Mail is formatted using MIME, a content discription format. In this format, all properties of an email are specified in the header of the message. Examples include ‘From:’, ‘Subject:’ and ‘Date:’ for instance and also ‘To:’ and ‘Cc:’ are headers in the MIME.

Mail is generally sent using SMTP. In contrast to MIME, the message format description, SMTP is a protocol. One can tell a mail server (SMTP) the recipients of an email using this protocol. Therefor these recipients set with SMTP can be different than the ones specified in the MIME message (ever noticed a header like ‘undisclosed recipients’, which is clearly not a valid email address).

Because it is redundant at a high programming level, like PHP, to set recipients twice (once in MIME and once in SMTP), methods are defined for sending mail. PHP’s mail() function for example accepts ‘to’, ’subject’ and ‘message’ parameters. Also, since the number of different MIME headers are virtually infinite, it also accepts an ‘additional headers’ parameter. This is one part of introducing a potential security breach.

The other part is in the function’s handling of the additional headers parameter. Of course it has to be possible to send mail using recipients specified as Cc or Bcc instead of To. To this end mail() examines the parameter for these headers and extracts them. As headers are specified per line in the MIME format, you can inject headers to the ‘additional headers’ parameter if one has access to a field in it, let’s say ‘Date:’ or ‘From:’. Headers are separated using a line feed character (LF), \n in PHP or %0A url encoded.

A MIME email usually has the following layout:

To: you@yourdomain.com
From: me@mydomain.com
Subject: Hi there

I'm just mailing to say hello!

Now if you have your website visitors send you mail and have them set the ‘From:’ header contents for instance, they might fill out an arbitrary email address and add ‘%0ABcc: extra@email.com; extra2@email.com;… (etc)’. Now also an Bcc header is set and your mail form just became a spam robot. Workaround is simple: don’t allow newlines in MIME header fields! Another post about this common pittfall can be found on websiterepairs.net.

For this purpose the captcha was invented. Besides the fact that captcha sounds nice enough to be a buzz word it actually is short for Completely Automated Public Turing test to tell Computers and Humans Apart, although this is a bit contrived. This means that a captcha is a challenge response mechanism but it doesn’t need to be in the form of an image depicting distorted text which has to be copied in a text box which is the most common form of captchas. Creative new captchas can be found, like a transistor image which has to be read.

Technology

Wikipedia mentions a couple of features a captcha must have to qualify as one. A captcha is a challenge-response test between a system and a user of which

1. current software is unable to solve accurately,
2. most humans can solve, and
3. does not rely on the type of CAPTCHA being new to the attacker.

The first one remarks a captcha as temporal. This means that with increasing processing power and increasing insight in artificial intelligence challenges we now consider to be captchas might not be in the (near) future. Philosophically, this means that captchas are a temporary phenomenon because mankind will eventually be able to build robots which are at least as intelligent as humans are. But for now they’ll do.

The second one emphasises the differences we see between humans and robots. This is actually quite an interesting point because mankind actually admits its current limitations in its own intelligence being unable to write software which is able to solve ‘puzzles’ which are easy to solve for humans.

Which bridges to the last bullet on the list. Of course you could just add a simple checkbox labeled “Do not check this box if you are human”. No attacker would think of a spam protection this weak but because of that it might just work. The robot stumbling across your comment submission form does not expect such a protection and therefor cannot bypass it. Although this does not qualify as a captcha because the novelty of the protection will only make the attacker look into it to solve it in an instance. Of course a captcha can be a captcha when it is an innovative challenge but it should not rely on being unknown. Security through obscurity is not security at all.

Processing power and algorithms

As time passes by technology advances resulting in more processing power in both processor quantity and quality and more mathematical developments. These are the engine propelling artificial intelligence development. On the other hand, having this field of computer science developing the struggle for making captchas to tell humans and computers apart becomes harder and harder. Who knows when software becomes as advanced as to be able to not only solve puzzles or identify puzzle types but to be really intelligent and thereby be able to find ways to solve a puzzle without knowing the puzzle’s rules in advance? 20 years? 30? 5?!

Usefulness

Captcha’s can be useful too. The Recaptcha program for instance helps digitizing books by showing snippets scanned from books which they are unable to parse with their OCR software. This way the snippets are ‘decyphered’ by hundreds of people insuring accuracy and helping the system in which it is implemented to be bot-free.

Other examples of captchas might be usefull to the website’s theme such as a math class forum’s captcha challenging users with simple math like or . Another example of such a situated captcha is Adafruit’s. Adafruit is a website and webshop on the Arduino, which is a do it yourself programmable breadboard. You’ll need to ‘read’ the resistor’s value in order to post a comment.

Adafruit's resistor captcha makes you slide the four sliders to match the color code on the resistor above.

