-
Notifications
You must be signed in to change notification settings - Fork 7
/
captcha-bypass-internet-draft.txt
1350 lines (840 loc) · 46.7 KB
/
captcha-bypass-internet-draft.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group A. Davidson
Internet-Draft Royal Holloway, University of London
Intended status: Informational N. Sullivan
Expires: March 17, 2017 Cloudflare
G. Tankersley
Cloudflare
F. Valsorda
Cloudflare
September 13, 2016
Protocol for bypassing challenge pages using RSA blind signed tokens
draft-protocol-challenge-bypass-00
Abstract
This document proposes a protocol for bypassing challenge pages (such
as forms requiring CAPTCHA submissions) that are served by edge
services in order to protect origin websites. A client is required
to complete an initial challenge and is then granted signed tokens
which can be redeemed in the future to bypass challenges and thus
meaning that honest users undergo less manual computation. The
signed tokens are cryptographically unlinkable to prevent future
requests being linked to the original signed set of tokens.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 17, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
Davidson, et al. Expires March 17, 2017 [Page 1]
Internet-Draft Protocol for bypassing challenge pages September 2016
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Acquiring Signed Tokens . . . . . . . . . . . . . . . . . 5
2.2. Redeeming Tokens . . . . . . . . . . . . . . . . . . . . 7
3. Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Protocol Communication . . . . . . . . . . . . . . . . . 8
3.2. Design Formation . . . . . . . . . . . . . . . . . . . . 8
3.2.1. Variables and Functions . . . . . . . . . . . . . . . 9
3.2.2. Structs . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.3. JSON Objects . . . . . . . . . . . . . . . . . . . . 10
3.3. Data Formatting . . . . . . . . . . . . . . . . . . . . . 10
3.3.1. Tokens . . . . . . . . . . . . . . . . . . . . . . . 10
3.3.2. Client-Edge Message Format . . . . . . . . . . . . . 11
3.3.3. Edge-Client Message Format . . . . . . . . . . . . . 12
3.3.4. Signature Transport Format . . . . . . . . . . . . . 12
3.3.5. Certificate Transport Format . . . . . . . . . . . . 12
4. Cryptographic Tools . . . . . . . . . . . . . . . . . . . . . 12
4.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2. Signing/Verifying Algorithms . . . . . . . . . . . . . . 13
4.3. Blinding/Unblinding Algorithms . . . . . . . . . . . . . 13
4.4. Encryption/Decryption Algorithms . . . . . . . . . . . . 13
4.5. MAC Algorithm . . . . . . . . . . . . . . . . . . . . . . 13
4.6. Instantiation of Cryptographic Tools . . . . . . . . . . 14
4.7. Randomness Sampling . . . . . . . . . . . . . . . . . . . 14
5. Browser plugin . . . . . . . . . . . . . . . . . . . . . . . 14
5.1. Pinned public keys . . . . . . . . . . . . . . . . . . . 17
6. Token Acquisition Protocol . . . . . . . . . . . . . . . . . 17
6.1. [OriginRequest] . . . . . . . . . . . . . . . . . . . . . 17
6.2. ChallengePage . . . . . . . . . . . . . . . . . . . . . . 18
6.3. VerifyCertificate . . . . . . . . . . . . . . . . . . . . 18
6.4. GenerateTokens + BlindTokens . . . . . . . . . . . . . . 18
6.5. SolveChallenge . . . . . . . . . . . . . . . . . . . . . 18
6.6. [SignRequest] . . . . . . . . . . . . . . . . . . . . . . 19
6.7. SignTokens . . . . . . . . . . . . . . . . . . . . . . . 19
6.8. [Response] . . . . . . . . . . . . . . . . . . . . . . . 19
Davidson, et al. Expires March 17, 2017 [Page 2]
Internet-Draft Protocol for bypassing challenge pages September 2016
6.9. VerifyingSignatures . . . . . . . . . . . . . . . . . . . 19
6.10. UnblindTokens . . . . . . . . . . . . . . . . . . . . . . 20
6.11. StoreTokens . . . . . . . . . . . . . . . . . . . . . . . 20
7. Challenge Bypass Protocol . . . . . . . . . . . . . . . . . . 20
7.1. ConstructTokenMessage . . . . . . . . . . . . . . . . . . 20
7.2. ProofOfWork . . . . . . . . . . . . . . . . . . . . . . . 21
7.3. SendToken . . . . . . . . . . . . . . . . . . . . . . . . 21
7.4. VerifyPoW . . . . . . . . . . . . . . . . . . . . . . . . 21
7.5. VerifyTokenMessage . . . . . . . . . . . . . . . . . . . 22
