Title: Challenge-Response Systems
1 Challenge-Response Systems
presents

2 What is Challenge-Response?
Challenge-response is an abstract concept referring to the act of limiting access to some resource by a certain procedure. This procedure is defined as follows:
- Person attempts to gain access to restricted material
- System challenges person
- Person responds to challenge
- System grants access if response is satisfactory
3 Why do we need a challenge?
- Privacy: Some content is considered personal, and users will want either exclusive access, or want to give only a very small set of people access.
- Security: Some content is sensitive and should only be seen by persons with certain credentials.
- Protection: Content vital to the operation of businesses, countries, etc. should only be handled by persons properly trained and equipped to do so.
4 Why do we need a database?
There are a number of things that we need to keep track of, such as:
- The definition of "privileged" in the context in which we are implementing our CR[1] system
- What content is considered privileged
- Who should have access to what
- Questions and Answers: There need to be at least as many questions as possible users, and at least one (and preferably only one) correct answer to each question.

[1] Challenge-response
5 Why do we need a database?
We need to be able to keep track of each of these things, separately or all together, in a convenient way. Convenient in this case means:
- The information should be restricted in much the same way that the CR system operates.
- Changing the information should be easy for anyone who is authorized to do so.
- The verification process should be as efficient as possible.
- We should be unrestricted in the kind of information that we can keep track of.
6 Why do we need a database?
- All of these criteria can be satisfied by storing the information in a properly designed and implemented database.
- Today, most, if not all, database management systems have built-in functions supporting authentication.
- In fact, this functionality is now incorporated into DBMSs to safeguard the information contained within.
- Storing information in a database allows us to easily attach information not critical to authentication (biological data, for example) to information required for authorization.
7 What types of CR systems are there?
Challenge-response systems can be divided into two categories.
- Cryptographic: A CR system falls in this category simply by making use of some sort of cryptography in its implementation.
- Non-cryptographic:
  - In some ways, older than cryptographic CR.
  - Basic forms of this existed only for as long as it took for attackers to devise means of circumvention.
  - More recently, a new kind of non-cryptographic CR has appeared in the form of counter Turing tests.
8 Non-cryptographic CR
Basic authentication is the simplest form of a challenge-response system. Explanation of the process will be accompanied by a live demonstration.
- User requests access to restricted content
- System asks user to present proof of authorization
- User provides authorization information
- System verifies whether information is valid
- If it is, user is granted access to content
9 The need for encryption
With the concept of remote authentication came vulnerabilities which attackers can (and do) exploit.
- Enter ye unscrupulous person
- User requests access to restricted content
- System asks user to present proof of authorization
- User provides authorization information
- Attacker listens to network traffic and copies information
- System verifies whether information is valid and grants access.
- The attacker can then pose as the user and gain access to the restricted content!
- OH NO!
10 The need for encryption
To counter this, the authorization process is altered slightly.
- User requests access to restricted content
- System asks user to present proof of authorization
  - This time, sends random string with request.
- User provides authorization information
  - Information is encrypted using the random string as a key
- Attacker listens to network traffic and copies information
- System decrypts and verifies information, and grants access
- An attacker, posing as the user, is given a different encryption key
  - Previously recorded information is now invalid
11 Build a better lock
- ... and you build a better thief.
- A malicious person can get around the previously described setup by listening to traffic both ways, recording the key, and finding out how the information is encrypted.
- More clever ways of protecting information must be devised.
- This just means dedicated attackers will find another way to go about their evil activity.
- This back-and-forth is expected to continue indefinitely.
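The random-string exchange from slide 10, as an added example written for this page (not the presenter's code). It assumes the "encryption with the random string as a key" is realised as an HMAC keyed by the user's secret over the server's nonce, and shows why a response an eavesdropper captured in one session is useless against the next challenge.

```python
import hmac
import hashlib
import secrets


class Server:
    """Verifier side of the nonce-based challenge-response (slide 10).
    Assumption, not from the slides: the response is HMAC-SHA256 keyed
    with the user's shared secret over the server's random string."""

    def __init__(self, users):
        self.users = users      # username -> shared secret (bytes)
        self.pending = {}       # username -> nonce currently outstanding

    def challenge(self, user):
        # Fresh, unpredictable nonce per access attempt; it is only
        # valid for the single response that follows it.
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)   # single use, even on failure
        secret = self.users.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_response(secret, nonce):
    """Prover side: binds the secret to this particular challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo_replay():
    """Returns (legit_ok, replay_ok). The live session succeeds; the
    sniffer replaying the captured response against a new challenge
    fails, because the server handed out a different nonce."""
    secret = b"correct horse battery staple"   # constructed sample secret
    srv = Server({"alice": secret})

    nonce1 = srv.challenge("alice")
    captured = client_response(secret, nonce1)  # what the eavesdropper copies
    legit_ok = srv.verify("alice", captured)

    srv.challenge("alice")                      # attacker's own attempt
    replay_ok = srv.verify("alice", captured)   # old response, new nonce
    return legit_ok, replay_ok
```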
12 Challenge-Response Proper
13 The Turing Test
In 1950, Alan Turing devised a test to rate the intelligence of a machine:
- A human participant would hold a conversation with two other correspondents
- One of these would be a machine with some measure of artificial intelligence
- If the human cannot tell the difference between the other human correspondent and the computer, then the computer passes the test, and is considered intelligent.
14 CAPTCHA!
- Stands for Completely Automated Public Turing Test to Tell Humans and Computers Apart
- Is a variation of the Turing test, devised in such a way that humans will pass and machines will fail
- This aspect of CR systems is what most people are referring to when they mention challenge-response.
15 Why would we need to tell Humans and Computers Apart?
Case Study 1: The AltaVista add-URL problem
- If a website is to be found via a search engine, it must first be submitted.
- Search engines have algorithms for rating sites which correspond with keywords.
- One aspect of AltaVista's rating system was (is) how many times a page is submitted, assuming that different, interested persons will go through the submission process.
- Tech-savvy persons took advantage of this by writing scripts to repetitively add their sites to the search engine.
- This skewed the search engine's ratings significantly.
16 Why would we need to tell Humans and Computers Apart?
Case Study 2: The Yahoo! chat room problem
- Udi Manber of Yahoo! approached researchers at Carnegie Mellon University with this problem.
- Robots[2] were invading Yahoo! chat rooms and soliciting information from participants
- They were also filling the chat rooms with advertisements and links to other sites.

[2] Automated scripts
17 Why would we need to tell Humans and Computers Apart?
Case Study 3: Spam!
- More than 60% of email traversing the internet is spam[3].
- Most, if not all, spam is generated and propagated by robots.
- These robots sign up for email accounts, then send messages containing advertisements and other unwanted content to millions of other accounts.
- Most of the time, this is done solely to bog down the mail servers, i.e. for no good reason.

[3] unwanted, unsolicited messages, also called junk mail
18 How can we tell Humans and Computers Apart?
In the initial development stages, some desirable traits of a suitable CAPTCHA were put forward.
- The test should present a challenge which can be automatically generated.
- Human users should be able to take the test quickly.
- It should accept virtually all human users (even young or naive users) with high reliability, while rejecting very few.
- The test should reject virtually all machine users.
- It should resist automatic attack for many years, even as technology advances and even if the algorithms are known (e.g. published and/or released as open source).
19 How can we tell Humans and Computers Apart?
- Even though scientists are trying to close the gap between man and machine, the current separation can be, and has been, utilized.
- For the CAPTCHA project, the relevant gap is the shortcoming of computer vision, or more precisely, character recognition.
- The human faculty for recognition, though taken for granted, is astounding.
- Computers' recognition facilities are not so astounding.
- This is not expected to change very much in the near future.
20 So how does it work?
- Y'all know what we're talking about, but just in case:
- When trying to access content that only a human should be privy to, the user is presented with a sequence of characters, generated pseudo-randomly[4].
- These are subject to a subset of a number of visual distortions, including scaling, skewing, warping, speckling and background noise.
- The user is asked to type the characters as they appear.
- Human users will have very little difficulty passing the test quickly.
- Robots cannot pass without cheating.

[4] from a large enough selection set so as to appear random
21 Antispam
The most talked-about application of CR systems is as a means of countering junk mail, or spam. The explanation of how this works will be accompanied by a live demonstration.
- Legitimate user sends email to protected user
- Enter Microshaft SpamGuard XP! Professional 2006 Elite Spam-blocking Edition PRO!
- SpamGuard checks whitelist[5] for the address on the email
- Address is not on the list, so SpamGuard sends a CAPTCHA back to the sender

[5] a list of addresses that do not need verification
22 Antispam
- The user takes the test and sends back the correct answer
- SpamGuard verifies the answer, allows the message to go to the protected user, and puts the newly verified address on the whitelist
- User will not have to take the test again, since the address is now on the whitelist
23 Antispam
- Enter ye Ms. Roboto!
- Robot sends email to protected user
- SpamGuard checks whitelist[5] for the address on the email
- Address is not on the list, so SpamGuard sends a CAPTCHA back to the sender
- Robot, if it even notices that there has been a reply, cannot make head or tail of the test
- SpamGuard, receiving no reply to the CAPTCHA, tosses the email
- Protected user, ideally, does not even know about it
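The whitelist/challenge flow of slides 21 to 23 as a single state machine, added here for this page and not the code of any real product. The `SpamGuard` class, the `Mail` record and the `is_challenge` flag are assumptions; the CAPTCHA is stood in for by a short string the sender must type back, and a message that is itself a challenge is never challenged, which is the check that keeps two CR systems from trading tests forever.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Mail:
    sender: str
    recipient: str
    body: str
    is_challenge: bool = False   # true when the mail is itself a CR challenge


@dataclass
class SpamGuard:
    """Hypothetical model of the Antispam slides: unknown senders are held
    and challenged; a correct answer whitelists them and releases the mail."""
    protected: str                                 # address being guarded
    whitelist: set = field(default_factory=set)    # addresses needing no test
    held: dict = field(default_factory=dict)       # token -> (mail, answer)
    inbox: list = field(default_factory=list)      # what the protected user sees
    outbound: list = field(default_factory=list)   # challenges sent to senders

    def receive(self, mail):
        if mail.sender in self.whitelist:
            self.inbox.append(mail)
            return "delivered"
        if mail.is_challenge:
            return "dropped"     # never challenge a challenge (no CR-vs-CR loop)
        token, answer = secrets.token_hex(8), secrets.token_hex(3)
        self.held[token] = (mail, answer)
        self.outbound.append(Mail(self.protected, mail.sender,
                                  f"[{token}] type these characters: {answer}",
                                  is_challenge=True))
        return "challenged"

    def respond(self, token, typed, sender):
        entry = self.held.get(token)
        if entry is None or entry[0].sender != sender:
            return "rejected"                      # unknown token or wrong sender
        mail, answer = self.held.pop(token)        # one attempt per challenge
        if not secrets.compare_digest(typed, answer):
            return "rejected"
        self.whitelist.add(sender)                 # no test next time
        self.inbox.append(mail)
        return "delivered"

    def expire(self):
        # Slide 23: robots never answer, so held mail is tossed unseen.
        tossed = len(self.held)
        self.held.clear()
        return tossed
```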
24 Pros and Cons
- The obvious advantage is that the CAPTCHA does what it is supposed to do (mostly).
- CAPTCHA has come under considerable criticism in online circles. Some complaints are:
  - It can be circumvented in a number of ways by spammers who are clever enough.
  - It is annoying to have to fill out a test just to send an email
  - Important mail sometimes ends up in the junk folder
  - Sometimes one CR system will challenge another CR system, and the message ends up in oblivion while the systems send challenges back and forth
  - Foils mailing lists which, though automated, are actually solicited