Evaluation of captcha technologies
•Download as PPTX, PDF•
2 likes•764 views
I present a new security primitive based on hard AI problems, namely, a novel family of graph-ical password systems built on top of Captcha technology, which we call Captcha as graphical passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set. CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as PassPoints, that often leads to weak password choices. CaRP is not a panacea, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Evaluation of captcha technologies
Similar to Evaluation of captcha technologies (20)
Recently uploaded
Recently uploaded (20)
Evaluation of captcha technologies
- 1. CAPTCHA Are you Human? (Sorry, I have to ask) Presentation by B. Monika Keerthi
- 2. Password What is PASSWORD? PASSWORD is a secret word or string of characters that is used for user authentication to prove his identity and gain access to resources. What is AUTHENTICATION? Authentication is a process of confirmation of a persons identity. Text Password: Text password is a string of characters that is used for user authentication to prove his identity and gain access to resources. Graphical Password: A graphical password is an authentication system that works by having the user select from images, in a specific order, presented in a graphical user interface (GUI). For this reason, the graphical-password approach is sometimes called Graphical user authentication (GUA).
- 3. Types of Graphical passwords Recall BasedTechniques A user is asked to reproduce something that he created or selected earlier during the registration stage Recognition BasedTechniques A user is presented with a set of images and the user passes the authentication by recognizing and identifying the images he selected during the registration stage. Cued-recallTechnique An extra cue is provided to users to remember and target specific locations within a presented image.
- 4. Draw-A-Secret (DAS) Scheme Recall BasedTechniques: Signature scheme Pass Point Scheme Recognition BasedTechniques Dhamija and Perrig Scheme Sobrado and Birget Scheme Pass face scheme
- 5. CAPTCHA CAPTCHA – Completely Automated Public Turing test to tell Computers & Humans Apart. • Invented at CMU by Luis von Ahn, Manuel Blum, et.al. • It is a program, which acts as a challenge response to test to separate humans from computer programs. Generic CAPTCHAs distortletters&numbers- Distorted characters are presented to the user. User has to recognize the distorted letters. If the guessed letters are correct, the user is inferred to be a human & allowed access. Humans can read the distorted & noisy text. Current OCRs(OpticalCharacter Recognition) cannot read them.
- 6. Background TuringTest “Standard Interpretation" player C, the interrogator,is tasked with trying to determine which player A or B is a computer and which is a human. ReverseTuringTest It is administered by a machine and targeted to a human.
- 7. Types of CAPTCHAs Text CAPTCHA Gimpy CAPTCHA EZ Gimpy MSN CAPTCHA GraphicCAPTCHA Bongo PIX Audio CAPTCHA
- 8. TextCAPTCHA 1.Text Based- Simple, normal questions :- What is the sum of five & ninty-five ? If today is Monday, what is day before yesterday ? Which of mango, table & water is a fruit ? Very effective, needs a large question bank. Congnitively challenged users find it hard.
- 9. Gimpy CAPTCHA Gimpy- Designed byYahoo & CMU(Carnegie Mellon University) Picks up 10 random words from dictionary & distorts, fills with noise. User has to recognize at least 3 words. If the user is correct, then he is admitted.
- 10. EZGimpy EZ-Gimpy- A modified version of Gimpy. Yahoo used this version in Messenger. Has only 1 random string of characters. Not a dictionary word, so not prone to dictionary attack. Not a good implementation , already broken by OCRs(Optical Character Recognition).
- 11. MSN CAPTCHA MSNs passport serviceCAPATCHAs- Provided for Microsoft’s MSN services. Use of 8 characters. Warping is used to distort. Very strong implementation, hasn’t been broken. It is segmentation-resistant.
- 12. Graphic CAPTCHA 2.Graphic basedCAPTCHAs- 1. BONGO- User has to solve a pattern recognition problem. Has to tell the distinct characteristic between two sets of figures. Then tell to which set a given figure belongs to.
- 13. Graphic CAPTCHA 2. PIX- Uses a large database of labelled images. It shows a set of images, user has to recognize the common feature among those. Eg :- pick the common characteristic among the following 4 pictures =“aeroplane”.
- 14. Audio CAPTCHA 3.AudioCAPTCHAs- Consists of downloadable audio clip. User listens & enters the spoken word. Helps visually disabled users. Below is the Google’s audio enabled CAPTCHA-
- 15. reCAPTCHA reCAPTCHA (2007) reCAPTCHA is a free service to protect your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. New form of CAPTCHA that also helps digitize books; The words displayed to the user come directly from old books that are being digitized; Words that OCR could not identify;
- 16. Old text that needs to be digitalized(correctly!) OCRTranscript reCAPTCHATranscript
- 17. reCAPTCHA 17
- 18. CAPTCHA as Graphical Password Scheme (CaRP) CaRP: An Overview • Captcha is now a standard Internet security technique to protect online email and other services from being abused by bots. • A new security primitive based on hard AI problems, namely, a novel family of graphical password systems integrating Captcha technology, called as CaRP. • CaRP is click-based graphical passwords, where a sequence of clicks on an image is used to derive a password • In CaRP, a new image is generated for every login attempt. • CaRP uses an alphabet of visual objects (e.g., alphanumerical characters, similar animals) to generate CaRP image • CaRP schemes are clicked-based graphical passwords.
