Can network security really rely on verification code?

Newspaper trainee reporter She

March 15, the 2015-year Spring Festival has finally come to a curtain. In this year's population migration, 12306 remains the focus of attention. This time the criticism is not the collapse of the site, but the site's verification code.

"Day against night defense, cattle difficult to defend", in order to prevent the ox to reverse the ticket, 12306 constantly update the form of verification code, the latest version of the verification code display by netizens jokingly dubbed as "the most wonderful Thing in history": Users need to be prompted, from 8 pictures found in the tip of the relevant items mentioned, such as greeting cards, statues, shells, glass bottles, rolling pin, Hot air balloon, etc., can not see clearly or not sure of the refresh replacement. You cannot log in or submit an order until you have confirmed it. However, the verification code less than one day, the market many common ticket-grabbing software has cracked the verification code.

Throughout the verification code of other websites, the form is different, there is a combination of letters or numbers, the background is a lot of pure color, and some are disorderly and densely shaded shading; some of the verification code is a formula, need to calculate the results to correct verification, and some is the combination of text and pictures, input some of the specific text, before you can pass.

Perhaps some old netizens remember that when they first started surfing the internet, there was no verification code. So, the scalpers of the verification code is what to use, why should the frequent crack it?

Distinguishing computers from humans

In the era without verification code, not everyone's purpose is so simple, accompanied by the network of "hackers", using a number of small programs to rob network resources. This can be illustrated by the increasing number of spam emails from netizens ' mailboxes. If it is not stopped, then spam comments and spam can be easily passed through the registration process of any website to bombard people's eyeballs in various ways.

Yahoo, one of the "pioneers" of the internet era, began to look for solutions. On the one hand, hundreds of spam bombings that users encounter every day, on the other hand, their own free mailbox, which is the favorite of spam, is a spam message that consumes countless resources from its own servers. What to do? In the 2000, Carnegie Mellon's Luisvonahn used the gimpy mechanism to guard against Yahoo spam messages, and for the first time, the concept of CAPTCHA verification code was proposed.

"Verification Code" in fact, is not a netizen in different websites to see the illegible letter combination pronoun, but "fully automatic distinction between computer and human Turing test" commonly known, as the name suggests, its role is to distinguish between computer and human.

"The verification code is very simple for people to recognize, but it is difficult to automatically identify the computer program, which prevents those who intend to automatically request a computer program to send spam messages or swipe tickets." "Gaohaichang, an associate professor at the University Software Institute, told the China Science Journal.

The devil is a foot in the road

However, Internet security escorts and hackers are the two forces associated with internet platforms that pull each other on the Internet. Villains, outsmart. At this time, someone to make the verification code, then, there will be a master crack verification code. Thus, the verification code by the initial some simple letters, slowly added to the number, patterns, letters are also divided into the case, in the country, the verification code will appear in Chinese characters. The background is no longer a simple color, but a different form of shading. Gaohaichang explained that the software to crack the verification code through the image processing, pattern classification and other methods to automatically identify the contents of the verification code, if the verification code is too simple to be guessed easily.

"In fact 12306 just introduced the pattern verification code, is relatively easy to crack." The computer technology mentioned above is not used at all. The easiest way to do this is by randomly selecting two patterns from the 8 images given to try them out, until they succeed. Mathematically, this random approach is about a 4% chance of success. On a computer, using this method of guessing, the time needed for a successful guess is not even 1 seconds. Gaohaichang said, "in order to increase the difficulty of computer recognition, most of the main web site verification code has been twisted, sticky, plus interference line design." The combination of numbers plus letters, especially in letters, is a lot bigger and more difficult to compute. In this respect, Chinese characters have congenital advantages, the commonly used characters have more than 3,000. Therefore, the domestic website uses the Chinese authentication code to be opposite or is more safe. ”

Security and convenience can not be combined?

However, this silent contest will not draw a period of time, the verification code war is still in full swing. Some people may think, since the verification code is always cracked, then why not design a complex difficult to identify the verification code afterlife?

The introduction of verification code is to protect the Internet resources are not abused, but the verification code itself is also occupied with network resources. And the security and convenience of the verification code, more professional parlance is usability and robustness, is born of Spears and shields.

"At present, the verification code mainly includes text verification code, speech verification Code, graphics verification code." Among them, because of the convenience of the generation, the text verification code is the most widely used, and it is also the verification code of the 12306 major websites. Speech Verification Code and graphics verification Code have high requirements for database and network bandwidth, so the application is not very extensive. On the other hand, speech and graphics verification code for a long time, poor usability, but also not widely used another reason. Gaohaichang explains, "The global research team is looking for ways to replace the code, and some sites have not used the authentication code to distinguish between human and computer programs, but rather use SMS SMS authentication, which can be said to be a good alternative." But this is not unassailable, the ox can also register a bunch of mobile phone number to achieve the crack. So the verification code will be in a longer period of time, and around the verification code design and crack the contest will continue. ”

China Science Daily (8th edition of 2015-03-27)