Verification Code principle
In the current software operating environment, security has become an issue that most software must consider. Hackers are everywhere and attack methods are increasingly diversified. Web systems in particular face severe challenges because of their openness; hacking incidents are endless and cause ever greater losses and impact. Software developers need to understand this clearly and take measures to defend against the various hacker attacks.
Enumeration dictionary security attack
Many hacker attacks target usernames and passwords, and a common technique is to use an enumeration dictionary to try user names and passwords one after another until a combination works.
For example, a hacker obtains a bank account number and opens the online banking logon page of that account's bank. After analyzing the HTML code, the hacker finds that the page is shoddy: it has no verification code and no security control, and only the bank account and withdrawal password are needed to log on. The hacker immediately writes a program that speaks HTTP directly, simulating a browser to submit an account and password to the online banking server and attempt a logon. Because the withdrawal password is a six-digit Arabic numeral, there are 1 million combinations in total; if the hacker's computer tries every six-digit combination in turn, it is certain to hit the real password. The hacker finds a computer with high-speed broadband access and runs the password-guessing program. If this computer can test 10 passwords per second, it takes at most 0.1 million seconds, that is, about 27 hours, to find the password. In practice it may not take that long. The hacker turns around to find that the password has already been found, and immediately logs on to the online bank to transfer the money, or forges a bank card to withdraw cash from an ATM. In other words, it takes the hacker at most one day to obtain an unpredictable amount of illegal income.
Verification Code defense
Online banking can defend against hacker attacks in many ways. For example, an ActiveX control can replace the standard text box for entering the account and password, a USB password disk can be used for data encryption and detection, or a dedicated client program can replace the browser for logging on to the online bank. However, these are all client-side technologies, and countless hackers have all kinds of tools for dissecting client-side technology. Fundamentally, client-side technology cannot be relied on for security.
Server-side technology is relatively safer. For example, if the password is entered wrong three times in a row, the account is locked and can only log on again after one day. Verification code technology can also be used to defend against enumeration dictionary password attacks.
Consider a new online bank that is similar to the old one but adopts verification code technology. When a user logs on, in addition to the account and withdrawal password fields, the browser displays an image containing some scrawled characters; the user must recognize these characters and type them in. When the form is submitted, the browser appends the verification code the user entered. After the server receives the form data, it checks not only the account and withdrawal password but also whether the verification code was entered correctly. If the login verification fails, the server prompts the user to log on again and generates a new verification code with random content, which the user must identify again on the next attempt.
Because the correct verification code text is stored on the server, the hacker's program on the client cannot obtain it; because the content of the verification code is random, the program cannot find a pattern in it. The only way to get the verification code is to recognize it in the image sent from the server. This is where the difference between the computer and the human brain shows. The human brain far exceeds today's computers at image recognition, and the server uses various techniques to generate sloppy writing filled with random noise: the human brain recognizes such images easily, but a computer finds them hard. Since the hacker's program cannot recognize the verification code, it can only display the image for the hacker to identify personally. Every password test then requires the hacker to carefully read the verification code image and manually type in its text, up to 1 million times. It is safe to say that no one in the world is willing to do this kind of work. In this way, the verification code technology effectively defends against the enumeration dictionary password attack. At this point hackers turn to other methods, and a large number of novice hackers give up attacking the website.
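To make the server-side flow concrete, here is an added example in Python (not code from the original article): a minimal login verifier that keeps the expected code text on the server, lets each code be used for exactly one attempt, issues a fresh random code for every new attempt, and applies the three-failure, one-day lockout mentioned earlier. The account store, the session id handling and the step that renders the text into a noisy image are assumptions and are simplified here.

```python
import hmac
import secrets
import time

# Alphabet without look-alike glyphs (0/O, 1/I) so the rendered image stays easy for a person to read.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 5
MAX_FAILURES = 3            # "wrong three times in a row"
LOCK_SECONDS = 24 * 3600    # "locked for one day"


class LoginVerifier:
    """Server-side state for the verification code check: the expected text never
    leaves the server; only a rendered image (rendering not shown here) reaches the browser."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts        # account -> withdrawal password (plain text for the demo only)
        self.clock = clock              # injectable clock so the lockout can be tested without waiting
        self.challenges = {}            # session_id -> expected code text
        self.failures = {}              # account -> consecutive wrong-password count
        self.locked_until = {}          # account -> unix time at which the lock expires

    def issue_challenge(self, session_id):
        """Generate a random code, remember it for this session, and hand the text to the image renderer."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.challenges[session_id] = code
        return code

    def attempt_login(self, session_id, account, password, code):
        """Check the code first, then the lock, then the credentials.
        Returns one of: "bad_code", "locked", "bad_credentials", "ok"."""
        # Consume the challenge unconditionally: a code is valid for exactly one attempt,
        # so a wrong password cannot be retried with the same code.
        expected = self.challenges.pop(session_id, None)
        if expected is None or not hmac.compare_digest(expected.encode(), code.strip().upper().encode()):
            return "bad_code"
        if self.locked_until.get(account, 0) > self.clock():
            return "locked"
        stored = self.accounts.get(account)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            count = self.failures.get(account, 0) + 1
            self.failures[account] = count
            if count >= MAX_FAILURES:
                self.locked_until[account] = self.clock() + LOCK_SECONDS
                self.failures[account] = 0
            return "bad_credentials"
        self.failures[account] = 0
        return "ok"
```

Because the code is checked before the password, a guess without a correctly solved code reveals nothing about whether the password was right.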
Verification code technical concept
The verification code technology utilizes the difference between the human brain and the computer.
We all know that there is a big difference between computers and the human brain. Computers excel at numerical computation and precise logical judgment and are well suited to repetitive, simple data processing, but they are poor at image recognition, fuzzy judgment, learning and innovation. The human brain is the opposite: weak at numerical computation but strong at image recognition.
A key step in verification code technology is identifying the verification code text in an image filled with random shapes. Computers currently find this hard, while the human brain finds it quite easy.
Verification code technology forces the human brain to participate in the security verification process by using images that are hard for computers but easy for the human brain to recognize. The image containing the verification code text is the verification code medium. On closer inspection, the medium does not have to be an image: anything that is hard for a computer and easy for a person to interpret will do, so other means such as synthesized speech can also serve as the verification code medium. For example, the server can show an image resembling a QQ emoticon with added noise and ask the user to judge the facial expression it shows, whether a smile or a nosebleed; this too can serve as a verification code.
Because an enumeration dictionary attack requires a large number of guesses at the security information, the repetitive process may run tens of thousands or even hundreds of millions of times. Verification code technology forces the human brain to take part in every single guess, and the human brain cannot sustain simple repetitive work for long, which makes the enumeration dictionary attack infeasible. In this way, the application successfully defends against enumeration dictionary attacks.