Updates: Replaced SHA-1 with SHA-512

Following up with the advise given by our supervisor, and with the fact that SHA-1 has been broken. We replaced the old SHA-1 Message Digest Algorithm with SHA-512.

Some notes about SHA. It stands for Secure Hash Algorithm. It computes a fixed-length message digest (String) of an input message of any length. The five algorithms are denoted SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-224, SHA-256, SHA-384, and SHA-512 are classify under SHA-2.

Differences among them is the bit length of the digest they produce. SHA-512 produce a 64-char String.



From the diagram above, obtained from Wikipedia, till date no attacks have been found against SHA-2.

After searching on google, hoping to find an example of how to implement SHA-512 on Java .. there were none ... then we found something similar. Since Java 1.4.2, there is the Java Cryptographic Extension (JCE). It support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.

So now what we have to do is change
MessageDigest md = MessageDigest.getInstance("SHA-1");
to
MessageDigest md = MessageDigest.getInstance("SHA-512");

and increase the HASH length in the CACHE table to 64.

My full method() code below


public static String SHA(String text)

throws CaptchaException {
MessageDigest md = null;
try {
// Can be MD5 (128bit), SHA-1(160bit), SHA-256, SHA-384,SHA-512
md = MessageDigest.getInstance("SHA-512");
byte data[] = md.digest(text.getBytes("UTF-8"));

StringBuffer buf = new StringBuffer();
for (int i = 0; i < data.length; i++) {
int halfbyte = (data[i] >>> 4) & 0x0F;
int two_halfs = 0;
do {
if ((0 <= halfbyte) && (halfbyte <= 9))
buf.append((char) ('0' + halfbyte));
else
buf.append((char) ('a' + (halfbyte - 10)));
halfbyte = data[i] & 0x0F;
} while(two_halfs++ < 0);
}
return buf.toString();
}
// might be thrown by MessageDigest.getInstance
catch (NoSuchAlgorithmException e) {
throw new CaptchaException(e.getMessage());
}
// might be thrown by text.getBytes
catch (UnsupportedEncodingException e) {
throw new CaptchaException(e.getMessage());
}
}

Meeting 26 March 2008

Text CAPTCHA Demo, Design and Implementation Review

Discussion:
Alan showing the demo on the Text CAPTCHA with validation and logging to block attacks to supervisor.

Conclusions:
· CAPTCHA design
- Some characters are difficult to be identified. Need to fine tune it.
- The contrast between the text and the background for the blue color design of the captcha is difficult to be identified by user. Either remove the color “blue” or change the text color.

· CAPTCHA implementation
- The text remains unchanged after refresh. Need to kill the session every time after each refresh.
- Current hashing algorithm used is SHA1, hash algorithms MD5 and SHA1 had been broken.
Need to change to other hashing algorithm, suggested SHA256 or SHA512.

· CAPTCHA design methodology
- The CAPTCHA engine should be portable. The engine should be able to be used on as a
mobile application as well as a web based plug-in.

Action items
Fine Tune CAPTCHA Design by ALAN

Kill Session Every Time After Each Refresh by LEXIS
Change Current Hashing Algorithm to SHA256 or SHA512 by LEXIS

Image CAPTCHA Demo, Design and Implementation Review.

Discussion:
Alan demo the new CAPTCHA design to supervisor. Supervisor review and comments.

Conclusions:
· Current image CAPTCHA has too few images, low permutation, thus is subjected to brute force attacks.
· Need to increase the amount of images, required to have a huge database.
· Suggested to implement the image and text CAPTCHA together, images and text appear at random.


Action items
Increase amount of images to enlarge database by TEAM
Implement image and text CAPTCHA together by LEXIS and ALAN


CAPTCHA Customizer Demo and Review.

Discussion:
Alan demo the CAPTCHA customizer to supervisor. Supervisor review and comment.
Conclusions:
· Position Module
- The grid coordinates cannot be seen clearly as the font size is too big which causes
overlapping, reduce the font size to make it clearer and change the font color if need to.
- Need to limit the range of position as the character will be out of range when a user enter a
value wider than the interface.

