Doctoral Theses of the Universidad de Alcalá
WHERE DO CAPTCHAS FAIL: A STUDY IN COMMON PITFALLS IN CAPTCHA DESIGN AND HOW TO AVOID THEM
Author | Hernandez Castro, Carlos
Department | Signal Theory and Communications
Supervisor | Fernández Barrero, David
Co-supervisor | Rodríguez Moreno, María Dolores
Defence date | 21/12/2017
Grade | Outstanding Cum Laude
Programme | Information and Communication Technologies (RD 99/2011)
International mention | Yes
Abstract |
Today, much of the interaction between clients and providers has moved to the
Internet. Some tricksters, con-artists and charlatans have also learned to benefit
from this new situation. New improved cons, tricks and deceptions can be found
on-line. Many of these deceptions are only profitable if they are done at a large
scale. In order to achieve these large numbers of interactions, these attacks require
automation.

CAPTCHAs (Completely Automated Public Turing test to tell Computers and
Humans Apart) or HIPs (Human Interaction Proofs) are a relatively new security
mechanism against automated attacks. They try to detect whether the other end of the
interaction is a human or a computer program (a bot). Since their origins, most of
the proposals have been based on the seminal idea of using problems thought to be
hard for AI/ML but easy for humans. As of today, all the studied CAPTCHA schemes
have failed.

CAPTCHA design is still in its initial conception. The stream of successful attacks on
them is a hint that CAPTCHAs are now as weak as the first cyphers. Yet cyphers
were improved after successive successful cryptanalyses. We consider that, similarly,
new security studies of novel, original CAPTCHAs will advance the corpus of
knowledge in the field as well as the awareness about CAPTCHA security.

This dissertation focuses on the design of CAPTCHAs. Its first goal is to understand
whether there are currently CAPTCHAs that can be considered secure. To do so, it
analyses new, original CAPTCHA proposals. The second goal of this dissertation is
to find a way in which to assess a basic level of security for new CAPTCHA designs.
To do so, it studies the results of previous security analyses, trying to find common
weaknesses. Based on them, it proposes a guideline or framework that specifies
mechanisms to avoid some of these design pitfalls. This can be the starting point
for a high-level methodology for the design of new CAPTCHAs. Ultimately, the goal
of this research is to build a semi-automatic framework for the analysis of the
security of new CAPTCHAs.