An oracle-based attack on CAPTCHAs protected against oracle attacks
نویسندگان
چکیده
CAPTCHAs/HIPs are security mechanisms that try to prevent automatic abuse of services. They are susceptible to learning attacks in which attackers can use them as oracles. Kwon and Cha presented recently a novel algorithm that intends to avoid such learning attacks and “detect all bots” [6]. They add uncertainties to the grading of challenges, and also use trap images designed to detect bots. The authors suggest that a major IT corporation is studying their proposal for mainstream implementation. We present here two fundamental design flaws regarding their trap images and uncertainty grading. These leak information regarding the correct grading of images. Exploiting them, an attacker can use an UTS-CAPTCHA as an oracle, and perform a learning attack. Our testing has shown that we can increase any reasonable initial success rate up to 100%.
منابع مشابه
An efficient certificateless signcryption scheme in the standard model
Certificateless public key cryptography (CL-PKC) is a useful method in order to solve the problems of traditional public key infrastructure (i.e., large amount of computation, storage and communication costs for managing certificates) and ID-based public key cryptography (i.e., key escrow problem), simultaneously. A signcryption scheme is an important primitive in cryptographic protocols which ...
متن کاملSecurity of Discrete Log Cryptosystems in theRandom Oracle + Generic ModelClaus
Based on a novel proof model we prove security for simple discrete log cryptosystems for which security has been an open problem. We consider a combination of the random oracle (RO) model and the generic model. This corresponds to assuming an ideal hash function H given by an oracle and an ideal group of prime order q, where the binary encoding of the group elements is useless for cryptographic...
متن کاملImperfect Decryption and an Attack on the NTRU Encryption Scheme
A property of the NTRU public-key cryptosystem is that it does not provide perfect decryption. That is, given an instance of the cryptosystem, there exist ciphertexts which can be validly created using the public key but which can’t be decrypted using the private key. The valid ciphertexts which an NTRU secret key will not correctly decipher determine, up to a cyclic shift, the secret key. In t...
متن کاملAnonymous Signcryption against Linear Related-Key Attacks
A related-key attack (RKA) occurs when an adversary tampers the private key stored in a cryptographic hardware device and observes the result of the cryptographic primitive under this modified private key. In this paper, we concentrate on the security of anonymous signcryption schemes under related-key attacks, in the sense that a signcryption system should contain no information that identifie...
متن کاملPadding Oracle Attacks on CBC-Mode Encryption with Secret and Random IVs
In [8], Paterson and Yau presented padding oracle attacks against a committee draft version of a revision of the ISO CBC-mode encryption standard [3]. Some of the attacks in [8] require knowledge and manipulation of the initialisation vector (IV). The latest draft of the revision of the standard [4] recommends the use of IVs that are secret and random. This obviates most of the attacks of [8]. ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- CoRR
دوره abs/1702.03815 شماره
صفحات -
تاریخ انتشار 2017