10 likes | 119 Views
Protecting the Web with Transparent Proof-of-Work. Web Server. URL w/ valid PoW. Content. Solution Scripts. Content. mod_kaPoW. Clients. URL w/ invalid PoW. Error Page. Error Page. Wu-chang Feng, Tom Shrimpton, Ed Kaiser (student) { wuchang,teshrim,edkaiser}@cs.pdx.edu.
E N D
Protecting the Web with Transparent Proof-of-Work Web Server URL w/ valid PoW Content Solution Scripts Content mod_kaPoW Clients URL w/ invalid PoW Error Page Error Page Wu-chang Feng, Tom Shrimpton, Ed Kaiser (student){wuchang,teshrim,edkaiser}@cs.pdx.edu • 1. Problem: Attacks on the Web • 2. CAPTCHA to the rescue? • Problem #1: Inaccessible • Problem #2: Economics broken • Fixed human workload • Outsourced for under $0.01 per CAPTCHA • Mechanical Turk, getafreelancer.com • Problem #3: Hackers are solving the hard AI problem • Yahoo! CAPTCHA broken 1/16/2008 • http://network-security-research.blogspot.com/ • Windows Live and Google CAPTCHAs broken 2/6/2008 , 2/22/2008 • http://www.websense.com/securitylabs/blog/ • Many others Click fraud Distributed Denial-of-Service Comment spam Ticket purchasing robots • 3. What about Proof-of-Work (PoW)? • Addresses Problem #1: No user-interface issues • Addresses Problem #2: Variable workload • Addresses Problem #3: Hard cryptographic problem • Q: Why is the landscape littered with unused PoW protocols? • Hashcash, TLS puzzles, TCP puzzles, IP puzzles, Public work • A: PoW requires protocol changes and universal deployment • CAPTCHAs do not! • 4. mod_kaPoW • Apache module for embedding PoW challenges into URLs • Leverage ubiquitous JavaScript support to deploy PoW • Server dynamically embeds PoWs in embedded URLs • Client-side JavaScript solver must calculate answers for access • No network protocol changes • No web browser changes • No web server content changes 5. Example New approach • Proof-of-Work without protocol changes • Dynamic embedding of PoW into URLs Research Impact • Deployable alternative to CAPTCHAs • New weapon against today’s web attacks • 6. Implementation • JavaScript solver (kaPoW.js) • “onLoad” event handler to solve PoW challenges for embedded images • “onClick” event handler to solve challenges for embedded links • Solve routine finds a value A, such that • SHA1(NC || URL || A) 0 mod DC • DC client-specific server-assigned difficulty • NC client-specific server-generated nonce • mod_kaPoW Apache module • 8. Future work • Policy module for setting per-client Dc • Client history • Client reputation • Client location • Request type • Resource requested • Adding to applications • Forums (phpBB) • Wikis (MediaWiki) • Blogs (WordPress, Slashcode) • Web 2.0 / AJAX • Economic analysis • What is the cost of idle CPU cycles? • Markets based on CPU cycles 7. Thwarting DoS • 10. Publications • E. Andreeva, G. Neven, B. Preneel T. Shrimpton, “Seven-Property Preserving Iterated Hashing: ROX”, ASIACRYPT 2007. • T. Ristenpart, T. Shrimpton, “How to Build a Hash Function From Any Collision-Resistant Function”, ASIACRYPT 2007. • W. Feng, E. Kaiser, “The Case for Public Work”, Global Internet 2007. • E. Kaiser, W. Feng, “mod_kaPoW: Protecting the Web with Transparent Proof-of-Work”, in submission. • 9. Availability • Demo site • http://kapow.cs.pdx.edu • Non-commercial source release • In progress