CAPTCHA:OutlineDescriptionDescription (cont.)UsageText CAPTCHAWeak Text CAPTCHAStrong Text CAPTCHAImage CAPTCHAESP-Pix Picture CAPTCHAAudio CAPTCHAreCaptchaCriticismSecuritySecurity (cont.)SummaryReferencesQuestionsCAPTCHA:CAPTCHA:William StricklandCOT4810 Spring 2008April 17, 2008Outline•Description•Usage•General types–Text –Image–Audio•reCaptcha•Criticisms •Security•SummaryDescription•Completely Automated Public Turing test to tell Computers and Humans Apart.•Simple implementation by AltaVista in 1997.•Term CAPTCHA and specifications formalized in 2000 at Carnegie Mellon University.Description (cont.)•Specifications:–Cannot be solved by current computers.–Can be solved by humans.–Remains strong if attacker knows generation algorithm.•Designed to detect that user is human, not which human.Usage•CAPTCHA can prevent or deter–Automated spam email.–Automated postings into forums.–Abuse of online purchase systems.–Brute force attacks against web resources such as email services like Gmail.–Abuse of bandwidth to other web resources.Text CAPTCHA•Most common form of CAPTCHA.•Closely related to OCR.•Many Algorithms exist, most of them bad.•Obscures text with:–Perturbation – manipulation of characters.–Addition of stray marks.–Masking Patterns–Random noise.Weak Text CAPTCHA•Rapid Share’s CAPTCHA•EZ-Gimpy (formerly used by yahoo)Strong Text CAPTCHA•Passport CAPTCHA•Yahoo’s CAPTCHAImage CAPTCHA•Provide the user with a series of images•Ask the user to:–Identify a picture matching a description–Identify a common theme to the images•Requires huge databases of images with metadata to provides sets.ESP-Pix Picture CAPTCHAAudio CAPTCHA•Play scrambled audio to user.•Compares against metadata.•Developed to aid blind users.•Strong audio CAPTCHA often impossible for users to decipher.reCaptcha•Make use of Human Computing Power–Take text from books that could not be deciphered with OCR.–Garble the text up more.–Provide alongside known garbled text.–Have user decipher both (authenticate with known).–Repeat until enough users agree on the unknown text.–This text is now known and book has been digitally encoded.•Strong CAPTCHA that accomplishes work.Criticism•Exclusionary to Users with disabilities.•No official standards or ruling body for creation of CAPTCHA algorithms.•Difficult user interactions.•No published for proper implementation of algorithms.Security•Very hard to balance effectiveness of CAPTCHA and usability.•Difficult for programmer to identify bad CAPTCHA algorithms.•Researchers frequently break seemingly strong CAPTCHA. •Algorithms possibility protected under DMCA.Security (cont.)•Methods to break:–OCR–Artificial Intelligence –Turing Farm–Porn Turing Farm•None of these methods are effective in the wild.•Spam business model breaks down with small increases in operating costs.Summary•CAPTCHA do not provide individual authentication.•CAPTCHA cannot stop extravagant exploits that utilize humans.•In some situations user authentication is more suited. •CAPTCHA are difficult to design.•CAPTCHA are effective in reducing spam and automated attacks.References•“Are You Human?” July 19, 2007. Podcast. “Security Now!.” grc.com. July 19,2007. <https://www.grc.com/securitynow.htm>.•Palo Alto Research Corporation, "History." Palo Alto Research Corporation. 28 Feb 2003. 17 Apr 2008 <http://www2.parc.com/istl/projects/captcha/history.htm >. •captchas.net, “Free CAPTCHA-Service.” captchas.net. 17 Apr 2008. 17 Apr 2008. <http://captchas.net/>.•Hocevar, Sam. PWNtcha - captcha decoder. 17 Apr 2008. 17 Apr 2008 <http://sam.zoy.org/pwntcha/>. •Mori, Greg. Malik, Jitendra. "Recognizing Objects in Adversarial Clutter:Breaking a Visual CAPTCHA." •Ahn, Luis von. Blum, Manuel. and Langford, John. "Telling Humans and Computers Apart Automatically." Communications of the ACM 47(2004) •Chellapilla, Kumar. Simard, Patrice Y. "Recognizing Using Machine Learning to Break Visual (HIPs)."Questions•True or False, CAPTCHA can provide User authentication. •Name one tool used to obscure source text in Text CAPTCHA
View Full Document
Unlocking...