7.6. GetOrigin + [Response] . . . . . . . . . . . . . . . . . 22
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
8.1. Normative References . . . . . . . . . . . . . . . . . . 22
8.2. Informative References . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction
Various challenge pages are used to distinguish human access to a
website from automated access, with the intention of preventing
malicious behaviour that could compromise the website that is being
hosted. CAPTCHAs ("Completely Automated Public Turing test to tell
Computers and Humans Apart") [ABHL03] are one of the most widely used
methods for distinguishing human access to a resource from automated
access. CAPTCHAs are regularly deployed as "interstitial" pages
forcing a user to answer the CAPTCHA before access is given to a
website that was requested by the user. This is used to prevent
malicious access by automated processes that can adversely affect the
performance of the website itself. While these 'challenges' succeed
in their mission, they create noticeably more work for honest users
who have to complete them.
These challenge pages are commonly served by CDNs who offer security
services to customers. Companies like Cloudflare offer customers the
ability to serve CAPTCHA pages (often using Google's ReCAPTCHA
service) to any IP addresses requesting a protected resource where
the IP is deemed to have a "bad reputation". IP reputation scoring
comes from varied sources and is based on whether any malicious
activity (such as spamming and/or abuse) is detected as originating
from the IP in question.
Services such as Tor suffer dramatically under such reputation-based
systems. Users are assigned to one of a small number of exit nodes
when accessing webpages through Tor and appear to be browsing with
the IP of that node. The IP addresses of these nodes are frequently
associated with malicious and abusive behaviour and are thus assigned
poor reputation scores. This problem is not specific to Tor; VPNs,
I2P, and internet users behind large-scale NAT installations are
affected similarly.
Davidson, et al. Expires March 17, 2017 [Page 3]
Internet-Draft Protocol for bypassing challenge pages September 2016
The end result is that honest users of these services are forced to
complete many challenge pages in order to access content protected by
edge service providers such as Cloudflare, and the problem is
exacerbated by the fact that these companies offer services to a wide
range of popular websites. This results in a huge increase in
workload for average Tor users in spite of their non-malicious
nature.
Further problems arise for users who choose not to enable JavaScript
in their browsers since they are served with challenges that are
rapidly deteriorating to the point where a large proportion of
challenges are too hard to be solved.
Currently some edge providers (e.g. Cloudflare) attempt to solve
this problem by providing cookies that enable access to protected
resources once a CAPTCHA has been solved. There are two problems
with this method: first, that when a new Tor circuit is constructed
the cookie is rendered useless; and secondly, that setting cookies
across many domains controlled by the same CDN could lead to
deanonymisation attacks outside the current Tor Browser threat model.
As such a new solution to this problem is needed.
In this document we detail a protocol that enables a user to complete
a single edge-served challenge page in return for a finite number of
signed tokens. These tokens can then be used to bypass future
challenge pages that are served by participating edge-providers. The
tokens are generated in such a way that signed tokens cannot be
linked to future redeemed tokens for bypassing. We achieve this
using the RSA blind signature scheme first presented by David Chaum
[Cha83].
1.1. Terminology
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in [RFC2119].
The following terms are used:
edge: A serving endpoint that provides access to a protected origin.
client: The endpoint attempting to access an edge-protected service.
origin: The endpoint where web content is stored.
edge-protected: Term for origins that pay the edge to provide
protection services for their domain.
