Several companies (Yahoo!, Microsoft, etc.) offer free email services. Up until a few years ago, most of these services suffered from a specific type of attack: "bots" that would sign up for thousands of email accounts every minute. The solution to this problem was to use CAPTCHAs to ensure that only humans obtain free accounts. In general, free services should be protected with a CAPTCHA in order to prevent abuse by automated scripts.
- Protecting Email Addresses from Scrapers. Spammers crawl on the Web in search of email addresses posted in clear text. CAPTCHAs provide an effective mechanism to hide your email address from Web scrapers. The idea is to require users to solve a CAPTCHA before showing one’s email address.
- Online Polls. Can the result of any online poll be trusted? Not unless the poll ensures that only humans can vote.
- Preventing Dictionary Attacks. CAPTCHAs can also be used to prevent dictionary attacks in password systems. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords by requiring it to solve a CAPTCHA after a certain number of unsuccessful logins. This is better than the classic approach of locking an account after a sequence of unsuccessful logins, since doing so allows an attacker to lock accounts at will.
- Search Engine Bots. It is sometimes desirable to keep WebPages unindexed to prevent others from finding them easily. There is an html tag to prevent search engine bots from reading web pages. The tag, however, doesn't guarantee that bots won't read a web page; it only serves to say "no bots, please." Search engine bots, since they usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a web site, CAPTCHAs are needed.
- Worms and Spam. CAPTCHAs also offer a plausible solution against email worms and spam: "I will only accept an email if I know there is a human behind the other computer." A few companies are already marketing this idea.
Guidelines
- Accessibility. CAPTCHAs must be accessible. CAPTCHAs based solely on reading text — or other visual-perception tasks — prevent visually impaired users from accessing the protected resource. Such CAPTCHAs may make a site incompatible with Section 508 in the United States. Any implementation of a CAPTCHA should allow blind users to get around the barrier, for example, by permitting users to opt for an audio or sound CAPTCHA.
- Image Security. CAPTCHA images of text should be distorted randomly before being presented to the user. Many implementations of CAPTCHAs use undistorted text, or text with only minor distortions. These implementations are vulnerable to simple automated attacks.
- Script Security. Building a secure CAPTCHA code is not easy. In addition to making the images unreadable by computers, the system should ensure that there are no easy ways around it at the script level. Common examples of insecurities in this respect include: (1) Systems that pass the answer to the CAPTCHA in plain text as part of the web form. (2) Systems where a solution to the same CAPTCHA can be used multiple times (this makes the CAPTCHA vulnerable to so-called "replay attacks"). Most CAPTCHA scripts found freely on the Web are vulnerable to these types of attacks.
- Security Even After Wide-Spread Adoption. There are various "CAPTCHAs" that would be insecure if a significant number of sites started using them. An example of such a puzzle is asking text-based questions, such as a mathematical question ("what is 1+1"). Since a parser could easily be written that would allow bots to bypass this test, such "CAPTCHAs" rely on the fact that few sites use them, and thus that a bot author has no incentive to program their bot to solve that challenge. True CAPTCHAs should be secure even after a significant number of websites adopt them.
Example
Ways to break CAPTCHAs
-Bypassing the CAPTCHA safeguard by exploiting bugs in the system.
-Using OCR technology or advanced AI pattern recognition.
-Using cheap human labour in sweatshops.
-Reusing the session ID of a known image.
-Cracking the hash functions used in certain CAPTCHA implementations
Example
High Level Description
1. EZ-Gimpy
An example algorithm for breaking EZ-Gimpy consists of 3 main steps:
- Locate possible letters at various locations
- Construct graph of consistent letters
- Look for plausible words in the graph
This page will give a high level description of these steps, using the image below as an example.
Candidate Letters
The first step is to hypothesize a set of candidate letters in the image. This is done using shape matching techniques The method essentially looks at a bunch of points in the image at random, and compares these points to points on each of the 26 letters. The comparison is done in a way that is very robust to background clutter and outliers and deformation of the letters. The process usually results in 3-5 candidate letters per actual letter in the image.
In the example shown here, the "p" of profit matches well to both an "o" or a "p", the border between the "p" and the "r" look a bit like a "u", and so forth. At this stage we have many candidates, to be sure we don't miss anything for later steps.
Consistent Letters
Next, pairs of letters are to see whether or not they are "consistent", or can be used consecutively to form a word. In the example below, green lines are drawn between pairs of letters that could be chained together to form a complete word.
Plausible Words
There are many possible paths through the graph of letters constructed in the previous step. However, most of them do not form real words. For example, "pfql" is a path through the graph, but we don't need to consider it further since it isn't a real word. It turns out that the vast majority of paths through the graph are meaningless.
We select out the real words in the graph, and assign scores to them based on how well their individual letters match the image. In this example, 2 complete words are found, "roll" and "profit". We compute matching scores for each letter or these words, and find that "profit", with a score of 9.42 (lower is better, it's a distance measure) matches the image better than "roll", that has a score of 11.94.
IMPLEMENTATION
A javascript CAPTCHA.
html
head
title>Captcha</title>
<script type="text/javascript">
//Created / Generates the captcha function
functionDrawCaptcha()
{
var a = Math.ceil(Math.random() * 10)+ '';
var b = Math.ceil(Math.random() * 10)+ '';
var c = Math.ceil(Math.random() * 10)+ '';
var d = Math.ceil(Math.random() * 10)+ '';
var e = Math.ceil(Math.random() * 10)+ '';
var f = Math.ceil(Math.random() * 10)+ '';
var g = Math.ceil(Math.random() * 10)+ '';
var code = a + ' ' + b + ' ' + ' ' + c + ' ' + d + ' ' + e + ' '+ f + ' ' + g;
document.getElementById("txtCaptcha").value = code
}
// Validate the Entered input aganist the generated security code function
functionValidCaptcha(){
var str1 = removeSpaces(document.getElementById('txtCaptcha').value);
var str2 = removeSpaces(document.getElementById('txtInput').value);
if (str1 == str2) return true;
return false;
}
// Remove the spaces from the entered and generated code
functionremoveSpaces(string)
{
returnstring.split(' ').join('');
}
</script>
</head>
<body onload="DrawCaptcha();">
table
tr
<td
Welcome ToCaptchabr />
</td>
</tr
tr
<td
<input type="text" id="txtCaptcha"
style="background-image:url(1.jpg); text-align:center; border:none;
font-weight:bold; font-family:Modern" />
<input type="button" id="btnrefresh" value="Refresh" onclick="DrawCaptcha();" />
</td>
</tr
tr
<td
<input type="text" id="txtInput"/>
</td>
</tr
tr
<td
<input id="Button1" type="button" value="Check" onclick="alert(ValidCaptcha());"/>
</td>
</tr
</table>
</body>
</html>
SCREENSHOTS