SANDEEP MEHTA (ECE, IV Year)

CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart Invented at CMU by Luis von Ahn, Manuel Blum, et. al A program that is a challenge – response test to separate humans from computer programs

Generic CAPTCHAs distort letters and numbers Distorted characters are presented to user User has to recognize the distorted letters If the guessed letters are correct, the user is inferred to be a human and allowed access Else, user is a bot and denied access

Humans can read the distorted and noisy text Current OCRs cannot read them

What is a Turing test? o Proposed by Alan Turing o To test a machine’s level of intelligence o Human judge asks questions to two participants, one is a machine, he doesn’t know which is which o If judge can’t tell which is the machine, the machine passes the test o CAPTCHA employs a reverse Turing test, judge = CAPTCHA program, participant = user if user passes CAPTCHA, he is human if user fails, it is a machine

CAPTCHA A common type of CAPTCHA requires the user to type the letters of a distorted image sometimes with the addition of an obscured sequence of letters or digits appears on screen. This string which the user has to type to submit a form.This is a simple problem for humans, but a very hard problem for computers which have to use character recognition, because the displayed string is alienated in a way, which makes it very hard for a computer to decode.

CAPTCHA A program that can generate and grade tests that: 1. Most humans can pass 2. Current computer programs cannot pass

Continued… The concept of a CAPTCHA is motivated by real-world problems faced by internet companies such as Yahoo! and AltaVista. These companies offer free accounts, intended for use by humans. However, they found that many online vendors were using "bots", computer programs that would sign up for thousands of accounts, from which they could send out masses of junk .

Text Based CAPTCHAs Gimpy, ez-gimpy Pick a word or words from a small dictionary Distort them and add noise and background Gimpy-r, Google’s CAPTCHA Pick random letters Distort them, add noise and background Simard’s HIP Pick random letters and numbers Distort them and add arcs 9

Gimpy: o Designed by Yahoo and CMU o Picks up 10 random words from dictionary and distorts, fills with noise o User has to recognize at least 3 words o If user is correct, he is admitted

EZ-Gimpy: o A modified version of Gimpy o Yahoo used this version in Messenger o Has only 1 random string of characters o Not a dictionary word, so not prone to dictionary attack o Not a good implementation, already broken by OCRs

MSN’s Passport service CAPTCHAs: o Provided for Microsoft’s MSN services o Use 8 characters o Warping is used to distort o Very strong implementation, hasn’t been broken o It is segmentation-resistant

Text Based CAPTCHAs 13

Graphic Based CAPTCHAs Bongo Display two series of blocks User must find the characteristic that sets the two series apart User is asked to determine which series each of four single blocks belongs to Difference? thick vs. thin lines 14

Image CAPTCHA Provide the user with a series of images Ask the user to: Identify a picture matching a description Identify a common theme to the images Requires huge databases of images with metadata to provides sets.

PIX: o Uses a large database of labelled images o It shows a set of images, user has to recognize the common feature among those o E.g., Pick the common characteristic among the following four pictures-----”Aeroplane”

Graphic Based CAPTCHAs 17 Dog Pool

Audio CAPTCHAs: o Consist of downloadable audio clip o User listens and enters the spoken word o Helps visually disabled users o Below is the Google’s audio enabled CAPTCHA o Not popular

Verify digitized books: reCAPTCHA o Used in Google Books Project o Two words are shown, the program knows first word o If user enters first word correctly, it assumes that the second unknown word will also be entered correctly o Second word becomes “known”

Things to keep in mind: o Don’t store CAPTCHA solution in Web page’s metadata o A CAPTCHA is no good if it doesn't distort o Need a large database of different CAPTCHA questions o Avoid repetition of questions

Breaking CAPTCHAs Most text based CAPTCHAs have been broken by software OCR Segmentation Other CAPTCHAs were broken by streaming the tests for unsuspecting users to solve. 21

Criticism Exclusionary to Users with disabilities. No official standards or ruling body for creation of CAPTCHA algorithms. Difficult user interactions. No published for proper implementation of algorithms.

Security Very hard to balance effectiveness of CAPTCHA and usability. Difficult for programmer to identify bad CAPTCHA algorithms. Researchers frequently break seemingly strong CAPTCHA. Algorithms possibility protected under DMCA.

Summary CAPTCHA do not provide individual authentication. CAPTCHA cannot stop extravagant exploits that utilize humans. In some situations user authentication is more suited. CAPTCHA are difficult to design. CAPTCHA are effective in reducing spam and automated attacks.

Principles The principles behind CAPTCHA are as follows: The user is presented with a garbled image on which some text is displayed. This image is generated by the server using random text. The user must enter the same letters in the text into a text field that is displayed on the form to protect. When the form is submitted, the server checks if the text entered by the user matches the initial generated text. If it does, the transaction continues. Otherwise, an error message is displayed and the user has to enter a new code.

Applications Online polls Protecting Website Registration Preventing Comment Spam in Blogs. Search Engine Bots Worms and Spam Prevent Dictionary attacks

THANK YOU