Davidson, et al. Expires March 17, 2017 [Page 4]
Internet-Draft Protocol for bypassing challenge pages September 2016
endpoint: Points where requests and responses are dealt with.
browser: A program ran by the client that provides access to
webpages.
plugin: An installed service that runs in the client's browser.
tokens: JSON structures that are generated by the plugin in the
client's browser for future redemption.
blinding: An operation that "hides" the contents of the token while
still allowing the underlying token to be cryptographically signed.
unblinding: The reverse procedure of blinding. Recovers a token and
(if signed) a valid signature on the token.
challenge answer: Generated when submitting a response to a given
challenge.
challenge page: A page generated by the edge for the client. The
client must answer a challenge on the page correctly and return it to
gain access to a particular resource.
nonce: A randomly sampled value that is used for generating unique
tokens.
2. Protocol Overview
Our protocols are initiated when a client is presented with a
challenge page that contains additional information indicating that
the edge service accepts tokens for bypassing the challenge. This
can be indicated in the HTML of the page as a meta tag along with a
certificate advising which public key the edge is currently using.
Two separate protocols exist for when the client has no signed tokens
available to it and secondly for when the client already has tokens.
Both protocols require essentially four rounds of communication. We
take into account the initial request and response when the client
attempts to visit an edge-protected origin and is served a challenge
page instead.
2.1. Acquiring Signed Tokens
Davidson, et al. Expires March 17, 2017 [Page 5]
Internet-Draft Protocol for bypassing challenge pages September 2016
Client Edge
[OriginRequest] ------->
ChallengePage ^
+ bypass_tag |
+ sig_key_cert |
<------- [Response] v
^ VerifyCertificate
| GenerateTokens
v BlindTokens
^ SolveChallenge
v [SignRequest] ------->
VerifyChallenge ^
SignTokens |
<------- [Response] v
^ VerifySigs
| UnblindTokens
| StoreTokens
v [Finished]
Figure 1: Full message flow for acquiring signed tokens
When a client attempts to visit an edge-protected origin the edge can
indicate that it accepts tokens for bypassing a challenge page in
exchange as well as presenting a certificate corresponding to their
current signing key. In this event the client does the following:
o checks that the certificate is valid and that the signature
verifies correctly;
o checks that it is aware of the public key provided (e.g. that the
key is pinned in the plugin);
o generates N tokens and blinds them;
o sends the tokens to the edge along with an answer to the
challenge.
In practice N =< 100 so as not put too much work on the browser,
limiting to this number also mitigates DDoS potential. After
receiving the tokens and the answer to the challenge the edge does
the following:
o checks that the answer is correct;
o if this is the case then it signs the tokens and returns the
signatures to the client.
Davidson, et al. Expires March 17, 2017 [Page 6]
Internet-Draft Protocol for bypassing challenge pages September 2016
The client does not immediately get access to the origin, though this
can be achieved if the client immediately reloads the page and
redeems a token using the process below. The client participates in
some final post-processing:
o they check that the signatures verify correctly with respect to
the pinned public key and the blinded token;
o they unblind the token and signature pair to get a new pair of the
original token and a valid sigature;
o they finally store the pair in their browser plugin for future
use.
2.2. Redeeming Tokens
Client Edge
[OriginRequest] ------>
ChallengePage ^
+ bypass_tag |
+ sig_key_cert |
<------ [Response] v
^ VerifyCertificate
| ConstructTokenMessage
| ProofOfWork*
v [SendToken] ------>
VerifyPoW* ^
VerifyTokenMessage |
GetOrigin |
<------ [Response] v
[Finished]
Figure 2: Full message flow for redeeming tokens
o - optional extensions to the protocol
As before the client attempts to visit an edge-protected website and
is faced with a challenge page. If the edge accepts tokens and
provides a certificate that corresponds to a key that the client has
pinned in their plugin and they have tokens signed by the counterpart
private key then the client can attempt to bypass the prospective
challenge page. This process is as follows:
o client constructs and sends a message containing:
Davidson, et al. Expires March 17, 2017 [Page 7]
Internet-Draft Protocol for bypassing challenge pages September 2016
* an encrypted, unused token;
* a valid signature for the token;
* a HMAC, keyed by the token and computed over message
identifying information;
o edge receives the message and performs the following checks:
* decrypts the token and checks that it resembles an agreed
structure, else the protocol is aborted;
* checks if the token has already been used, if so the protocol
is aborted;
* verifies the signature on the unencrypted token;
* validates the HMAC using the token as a key and unique message
information as input;
o If all checks pass the edge allows the client access to the
originally requested origin.
