Captcha A Study AND Implementation

The document describes a 3 step process for breaking CAPTCHAs: 1. Locate possible letters in the image using shape matching techniques to generate candidate letters. 2. Construct a graph of letters that could be chained together to form words by connecting pairs of "consistent" letters. 3. Find plausible words by looking for real words along paths in the letter graph, and scoring the words based on how well the individual letters match the image. The word with the best score is determined to be the solution.

Uploaded by

Vijay Madhani
Copyright
© Attribution Non-Commercial (BY-NC)
INS CASE STUDY

CAPTCHA: A STUDY AND IMPLEMENTATION

GOUTAM M 33

VIJAY MADHANI 34

NISHKAM RAZDAN 46

Introduction
A CAPTCHA or Captcha is a type of challenge-response test used in computing as an
attempt to ensure that the response is not generated by a computer. The process usually
involves one computer (a server) asking a user to complete a simple test which the computer
is able to generate and grade. Because other computers are supposedly unable to solve the
CAPTCHA, any user entering a correct solution is presumed to be human. A common type of
CAPTCHA requires the user to type letters or digits from a distorted image that appears on
the screen.

Standard Interpretation:

Player C, an interrogator, is tasked with trying to determine which of A and B is a human and
which is a computer. A captcha is sometimes described as a reverse Turing test, because it is
administered by a machine and targeted to a human, in contrast to the standard Turing test
that is typically administered by a human and targeted to a machine.

Characteristics

A CAPTCHA is a means of automatically generating challenges that are intended to:

- Provide a problem easy enough for all humans to solve.

- Prevent standard automated software from filling out a form.

This has the benefit of distinguishing humans from computers. It also creates incentive to
further develop artificial intelligence of computers.

Types of CAPTCHAS

Text: By far the most common type of captcha involves the use of letters that are arranged
randomly and are distorted in some way with various background colours or fonts.

Audio: Audio CAPTCHAs for the visually impaired are probably the second most common
type of CAPTCHA.

Miscellaneous: There are also other CAPTCHAs that require you to solve a problem that
should be easy for a person but very hard for a computer, such as choosing which
item in a list is not a bird. The problem with this approach is that one needs a
large number of questions before it really becomes effective.

Applications of CAPTCHAs

CAPTCHAs have several applications for practical security, including (but not limited to):

- Preventing Comment Spam in Blogs. Most bloggers are familiar with programs that
submit bogus comments, usually for the purpose of raising search engine ranks of
some website. This is called comment spam. By using a CAPTCHA, only humans can
enter comments on a blog. There is no need to make users sign up before they enter a
comment, and no legitimate comments are ever lost.

- Protecting Website Registration. Several companies (Yahoo!, Microsoft, etc.) offer
free email services. Up until a few years ago, most of these services suffered from a
specific type of attack: "bots" that would sign up for thousands of email accounts
every minute. The solution to this problem was to use CAPTCHAs to ensure that only
humans obtain free accounts. In general, free services should be protected with a
CAPTCHA in order to prevent abuse by automated scripts.

- Protecting Email Addresses from Scrapers. Spammers crawl the Web in search
of email addresses posted in clear text. CAPTCHAs provide an effective mechanism
to hide your email address from Web scrapers. The idea is to require users to solve a
CAPTCHA before showing one's email address.

- Online Polls. Can the result of any online poll be trusted? Not unless the poll ensures
that only humans can vote.

- Preventing Dictionary Attacks. CAPTCHAs can also be used to prevent dictionary
attacks in password systems. The idea is simple: prevent a computer from being able
to iterate through the entire space of passwords by requiring it to solve a CAPTCHA
after a certain number of unsuccessful logins. This is better than the classic approach
of locking an account after a sequence of unsuccessful logins, since doing so allows
an attacker to lock accounts at will.

- Search Engine Bots. It is sometimes desirable to keep web pages unindexed to
prevent others from finding them easily. There is an HTML tag to prevent search engine
bots from reading web pages. The tag, however, doesn't guarantee that bots won't read
a web page; it only serves to say "no bots, please." Search engine bots, since they
usually belong to large companies, respect web pages that don't want to allow them
in. However, in order to truly guarantee that bots won't enter a web site, CAPTCHAs
are needed.

- Worms and Spam. CAPTCHAs also offer a plausible solution against email worms
and spam: "I will only accept an email if I know there is a human behind the other
computer." A few companies are already marketing this idea.
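
The difference between the two login policies in the dictionary-attack item can be seen by running both on the same sequence of attempts. This is an added example, not code from the original document; the threshold of 3, the function names and the `passwordOk` / `captchaSolved` flags (stand-ins for the real password and CAPTCHA checks) are assumptions.

```javascript
const THRESHOLD = 3; // assumed number of failed logins before the policy reacts

// Classic policy: the account is locked once THRESHOLD failures are recorded.
function lockoutPolicy(state, { passwordOk }) {
  if (state.failures >= THRESHOLD) return 'locked';
  if (passwordOk) { state.failures = 0; return 'ok'; }
  state.failures += 1;
  return 'denied';
}

// CAPTCHA policy: after THRESHOLD failures every further attempt must carry a
// solved CAPTCHA before the password is even checked; the account is never locked.
function captchaPolicy(state, { passwordOk, captchaSolved }) {
  if (state.failures >= THRESHOLD && !captchaSolved) return 'captcha-required';
  if (passwordOk) { state.failures = 0; return 'ok'; }
  state.failures += 1;
  return 'denied';
}

// Constructed scenario: a script submits `guesses` wrong passwords without
// solving any CAPTCHA, then the account owner logs in with the right password.
function ownerOutcome(policy, guesses) {
  const state = { failures: 0 };
  let passwordChecks = 0; // scripted guesses that actually reached the password check
  for (let i = 0; i < guesses; i++) {
    const r = policy(state, { passwordOk: false, captchaSolved: false });
    if (r === 'denied') passwordChecks += 1;
  }
  let owner = policy(state, { passwordOk: true, captchaSolved: false });
  if (owner === 'captcha-required') {
    // A human can solve the challenge and retry.
    owner = policy(state, { passwordOk: true, captchaSolved: true });
  }
  return { owner, passwordChecks };
}
```

Both policies stop the scripted guessing after the same number of password checks, but only the lockout policy leaves the owner unable to log in.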

Guidelines

- Accessibility. CAPTCHAs must be accessible. CAPTCHAs based solely on reading
text — or other visual-perception tasks — prevent visually impaired users from
accessing the protected resource. Such CAPTCHAs may make a site incompatible
with Section 508 in the United States. Any implementation of a CAPTCHA should
allow blind users to get around the barrier, for example, by permitting users to opt for
an audio or sound CAPTCHA.

- Image Security. CAPTCHA images of text should be distorted randomly before
being presented to the user. Many implementations of CAPTCHAs use undistorted
text, or text with only minor distortions. These implementations are vulnerable to
simple automated attacks.

- Script Security. Building secure CAPTCHA code is not easy. In addition to making
the images unreadable by computers, the system should ensure that there are no easy
ways around it at the script level. Common examples of insecurities in this respect
include: (1) Systems that pass the answer to the CAPTCHA in plain text as part of the
web form. (2) Systems where a solution to the same CAPTCHA can be used multiple
times (this makes the CAPTCHA vulnerable to so-called "replay attacks"). Most
CAPTCHA scripts found freely on the Web are vulnerable to these types of attacks.

- Security Even After Wide-Spread Adoption. There are various "CAPTCHAs" that
would be insecure if a significant number of sites started using them. An example of
such a puzzle is asking text-based questions, such as a mathematical question ("what
is 1+1"). Since a parser could easily be written that would allow bots to bypass this
test, such "CAPTCHAs" rely on the fact that few sites use them, and thus that a bot
author has no incentive to program their bot to solve that challenge. True CAPTCHAs
should be secure even after a significant number of websites adopt them.
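
The two script-level flaws named under Script Security, shown as a weak check next to a server-side design that avoids both. This is an added Node.js example, not code from the original document; the function names, the in-memory `Map`, the six-digit answer and the two-minute lifetime are assumptions, and image rendering is omitted.

```javascript
const crypto = require('node:crypto');

const TTL_MS = 2 * 60 * 1000;   // assumed challenge lifetime: two minutes
const pending = new Map();      // challenge id -> { answer, expires }, kept on the server

// Flaw (1) from the guideline: the expected answer travels in the form itself,
// so the server ends up comparing two client-supplied values.
function weakVerify(form) {
  return form.expected === form.response;
}

// Hardened issue step: the browser gets an opaque random id and the rendered
// image; the answer stays in server-side state.
function issueChallenge(now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  const answer = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  pending.set(id, { answer, expires: now + TTL_MS });
  return { id, answer };        // answer goes to the image renderer only, never to the client
}

// Hardened verify step: the record is deleted on the first attempt, right or
// wrong, which closes flaw (2), reuse of one solved challenge.
function verifyChallenge(id, response, now = Date.now()) {
  const entry = pending.get(id);
  pending.delete(id);
  if (!entry || now > entry.expires) return false;
  const expected = Buffer.from(entry.answer);
  const given = Buffer.from(String(response).replace(/\s+/g, ''));
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// Constructed walk-through with fixed clock values.
function demo() {
  const c = issueChallenge(0);
  return {
    weakAcceptsEcho: weakVerify({ expected: 'abc', response: 'abc' }),
    firstUse: verifyChallenge(c.id, c.answer, 1000),
    replay: verifyChallenge(c.id, c.answer, 2000),
  };
}
```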

Example
Ways to break CAPTCHAs

- Bypassing the CAPTCHA safeguard by exploiting bugs in the system.

- Using OCR technology or advanced AI pattern recognition.

- Using cheap human labour in sweatshops.

- Reusing the session ID of a known image.

- Cracking the hash functions used in certain CAPTCHA implementations.

Example

High Level Description


1. EZ-Gimpy

An example algorithm for breaking EZ-Gimpy consists of 3 main steps:

1. Locate possible letters at various locations
2. Construct graph of consistent letters
3. Look for plausible words in the graph

This page will give a high level description of these steps, using the image below as an
example.

Candidate Letters

The first step is to hypothesize a set of candidate letters in the image. This is done using
shape matching techniques. The method essentially looks at a bunch of points in the image at
random, and compares these points to points on each of the 26 letters. The comparison is
done in a way that is very robust to background clutter, outliers and deformation of the
letters. The process usually results in 3-5 candidate letters per actual letter in the image.

In the example shown here, the "p" of profit matches well to either an "o" or a "p", the border
between the "p" and the "r" looks a bit like a "u", and so forth. At this stage we keep many
candidates, to be sure we don't miss anything for later steps.

Consistent Letters

Next, pairs of letters are examined to see whether or not they are "consistent", that is, whether
they can be used consecutively to form a word. In the example below, green lines are drawn
between pairs of letters that could be chained together to form a complete word.

Plausible Words

There are many possible paths through the graph of letters constructed in the previous step.
However, most of them do not form real words. For example, "pfql" is a path through the
graph, but we don't need to consider it further since it isn't a real word. It turns out that the
vast majority of paths through the graph are meaningless.

We pick out the real words in the graph, and assign scores to them based on how well their
individual letters match the image. In this example, 2 complete words are found, "roll" and
"profit". We compute matching scores for each letter of these words, and find that "profit",
with a score of 9.42 (lower is better, since it is a distance measure), matches the image better
than "roll", which has a score of 11.94.

IMPLEMENTATION
A JavaScript CAPTCHA.
<html>
<head>
<title>Captcha</title>

<script type="text/javascript">

// Generate the CAPTCHA code: seven random numbers separated by spaces,
// written into the txtCaptcha field of this page
function DrawCaptcha()
{
var a = Math.ceil(Math.random() * 10) + '';
var b = Math.ceil(Math.random() * 10) + '';
var c = Math.ceil(Math.random() * 10) + '';
var d = Math.ceil(Math.random() * 10) + '';
var e = Math.ceil(Math.random() * 10) + '';
var f = Math.ceil(Math.random() * 10) + '';
var g = Math.ceil(Math.random() * 10) + '';
var code = a + ' ' + b + ' ' + ' ' + c + ' ' + d + ' ' + e + ' ' + f
+ ' ' + g;
document.getElementById("txtCaptcha").value = code;
}

// Validate the entered input against the generated security code.
// Both values are read from fields of this page, so the check runs in the browser.
function ValidCaptcha()
{
var str1 = removeSpaces(document.getElementById('txtCaptcha').value);
var str2 = removeSpaces(document.getElementById('txtInput').value);
if (str1 == str2) return true;
return false;
}

// Remove the spaces from the entered and generated code
function removeSpaces(string)
{
return string.split(' ').join('');
}

</script>

</head>
<body onload="DrawCaptcha();">
<table>
<tr>
<td>
Welcome To Captcha<br />
</td>
</tr>
<tr>
<td>
<input type="text" id="txtCaptcha"
style="background-image:url(1.jpg); text-align:center;
border:none;
font-weight:bold; font-family:Modern" />
<input type="button" id="btnrefresh" value="Refresh"
onclick="DrawCaptcha();" />
</td>
</tr>
<tr>
<td>
<input type="text" id="txtInput"/>
</td>
</tr>
<tr>
<td>
<input id="Button1" type="button" value="Check"
onclick="alert(ValidCaptcha());"/>
</td>
</tr>
</table>
</body>
</html>

SCREENSHOTS
