CAPTCHA Are you Human? (Sorry, I have to ask) Presentation by B. Monika Keerthi

Evaluation of captcha technologies


Page 1: Evaluation of captcha technologies

CAPTCHA: Are you Human?

(Sorry, I have to ask)

Presentation by B. Monika Keerthi

Page 2: Evaluation of captcha technologies

Password

What is a PASSWORD?

A password is a secret word or string of characters used for user authentication: the user presents it to prove their identity and gain access to resources.

What is AUTHENTICATION?

Authentication is the process of confirming a person's identity.

Text Password:

A text password is a string of characters that is used for user authentication to prove the user's identity and gain access to resources.

Graphical Password:

A graphical password is an authentication system in which the user selects from images, in a specific order, presented in a graphical user interface (GUI).

For this reason, the graphical-password approach is sometimes called graphical user authentication (GUA).

Page 3: Evaluation of captcha technologies

Types of Graphical passwords

Recall Based Techniques: A user is asked to reproduce something that he created or selected earlier, during the registration stage.

Recognition Based Techniques: A user is presented with a set of images and passes authentication by recognizing and identifying the images he selected during the registration stage.

Cued-recall Techniques: An extra cue is provided to help users remember and target specific locations within a presented image.

Page 4: Evaluation of captcha technologies

Recall Based Techniques: Draw-A-Secret (DAS) scheme; Signature scheme.

Cued-recall Techniques: PassPoints scheme (the user clicks a sequence of points on a single image; by the definition on the previous slide, that makes it cued-recall rather than pure recall).

Recognition Based Techniques: Dhamija and Perrig scheme; Sobrado and Birget scheme; Passfaces scheme.

Page 5: Evaluation of captcha technologies

CAPTCHA

CAPTCHA – Completely Automated Public Turing test to tell Computers & Humans Apart.

• Invented at CMU by Luis von Ahn, Manuel Blum, et al.
• It is a program that acts as a challenge-response test to separate humans from computer programs.

Generic CAPTCHAs distort letters & numbers:

Distorted characters are presented to the user.

The user has to recognize the distorted letters.

If the guessed letters are correct, the user is inferred to be a human & allowed access.

Humans can read the distorted & noisy text.

OCR (Optical Character Recognition) software of the time could not reliably read them; this margin is scheme-specific and has not held everywhere (see EZ-Gimpy below).

Page 6: Evaluation of captcha technologies

Background

Turing Test

“Standard Interpretation"

Player C, the interrogator, is tasked with trying to determine which of players A and B is a computer and which is a human.

Reverse Turing Test

It is administered by a machine and targeted at a human.

Page 7: Evaluation of captcha technologies

Types of CAPTCHAs

Text CAPTCHA

Gimpy CAPTCHA

EZ Gimpy

MSN CAPTCHA

Graphic CAPTCHA

Bongo

PIX

Audio CAPTCHA

Page 8: Evaluation of captcha technologies

Text CAPTCHA

1. Text Based-

Simple, natural-language questions, for example: What is the sum of five & ninety-five?

If today is Monday, what was the day before yesterday?

Which of mango, table & water is a fruit?

Very effective, but needs a large question bank: a small bank can be harvested once and then answered by lookup.

Cognitively challenged users find it hard.

Page 9: Evaluation of captcha technologies

Gimpy CAPTCHA

Gimpy-

Designed by Yahoo & CMU (Carnegie Mellon University).

Picks 10 random words from a dictionary, distorts them and fills the image with noise.

The user has to recognize at least 3 of the words.

If the user is correct, he is admitted.

Page 10: Evaluation of captcha technologies

EZ Gimpy

EZ-Gimpy: a simplified version of Gimpy.

Yahoo used this version in Messenger.

Shows only 1 word, distorted against a cluttered background.

The word is drawn from a small dictionary, so an attacker only needs to match the image against that dictionary rather than recognize arbitrary characters; it is therefore prone to dictionary-guided attacks.

Not a good implementation: it was already broken (Mori and Malik, 2003, using shape-matching computer vision rather than off-the-shelf OCR).

Page 11: Evaluation of captcha technologies

MSN CAPTCHA

MSN Passport service CAPTCHAs:

Provided for Microsoft's MSN services.

Uses 8 characters.

Warping is used to distort the characters.

Designed to be segmentation-resistant: the characters are arranged so that an attacker cannot easily cut the image into individual characters before recognizing them.

Regarded as a strong, unbroken implementation when this deck was written; it was later broken by Yan and El Ahmad (2008), whose low-cost attack segmented the characters with high success. Segmentation resistance is an empirical claim that has to be retested, not a guarantee.

Page 12: Evaluation of captcha technologies

Graphic CAPTCHA

2. Graphic based CAPTCHAs-

1. BONGO: the user has to solve a pattern-recognition problem.

He has to tell the distinguishing characteristic between two sets of figures,

then tell which set a given figure belongs to.

Page 13: Evaluation of captcha technologies

Graphic CAPTCHA

2. PIX: uses a large database of labelled images.

It shows a set of images; the user has to name the feature they have in common.

E.g.: the common characteristic among the following 4 pictures = "aeroplane".

Page 14: Evaluation of captcha technologies

Audio CAPTCHA

3. Audio CAPTCHAs-

Consists of a downloadable audio clip.

The user listens & enters the spoken word.

Helps visually impaired users.

Below is Google's audio-enabled CAPTCHA (figure).

Page 15: Evaluation of captcha technologies

reCAPTCHA

reCAPTCHA (2007)

reCAPTCHA is a free service to protect your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site.

A new form of CAPTCHA that also helps digitize books:

The words displayed to the user come directly from old books that are being digitized;

specifically, words that OCR could not identify. Since the service cannot know the answer to such a word, each challenge pairs it with a second word whose transcription is already known; only the known word decides whether the user passes, and the answer given for the unknown word is collected as a vote towards its transcription.
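As an added example (not reCAPTCHA's own code) of the two-word mechanism: each challenge pairs a control word with a trusted transcription and a word OCR could not read; `verify` passes or fails on the control word only, and the answer for the unknown word is tallied as a vote until enough solvers agree. The vote threshold, the case-folding normalization, the in-memory storage and the class and function names are assumptions for illustration; the real service also weighted answers against the OCR engines' guesses and tolerated small spelling differences.

```python
import secrets
from collections import Counter, defaultdict


def normalize(word: str) -> str:
    """Case-insensitive, whitespace-trimmed comparison (assumed; the real
    service also tolerated small OCR-style spelling differences)."""
    return word.strip().lower()


class RecaptchaBookDigitizer:
    """Added simulation of the two-word reCAPTCHA flow.

    known:   word_id -> trusted transcription (usable as control words)
    unknown: word_ids whose text OCR could not read; recovered from human votes
    """

    def __init__(self, known, unknown, votes_needed=3):
        self.known = dict(known)
        self.unknown = set(unknown)
        self.votes = defaultdict(Counter)   # word_id -> Counter(answer)
        self.votes_needed = votes_needed    # assumed agreement threshold
        self.challenges = {}                # token -> (control_id, unknown_id)

    def issue_challenge(self):
        """Returns a single-use token and the (control, unknown) word ids.
        A client would only see the two rendered images, in random order,
        so it cannot tell which word actually gates access."""
        token = secrets.token_hex(8)
        control = secrets.choice(sorted(self.known))
        suspicious = secrets.choice(sorted(self.unknown)) if self.unknown else None
        self.challenges[token] = (control, suspicious)
        return token, (control, suspicious)

    def verify(self, token, answer_control, answer_unknown):
        """True iff the control word was transcribed correctly.

        The unknown word never affects the verdict; a correct control answer
        records the unknown answer as one vote towards its transcription."""
        pair = self.challenges.pop(token, None)   # tokens are single use
        if pair is None:
            return False
        control, suspicious = pair
        if normalize(answer_control) != normalize(self.known[control]):
            return False
        if suspicious is not None:
            self.votes[suspicious][normalize(answer_unknown)] += 1
            self._promote_if_agreed(suspicious)
        return True

    def _promote_if_agreed(self, word_id):
        """Once enough humans agree, the word becomes a trusted transcription
        and can itself serve as a control word in later challenges."""
        answer, count = self.votes[word_id].most_common(1)[0]
        if count >= self.votes_needed:
            self.known[word_id] = answer
            self.unknown.discard(word_id)
            del self.votes[word_id]
```

Note the security consequence of this design: a bot that can pass the control word but types garbage for the unknown word is not blocked, it only pollutes the votes. That is why a transcription is trusted only after several independent solvers agree (and, in the real service, only when they also agree with the OCR engines' guesses).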

Page 16: Evaluation of captcha technologies

(Figure: a line of old text that needs to be digitized correctly, with the OCR transcript shown beside the reCAPTCHA transcript.)

Page 17: Evaluation of captcha technologies

reCAPTCHA


Page 18: Evaluation of captcha technologies

CAPTCHA as Graphical Password Scheme(CaRP)

CaRP: An Overview

• Captcha is now a standard Internet security technique to protect online email and other services from being abused by bots.
• CaRP (Captcha as gRaphical Passwords) is a new security primitive based on hard AI problems: a family of graphical password systems that integrates Captcha technology.
• CaRP schemes are click-based graphical passwords: a sequence of clicks on an image is used to derive the password.
• In CaRP, a new image is generated for every login attempt, so the click coordinates from one attempt are meaningless on the next.
• CaRP uses an alphabet of visual objects (e.g., alphanumerical characters, or similar-looking animals) to generate the CaRP image.

Page 19: Evaluation of captcha technologies

User authentication with CaRP schemes

A typical way to apply CaRP schemes in user authentication is as follows (the slide shows the flowchart of basic CaRP authentication; the steps are as described in the CaRP paper by Zhu et al., 2014): the user submits an ID; the server generates a fresh CaRP image and records where each visual object was placed; the user clicks his password objects on the image, in order; the click coordinates are sent back; the server maps them onto the recorded object positions to recover the object sequence, hashes it with the account's salt and compares the result with the hash stored for the account.
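An added, runnable sketch of that login flow for the ClickText variant (example code written for this page, not the CaRP authors' implementation). The parts taken from the CaRP paper are the protocol shape: the server stores only a salt and a hash of the object sequence, generates a fresh layout per attempt, keeps the object positions server-side, and maps the submitted click coordinates back to object identifiers before hashing. Everything else is an assumption for illustration: the 33-symbol alphabet, a 400 × 320 canvas tiled with 40 × 40 boxes instead of distorted and overlapping glyphs, SHA-256 as the hash, and `human_clicks` standing in for a person who reads the image.

```python
import hashlib
import random
import secrets
from dataclasses import dataclass

# Assumed 33-symbol alphabet (I, O, 0 and 1 omitted as confusable). The page says
# a ClickText image shows 33 characters; every alphabet symbol must appear in
# the image, otherwise some passwords could not be entered.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789#"
IMAGE_W, IMAGE_H = 400, 320   # assumed canvas size
OBJ_W, OBJ_H = 40, 40         # assumed bounding box of one rendered character
assert len(ALPHABET) == 33


@dataclass(frozen=True)
class Placed:
    """One visual object and the top-left corner of its bounding box."""
    char: str
    x: int
    y: int


def generate_image_layout(rng=None):
    """Server-side 'generate a CaRP image and record object locations' step.
    Real ClickText distorts and may overlap glyphs; here each symbol is placed
    in a random, distinct 40x40 cell (assumption) so hit-testing is exact."""
    rng = rng or random.SystemRandom()
    cells = [(x, y) for x in range(0, IMAGE_W, OBJ_W) for y in range(0, IMAGE_H, OBJ_H)]
    chosen = rng.sample(cells, len(ALPHABET))
    return [Placed(ch, x, y) for ch, (x, y) in zip(ALPHABET, chosen)]


def human_clicks(layout, password):
    """Stands in for a human who recognizes the characters: click the centre
    of each password character's box, in order. A bot would first have to
    solve the Captcha to learn where each character is."""
    centre = {p.char: (p.x + OBJ_W // 2, p.y + OBJ_H // 2) for p in layout}
    return [centre[ch] for ch in password]


class CarpServer:
    def __init__(self):
        self.accounts = {}   # user_id -> (salt, hash of object sequence)
        self.pending = {}    # user_id -> layout of the image sent for this attempt

    @staticmethod
    def _hash(sequence, salt):
        # SHA-256 is an assumption; a deployed system should use a slow KDF such as
        # Argon2, because the sequence is as guessable offline as a short text password.
        return hashlib.sha256(salt + sequence.encode()).hexdigest()

    def register(self, user_id, password):
        if not password or any(ch not in ALPHABET for ch in password):
            raise ValueError("password must be a non-empty sequence of alphabet symbols")
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = (salt, self._hash(password, salt))

    def start_login(self, user_id):
        """Fresh image for every attempt. Only the layout leaves the server here
        because this example does not render pixels."""
        layout = generate_image_layout()
        self.pending[user_id] = layout
        return layout

    def finish_login(self, user_id, clicks):
        """Map click coordinates to object ids against the layout issued for this
        attempt, then compare the salted hash with the stored one."""
        layout = self.pending.pop(user_id, None)     # one attempt per image
        if layout is None or user_id not in self.accounts:
            return False
        recovered = []
        for cx, cy in clicks:
            hits = [p.char for p in layout
                    if p.x <= cx < p.x + OBJ_W and p.y <= cy < p.y + OBJ_H]
            if len(hits) != 1:
                return False                          # click landed on no object
            recovered.append(hits[0])
        salt, stored = self.accounts[user_id]
        return secrets.compare_digest(self._hash("".join(recovered), salt), stored)
```

Replaying the coordinates captured from one attempt against the next image fails, because the same positions now hold different characters, and a submission with no pending image is rejected, so clicks cannot be replayed against a stale layout. The image itself still has to resist automated recognition: a bot that can read the 33 characters can make the right clicks just as a human can, so resistance to online guessing reduces to the underlying Captcha's strength plus ordinary rate limiting.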

Page 20: Evaluation of captcha technologies

Recognition based CaRP

1.Click Text

ClickText is a recognition-based CaRP scheme built on top of text Captcha.

A ClickText password is a sequence of characters in the alphabet, e.g. ρ = "AB#9CD87", which is similar to a text password; the user enters it by clicking those characters, in order, on the image.

(Figure: a ClickText image with 33 characters.)

Page 21: Evaluation of captcha technologies

Recognition based CaRP

2.Click Animal

Click Animal is a recognition-based CaRP scheme built on top of Captcha Zoo, with an alphabet of similar-looking animals such as dog, horse, cat, etc.

Its password is a sequence of animal names, such as ρ = "Turkey, Cat, Horse, Dog, ...".

(Figures: Captcha Zoo with the horses circled in red; a Click Animal image.)

Page 22: Evaluation of captcha technologies

Recognition based CaRP

3.Animal Grid

Animal Grid is a combination of Click Animal and Click-A-Secret (CAS), a scheme in which the user clicks the grid cells of his password.

To enter a password, a Click Animal image is displayed first.

After an animal is selected, an n × n grid appears, with the grid-cell size equal to the bounding rectangle of the selected animal.

(Figures: a Click Animal image; a 6 × 6 grid.)

Page 23: Evaluation of captcha technologies

Applications

CaRP can be applied on touch-screen devices.

Many e-banking systems use Captchas in user logins, requiring a Captcha challenge to be solved for every online login attempt.

CaRP increases a spammer's operating cost and thus helps reduce spam emails.

If CaRP is combined with a policy that throttles the number of emails sent to new recipients per login session, outbound spam traffic is reduced.

Page 24: Evaluation of captcha technologies

Conclusions

CaRP is both a Captcha and a graphical password scheme.

This gives it a desired security property that other graphical password schemes lack: because every login attempt carries a fresh Captcha, an automated online guessing attack has to solve a Captcha for every guess.

CaRP is also resistant to Captcha relay attacks and, if combined with dual-view technologies, to shoulder-surfing attacks.

CaRP can also help to reduce spam emails sent from a Web email service.

CaRP is likely to attract more attack and research effort than ordinary Captcha.

CaRP does not rely on any specific Captcha scheme.