· Purge Logs Module
- The position of the “date” label is wrong, need to reposition it.
- The logs are unable to delete according to the specific date. Need to rectify it.

Action items
Change the font size of the grid coordinates by ALAN
Limit the range of position by ALAN
Reposition of the “date” label by ALAN
Delete logs according to the specific date by ALAN

Presentation Slides, Demo and MPEG Video

Discussion:
The team discusses with supervisor the content to show in the presentation slides and demo.
Conclusions:
· Presentation Slides
- Show the logging policy
- Can state the flaw of the image CAPTCHA if implement standalone and the solutions to it. Can
state it in the report if there’s no intention of including it in the presentation slides.


· Demo
- For the customizer, demo only 1 or 2 of the more important functions as there are too many
functions in it.

· MPEG Video
- A video on our presentation with the presentation slides and demo.
- Can use it as a rehearsal of our presentation and demo.

Action items
Power Point Slide by SEBASTIAN
MPEG Video by LEXIS

Project Development at Alan's Place

Today is public holiday. And we are spending it wisely as time is running out fast. We achieve the followings today.

EPIC CAPTCHA Screen Shot

In white

In Red

In Blue

Can you identify the char in these image?

I think you can, but OCR tools can not !

Result reading from FreeOCR V1:

White : ’JC5'£ l‘¥[€[

Red : 2Z' lT'·E'¥N

Blue : 2G! grip

The correct answer should be

White : O53RLZ4B

Red : ZZ'BC#08

Blue : 32O48L@=

Have you got it ?

Meeting : 15 March 2008

CAPTCHA Design
Alan update on CAPTCHA 3D text design V4.0 now can be displayed in red, blue, yellow and green color.

CAPTCHA customizer
Alan demo on CAPTCHA customizer tools V4.0 which updated base on comments given by Supervisor.

· Users enter field must implement with error entry checking.
· Remove the unused field to prevent confusion from users.
· Preview of the effect should reflect to the actual value entered by users.

CAPTCHA Answer Validation
Lexis update the CAPTCHA validation system V1.1 which developed based on J2EE Form-based Authentication service to the team.

Discussion:
1. CAPTCHA answer given by end users can be validated accurately.
2. J2ME validation system has been developed. It will use the same validation structure with normal web version. End users now able to use the J2ME enable device to request and answer to the CAPTCHA challenge.
3. Validation data is now stored in database instead of Hash Table which use hip memory. CAPTCHA answer validation timestamp is set to 300 sec.

Action:
Lexis and Alan will need to combine the CAPTCHA text design with the validation system.



Logging

Sebastian and Adrian has come out with a Logging system which can prevent users from attacking the CAPTCHA system.

1. The following users information will be logged :
· Session ID
· IP address
· Time request the CAPTCHA challenge
· CAPTCHA status ( Not Answer / Correct / Incorrect)

2. Three policies have been designed in order act as the guideline to filter the possible attackers:

Policy 1
Problem : Attacker keep request a new captcha in short period but different SESSION ID
How : Prevent them can keep request
By : Check if this IP ADDRESS request more than 100 times in 60 sec, BLOCK for 12 hours

Policy 2
Problem : Attacker keep request a new captcha but does not give any answer with different SESSION ID
How : Prevent them can keep request
By : Check if this IP ADDRESS , no. na / no request in last 1 Hour is more than 50 %, BLOCK for 12 Hours

Policy 3
Problem : Attacker keep request a new captcha by trying the possible answers (Brute Force) different SESSION ID
How : Prevent them can keep request
By : Check if this IP ADDRESS , incorrect / no request in last 1 Hour is more than 50 %, BLOCK for 12 Hours

3. The value for the following field can be adjusted by system admin in order to suite their service needs and condition:
· Pass time to be checked.
· Repeat times of requesting.
· Percentage of users not answer or given incorrect answer.
· Block duration.

Action:
Adrian and Sebastian will continue implement the descript design to the log system.

New CAPTCHA design
Team has decide to implement the image base CAPTCHA into our current CAPTCHA design.