- 19. User authentication with CaRP schemes A typical way to apply CaRP schemes in user authentication is as follows. Flowchart of basic CaRP authentication.
- 20. Recognition basedCaRP 1.ClickText ClickText is a recognition-basedCaRP scheme built on top of text Captcha. A ClickText password is a sequence of characters in the alphabet, e.g.ρ =“AB#9CD87”, which is similar to a text password. Click-Text image with 33 characters
- 21. Recognition basedCaRP 2.Click Animal ClickAnimal is a recognition-basedCaRP scheme built on top of Captcha Zoo ,with an alphabet of similar animals such as dog, horse, cat, etc. Its password is a sequence of animal names such as ρ = “Turkey, Cat, Horse, Dog,….” Captcha Zoo with horses circled red. A Click Animal image
- 22. Recognition basedCaRP 3.Animal Grid AnimalGrid is a combination of Click Animal and CAS. Click-A-Secret (CAS) wherein a user clicks the grid cells in his password. To enter a password, a ClickAnimal image is displayed first. After an animal is selected, an image of n × n grid appears, with the grid- cell size equaling the bounding rectangle of the selected animal. A ClickAnimal image 6 × 6 grid
- 23. Applications Applications CaRP can be applied on touch-screen devices . Many e-banking systems uses Captchas in user logins that requires solving a Captcha challenge for every online login attempt. CaRP increases spammer’s operating cost and thus helps reduce spam emails. If CaRP is combined with a policy to throttle the number of emails sent to new recipients per login session, leads to reduced outbound spam traffic.
- 24. Conclusions CaRP is both a Captcha and a graphical password scheme. A desired security property that other graphical password schemes lack. CaRP is also resistant to Captcha relay attacks, and, if combined with dual- view technologies shoulder-surfing attacks. CaRP can also help to reduce spam emails sent from aWeb email service More efforts will be attracted by CaRP than ordinary Captcha. CaRP does not rely on any specific Captcha scheme.
Editor's Notes
- Token based authentication key cards, band cards, smart card, … Biometric based authentication Fingerprints, iris scan, facial recognition, … Knowledge based authentication text-based passwords, picture-based passwords, … most widely used authentication techniques Difficulty of remembering passwords easy to remember -> easy to guess hard to guess -> hard to remember An example of a graphical password uses an image on the screen and lets the user choose a few click points; these click points are the "password", and the user has to click closely to these points again in order to log in. a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
- Let me put in a live example: when I entered the campus..i saw a person receiving us. So now I will recall I saw a person can I remember his face?-recall If i met him again I will recognize him as tht person-recognition If he says u saw me at so and so place-cued
- User draws a simple picture on a 2D grid, the coordinates of the grids occupied by the picture are stored in the order of drawing Redrawing has to touch the same grids in the same sequence in authentication. User studies showed the drawing sequences is hard to remember. Here authentication is conducted by having the user drawing their signature using a mouse. User click on any place on an image to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated, user must click within the tolerances in the correct sequence Pick several pictures out of many choices, identify them later in authentication System display a number of pass-objects (pre-selected by user) among many other objects, user click inside the convex hull bounded by pass-objects advatages Graphical password schemes provide a way of making more human-friendly passwords while increasing the level of security. Here the security of the system is very high. Dictionary attacks and brute force search are infeasible. disadvantages Password registration and log-in process take too long. Require much more storage space than text based passwords. Shoulder Surfing .
- CAPTCHA employs a Reverse Turing Test. Why CAPTCHA was needed ? Sabotage of Online Polls. Spam e-mails. Abusing free Online accounts. Tampering with rankings on recommendation systems (like Ebay, Amazon) Judge = CAPTCHA program, participant = user If the user passes CAPTCHA, he is human otherwise it is a machine.
- The authentication server AS stores a salt s and a hash value H(ρ,s) for each user ID . Upon receiving a login request, AS generates a CaRP image. The coordinates of the clicked points are recorded and sent to AS along with the user ID. AS maps the received coordinates onto the CaRP image, and recovers a sequence of visual object IDs . Then AS retrieves salt s of the account, calculates the hash value of ρ with the salt. Authentication succeeds only if the two hash values match.