3. Preliminaries
3.1. Protocol Communication
We assume that our protocol is carried out over HTTP. This is a
natural choice for the medium of communication given that the
protocol is initiated by a client who is accessing a URI over the
internet. Due to this assumption we may refer to messages between
the client and the edge as HTTP requests and responses respectively.
This also helps us to elaborate on particulars of the protocol that
are intrinsically linked to this method of communication.
However, while the original intention of this protocol is for
bypassing challenge pages over HTTP we encourage usage of the idea to
any scenario where the receiving of unlinkable "currency" is an
appropriate reward for completing some pre-defined challenge. The
message format of the protocol is not strictly required to be HTTP as
long as no structural changes are made to the messages that are sent.
3.2. Design Formation
To explain the concepts in our design we will use a variety of
structures that are most easily exposed using an easily readable code
syntax.
Davidson, et al. Expires March 17, 2017 [Page 8]
Internet-Draft Protocol for bypassing challenge pages September 2016
3.2.1. Variables and Functions
Variables and functions follow the syntax of C-like languages, such
as:
int apple = 7;
where "int" is the type of the variable 'apple' and 7 is the value
assigned to it. All types are self-explanatory and follow convention
apart from:
o "int_b": Used for large integers when undergoing cryptographic
operations in large groups.
o All arrays will be denoted by a set of square brackets followed by
the type of data that is contained. For example an array of
strings will be described as: "[]string"
o We call key-value stores 'maps' and define them as:
"map[type_1](type_2)"
where type_1 is the type of the keys for the map (e.g. string) and
type_2 is the type of the stored values (e.g. int).
We avoid type declaration when defining functions in favour of a
textual explanation.
3.2.2. Structs
We use structs to define a closed ecosystem (similar to an object)
with a list of variables and functions that define the struct. We
describe structs using the syntax:
struct Person {
var (
string name;
int age;
map[string](string) emailAddresses;
);
func (
setAge(n int);
changeName(name string);
addEmail(email string);
)
}
Davidson, et al. Expires March 17, 2017 [Page 9]
Internet-Draft Protocol for bypassing challenge pages September 2016
this gives us an interface with which we can interact with the
struct, allowing us to store and access data with respect to this
definition. Here, "vars" defines a list of variables stored on the
struct, while "func" defines a list of functions that require
implementation.
3.2.3. JSON Objects
We use JSON objects for representing tokens and for constructing
messages for sending from the client to the edge. We define our JSON
structures as:
{
"key_1":"[value_1]"
"key_2":"[value_2]"
.
.
.
"key_n":"[value_n]"
}
where each ""key_i"" is a key value, key_i is marshaled as a string
but can be any built-in type. Likewise ""[value_i]"" represents the
corresponding value for ""key_i"", "value_i" is typically encoded as
a string in either hexadecimal or base64 encoding. We assume that
all JSON is accessible using a map-interface where, if data is a JSON
object, then "data[key_1]" returns "value_1".
3.3. Data Formatting
This section deals with the formatting of the different data types
that are required in our protocol. This will cover how tokens should
be formatted and how messages between the client and the edge should
be structured.
3.3.1. Tokens
Tokens are JSON-like structures containing a single nonce field, i.e.
{
"nonce":"[nonce_value]"
}
where [nonce_value] is a base64 encoded 32-byte sequence of
cryptographically random bytes.
Davidson, et al. Expires March 17, 2017 [Page 10]
Internet-Draft Protocol for bypassing challenge pages September 2016
3.3.2. Client-Edge Message Format
The messages that the client sends to the edge after being served a
challenge page (i.e. in the third round of communication) are written
as JSON structures. These messages designate the type of operation
that is required of the edge. All messages below are base64 encoded
before they are sent.
The messages are heavily defined by the HTTP protocol that the
client-edge interaction takes place over. For example, the signing
messages detailed below are included in the body of a HTTP request
due to artificial limits placed on HTTP header field sizes by web
servers. Likewise the redemption messages are significantly smaller
and are thus included in a header. This difference in transport
architecture leads to differences in the message formats shown below.
