A CAPTCHA is a type of challenge-response test used in computing to ensure that the response is not generated by a computer.

The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. Thus, it is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine. A common type of CAPTCHA requires that the user type the letters or digits of a distorted image that appears on the screen.

A CAPTCHA is a program that can generate and grade tests that humans can pass but current computer programs cannot. For example, humans can read distorted text, but current computer programs can't.

The term CAPTCHA (for Completely Automated Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University. At the time, they developed the first CAPTCHA to be used by Yahoo.

Applications of CAPTCHAs

CAPTCHAs have several applications for practical security, including (but not limited to):

Preventing Comment Spam in Blogs. Most bloggers are familiar with programs that submit bogus comments, usually for the purpose of raising search engine ranks of some website (e.g., "buy penny stocks here"). This is called comment spam. By using a CAPTCHA, only humans can enter comments on a blog. There is no need to make users sign up before they enter a comment, and no legitimate comments are ever lost!

Protecting Website Registration. Several companies (Yahoo!, Microsoft, etc.) offer free email services. Up until a few years ago, most of these services suffered from a specific type of attack: "bots" that would sign up for thousands of email accounts every minute. The solution to this problem was to use CAPTCHAs to ensure that only humans obtain free accounts. In general, free services should be protected with a CAPTCHA in order to prevent abuse by automated scripts.

Protecting Email Addresses From Scrapers. Spammers crawl the Web in search of email addresses posted in clear text. CAPTCHAs provide an effective mechanism to hide your email address from Web scrapers. The idea is to require users to solve a CAPTCHA before showing your email address. A free and secure implementation that uses CAPTCHAs to obfuscate an email address can be found at reCAPTCHA MailHide.

Online Polls. In November 1999, http://www.slashdot.org released an online poll asking which was the best graduate school in computer science (a dangerous question to ask over the web!). As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuff the ballots using programs that voted for CMU thousands of times. CMU's score started growing rapidly. The next day, students at MIT wrote their own program and the poll became a contest between voting "bots." MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with less than 1,000. Can the result of any online poll be trusted? Not unless the poll ensures that only humans can vote.

Preventing Dictionary Attacks. CAPTCHAs can also be used to prevent dictionary attacks in password systems. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords by requiring it to solve a CAPTCHA after a certain number of unsuccessful logins. This is better than the classic approach of locking an account after a sequence of unsuccessful logins, since doing so allows an attacker to lock accounts at will.

Search Engine Bots. It is sometimes desirable to keep webpages unindexed to prevent others from finding them easily. There is an HTML tag to prevent search engine bots from reading web pages. The tag, however, doesn't guarantee that bots won't read a web page; it only serves to say "no bots, please." Search engine bots, since they usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a web site, CAPTCHAs are needed.

Worms and Spam. CAPTCHAs also offer a plausible solution against email worms and spam: "I will only accept an email if I know there is a human behind the other computer." A few companies are already marketing this idea.
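The policy described under "Preventing Dictionary Attacks", sketched as an added example (not code from the original page): after repeated failures the account is never locked, but further attempts are refused unless a CAPTCHA has been solved. The threshold of 3, the `LoginGuard` class and the sample credentials are assumptions made for illustration.

```python
import hmac
from collections import defaultdict

CAPTCHA_AFTER = 3  # assumed threshold; the page only says "a certain number"


class LoginGuard:
    """Demands a solved CAPTCHA after repeated failures; never locks accounts."""

    def __init__(self, passwords):
        # Constructed demo store. A real system keeps salted password hashes.
        self._passwords = passwords
        self._failures = defaultdict(int)  # username -> consecutive failures

    def captcha_required(self, user):
        return self._failures[user] >= CAPTCHA_AFTER

    def attempt(self, user, password, captcha_solved=False):
        """Return 'ok', 'denied' or 'captcha_required'."""
        if self.captcha_required(user) and not captcha_solved:
            # The password is not even checked here, so a script that cannot
            # solve the CAPTCHA learns nothing from further guesses.
            return "captcha_required"
        expected = self._passwords.get(user, "")
        if user in self._passwords and hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "denied"


def demo_login_guard():
    guard = LoginGuard({"alice": "correct horse"})
    guesses = ("123456", "password", "qwerty", "letmein", "correct horse")
    # A guessing script: blocked after three misses, even on the right guess.
    bot = [guard.attempt("alice", g) for g in guesses]
    # The real owner solves the CAPTCHA and is not locked out.
    owner = guard.attempt("alice", "correct horse", captcha_solved=True)
    return bot, owner
```
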

Problems in text captcha: we have successfully applied machine learning to the problem of solving HIPs. We have learned that decomposing the HIP problem into segmentation and recognition greatly simplifies analysis. Recognition on even unprocessed images (given that segmentation is solved) can be done automatically using neural networks. Segmentation, on the other hand, is the difficulty differentiator between weaker and stronger HIPs and requires custom intervention for each HIP. We have used this observation to design new HIPs and new tests for machine learning algorithms with the hope of improving them.

Advantages of Image Captcha: A good way to avoid automatic form submissions when creating a web form is to add some kind of verification. One of the best ways is to use image verification, also called a CAPTCHA. It dynamically creates an image with a random string displayed on it. The visitor is then asked to type that string in a text field, and once the form is submitted the server checks whether the string on the image matches the one entered by the user. Because there is no easy way to read text from an image (image recognition), this is a good way to protect your web forms from spammers. To implement this CAPTCHA, I would suggest using a session variable in which you store the string that was generated and displayed on the dynamically generated image.
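The session-variable approach suggested above, as an added example that is not part of the original page. The plain `dict` standing in for the web framework's session, the function names, the character set and the 120-second lifetime are all assumptions; image rendering is left out.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes
TTL_SECONDS = 120                               # assumed challenge lifetime


def issue_challenge(session, now=None):
    """Create a random string and keep it server-side in the session.

    The returned text goes to the image renderer only; the browser receives
    the distorted image, never the string itself."""
    text = "".join(secrets.choice(ALPHABET) for _ in range(6))
    issued = time.time() if now is None else now
    session["captcha"] = {"text": text, "issued": issued}
    return text


def verify_challenge(session, answer, now=None):
    """Check the submitted answer against the session value, exactly once."""
    # pop() makes the challenge single-use: right or wrong, the same solved
    # string cannot be replayed with a second form submission.
    entry = session.pop("captcha", None)
    if entry is None:
        return False
    now = time.time() if now is None else now
    if now - entry["issued"] > TTL_SECONDS:
        return False  # stale challenge: the form has to request a new image
    submitted = answer.strip().upper().encode()
    return hmac.compare_digest(entry["text"].encode(), submitted)


def demo_session_captcha():
    session = {}  # stands in for the framework's per-user session object
    text = issue_challenge(session, now=1000.0)
    first = verify_challenge(session, text.lower(), now=1010.0)
    replay = verify_challenge(session, text, now=1011.0)
    stale_text = issue_challenge(session, now=2000.0)
    stale = verify_challenge(session, stale_text, now=2000.0 + TTL_SECONDS + 1)
    return first, replay, stale
```

Clearing the stored string on every check matters as much as the comparison: if it stays in the session, one human-solved answer can be resubmitted by a script indefinitely.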

Abstract: In this paper, we introduce the concept of Public-Key embedded Graphic CAPTCHAs and their usage as an Anti-Phishing mechanism. These CAPTCHAs contain a user-specific image object and a pattern of a secure channel invariant, wherein the image object and pattern are linked. By virtue of a built-in one/two-way implicit challenge mechanism and this verifiable association between the image object and the specific sub-pattern of the Public Key, they help in detecting/resisting automated or human-assisted Phishing attacks. We have presented a mutual authentication mechanism based on simple identification of an image and text within a CAPTCHA. The solution is based on the proposed concept of Public-Key embedded Graphic CAPTCHAs, which encode a challenge based on a unique mapping between Image object types and bit positions of the Public Key of the website. We have also described how the proposed solution can augment the legacy Password-based authentication mechanisms and make them resistant to Man-in-the-Middle Phishing attacks. We have also given a proposed functional architecture for the solution as well as a set of guidelines for effective implementation. We have implemented a browser plugin based on this idea and plan to conduct User studies to test its effectiveness and user acceptance.

Software Used:

• Language: Java, JavaScript, XML
• Framework: Struts 1.2, Ajax
• Technology: Jsp, Servlet
• Build Tool: Apache Ant 1.7.0
• Database: MySql 5.0
• Web Server: Tomcat 5.5

