Sunday, March 16, 2008

Meeting: 15 March 2008



CAPTCHA Design
Alan gave an update on the CAPTCHA 3D text design V4.0, which can now be displayed in red, blue, yellow and green.





CAPTCHA customizer
Alan demonstrated the CAPTCHA customizer tool V4.0, which was updated based on comments given by the Supervisor.

· User entry fields must implement error checking on the entered values.
· Remove unused fields to prevent confusion for users.
· The preview of the effect should reflect the actual values entered by users.

CAPTCHA Answer Validation
Lexis presented to the team the CAPTCHA validation system V1.1, which was developed on top of the J2EE Form-based Authentication service.

Discussion:
1. CAPTCHA answers given by end users can be validated accurately.
2. A J2ME validation system has been developed. It uses the same validation structure as the normal web version, so end users can now use a J2ME-enabled device to request and answer a CAPTCHA challenge.
3. Validation data is now stored in the database instead of a hash table, which used heap memory. The validity period of a CAPTCHA answer (its validation timestamp) is set to 300 sec.
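To make the third point concrete, here is an added example (not the project's own code) of the answer-validation logic that the web and J2ME paths share: one challenge per session ID, a 300-second validity window as stated above, single use, and a constant-time comparison. The in-memory store, the answer alphabet, the case-insensitive comparison and the status names are assumptions standing in for the project's database table.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Validity window from the minutes; the store below is an in-memory stand-in
# for the project's database table (its shape is an assumption).
CHALLENGE_TTL_SECONDS = 300
# Constructed alphabet: letters and digits without the 0/O and 1/I look-alikes.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_answer(length: int = 6) -> str:
    """Generate a fresh challenge answer with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class ChallengeStore:
    """Maps session ID -> (answer, issued_at). Both the web and the J2ME
    clients are expected to go through the same store."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[str, float]] = {}

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        """Create a challenge for a session; re-issuing replaces the old one."""
        answer = new_answer()
        self._rows[session_id] = (answer, time.time() if now is None else now)
        return answer

    def validate(self, session_id: str, given: str, now: Optional[float] = None) -> str:
        """Return 'correct', 'incorrect', 'expired' or 'no_challenge'.

        The row is consumed on every attempt, so a correct answer cannot be
        replayed and a wrong guess cannot be retried against the same challenge.
        """
        now = time.time() if now is None else now
        row = self._rows.pop(session_id, None)
        if row is None:
            return "no_challenge"
        answer, issued_at = row
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return "expired"
        # Constant-time comparison; case-insensitive matching is an assumption.
        if hmac.compare_digest(answer.encode(), given.strip().upper().encode()):
            return "correct"
        return "incorrect"


if __name__ == "__main__":
    store = ChallengeStore()
    answer = store.issue("demo-session", now=1000.0)
    print(store.validate("demo-session", answer, now=1200.0))   # inside the window
    print(store.validate("demo-session", answer, now=1201.0))   # already consumed
```

Popping the row before checking anything is the important detail: whatever the outcome, the challenge is gone, which is what makes the 300-second window and the single-use property hold even if the client retries.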

Action:
Lexis and Alan will need to combine the CAPTCHA text design with the validation system.



Logging

Sebastian and Adrian have come up with a logging system that can help prevent users from attacking the CAPTCHA system.

1. The following user information will be logged:
· Session ID
· IP address
· Time the CAPTCHA challenge was requested
· CAPTCHA status (Not Answered / Correct / Incorrect)

2. Three policies have been designed to act as guidelines for filtering possible attackers:

Policy 1
Problem: Attacker keeps requesting a new CAPTCHA in a short period, each time with a different session ID.
How: Prevent them from continuing to request.
By: Check whether this IP address has requested more than 100 times in 60 sec; if so, BLOCK it for 12 hours.

Policy 2
Problem: Attacker keeps requesting a new CAPTCHA with different session IDs but never gives an answer.
How: Prevent them from continuing to request.
By: Check whether, for this IP address, the ratio of not-answered challenges to total requests in the last 1 hour is more than 50%; if so, BLOCK it for 12 hours.

Policy 3
Problem: Attacker keeps requesting a new CAPTCHA with different session IDs and tries the possible answers (brute force).
How: Prevent them from continuing to request.
By: Check whether, for this IP address, the ratio of incorrect answers to total requests in the last 1 hour is more than 50%; if so, BLOCK it for 12 hours.

3. The values of the following fields can be adjusted by the system admin to suit their service needs and conditions:
· Time window to be checked.
· Number of repeated requests.
· Percentage of users not answering or giving an incorrect answer.
· Block duration.
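The three policies and the admin-adjustable fields above map naturally onto a small evaluation routine run over the logged records. The following is an added example (not the team's log system) that applies the policies in order to all requests from one IP address, keyed on IP precisely because the session ID changes on every request. The log entries are constructed for the example; the `min_requests` setting is an assumption not in the minutes, added so that the ratio policies do not block a visitor whose very first challenge timed out.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

NOT_ANSWERED, CORRECT, INCORRECT = "NOT_ANSWERED", "CORRECT", "INCORRECT"


@dataclass
class PolicyConfig:
    """The admin-adjustable fields, defaulting to the values in the minutes."""
    burst_window_sec: int = 60        # Policy 1: time window to be checked
    burst_max_requests: int = 100     # Policy 1: repeated requests allowed in that window
    ratio_window_sec: int = 3600      # Policies 2 and 3: time window to be checked
    ratio_threshold: float = 0.5      # Policies 2 and 3: more than 50% triggers a block
    block_sec: int = 12 * 3600        # block duration
    min_requests: int = 10            # ASSUMPTION: minimum sample before ratio policies apply


@dataclass
class LogEntry:
    session_id: str
    ip: str
    requested_at: int   # epoch seconds when the challenge was requested
    status: str         # NOT_ANSWERED / CORRECT / INCORRECT


@dataclass
class Verdict:
    action: str                       # "allow" or "block"
    policy: Optional[str] = None      # which policy fired, if any
    blocked_until: Optional[int] = None


def evaluate_ip(log: List[LogEntry], ip: str, now: int,
                cfg: Optional[PolicyConfig] = None) -> Verdict:
    """Apply Policy 1, then 2, then 3 to every logged request from one IP."""
    cfg = cfg or PolicyConfig()
    mine = [e for e in log if e.ip == ip]

    # Policy 1: too many requests in a short window, regardless of session ID.
    burst = [e for e in mine if now - e.requested_at <= cfg.burst_window_sec]
    if len(burst) > cfg.burst_max_requests:
        return Verdict("block", "policy1", now + cfg.block_sec)

    # Policies 2 and 3: status ratios over the longer window.
    window = [e for e in mine if now - e.requested_at <= cfg.ratio_window_sec]
    if len(window) >= cfg.min_requests:
        counts = Counter(e.status for e in window)
        if counts[NOT_ANSWERED] / len(window) > cfg.ratio_threshold:
            return Verdict("block", "policy2", now + cfg.block_sec)
        if counts[INCORRECT] / len(window) > cfg.ratio_threshold:
            return Verdict("block", "policy3", now + cfg.block_sec)
    return Verdict("allow")


def build_sample_log(now: int) -> List[LogEntry]:
    """Constructed log data for the example; not real traffic."""
    log: List[LogEntry] = []
    # 10.0.0.1: 150 challenges in the last 30 seconds, a new session each time
    for i in range(150):
        log.append(LogEntry(f"sa{i}", "10.0.0.1", now - (i % 30), NOT_ANSWERED))
    # 10.0.0.2: 20 challenges spread over the last hour, 15 never answered
    for i in range(20):
        log.append(LogEntry(f"sb{i}", "10.0.0.2", now - 120 * i,
                            NOT_ANSWERED if i < 15 else CORRECT))
    # 10.0.0.3: 20 challenges, 15 answered wrongly (guessing)
    for i in range(20):
        log.append(LogEntry(f"sc{i}", "10.0.0.3", now - 120 * i,
                            INCORRECT if i < 15 else CORRECT))
    # 10.0.0.4: an ordinary visitor, 8 correct and 2 wrong over 45 minutes
    for i in range(10):
        log.append(LogEntry(f"sd{i}", "10.0.0.4", now - 300 * i,
                            CORRECT if i < 8 else INCORRECT))
    return log


if __name__ == "__main__":
    now = 1_700_000_000
    log = build_sample_log(now)
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
        print(ip, evaluate_ip(log, ip, now))
```

Two caveats worth keeping in mind when tuning the fields: the ratio policies key on IP address, so a block also hits everyone behind the same NAT or proxy, and the `min_requests` floor is what keeps a single timed-out challenge from counting as 100% not answered.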

Action:
Adrian and Sebastian will continue implementing the design described above in the log system.

New CAPTCHA design
The team has decided to implement image-based CAPTCHA in our current CAPTCHA design.

Discussion:

The following are the features of the new image CAPTCHA design:

1. Users must identify the object inside the image.
2. Simple object images will be used, for instance cat, dog, car, etc.
3. Images will be overlaid with designed frames to prevent an attacker from applying a standard image scanning algorithm.
4. The image will also be rotated to increase the image security.
5. The design will be a "proof of concept" idea, as it might need a huge image database to prevent brute-force attacks.
6. Image CAPTCHA will be integrated with the 3D text CAPTCHA, so users will randomly get a different type of CAPTCHA.

Action items
Image CAPTCHA implementation, by TEAM


Voice Features
The team decided to add voice features to the current 3D TEXT CAPTCHA design.

Discussion:
The purposes of the voice system implementation are:

- To help handicapped internet users (mainly blind users) solve the CAPTCHA challenge.
- To help elderly users whose eyesight is poor due to age identify the CAPTCHA challenge.
- To help internet users who cannot identify the CAPTCHA challenge characters.


The voice of each character is stored in MP3 format in order to increase the voice streaming speed. To prevent an attacker from breaking the CAPTCHA challenge by reading the voice file name of each character, all the challenge voice files are concatenated into a single MP3 file called “CAPTCHA.mp3” before streaming to the client tier. The diagram below illustrates how the voice concatenation works.

Action:
Image CAPTCHA implementation, by TEAM

Attendance:

- SEAH CHOON YEE, SEBASTIAN
- CHEE SUEN SIANG, ALAN
- CHIA U-MENG, ADRIAN
- OW WAI LEONG, LEXIS