3.3.2.1. Signing
In the first protocol, when the client sends an answer to the given
challenge page they can also append a JSON object to the of the form:
{
"type":"Signing",
"contents":"[t'_1],[t'_2], ...,[t'_N]"
}
where [t'_i] is a generated token that has been subsequently blinded.
We call such a JSON object a 'JSON signing request' (JSR).
After base64 encoding is done the final message is sent to the edge
as:
blinded-tokens=[base64 encoded JSR]
3.3.2.2. Redeeming
In the second protocol when the client attempts to bypass a challenge
they send a message containing a JSON object of the form:
{
"type":"Redeem",
"contents":"[<encrypted_token>,<signature>,<HMAC>]"
}
where the token that is encrypted has been since unblinded. Such an
object is known as a 'JSON redemption request' (JRR).
Davidson, et al. Expires March 17, 2017 [Page 11]
Internet-Draft Protocol for bypassing challenge pages September 2016
3.3.3. Edge-Client Message Format
The messages returned by the edge to the client are much more heavily
defined by the messaging protocol being used to communicate. For
example, in the redemption protocol the server merely serves content
from the origin in the event that the token that is redeemed verifies
correctly.
In the first protocol however the edge also returns a comma-separated
list:
signatures=[s'_1],[s'_2],...,[s'_N]
where [s'_i] is a signature computed by the edge over the blinded
token [t'_i] that it received along with a response to the challenge
page that was sent.
3.3.4. Signature Transport Format
Signatures are sent between the client and the edge using the JWS
format defined in [RFC7515]. The token that is signed is stored as
the payload on the JWS object - thus when carrying out unblinding on
the signature the payload must also be updated.
3.3.5. Certificate Transport Format
Certificates can be transported via any standardised method for
encoding a certificate (e.g. X.509v3 [RFC5280]).
4. Cryptographic Tools
To instantiate the protocols above we require a set of tools that
allows either participant to perform cryptographic operations over
data. In this section we detail the materials and the algorithms
that are required in order to compute these operations.
4.1. Keys
Our protocol requires two key pairs:
o edge identity keys (id-pub-key, id-priv-key): Used for performing
the encryption and decryption required on the token that is sent
for redemption;
o edge signing keys (sign-pub-key, sign-priv-key): Used for
performing the signing and verification of signatures;
o A symmetric MAC key derived from the 'nonce' field on a token.
Davidson, et al. Expires March 17, 2017 [Page 12]
Internet-Draft Protocol for bypassing challenge pages September 2016
The edge holds both key pairs and the plugin in the client's browser
has the public keys. The MAC key is derived at the time of messaging
and is shared by both parties.
4.2. Signing/Verifying Algorithms
o SIGN(sign-priv-key, data) --> sig : takes a private signing key
and some 'data' and returns a valid signature 'sig' on 'data'.
o VERIFY(sign-pub-key, data, sig) --> 'good'/'bad' : takes the a
public verification key, some 'data' and a signature 'sig' and
outputs 'good' if 'sig' is a valid signature on 'data'. Otherwise
it outputs 'bad'.
4.3. Blinding/Unblinding Algorithms
o BLIND(blinding-factor, data) --> blind-data : takes a randomly
sampled 'blinding-factor' and some 'data' and outputs 'blind-data'
that is computationally unlinkable from 'data'.
o UNBLIND(blinding-factor, blind-data, blind-sig) --> (data, sig) :
takes 'blind-data' and the randomly sampled 'blinding-factor' used
to generate it, along with an optional parameter for a valid
signature 'blind-sig' computed over 'blind-data' as input.
Outputs 'data' and 'sig' where 'data' is the unblinded counterpart
to 'blind-data' and 'sig' is a valid signature on 'data'.
4.4. Encryption/Decryption Algorithms
o ENCRYPT(id-pub-key, plaintext) --> ciphertext : takes a public
encryption key and a 'plaintext' as input and outputs an encrypted
'ciphertext'.
o DECRYPT(id-priv-key, ciphertext) --> plaintext : takes a private
decryption key and an encrypted 'ciphertext' as input and outputs
a 'plaintext'.