Hash

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the “message”, and the hash value is sometimes called the message digest or simply digest. (Wikipedia, retreived may 2009). In other words a hash (digest) is the result of a hashing function from a certain input (password, file, etc.).

Challenge

The challenge is a question presented to a party who needs to provide the correct answer. A common form of this algorithm is where the challenge is asking for the password and the valid response is the correct password. Also CAPCHAs are a well known implementation.

One step further

When you combine these two an intuitive way of keeping a password secret while being sent along a publicly accessible area and still being valid for authentication checks emerges.

A system has stored user information (username, password, email, etc.) in a database and has the password stored as an MD5 hash. MD5 is the name of the function as there are more hashing functions. When a user requests a login prompt, the server generates a random string (the challenge) and sends it along with the login prompt. Also it stores the string in the session of that request.

The user enters his username and password and hits ‘login’. Just before submitting, a client side script is triggered which calculates the MD5 hash of the password, concatenates the challenge to the digest and hashes that result. This is submitted as the ‘password’ in code.

Now the server has to verify the password. As there is no way to reverse the MD5 digest, the coded password is matched agains the database in a special way. The database needs to concatenate the previously generated challenge to the stored digests and calculate the MD5 hash of that. When the result is the same as the submitted coded password a login is successful.

Discussion

A downside to this technique is the database server processing capacity is required as password digests need to be hashed every login attempt. Worst case (most processing time) is when such an attempt fails or the last hit is a success as every password in the database needs to be checked. Therefore this system is not really scalable to systems aiming for masses of users.

Client scripting must be available. This is not really a critical downside as e.g. JavaScript is common, but you can not assume everybody supports it.

Demonstration

A demonstration of challenge hashing is available in JavaScript and PHP for you to investigate.

If (a lot of) money is involved, criminality is or at least tries to be. To prevent burglars from coming into your house you can install anti theft equipment. To prevent third parties from messing with your mail you can send it by registered delivery (as long as you trust your logistics company). You can do the same in the virtual word: online environments like websites or social applications. For example, you could encode a telephone conversation to prevent someone from listening in as cable companies encode their television signals to grant only paying viewers access to the content. When talking about security some basic terms must be clear.

Identity

An identity is a unique value which refers to an entity. A username for instance, is unique on a system and refers to the owner (user). A license plate identifies a car and a book from the library probably has it’s own book id. Id is commonly used to shorten identity or identifier.

Integrity

This is a term which in general is subjective. Integrity is a scale how an entity can be trusted. For example, mail mans are considered to be very integer as they are expected not to read and/or alter letters the they deliver. Because of this, a letter has a high level of integrity. You expect the letter you read was written the way you read it.

Authentication

This is a term reflecting the authenticity of an entity. Is a painting the original or is it a fake? (Note the words ‘the’ and ‘a’). Is a passport counterfeit or is it legal?

Authorization

A certain method to allow or deny privileges to an entity. Examples: If you are a site administrator you are authorized to make changes to the site and if you bought a concert ticket you are granted access to the concert perimeter. “HTTP Error 403: You are not authorized” and “Access denied” are common messages as a result of a failed authorization operation.

Online utilization

Often clearance to something (e.g. access to your e-mails) is granted based on proven authentication of an authorized identity. In the example of ordering a bread face to face, you are sure you pay your money to the baker and you are sure you receive your bread. But what if this would not be face to face? What if you would order your bread online and pay by credit card? How can you be sure you paid the bakery and not mister Thief? How can you be sure mister Thief didn’t listen in and knows your credit card credentials by now? And if you paid the bakery, how can you be sure you receive your bread, which has not been messed with? If you receive anything at all. Every aspect of the four terms mentioned above need to be covered.

Identity is something you can do nothing about. But this can be covered by authentication. The primitive resources to authenticate an identity (verify that someone is who he says to be)  are limited. Basically you can rely on three categories:

• Physically: Prove that someone is. Examples are fingerprints, retina scans, voice prints and DNA.
• Property: Prove by possession. Examples are passports and credit cards.
• Knowledge: Prove by memory. Examples are passwords and PIN codes.

In digital telecommunication only property and knowledge based tests can be performed. This is because the physical properties will need to be sampled in order to be transmitted to the checking authority. This sample can be seen as a (long) password, which can be copied, stored, etc and therefore as safe as a password. This is in contradiction to face to face communication, where e.g. finger prints, behavioural habits or facial expressions cannot easily be copied.

Usually only something from the knowledge domain is required for login on the Internet (combination of username and password) and does therefore not always guarantee a satisfying safety level. How more techiques from this field are used will be discussed in the follow up article on security basics. Techniques like SSL, public key/private key, certificates, hashing, etc…