
The robustness of text CAPTCHAs

CAPTCHA is a standard security technology that relies on open AI problems to tell computers and humans apart. The most widely deployed CAPTCHAs are text-based schemes. Robustness and usability are two fundamental requirements of CAPTCHA design; as in many other security systems, they often interconnect and challenge each other. The state of the art in CAPTCHA design suggests that text CAPTCHAs should rely on the segmentation resistance principle to provide robustness assurance, as individual character recognition is a solved problem. This principle has gained wide popularity and is currently adopted by many CAPTCHA schemes, including those used by Microsoft, Yahoo, and Google. This thesis first answers: Are CAPTCHAs that adopt the segmentation resistance principle vulnerable to novel segmentation attacks? Our examination of various well-known segmentation-resistant CAPTCHA schemes suggests that simple but novel low-cost attacks can break them with a high success rate. The second question this thesis attempts to answer is: How can we systematically examine CAPTCHA robustness? Traditional approaches for examining CAPTCHA robustness rely on techniques adopted by the computer vision, document understanding, and machine-learning communities. It is assumed that a CAPTCHA AI challenge remains an open problem until further progress has been made in these communities; that is how lazy cryptographers do AI. However, such examinations of CAPTCHA design have seldom focused on CAPTCHAs as a security mechanism; rather, the main goal is advancing such fields. In this thesis we promote a different, much simpler, methodology for examining CAPTCHA robustness as a security mechanism. In essence, our methodology applies adversarial thinking skills by searching for exploitable invariants found in the design of CAPTCHA.
In particular, we demonstrate our methodology on various CAPTCHA schemes; some are representative of major segmentation resistance mechanisms, while others rely on the use of colour or OCR techniques as a defence against attacks. With each examination we learn lessons on how to design better CAPTCHA schemes and lessons on the trade-offs between CAPTCHA robustness and usability. The main novel contributions of this thesis are: a systematic framework that classifies common exploitable invariants for attacking text CAPTCHAs and for aiding the design of next-generation CAPTCHAs; extensive case studies highlighting the implications of the use of colour in CAPTCHA design; the identification of usability issues associated with commonly used defence mechanisms in CAPTCHA design; and, finally, general design principles on mainstream segmentation resistance mechanisms. In general, this thesis contributes to a better understanding of how to design robust and usable text CAPTCHA schemes.

Identifier: oai:union.ndltd.org:bl.uk/oai:ethos.bl.uk:576635
Date: January 2012
Creators: Salah El Ahmad, Ahmad
Publisher: University of Newcastle Upon Tyne
Source Sets: Ethos UK
Detected Language: English
Type: Electronic Thesis or Dissertation