4.5. MAC Algorithm
Our MAC algorithm has the following specification:
o MAC(mac-key, data) --> mac : takes a symmetric mac-key and 'data'
as input and outputs 'mac' as a valid authentication code on
'data'.
Davidson, et al. Expires March 17, 2017 [Page 13]
Internet-Draft Protocol for bypassing challenge pages September 2016
4.6. Instantiation of Cryptographic Tools
In theory any digital signature scheme that allows for blind signing
and unblinding operations can be used to instantiate our
requirements. However, due to the simplicity of its design we have
chosen to only support the RSA blind signing modification (RSA-blind)
shown in [![Cha83]]. We may benefit by adding support for elliptic
curve based designs in the future to decrease the size of messages in
our protocol.
By choosing RSA-blind we make the following parameter choices:
o both encryption and signing keys are 2048-bit RSA keys;
o the SIGN/VERIFY algorithm is FDH-RSA to support binding;
o BLIND/UNBLIND follow naturally from the referenced work;
o ENCRYPT/DECRYPT are instantiated with RSA-OAEP;
o MAC is instantiated with HMAC.
4.7. Randomness Sampling
Finally we require an ability for the browser plugin to sample random
values for blinding tokens. Our algorithm can be thought of as:
o SAMPLE(seed) --> rand : takes a random seed as input and generates
a value 'rand'.
we can instantiate this algorithm using any standard library for
generating cryptographic randomness. In future notation we may omit
the seed for ease of exposition.
Random numbers used as blinding factors must be sampled from the full
domain allowed by the chosen RSA parameters [BNPS01].
5. Browser plugin
To participate in the protocol, the client must be using a browser
with an installed and validated browser plugin. This plugin controls
the generation, blinding, unblinding, storage and redemption of
tokens for bypassing challenge pages. The browser plugin can be
thought of as a struct with the following attributes:
Davidson, et al. Expires March 17, 2017 [Page 14]
Internet-Draft Protocol for bypassing challenge pages September 2016
struct Plugin {
var (
map[string]([]string) tokens;
map[string](string) signatures;
map[string](int_b) blindingFactors;
[]string publicKeys;
)
func (
parse(string s, string p);
verifyCert([]byte pk, []byte cert);
verifySig([]byte pk, []byte s, []byte t);
generate(int N);
blind(string t);
unblind(string t', string s', int_b r);
store(string pubKey, []string tokens, []string sigs);
encode(string type, []string data);
mac([]byte nonce, string s);
send(string msg);
pow([]byte randNonce);
)
}
We implement the struct functions in the following way.
o parse(s, p) --> b
This function takes strings s, p as output and returns a boolean 'b'
where "b == true" if p is a valid substring of p. Otherwise "b ==
false".
o verifyCert(pubKey, cert) --> b
This function takes the bytes of a public verification key 'pubKey'
and a certificate 'cert' as input and outputs a boolean value b,
where "b == true" if the signature on 'cert' can be verified
correctly and the public key on 'cert' is pinned in contained in
"Plugin.publicKeys". Otherwise "b == false". The VERIFY() algorithm
is used to ascertain whether the signature is valid over the inputs
to this function.
Other details on the certificate are also verified in this step (for
example that the expiry date has not elapsed and that the provider is
consistent with the protecting edge).
o verifySig(pubKey, s, t) --> b
Davidson, et al. Expires March 17, 2017 [Page 15]
Internet-Draft Protocol for bypassing challenge pages September 2016
This function takes the bytes of a public verification key 'pubKey',
a token 't' and a signature 's'. It outputs "b == true" if 's' is a
valid signature on t and "b == false" otherwise. The plugin runs
VERIFY() using all three inputs to get the output b and returns this
as the output of the function.
o generate(N) --> tokens
This function takes an integer N as input and outputs an array
'tokens' of length N containing. The array is generated by sampling
N 32-byte nonces randomly via SAMPLE() and constructing N tokens
by creating N JSON objects with the "nonce" field set to the value
of the sampled nonce.