Discussion:

The following are the new image CAPTCHA design features :

1. Need the users to identify the object inside the image.
2. Simple object image will be used, for instant cat, dog, car and etc.
3. Image will be overlayed with designed frames in order to prevent attacker from having the standard image scanning algorithm.
4. The image will be also be rotated in order to increase the image security.
5. The design will be "prove of concept" ideal as it might need huge image database in order to prevent the brute force attack.
6. Image CAPTCHA will be implemented into 3D text CAPTCHA. Hence user will get different base of CAPTCHA randomly.

Action items
Image CAPTCHA implementation, by TEAM

Voice Features
Team decided to add the voice features to the current 3D TEXT CAPTCHA design.

Discussion:
The purposes of the voice system implementation are:

-To help the handicap internet users (mainly blind) to solve the CAPTCHA challenge.
-To help elderly who has poor eyesight due to age problem for identifying the CAPTCHA challenge.
-To help internet users who can not identifying CAPTCHA challenge characters.

The voice of each character is stored in MP3 format in order increase the voice streaming speed. In order to prevent the attacker to break the CAPTCHA challenge by reading the voice file name of each characters, all the CAPTCHA challenge voice files are concatenated into a single MP3 files called “CAPTCHA.mp3” before streaming to the client tier. Below diagram illustrates how the voice concatenation works.
Action:
Image CAPTCHA implementation, by TEAM

Attendance :
- SEAH CHOON YEE, SEBASTIAN
- CHEE SUEN SIANG, ALAN
- CHIA U-MENG, ADRIAN
- OW WAI LEONG, LEXIS

Technical: To Solve Relative FilePath on Servlets

This will solved the issue of using a relative path in the servlet.

Snippet of the Servlet ReadFromFile.java:

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class ReadFromFile extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {

res.setContentType("text/html");

ServletOutputStream out = res.getOutputStream();
out.println("<html>");
out.println("<head><title>Read From File</title></head>");
out.println("<body>");

// print the file
InputStream in = null;
try {
  in = new BufferedInputStream
  /**
   * I placed this servlet at $TOMCAT/webapps/ROOT/WEB-INF/classes/
   * The code "req.getRealPath" will point u to $TOMCAT/webapps/ROOT
   * So I create another folder called library under ROOT, and place my test.txt inside.
   */
  (new FileInputStream(req.getRealPath("/library/test.txt")) );
  int ch;
  while ((ch = in.read()) !=-1) {
     out.print((char)ch);
  }
 }
 finally {
       // close the InputStream
       if (in != null) in.close();
 }
 out.println("</body></html>");
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletExceptio
{
  doGet(request, response);
}
}

Technical: Using Apache Ant

Ant is a tool for automating software build, i.e compile and execution. It is similar to our "make" files, except that it is written in Java and requires the Java2 Platform.

You code whatever you want Ant to do in a XML, and by default it is named build.xml

We can do the following with Ant to ease our job:
- Compile Java Servlets
- Creating the JAR File
- Deploy/Clean up our Project
- Start/Stop Tomcat

Meeting: 06 Mar 2008 (w/ Supervisor)

CAPTCHA Design
Team demo the CAPTCHA 3D text design V4.0 which currently still work in Java Applet platform to the supervisor.

Discussion:

Supervisor satisfy with the CAPTCHA design and feedback with the following comment :

· Need to change some of the font type to other which is easier to be identified by the users.
· Try to implement multicolor CAPTCHA design.
· Need to adjust some of the characters angles to make their shading and shadow more obvious to be identified.

Action:

Above suggestion will be updated by ALAN and Sebastian in newer CAPTCHA design.

CAPTCHA customizer
Team demo the CAPTCHA customizer tools V3.0 to the supervisor. Below are some of the print screen from the CAPTCHA customizer tools.

Discussion:

Supervisor satisfy with the CAPTCHA customizer design and feedback with the following comment :
· Users enter field must implement with error entry checking.
· Remove the unused field to prevent confusion from users.
· Preview of the effect should reflect to the actual value entered by users.

Action:

Above suggestion will be updated by ALAN in newer CAPTCHA Customizer Tools version.

CAPTCHA Answer Validation

Team demo the CAPTCHA validation system V1.0 which developed based on J2EE Form-based Authentication service to the supervisor.

