#1 |
|
King of Portal
|
CAPTCHA question
I've included a small Flash file as the attachment. Basically what it does is generate a hexadecimal value ranging from 0 to 4294967295. If you take a look at the attached file you should be able to see that the generated value does two things: it randomly orients the characters of the string in clockwise/counter-clockwise rotations and randomly blurs/sharpens the image. I'll be trying to use this in order to prevent illegal registration for the forum software I'm working on. So I've completed the first step (or at least what I think is the first step), which is generating a random verification stamp.
Now the "obstacle" I've come across is the following: given that I know how to pass this string to a PHP script using a POST method, would this somehow reveal the string publicly and thus make the efforts of generating the stamp useless? In other words, how can I get this string to compare with the one input in the text field by the user, without giving it away?
__________________
Lo, there do I see my father. 'Lo, there do I see My mother, and my sisters, and my brothers. 'Lo, there do I see The line of my people... Back to the beginning. 'Lo, they do call to me. They bid me take my place among them. In the halls of Valhalla... Where the brave... May live... ...forever.. GrimBB | Mimesis |
|
|
|
|
|
#2 |
|
PFO Founder
My guess is that you are hiding that in an HTML hidden field, so in other words it would be available to the public and any bot that wants to read it.
I have a PHP script that creates an image via the random function, and that number that is generated is then encrypted using the md5 function and stored in a session variable. Then when the user enters what they think is the number, you run that through md5 and compare the session variable that you stored earlier and you will know if it is the same or not.
__________________
BIG K aka Kyle Programming Forums Kyle K Online Please do not PM or email me programming questions. Post them in the forums instead. |
|
|
|
|
|
#3 |
|
King of Portal
|
Well, I was actually considering passing it through the POST method utilizing Flash. However, I imagine that the data will be readily available if someone looks at it. The server I have the forum on doesn't support the graphical libraries, hence why I didn't use PHP to do it, and if at all possible I'd like to avoid using sessions. They don't always work well on the server.
|
|
|
|
|
#4 |
|
PFO Founder
I guess you could pass it via POST using Flash and make it more secure if there is a way for Flash to encrypt the information you pass via POST. I really don't know much about Flash, so I really don't know if there would be a way to encrypt it and then match that exact same encryption in PHP when you check it later. But the POST would be available for someone if they viewed the packages being sent back and forth from their computer; it would just be a matter of the bot knowing how to read that information.
I guess the other option would be via a cookie, but not everyone has cookies turned on, or at least people say that. But if you don't want to use sessions my guess is you are using cookies to keep the users logged into your forum software after they login.
|
|
|
|
|
#5 |
|
King of Portal
|
Actually I use a unique user id which is passed in the get variable. I don't use cookies or sessions. I think I will have to write my own encoding into Flash. That's what I was figuring I'd have to do anyhow. I already have an implementation of my own hash in the forum so I figure I'll just recode this into Flash. Thanks Big K
|
|
|
|
|
#6 |
|
Troll
Join Date: Apr 2005
Location: Texas
Posts: 732
Rep Power: 4
Encryption would be useless here. You can't make Alice and Dave the same person. People have spent several years now trying to explain this to the recording and movie industries.
The point of CAPTCHA is that the data sent to the client can only be interpreted by humans and that the server is the only party with the correct answer. You can't generate the image client side. If it's a random string, then the server doesn't know what the answer is. "Encrypting" random data from an untrusted party to verify its correctness doesn't make sense. If the server gives the Flash document a parameter with the answer in it, then you're giving the enemy the answer to begin with.
__________________
MD5(sig) = bcef75433db02e9ad9bf81d6f7c5c270 |
|
|
|
|
|
#7 |
|
King of Portal
|
I'm not entirely sure I understand what you mean, Dameon. The server doesn't give the Flash document a parameter. Rather, the Flash would generate a random string, encode it using a hash and send that to the server. Thus the server would receive two pieces of data: the text displayed by the Flash as input via a text box, and the hash sent by Flash. Within the PHP it would encode the text box input and check that hash against the Flash hash.
|
|
|
|
|
#8 |
|
King of Portal
|
Well I finally worked out the problem to what I think is a good stopgap to those robots that troll sites. Might not stop humans so effectively, but at the very least it would stop those bots. I've implemented it on the registration page of the new beta of my forum software GrimBB. Click here to see it working. Basically, the user fills out the form in flash, and five pieces of info are sent to the PHP script redirect.php. The username and two passwords, and the security key and its hash. The hash however is salted and it's calculated using the custom gh1 hash I use for the forum. I hope this impresses somebody ^_^
|
|
|
|
|
#9 | |
|
Programmer
Join Date: Mar 2007
Posts: 39
Rep Power: 0
As Dameon mentions, using flash is like using javascript: they're both client-side. What you're doing is creating a random client-side string, encrypting it, then checking the hash with the input hash server-side. This is giving total power of validation to the client rather than keeping generation and storage server-side.
Quote:
|
|
|
|
|
|
|
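The two designs discussed in this thread, side by side, as an added PHP example that is not from any poster or from GrimBB: a check where the client supplies both the typed text and its hash, and a check where the server issues the challenge and keeps the answer. The function names, the `$store` array (standing in for a server-side table or session) and the use of `md5()` for the client-side hash are assumptions.

```php
<?php
// Added illustration. Function names and $store are hypothetical; $store stands
// in for a server-side table (or session) keyed by challenge id.

// Flawed check, as in post #7: the typed text and the hash both come from the
// client. md5() stands in for whatever hash the client-side code uses.
function verify_client_hash(string $typed, string $clientHash): bool
{
    return hash_equals(md5($typed), $clientHash);
}

// Server-side check: the server picks the answer and never sends it as text.
function issue_challenge(array &$store, int $ttl = 300): array
{
    $id     = bin2hex(random_bytes(16));             // opaque id placed in the form
    $answer = strtoupper(bin2hex(random_bytes(4)));  // 32-bit hex value, as in post #1
    $store[$id] = ['answer' => $answer, 'expires' => time() + $ttl];
    return [$id, $answer];  // $answer goes only to the server-side image renderer
}

function verify_challenge(array &$store, string $id, string $typed): bool
{
    if (!isset($store[$id])) {
        return false;                  // unknown or already used challenge
    }
    $challenge = $store[$id];
    unset($store[$id]);                // single use, whether the guess is right or not
    if ($challenge['expires'] < time()) {
        return false;
    }
    return hash_equals($challenge['answer'], strtoupper(trim($typed)));
}

$store = [];

// A script that never reads the image: it invents a value and hashes it itself.
$made_up = 'DEADBEEF';  // constructed sample value
var_dump(verify_client_hash($made_up, md5($made_up)));

// The same made-up value against a challenge whose answer only the server holds.
[$id, $answer] = issue_challenge($store);
var_dump(verify_challenge($store, $id, $made_up));
var_dump(verify_challenge($store, $id, $answer));   // replay of a consumed id

// A person reading the image and typing it in lower case.
[$id2, $answer2] = issue_challenge($store);
var_dump(verify_challenge($store, $id2, strtolower($answer2)));
```

The client-hash check accepts the fabricated pair without any image being read; of the server-side checks, only the last one passes.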
#10 | |
|
King of Portal
|
Quoting from the wikipedia page on CAPTCHA
Quote:
|
|
|
|