o blind(t) --> t'
This function takes a token t as input and outputs a blinded token
t'. The function uses SAMPLE() to generate a 256-byte random "int_b"
r from the full domain allowed by the RSA keys and then runs
BLIND(r, t) --> t' and outputs t'. After each use of blind(), the plugin
should store a map between the blinded data and the blinding factor used,
such as
Plugin.blindingFactors[t'] = r
o unblind(t', s', r) --> (t, s)
Takes a blinded token t', a valid signature s' for t' and the
blinding factor r as input and outputs a pair (t, s) where t is the
unblinded token and s is a valid signature on t. The function uses
the algorithm UNBLIND(r, t', s') to retrieve (t, s).
o store(pubKey, tokens, sigs)
This function does not return anything. It simply sets
Plugin.tokens[pubKey] = tokens
and
Plugin.signatures[tokens[i]] = sigs[i]
o encode(type, data)
Takes a 'type' string and a base64 encoded string 'data' as input.
The 'type' string corresponds to a JSON request (either "JSR" or
"JRR") and creates a JSON object with the "type" field set
appropriately and the "contents" field set to be equal to the 'data'
input.
o mac(nonce, s)
Davidson, et al. Expires March 17, 2017 [Page 16]
Internet-Draft Protocol for bypassing challenge pages September 2016
Takes 'nonce' in byte form and a string 's' as input. The 'nonce'
value is used as the key and 's' is the contents to be computed over.
This function runs the algorithm MAC(nonce, s) on the two inputs and
outputs whatever this algorithm outputs.
o send(msg)
Provides no output, takes a string representation 'msg' as input
where 'msg' is either a JSR or JRR as input. This function reloads
the current page in the browser and appends 'msg' in the HTTP request
that is created (either in a header or in the body).
o pow(randNonce)
Optional method for the plugin. Takes the bytes of a random nonce
'randNonce' as input and computes some proof-of-work computation that
is specified by the edge. The output is given as 'out' and is used
by the client in the following bypass request that is made.
5.1. Pinned public keys
The plugin has a list of pinned public keys stored as base64 strings
in the string array "publicKeys". Because browser plugins are signed
and verifiable as part of a deterministic build process, this
prevents a service from assigning unique public keys to each client
as a way of linking requests and deanonymising users. When an edge
provides a certificate for a given public key, the plugin checks that
the key contained in the certificate is one of its pinned keys before
communicating futher with the edge.
6. Token Acquisition Protocol
The token acquisition protocol allows a client to acquire signatures
on client-generated tokens that can be redeemed in the future to
bypass challenge pages. We analyse the protocol with respect to the
stages that we defined in Figure 1.
6.1. [OriginRequest]
This initiation of the protocol is triggered by the OriginRequest
where the client attempts to access a webpage (for example over
HTTP). For the purposes of our protocol this webpage is edge-
protected.
Davidson, et al. Expires March 17, 2017 [Page 17]
Internet-Draft Protocol for bypassing challenge pages September 2016
6.2. ChallengePage
The edge deems the origin request to come from a client requiring the
showing of a challenge in order to grant access to the protected
website. The challenge page displays some HTML conveying the
explicit challenge to the client.
To participate in accepting challenge bypass tokens, an edge must
also append specific "<meta>" tags to the HTML of the page. The tags
that indicate participation are:
<meta name="captcha-bypass" id="captcha-bypass" />
<meta name="chl-cert" id="chl-cert" content="%s" />
where '%s' is replaced with a valid certificate on some public key.
6.3. VerifyCertificate
When a client is delivered such a page, the installed plugin will run
the "parse()" function on the HTML and the meta tags above, if this
function returns true then the plugin inputs the certificate from
'%s' into "verifyCert()" and checks that this also returns true.
6.4. GenerateTokens + BlindTokens
The plugin retrieves the public key 'pubKey' from the verified
certificate and then checks if "Plugin.tokens[pubKey]" is empty or
not.
If there are no tokens stored for 'pubKey' the plugin runs
"generate(N)" to get an array of N 'toks'. It then runs "blind(t)"
on each token and constructs an array of blinded tokens,
'blindedTokens'. The array 'toks' is stored in the 'tokens' map as
tokens[pubKey] = toks
where 'pubKey' is the public key from the certificate.
6.5. SolveChallenge
This step involves the client solving the presented challenge. This
step requires human intervention, for instance as in the way that