Tuesday, February 26, 2008

Meeting: 26 Feb 2008 (Group)

CAPTCHA customizer
Alan gave an update on CAPTCHA Customizer Tools v3.0. The following customizer modules have been included:

- CAPTCHA Display Size
- CAPTCHA Customizer Font Extrusion
- CAPTCHA Customizer Font Choosing Design
- CAPTCHA Customizer Character Choosing
- CAPTCHA Customizer Character Scaling
- CAPTCHA Customizer Angle Rotation
- CAPTCHA Customizer Text Position

Discussion:
The team discussed the GUI of the CAPTCHA Customizer Tools:
- The customizer tool's layout frame should be consistent across every module.
- A preview feature should be included in every module.
- Fixed-value fields should be hidden to avoid confusing users.

The above suggestions will be incorporated by Alan in the next CAPTCHA Customizer Tools version.

CAPTCHA Answer Validation
The team has decided to implement the CAPTCHA answer validation system using the J2EE form-based authentication service. It acts as a gateway for user authentication and authorization.

The team will need to implement the service to meet the following needs:

- It runs for both normal PC web clients and the J2ME application.
- Only one set of server code is needed to validate answers from both normal PC web and J2ME users.
- It is the only gateway through which end users reach other web application resources.

Lexis and Sebastian will start the implementation.
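The minutes choose container form-based authentication. The following added example, which is not the project's code, shows the same single-gateway property with a servlet Filter instead, which is the shape that fits when the "credential" is a solved CAPTCHA rather than a username and password. The session attribute name CAPTCHA_OK, the open path prefix /captcha/ and the User-Agent test for MIDP devices are assumptions made for this illustration.

```java
// Added example, not the project's code: one gateway in front of every protected
// resource. CAPTCHA_OK, the open path list and the User-Agent test are assumptions.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CaptchaGateFilter implements Filter {
    /** Set on the session by the answer-validation servlet, and only there. */
    public static final String CAPTCHA_OK = "captchaPassed";
    /** Paths the gate leaves open: the challenge image and the answer endpoint. */
    private static final String[] OPEN_PREFIXES = { "/captcha/" };

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isOpen(path) || hasSolvedCaptcha(request)) {
            chain.doFilter(req, res);          // same code path for PC browsers and MIDlets
            return;
        }
        if (isMidlet(request)) {
            // A MIDlet cannot render the challenge page; refuse plainly so it fetches a challenge.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CAPTCHA required");
        } else {
            // encodeRedirectURL appends ;jsessionid=... when the client has no session cookie.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + "/captcha/challenge"));
        }
    }

    static boolean isOpen(String path) {
        for (String prefix : OPEN_PREFIXES) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }

    /** Never create a session here: an unsolved visitor must not get one for free. */
    static boolean hasSolvedCaptcha(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && Boolean.TRUE.equals(session.getAttribute(CAPTCHA_OK));
    }

    /** MIDP devices announce themselves with "Profile/MIDP-2.0 Configuration/CLDC-1.1". */
    static boolean isMidlet(HttpServletRequest request) {
        String ua = request.getHeader("User-Agent");
        return ua != null && ua.indexOf("Profile/MIDP") >= 0;
    }
}
```

Register it in web.xml with a filter-mapping on /* so that nothing is reachable around it. The one set of server code covers both client kinds, but the J2ME side needs one thing the browser gets for free: HttpConnection does not store cookies, so the validation servlet should hand the MIDlet a URL produced by response.encodeURL(...) and the MIDlet must keep sending the ;jsessionid=... path parameter on later requests, otherwise the CAPTCHA_OK attribute lives in a session the MIDlet never presents again.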


Logging
The team discussed the logger design:

- The log system will record the following details of each visitor:
* IP address
* MAC address (to counter NAT)
* Access date/time
* Access counter
* CAPTCHA challenge
* CAPTCHA answer

- If a visitor requests a CAPTCHA challenge more than 5 times within 24 hours, the system will block that visitor from requesting a new CAPTCHA for 12 hours. This prevents a DoS attack in which an attacker keeps requesting new CAPTCHAs to jam the server's traffic.

CAPTCHA design for session 2
The team has decided to program a simple game-style CAPTCHA to prevent DoS attacks. The following picture illustrates the CAPTCHA idea.

- It will be a 4 x 4, 16-cell grid game.
- The user moves an object with either the keyboard or the mouse.
- The user must move the yellow object onto the pink object to complete the challenge.
- Obstacles will prevent the user from having a straight moving path for the object.
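A server-side model of the grid game, as an added example that is not the project's code. It generates a board that is solvable but has no straight-line solution, and replays the client's moves on the server, which is the part that matters for security: the applet must never be trusted to report "solved", and the board should reach the client only as drawn pixels, so a bot first has to recover the layout from the image. The move letters U/D/L/R, the obstacle count and the board characters are assumptions.

```java
// Added example, not the project's code: server-side model of the 4 x 4 grid game.
// The move letters U/D/L/R, the obstacle count and the board characters are assumptions.
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;
import java.util.Random;

public class GridCaptcha {
    static final int N = 4;               // 4 x 4, 16 cells
    static final int OBSTACLES = 4;
    static final int[][] DIRS = { {-1, 0}, {1, 0}, {0, -1}, {0, 1} }; // U, D, L, R

    final boolean[][] blocked = new boolean[N][N];
    final int startRow, startCol, goalRow, goalCol;     // yellow object, pink object

    private GridCaptcha(Random rnd) {
        startRow = rnd.nextInt(N);
        startCol = rnd.nextInt(N);
        int gr, gc;
        do { gr = rnd.nextInt(N); gc = rnd.nextInt(N); } while (gr == startRow && gc == startCol);
        goalRow = gr;
        goalCol = gc;
        int placed = 0;
        while (placed < OBSTACLES) {
            int r = rnd.nextInt(N), c = rnd.nextInt(N);
            boolean endpoint = (r == startRow && c == startCol) || (r == goalRow && c == goalCol);
            if (!endpoint && !blocked[r][c]) { blocked[r][c] = true; placed++; }
        }
    }

    /** Draws boards until one is solvable and cannot be solved by walking the shortest straight route. */
    static GridCaptcha generate(Random rnd) {
        while (true) {
            GridCaptcha g = new GridCaptcha(rnd);
            int shortest = g.shortestPathLength();
            int straight = Math.abs(g.goalRow - g.startRow) + Math.abs(g.goalCol - g.startCol);
            if (shortest > straight) return g;   // unsolvable boards return -1 and fail this test too
        }
    }

    /** Breadth-first search from the yellow object; -1 if the pink object is unreachable. */
    int shortestPathLength() {
        int[][] dist = new int[N][N];
        for (int[] row : dist) Arrays.fill(row, -1);
        Deque<int[]> queue = new ArrayDeque<int[]>();
        dist[startRow][startCol] = 0;
        queue.add(new int[] { startRow, startCol });
        while (!queue.isEmpty()) {
            int[] cur = queue.poll();
            if (cur[0] == goalRow && cur[1] == goalCol) return dist[cur[0]][cur[1]];
            for (int[] d : DIRS) {
                int r = cur[0] + d[0], c = cur[1] + d[1];
                if (inside(r, c) && !blocked[r][c] && dist[r][c] < 0) {
                    dist[r][c] = dist[cur[0]][cur[1]] + 1;
                    queue.add(new int[] { r, c });
                }
            }
        }
        return -1;
    }

    /** The server replays the client's moves; it never trusts a "solved" flag sent by the applet. */
    boolean accepts(String moves) {
        int r = startRow, c = startCol;
        for (int i = 0; i < moves.length(); i++) {
            int d = "UDLR".indexOf(moves.charAt(i));
            if (d < 0) return false;                          // unknown move letter
            r += DIRS[d][0];
            c += DIRS[d][1];
            if (!inside(r, c) || blocked[r][c]) return false; // off the board or into an obstacle
        }
        return r == goalRow && c == goalCol;
    }

    static boolean inside(int r, int c) { return r >= 0 && r < N && c >= 0 && c < N; }

    /** Text rendering for debugging: Y yellow object, P pink object, # obstacle, . free cell. */
    public String toString() {
        StringBuilder sb = new StringBuilder();
        for (int r = 0; r < N; r++) {
            for (int c = 0; c < N; c++) {
                sb.append(r == startRow && c == startCol ? 'Y'
                        : r == goalRow && c == goalCol ? 'P' : blocked[r][c] ? '#' : '.');
            }
            sb.append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        GridCaptcha g = GridCaptcha.generate(new Random());
        System.out.print(g);
        System.out.println("empty move list accepted: " + g.accepts(""));
    }
}
```

The board is kept on the server, keyed to the challenge it was issued with, and only accepts(moves) decides success. A 4 x 4 board with the layout exposed as data is solved instantly by the same breadth-first search, which is why the question "can a bot handle mouse clicks?" only matters if the layout is not handed to the bot in the first place.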

Test Plan and Test Cases

Discussion:
The test plan schedule and test case format have been designed by Lexis and Sebastian. Hence the team will need to start testing the application developed, following the RUP phase timeline.

Conclusion:
Sebastian and Adrian are assigned to do all the testing for the application.

Attendance :
Sebastian Seah
Lexis Ow
Alan Chee
Adrian


Recorded by Sebastian

Updates: Captcha Customizer v1 - Display

The Captcha Customizer display customizing design has been created. Users can change the values in the text fields to change the image size of the output CAPTCHA image.

Monday, February 25, 2008

Technical: MIDlet HTTPS

A brief introduction to why an HTTPS connection is needed: it ensures a secure channel between the server and the client. After the handshake the server and client both derive a session key from the shared secret they negotiated, and that key is used to encrypt all subsequent traffic sent between them.
Actually it's very simple to make HTTPS connections.

MISLEADING SOLUTION:
Previously, instead of the ContentConnection class, we switched to the HttpsConnection class:
HttpsConnection hc = (HttpsConnection)Connector.open(url);

We got errors like:


SOLUTION:
Based on the article here, we realised that it's an issue of "Unknown Certificates". This is because the certificates are created by us (self-signed), so they are not present in the keystore of the J2ME Wireless Toolkit.

The J2ME Wireless Toolkit contains a tool called MEKeyTool, whose purpose is to manage the public keys of certificate authorities. It is found in installation_dir/bin.

To list keys in the default keystore:
mekeytool -list

Now we have to import the certificate from the keystore used by Tomcat into the Wireless Toolkit:
mekeytool -import -alias tomcat -keystore "z:\.keystore" -storepass changeit

Run -list again and you can observe that it is now in the keystore. A point to note: when creating the certificate for Tomcat, you MUST enter the host name or IP that the MIDlet will connect to when prompted for FIRST NAME (it becomes the certificate's CN). I used the IP 10.211.55.2, so FIRST NAME is 10.211.55.2. Otherwise you will get the "Certificate does not contain the correct site name" error.

Since we now know that it was the configuration, not the code, that caused the problem, all we have to do is construct an HTTPS connection string. So instead of this:
String url = "http://localhost:8080/";
ContentConnection connection = (ContentConnection) Connector.open(url);

we change it to this:
String url = "https://localhost:8443/";
ContentConnection connection = (ContentConnection) Connector.open(url);

The cast still works because the HttpsConnection that Connector.open returns for an https URL is also a ContentConnection. Remember that the host in the URL has to match the CN in the certificate: with a certificate issued to 10.211.55.2 the URL must be https://10.211.55.2:8443/ rather than localhost, or the site name error comes straight back.

WA LA!!
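The fetch this post ends with, written out as a complete MIDP 2.0 routine. This is an added example, not the blog's code. The URL and the expected host are assumptions. The extra step worth taking is the certificate-subject check: the toolkit keystore decides which issuers are trusted and the platform checks that the CN matches the URL host, but pinning the expected subject inside the MIDlet keeps it honest even if a stray CA is later imported with mekeytool.

```java
// Added example, not the blog's code: a MIDP 2.0 fetch over HTTPS that also inspects
// the server certificate the device actually saw. The URL and expected host are assumptions.
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.pki.Certificate;

public final class SecureFetch {
    private SecureFetch() { }

    /**
     * Fetches url over HTTPS and returns the response body. Throws if the server
     * certificate's subject does not name expectedHost or the response is not 200.
     */
    public static byte[] fetch(String url, String expectedHost) throws IOException {
        HttpsConnection conn = null;
        InputStream in = null;
        try {
            conn = (HttpsConnection) Connector.open(url);
            conn.setRequestMethod(HttpConnection.GET);

            // getSecurityInfo() forces the TLS handshake; an issuer missing from the
            // toolkit keystore or a CN that differs from the URL host fails here.
            SecurityInfo info = conn.getSecurityInfo();
            Certificate cert = info.getServerCertificate();
            if (cert.getSubject().indexOf("CN=" + expectedHost) < 0) {
                throw new IOException("unexpected server certificate: " + cert.getSubject());
            }

            int rc = conn.getResponseCode();
            if (rc != HttpConnection.HTTP_OK) {
                throw new IOException("HTTP " + rc);
            }

            in = conn.openInputStream();
            ByteArrayOutputStream body = new ByteArrayOutputStream();
            byte[] buf = new byte[512];
            int n;
            while ((n = in.read(buf)) != -1) {
                body.write(buf, 0, n);
            }
            return body.toByteArray();
        } finally {
            if (in != null) in.close();
            if (conn != null) conn.close();
        }
    }
}
```

Call fetch("https://10.211.55.2:8443/", "10.211.55.2") from a worker thread, never from the MIDlet's UI thread, since Connector.open blocks until the handshake is done. With the Tomcat certificate imported as shown above, the body comes back; a host mismatch surfaces as the platform's "Certificate does not contain the correct site name" exception before the subject check in the code ever runs.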

Wednesday, February 20, 2008

Technical: MySQL commands

Feel free to add SQL commands here. An easy reference record for us.

Set root password: mysqladmin -u root password "your-chosen-passwd"
(Passing the password on the command line leaves it in the shell history and process list; run mysqladmin -u root password with no argument and it prompts for the new password instead.)

Login as root: mysql -u root -p

Show databases: show databases;

Use database: use database_name;

Create database: create database database_name;

Remove database: drop database database_name;

(database_name is a placeholder; MySQL identifiers are written bare, or in backticks, not in double quotes.)

Create table: create table cache (sessionid VARCHAR(32) NOT NULL PRIMARY KEY, challange VARCHAR(32));



Tuesday, February 19, 2008

Updates: Captcha Customizer v1 - Font Extrusion

The Captcha Customizer font extrusion design has been created. Users can change the values in the text fields and the resulting changes will be shown in the preview graph.

Monday, February 18, 2008

Updates: Captcha Customizer v1 - Fonts

The Captcha Customizer font choosing design has been created. Users can choose the desired font from the drop-down list and the style of the font will be shown in the preview panel.

The list of fonts is drawn from the system's fonts folder.

The "add" and "delete" functions are in progress.

Sunday, February 17, 2008

Technical: Tomcat wouldn't start under Windows, Java 1.6

Tomcat 5.5/6 just wouldn't start on Windows. We had to use Parallels to test J2ME against Tomcat on the Mac.

The messages showing in the jakarta_service_yyyymmdd.log file were:

[174 javajni.c] [error] The specified module could not be found.
[947 prunsrv.c] [error] Failed creating java C:\Java\bin\client\jvm.dll
[1202 prunsrv.c] [error] ServiceStart returned 1

"The specified module could not be found" for jvm.dll means a DLL that jvm.dll depends on is missing from the service's search path, not jvm.dll itself. To solve this, copy msvcr71.dll (found in %JAVA_HOME%\bin) to the %SystemRoot%\system32 directory.

Extracted from here.

Updates: Test Cases

Prior to our product testing, please refer to the sample test case (login example).

I have included it in our group folder. The file name is "!TestCaseForm(login).doc".

Saturday, February 16, 2008

Updates: Captcha Customizer v1 - Text

The Captcha Customizer text choosing design has been created. Users can select and unselect the characters they want to appear in the CAPTCHA.

Thursday, February 14, 2008

Updates: Captcha Customizer v1 - Scale

The Captcha Customizer character scaling design has been created. Users can change the values in the text fields and the resulting changes will be shown in the preview graph.

Meeting: 13 Feb 2008 (Group)

MINUTES OF THE GROUP MEETING OF EPIC4SECURITY, HELD ON MONDAY, 13 February 2008, AT 7.30PM IN THE SIM STUDENT LOUNGE.


1. Matters Arising
Lexis and Alan reported that they had found some code for an OCR, to be implemented as a Java application to demonstrate an "OCR attack against our captcha".

2. Documentation
2.1 Website
Lexis reported that the website is done, but it is lacking content. Alan suggested starting with the About Us/Our Team section. The following will be added:
a) Project Name
b) Group Members
c) Individual Tasks
d) Supervisor Name
e) Assessor Names
f) Date last modified
Action by: Lexis

2.2 Test Cases and Test Plan
Based on the RUP methodology, we are in the Construction Phase and beta testing of our prototype should begin at any time. A test plan and test scenario with test cases should be drawn up. The format of the test document will be based on RUP. Lexis is tasked to draft the documents' format by 17 Feb.
Action by: Lexis
3. Captcha Design

3.1 Review of our design v3.2.

Sebastian suggested that we should improve the visibility of the current design. He suggested including more lighting; however, this may affect the load time of the CAPTCHA word. Alan is tasked to add one more light and also to monitor the load it puts on the Tomcat server. Alan is also tasked to work with more colours other than the current white/black.

Also, to reduce the complexity of the design, Sebastian suggested reducing the angle rotations of the characters. Z-axis rotation will be removed. X- and Y-axis rotations will be drawn from a range of given values:
X: Max=20, Min=-20, can be 0;
Y: Max=45, Min=25 & Max=-25, Min=-45;

It was also suggested that the type of fonts be revised, as the current fonts have look-alike symbols such as '1' and 'I', or 'I' and 'l'. A revised prototype with the new features will be submitted by Alan by 20 Feb.
Action by: Alan

3.2 Finalised Captcha Design.
Sebastian announced that the team will finalise the current design with the above-mentioned adjustments, and concentrate on developing a new CAPTCHA design idea.

3.3 Customizer Tool
The group decided to include a customizer tool, which allows easy customisation of the CAPTCHA design. It will have a simple user interface targeted at end users. It will be implemented as a local application, accessible only by the administrator of the organisation. This application will produce/edit a configuration/profile text file which is read in by the CAPTCHA program. It allows the user to change the following features:
a) type of font used
b) no. of characters used
c) colours
d) scaling/frame size
e) angle used
Alan is assigned to work on the customizer tool and is authorised to add other features based on his judgement. Lexis will assist him. They are expected to make their deliveries by 30 Feb to be reviewed by the team.
Action by: Alan, Lexis

3.4 New Captcha Design
Alan suggested implementing a simple game, in web applet form. This game requires mouse-click interaction from the user. The game plan is that the user controls a main character and must move the character to a specific destination. However, between the character and its destination there will be obstacles and dead zones which will void the game play. We will take advantage of collision detection and terrain following in Java3D. Research must be done on the following before commencement of the new design:
a) Can a bot handle mouse clicks?
b) Can an applet talk to a servlet?
c) Load time of the applet?
Action by: Alan, Lexis

4. System Design

4.1 Validation
Sebastian reported that the current implementation of CAPTCHA validation is improper and insecure. The current technique uses a session ID passed from the client to the server, compares it with the session ID held by the server, and then validates the CAPTCHA keyword associated with it. No matter how hard our CAPTCHA is, attackers can bypass it without typing the CAPTCHA at all, simply by re-using the session ID of a known CAPTCHA image. The validation algorithm needs to be revised. Lexis suggested researching HMAC, which stands for keyed-Hash Message Authentication Code and is a more secure scheme. Research findings should be submitted by 20 Feb and implementation should take place by 30 Feb.
Action by: Sebastian, Lexis

4.2 Logging
Sebastian reported that attackers can also flood our CAPTCHA server by continuously requesting the CAPTCHA image and doing nothing in return. Adrian suggested that we can overcome this problem with logging.
Adrian is tasked with the logging part. He will capture:
a) IP address of visitor
b) MAC address (can this prevent NAT?)
c) Date and time
d) Session ID

He will also create a module to check visitors against the log file. It should check whether a visitor has requested the CAPTCHA more than 5 times and block them if necessary. This is to stop users who continuously enter a wrong CAPTCHA and keep requesting a new one, or who try to access illegal web URLs.
Action by: Adrian

4.3 Server
Adrian is tasked to ensure that the server is able to run the respective Java servlets.
Action by: Adrian

4.4 MIDlet
The current MIDlet is unable to support HTTPS. It uses a DataInputStream over a ContentConnection. To work with HTTPS, javax.microedition.pki.* is required and an HttpsConnection will replace the current ContentConnection. Lexis and Sebastian are tasked to research this and perform the relevant testing against Adrian's server over HTTPS. They are expected to deliver results by 25 Feb.
Action by: Sebastian, Lexis
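One way the HMAC research from 4.1 can come out, as an added example that is not the project's code: the server issues, alongside the image, a token that binds a fresh nonce, an expiry and the answer under a server-side key, and accepts each token once. HMAC on its own does not stop the attack in 4.1 (a captured token for a known image replays just as well as a session ID); the single-use nonce is what closes that hole, and spending the nonce before comparing the answer also denies an attacker more than one guess per image. The token layout (nonce.expiry.tag), the five-minute lifetime and the secret are assumptions made for this illustration.

```java
// Added example, not the project's code: a single-use HMAC token bound to the answer.
// The token layout (nonce.expiry.tag), the lifetime and the secret are assumptions.
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacCaptchaToken {
    private static final String ALG = "HmacSHA256";
    private static final long TTL_MS = 5 * 60 * 1000L;   // challenge valid for five minutes

    private final SecretKeySpec key;                      // server secret; never leaves the server
    private final SecureRandom random = new SecureRandom();
    /** Nonces already redeemed; entries may be dropped once their expiry has passed. */
    private final Set<String> spent = Collections.synchronizedSet(new HashSet<String>());

    public HmacCaptchaToken(byte[] secret) {
        key = new SecretKeySpec(secret, ALG);
    }

    /** Issued together with the image: nonce.expiry.HMAC(key, nonce|expiry|answer). */
    public String issue(String answer, long now) throws Exception {
        byte[] n = new byte[16];
        random.nextBytes(n);
        String nonce = hex(n);
        long expiry = now + TTL_MS;
        return nonce + "." + expiry + "." + hex(tag(nonce, expiry, answer));
    }

    /**
     * One attempt per token: the nonce is spent before the answer is compared, so a
     * wrong guess burns the challenge and a replayed token (the 4.1 attack) is refused.
     */
    public boolean verify(String token, String userAnswer, long now) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        long expiry;
        byte[] given;
        try {
            expiry = Long.parseLong(parts[1]);
            given = unhex(parts[2]);
        } catch (IllegalArgumentException e) {       // NumberFormatException is a subclass
            return false;
        }
        if (now > expiry) return false;               // stale challenge
        if (!spent.add(parts[0])) return false;       // already used: replay or second guess
        return constantTimeEquals(tag(parts[0], expiry, userAnswer), given);
    }

    private byte[] tag(String nonce, long expiry, String answer) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(key);
        String msg = nonce + "|" + expiry + "|" + answer.trim().toLowerCase(Locale.ROOT);
        return mac.doFinal(msg.getBytes("UTF-8"));
    }

    /** Compares every byte regardless of where the first mismatch is. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] unhex(String s) {
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd length");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; in production load it from server-side configuration.
        HmacCaptchaToken server = new HmacCaptchaToken("replace-with-32-random-bytes".getBytes("UTF-8"));
        long now = System.currentTimeMillis();
        String token = server.issue("x7k2pq", now);
        System.out.println(server.verify(token, "X7K2PQ", now + 1000));    // right answer, first use
        System.out.println(server.verify(token, "X7K2PQ", now + 2000));    // same token replayed
        System.out.println(server.verify(server.issue("abc", now), "abd", now)); // wrong answer
    }
}
```

The in-memory spent set is enough for one Tomcat instance; for more than one node, or to survive a restart, the redeemed nonces go in a table keyed on the nonce (the cache table from the MySQL notes on this page is the same idea with sessionid as the key), and rows can be purged once their expiry has passed.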


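The throttling rule from 4.2, with the numbers the 26 Feb minutes above settled on (more than 5 challenges in 24 hours earns a 12-hour block), as an added example that is not the project's code. Keying the limit on the client IP is an assumption. The MAC address discussed in both meetings is not visible to a web server once the packet has crossed a router, so it cannot serve as the key; several visitors behind one NAT will share one IP and therefore one budget, which is the trade-off a per-IP limit makes.

```java
// Added example, not the project's code: per-visitor request budget for the challenge
// endpoint. Keying on the client IP and the constants below are assumptions.
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

public class CaptchaRequestLimiter {
    static final int MAX_REQUESTS = 5;                         // allowed per window
    static final long WINDOW_MS = 24L * 60 * 60 * 1000;        // 24 hours
    static final long BLOCK_MS = 12L * 60 * 60 * 1000;         // 12 hours

    /** Timestamps (ms) of recent challenge requests, oldest first, per visitor key. */
    private final Map<String, Deque<Long>> history = new HashMap<String, Deque<Long>>();
    /** Visitors currently blocked, with the time their block ends. */
    private final Map<String, Long> blockedUntil = new HashMap<String, Long>();

    /** Returns true if the visitor may receive a new challenge at time now (ms since epoch). */
    public synchronized boolean allow(String visitorKey, long now) {
        Long until = blockedUntil.get(visitorKey);
        if (until != null) {
            if (now < until) return false;          // still serving the 12-hour block
            blockedUntil.remove(visitorKey);        // block expired
        }
        Deque<Long> times = history.get(visitorKey);
        if (times == null) {
            times = new ArrayDeque<Long>();
            history.put(visitorKey, times);
        }
        // Drop requests that fell out of the sliding 24-hour window.
        while (!times.isEmpty() && now - times.peekFirst() >= WINDOW_MS) {
            times.pollFirst();
        }
        if (times.size() >= MAX_REQUESTS) {
            // This request would be the sixth inside the window: start the block.
            blockedUntil.put(visitorKey, now + BLOCK_MS);
            times.clear();
            return false;
        }
        times.addLast(now);
        return true;
    }

    public static void main(String[] args) {
        CaptchaRequestLimiter limiter = new CaptchaRequestLimiter();
        String ip = "10.0.0.7";                      // constructed visitor
        long minute = 60 * 1000L;
        // Seven requests a minute apart: the sixth trips the block, the seventh is refused.
        for (int i = 1; i <= 7; i++) {
            System.out.println("request " + i + " allowed: " + limiter.allow(ip, i * minute));
        }
        // Twelve hours after the block started the visitor is admitted again.
        System.out.println("after block: " + limiter.allow(ip, 6 * minute + BLOCK_MS));
    }
}
```

Wire allow() into the challenge servlet before the image is generated, so a refused visitor costs the server nothing but a 429 or 403 response; the state here is per JVM, so the same caveat about multiple Tomcat nodes applies as for the nonce set.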

5. Presentation Debrief
During the presentation, there were some questions from Adrian Choo. As there is uncertainty about one of the questions regarding image/text CAPTCHA, Alan is assigned to follow up by email with Adrian Choo to clarify the question he asked. Alan will forward the reply to the team.
Action by: Alan
6. A.O.B
6.1 Adrian will be away from 17 Feb to 21 Feb.
6.2 Lexis will be on ICT from 19 Mar to 29 Mar.

There being no other matters, the meeting was closed at 9.59pm.

Sebastian will notify us the venue, date and time for the next meeting. Happy New Year to all.

Attendance:
Sebastian Seah
Lexis Ow
Alan Chee
Adrian Chia

Recorded by: Lexis







Tuesday, February 12, 2008

Updates: Captcha Customizer v1 - Angles

The Captcha Customizer angle rotation design has been created. Users can change the values in the text fields and the resulting changes will be shown in the preview graph.

Monday, February 11, 2008

Updates: Captcha Customizer v1 - Position

The Captcha position customizer design has been created. Users can change the values in the text fields and the effect of the new values will be shown in the graph.

Saturday, February 9, 2008

Updates: Captcha Customizer v1

Captcha Customizer v1 has been developed.

The screenshot above shows the main frame the user sees when launching the customizer. Clicking on the "Epic 4 Security" logo automatically opens the system default web browser and brings the user to the "Epic 4 Security" web site.


Tuesday, February 5, 2008

Technical: Applet Servlet Communication

We decided that the "New Captcha" will be implemented as a Java3D interactive game, which requires interaction with the user. The only way is perhaps through a Java applet...

Now what worries us is whether an applet can talk to a servlet.

Heaven's on our side. We found a nice example showcasing applet and servlet communication. It shows how data is sent to a servlet from an applet and how the applet receives an answer from the servlet.

http://www.frank-buss.de/echoservlet/index.html

The applet sandbox does not get in the way here: an unsigned applet may open network connections back to the host it was loaded from, which is exactly where the servlet lives.

More comments will be added once we get the hang of the code.

Saturday, February 2, 2008

Updates: End of Session Debrief

We had our first presentation yesterday. Thanks everyone for the effort you have put in. Everything was smooth, no cock-ups, and we made our delivery as targeted. These are the questions put to us during the presentation. We will brainstorm them over the weekend and have them on our agenda for this coming Monday's group meeting (04 Feb 2008).

1) RUP - how do we apply it to our project?
2) Show an attack on our CAPTCHA.
3) How do we prevent OCR attacks? (Prove it. Show how it is actually done.)
4) How do we prevent brute force? (Prove it.)
5) How are we better than the market's CAPTCHAs? (Prove it.)
6) Either text/picture CAPTCHA or an extra picture with text? (Blur?!?)


Friday, February 1, 2008

Technical: Image Format

The CAPTCHA image output by the servlet has been changed to Portable Network Graphics (PNG) instead of JPEG File Interchange Format (JPG).