Posted on the 25 November 2007, by Noon Silk
Brief overview of hashcash[1].
Now that you've reviewed that, let's talk about what I've done here. Basically we are taking the hard problem of integer factorisation, at a deliberately small size, and applying it as a proof-of-work to two common problems: comment spam, and brute-force spamming/authentication attempts.
What I do in this specific case is:
1 - Take two random 22-bit primes, p1 and p2
2 - Multiply them to get a result: r
3 - Send this number r to the client-side JavaScript, keeping p1 and p2 on the server
4 - Make the JavaScript factor r back into p1 and p2
5 - Send the recovered p1 and p2 back to the server, which compares them with the original factors
If this process succeeds, the post is accepted; if it doesn't, it is rejected. That is, if the client doesn't spend the time (a matter of seconds, because p1 and p2 are so small), then it doesn't get to post the message or attempt the login.
And that's pretty much all there is to it. I used the JavaScript code found here[3] as the basis for the JavaScript factorisation, and the BigInteger class for C# found here[4] for the prime number generation.
There will be a few more additions to my own implementation as time goes on. One is a requirement that a given client solve its current problem before it can request another, to prevent a client from collecting several challenges and solving them "out of order". Others might be to raise the bit size based on the computing power that is detected (hard if the client lies), or at least to have a range of algorithms that are known to be "hard" that can be swapped in and out.
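As an added example (not the post's own code, and not the JavaScript or C# libraries it links), here are the five steps above together with the "one outstanding challenge per client" rule proposed in the previous paragraph, server and client in one JavaScript file. Two 22-bit primes multiply to a 44-bit product, which a JavaScript Number holds exactly (below 2^53), so no BigInteger library is needed at this size. Math.random stands in for a cryptographic random source and the client identifier is a hypothetical string key; a real deployment would key challenges by session and use a CSPRNG.

```javascript
// Added example (not the post's own code): factorisation proof-of-work with
// both sides in one file. 22-bit primes give a 44-bit product, which fits
// exactly in a JavaScript Number, so plain arithmetic is enough here.

const BITS = 22; // bits per prime, as in the post

// Trial division is enough to test a 22-bit candidate: sqrt(2^22) = 2^11.
function isPrime(n) {
  if (n < 2) return false;
  if (n % 2 === 0) return n === 2;
  for (let d = 3; d * d <= n; d += 2) if (n % d === 0) return false;
  return true;
}

// Server: draw a random prime with exactly `bits` bits (top bit set).
// `rand` is a hypothetical stand-in for a CSPRNG; Math.random is not one.
function randomPrime(bits, rand = Math.random) {
  const lo = 2 ** (bits - 1), hi = 2 ** bits;
  for (;;) {
    const c = (lo + Math.floor(rand() * (hi - lo))) | 1; // odd, still < hi
    if (isPrime(c)) return c;
  }
}

// Client: recover p1, p2 from r by trial division (steps 3-4 of the post).
// The smaller factor is at most sqrt(r) < 2^22, so at most ~2^21 odd trials.
function factorSemiprime(r) {
  if (r % 2 === 0) return [2, r / 2];
  for (let d = 3; d * d <= r; d += 2) {
    if (r % d === 0) return [d, r / d];
  }
  return null; // no factor below sqrt(r): r is prime, not a valid challenge
}

// Server state: one pending challenge per client, consumed on first answer.
class ChallengeServer {
  constructor(rand = Math.random) {
    this.rand = rand;
    this.pending = new Map(); // clientId -> { p1, p2 }
  }

  // Steps 1-3: issue r = p1 * p2 and remember the factors. Refuses a second
  // challenge while one is outstanding (the post's "out of order" concern).
  issue(clientId) {
    if (this.pending.has(clientId)) return null;
    const p1 = randomPrime(BITS, this.rand);
    const p2 = randomPrime(BITS, this.rand);
    this.pending.set(clientId, { p1, p2 });
    return p1 * p2;
  }

  // Step 5: accept only the exact factors issued to this client, and only
  // once; a second submission of the same answer is a replay and fails.
  verify(clientId, submitted) {
    const secret = this.pending.get(clientId);
    if (!secret) return false; // nothing outstanding
    this.pending.delete(clientId); // one attempt per challenge
    if (!Array.isArray(submitted) || submitted.length !== 2) return false;
    const want = [secret.p1, secret.p2].sort((a, b) => a - b);
    const got = submitted.map(Number).sort((a, b) => a - b);
    return got[0] === want[0] && got[1] === want[1];
  }
}

// One full round: issue, solve on the "client", submit, then try a replay.
function runRound(clientId, rand = Math.random) {
  const server = new ChallengeServer(rand);
  const r = server.issue(clientId);
  const duplicate = server.issue(clientId);          // null: one pending
  const factors = factorSemiprime(r);
  const accepted = server.verify(clientId, factors); // true
  const replayed = server.verify(clientId, factors); // false: consumed
  return { r, duplicate, factors, accepted, replayed };
}
```

The asymmetry the scheme relies on is visible in the two loops: the server tests each candidate prime with about 2^11 divisions, while the client needs up to about 2^21 to find the smaller factor of r. Raising BITS moves both costs, but the client's grows far faster, which is what the post means by adjusting the bit size to the client's computing power.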
This system attempts to replace, or at the very least assist, the CAPTCHA solutions that exist today. There are some very smart[2] people working on breaking those, so it's at least interesting to think of other angles. At minimum it requires a spammer to have implemented a JavaScript-processing form submission process and not to time out during that processing. At most it requires some sort of special targeting of this exact model. If that's the case, then I probably should've kept the bit size private ;) (though anyone who receives a challenge can see how large r is).
Either way, I hope it provokes some further interesting developments. I think at least it has been motivation enough for me to finally enable comments on this website :)
[1] http://en.wikipedia.org/wiki/Hashcash
[2] OCR Research Team
[3] Prime Number Factorisation in Javascript
[4] C# BigInteger Class
crypto, hashcash