Discussion:
Supervisors satisfy with the validation system and feedback with the following comment:

· The validation must be secure to prevent attackers from by pass the CAPTCHA system.
· Only 1 set of server code needed to be developed in order to validate the answer from normal computer web and J2ME users.
· CAPTCHA validation answer should store in DATABASE system instead of Hash Table which use hip memory.

Action :
Lexis and Sebastian will update the Supervisor feedback in newer validation system.

Logging

Team discussed with Supervisor regarding the logger design:
Discussion: Team explained to Supervisor regarding the implementation of log system to the CAPTCHA system. The following are the details:

1. Log system will log the following details of the visitors:
· IP address
· MAC address (Prevent NAT)
· Access date/time
· CAPTCHA challenge
· CAPTCHA answer

2. If a visitor request the CAPTCHA challenge more than 5 times within 24 hours, the system will block the visitors from requesting a new CAPTCHA again for 12 hours. This can prevent DoS attack by stoping an attacker keep requesting for new CAPTCHA to jam the server traffic.

3. The log system could prevent the following attacks :
· An attacker who is trying to do brute force attack to break the CAPTCHA answer.
· An attacker who trying the request the CAPTCHA challenge to drain the server resource.

Supervisor approves the log design and gives green light for team to implement it to the current CAPTCHA design.

Action:
Adrian and Sebastian will start the design and actual implementation of the log system.

CAPTCHA design for session 2

The Game based CAPTCHA ideal is rejected by Supervisor.

Discussion:
Supervisor advice that hackers could try to write an “object moving” script to break the game. Hence he advice us to come out with other CAPTCHA design like image or Chinese character CAPTCHA.

Action:
Team will need to come out with another CAPTCHA design.

Attendance :

- TAN HAN CHIANG

- SEAH CHOON YEE, SEBASTIAN

- CHEE SUEN SIANG, ALAN

- CHIA U-MENG, ADRIAN

- OW WAI LEONG, LEXIS

Technical: Login Authentication

When you try to access a protected web resource, the web container activates the authentication mechanism that has been configured for that resource. You can specify the following authentication mechanisms in J2EE:

- HTTP basic authentication
- Form-based login authentication
- Client certificate authentication
- Mutual authentication
- Digest authentication

We will focus more on Form-based login authentication. I will show u in a while how this is related to our captcha structure.

With form-based authentication, the following things occur:

A client requests access to a protected resource.
If the client is unauthenticated, the server redirects the client to a login page.
The client submits the login form to the server.
If the login succeeds, the server redirects the client to the resource. If the login fails, the client is redirected to an error page and prompt user to try again.

In reference to our captcha structure, the username refers to the Session ID. Each connection to the server established a unique SessionID. Password is the captcha String. The captcha String will be generated using a Time SEED. The SessionID and its associated captcha String is stored in a Cache in a HashMap. Upon authentication, successful or failed, the session will be forced invalidated, and the record is removed from the cache.


Form-based authentication is not particularly secure. Why? In form-based authentication, the content of the user dialog box is sent as plain text, and the target server is not authenticated. This form of authentication can expose your user names and passwords. If someone can intercept the transmission, the user name and password information can easily be decoded. However all these can be solved by securing all connections are over SSL.

Technical: To get the Mac address of a host

In JDK 1.6 a new method is added in the java.net.NetworkInterface class, this method is getHardwareAddress().

This simple example below will illustrate:

import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;

public class MacAddress {

public static void main(String[] args) {
try {
InetAddress address = InetAddress.getLocalHost();

/*
* Get NetworkInterface for the current host and then read the
* hardware address.
*/
NetworkInterface ni = NetworkInterface.getByInetAddress(address);
byte[] mac = ni.getHardwareAddress();

/*
* Extract each array of mac address and convert it to hexa with the
* following format 08-00-27-DC-4A-9E.
*/
for (int i = 0; i < mac.length; i++) {
System.out.format("%02X%s", mac[i], (i < mac.length - 1) ? "-" : "");
}
} catch (UnknownHostException e) {
e.printStackTrace();
} catch (SocketException e) {
e.printStackTrace();
}
}
}