In this paper, we propose a novel security protocol for implementing CAPTCHA tests with advanced protection against man-in-the-middle (MITM, for short) attacks. In this attack a malicious entity, the MITM, exploits unaware users to mass-solve the CAPTCHA tests that shield access to a service. The protocol we propose uses collision-resistant hash functions, modeled as random oracles, to guarantee that the solution to a CAPTCHA test produced by an end user is valid only for the server to which that user is directly connected. This defeats the MITM attack because the user is connected to the MITM rather than to the server that issued the test, so the relayed solution is not valid for that server. We developed a reference implementation of our protocol that has low impact and is easy to use, consisting of a software plug-in running in the Firefox web browser on the client side and a Java servlet-based application on the server side. © 2013 John Wiley & Sons, Ltd.
The design and implementation of a secure CAPTCHA against man-in-the-middle attacks / Ferraro Petrillo, Umberto; Visconti, I.; Mastroianni, Giovanni. In: Security and Communication Networks, ISSN 1939-0114 (print), 7(8), 2014, pp. 1199-1209. DOI: 10.1002/sec.825
The design and implementation of a secure CAPTCHA against man-in-the-middle attacks
Ferraro Petrillo, Umberto; Visconti, I.
2014