Let an External Web Service Manage the Captcha for You

Part of the document Pro PHP Security, part 7 (PDF), pages 47 to 50

There can be no question that the simplest way to use a captcha is to let someone else do all the work. We are now seeing just the beginning of commercial web services that, for a fee, will allow you to incorporate a captcha challenge based on their servers into your website. In this case, all the effort of presenting the captcha and evaluating the user’s answer takes place off your site and outside your knowledge. Recently we have also begun seeing Open Source or otherwise free sources for the same kind of service. Such services allow you to screen users with no more effort than putting a few lines of prefabricated code into your own scripts.

To use the captchas.net service (at http://captchas.net), for instance, you first request a username and secret key from the site (free for noncommercial use). The secret key is then used by the site's server to generate a captcha based on a random string (the nonce) that you send with the request for the image.

We list the steps of captchas.net’s published algorithm here, because you will need to implement those same steps in your own code in order to check that the captcha value submitted by the user is indeed the value that was displayed in the captcha generated by captchas.net.

When explained like this, it may seem unnecessarily complicated, but it can be implemented in just a few lines of PHP, which we will provide here.

SnyderSouthwell_5084.book Page 336 Wednesday, July 27, 2005 9:37 PM

Chapter 17 ■ Allowing Only Human Users 337

1. Concatenate the (existing) secret and the (just generated) nonce. The nonce should be no longer than 16 characters, a limit imposed by the 16 bytes (32 hexadecimal characters) of an MD5 hash, because each character of the captcha consumes two hexadecimal characters.

2. Hash the result using MD5. The result is 16 bytes, conventionally written as 32 hexadecimal characters.

3. Step through the hash two hexadecimal characters (one byte) at a time, once for each character of the nonce, and discard whatever remains of the hash at the end. For each pair:

• Turn the two hexadecimal characters into a decimal value (0 through 255).

• Reduce that value modulo 26 to get an offset into the 26-letter alphabet (0 through 25).

• Add 97 (the ASCII code of the letter a) to the offset to get an ASCII character code.

• Turn the ASCII code into the corresponding lowercase letter.

• Concatenate the letters into a string. If the nonce were longer than 16 characters, no more hash bytes would exist to generate letters from, and so the string would be padded after 16 characters to the desired length with the letter a, which is offset 0 or ASCII 97.

We illustrate the workings of the algorithm here with an assumed secret of abc123 and a 6-character nonce of 456def (separating values with spaces for clarity):

1. Concatenated: abc123456def.

2. Hashed: 742b25fd7853ebf4174a1101477aba59. Only the first six byte pairs (74 2b 25 fd 78 53) are used for a 6-character nonce; the rest of the hash is discarded.

3. Decimal: 116 43 37 253 120 83.

4. Offset: 12 17 11 19 16 5.

5. ASCII: 109 114 108 116 113 102.

6. String: mrltqf.

To incorporate a captcha into an application, you must first generate a nonce, and then store it in a session variable so that it will be retrievable to check the user's input. We recommend a process something like the following:

    // start (or resume) the session that will hold the nonce
    session_start();
    // generate a nonce
    // using a random value concatenated with the current time
    $nonce = md5(rand(0, 65337) . time());
    // make it easier on the user by only using the first six characters of the nonce
    $nonce = substr($nonce, 0, 6);
    // store the nonce in the session
    $_SESSION['nonce'] = $nonce;


Requesting the captcha from the captchas.net server requires only a single line of code:

    <img src="http://image.captchas.net?client=<?=$client?>&key=<?=$nonce?>"
         alt="Type in the letters you see here">

In this code, the $client variable permits the captchas.net server to identify you, and thus to retrieve your secret key. The $nonce variable is the random string associated with this particular request. The captchas.net server uses its published algorithm (described previously) to generate the text in the captcha, based on its knowledge of your secret key plus the nonce that you have sent.

We'll need to use the same algorithm while processing the form to determine if the string typed by the user is, indeed, the string encoded in the captcha image. The code for checking the user's input follows, and can be found also as checkCaptchaInput.php in the Chapter 17 folder of the downloadable archive of code for Pro PHP Security at http://www.apress.com.

    <?php
    // resume the session in which the nonce was stored
    session_start();
    // retrieve the stored secret
    // (the page does not show where $secret is loaded from; reading it from
    // the environment here is an assumption, not the book's code)
    $secret = getenv('CAPTCHAS_NET_SECRET');
    // recreate the captcha target
    $nonce = $_SESSION['nonce'];
    $step1 = $secret . $nonce;
    // hash the resulting string
    $step2 = md5($step1);
    // rebuild the target, one letter per character of the nonce
    $nonceLength = strlen($nonce);
    $target = '';
    for ($i = 0; $i < $nonceLength; $i++) {
        // convert the next two hexadecimal characters to decimal
        // (the original stepped $i by 2 against a bound of $nonceLength,
        // which produced only half the letters and so never matched)
        $byte = hexdec(substr($step2, $i * 2, 2));
        // determine offset
        $mod26 = $byte % 26;
        // calculate ASCII, convert to alphabetic, and insert into string
        $char = chr($mod26 + 97);
        $target .= $char;
    }
    // compare the recreated target to the user's response
    // and respond appropriately
    $answer = isset($_POST['captcha']) ? $_POST['captcha'] : '';
    if ($target === $answer) {
        print '<h1>Congratulations, Human!</h1>';
    } else {
        print "<h1>Sorry, it actually said $target</h1>";
    }
    ?>


This code may look complicated, but all it is doing is re-creating the captcha target string (using captchas.net's own algorithm to transform the secret key concatenated with the nonce), and then comparing that to the user's answer. In this case, we provide a whimsical response to the user's effort. Two things a production version must change: the nonce stays in $_SESSION after the check, and the failure message prints the correct target, so a script that submits any guess at all can read the answer and resubmit it against the same nonce. Remove the nonce from the session (and issue a fresh one) as soon as an answer has been checked, whether it was right or wrong, and do not echo the target back to the client.
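The algorithm steps and worked example above, and the PHP check that follows them, are easier to trust once they can be exercised against known MD5 values. The following Python reference implementation is an added example, not the book's or captchas.net's code: it implements the published algorithm in its general form (including the letter-a padding for nonces longer than 16 characters, which the PHP above never exercises) and adds a check routine that discards the nonce once it has been used, so a solved challenge cannot be replayed. The function names, the dictionary standing in for $_SESSION, and the nonce generator built on the secrets module are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Reference implementation of the captchas.net target derivation described
# on this page (added example; not the book's or captchas.net's own code).


def captcha_target(secret: str, nonce: str) -> str:
    """Recreate the text that appears in the captcha image.

    1. concatenate secret and nonce,
    2. MD5 the result (16 bytes, the "32 hexadecimal characters"),
    3. for each character of the nonce take the next hash byte, reduce it
       modulo 26 and map 0..25 onto 'a'..'z'.
    A nonce longer than 16 characters exhausts the hash; the remaining
    positions are padded with 'a' (offset 0), as the algorithm specifies.
    """
    digest = hashlib.md5((secret + nonce).encode("utf-8")).digest()
    letters = []
    for i in range(len(nonce)):
        byte = digest[i] if i < len(digest) else 0   # hexdec of two hex digits
        letters.append(chr(byte % 26 + ord("a")))    # offset -> ASCII -> letter
    return "".join(letters)


def make_nonce(length: int = 6) -> str:
    """Random hexadecimal nonce to send to captchas.net with the image request.

    The page derives six characters from md5(rand() . time()); randomness
    only keeps images from repeating, since the nonce travels in the URL
    (assumption: the service accepts any hexadecimal string of this length).
    """
    return secrets.token_hex((length + 1) // 2)[:length]


def issue_challenge(session: dict, length: int = 6) -> str:
    """Store a fresh nonce in the session (a dict stands in for $_SESSION)
    and return it for embedding in the image URL."""
    nonce = make_nonce(length)
    session["nonce"] = nonce
    return nonce


def check_answer(session: dict, secret: str, answer: str) -> bool:
    """Compare the user's answer with the recreated target.

    The nonce is removed from the session before comparing, so each
    challenge can be answered exactly once; a caller that wants another
    attempt must issue a new challenge. (The PHP check on this page leaves
    the nonce in place, which allows replay.)
    """
    nonce = session.pop("nonce", None)
    if nonce is None:
        return False
    expected = captcha_target(secret, nonce)
    return hmac.compare_digest(expected.encode("utf-8"), answer.encode("utf-8"))


if __name__ == "__main__":
    # Constructed demonstration with a made-up secret; a real deployment
    # uses the secret issued by captchas.net.
    demo_secret = "abc123"
    session = {}
    nonce = issue_challenge(session)
    print("key to send in the image URL:", nonce)
    print("text the image will show:   ", captcha_target(demo_secret, nonce))
    print("first answer accepted:", check_answer(session, demo_secret,
                                                 captcha_target(demo_secret, nonce)))
    print("replay accepted:      ", check_answer(session, demo_secret,
                                                 captcha_target(demo_secret, nonce)))
```

Run with the page's worked values (secret abc123, nonce 456def) and captcha_target should return the string the page derives by hand; the RFC 1321 vector md5("abc") = 900150983cd24fb0d6963f7d28e17f72 gives an independent check, since its first three bytes 0x90, 0x01, 0x50 reduce modulo 26 to 14, 1, 2, that is, the letters o, b, c.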

As with all such black boxes, you must trust someone else’s efforts to do an effective job.

Because you are usually left with no real knowledge about how the service works and how good a job it is doing, you can’t adapt your application as your knowledge about your users increases.

Furthermore, even simply incorporating a few lines of someone else's code into your own program adds another layer of application complexity, with the additional potential for server and traffic delays and malfunctions. In addition, buying someone else's programming may not be financially feasible, especially if your site sees a sudden increase in traffic or a prolonged automated attack, and you are forced to license a greater number of generated captchas to keep up with the demand.
