[Giagnocavo]Michael::Write()

 Tuesday, October 12, 2004
Turing image generator for ASP.NET

Today I was coding a site, and I realised I needed an easy way to avoid automatic signups. So, I did what everyone else does: added a Turing image. Since I was coding in ASP.NET 2.0, I thought it'd be nice to try out the new ASIX image generator type page.

It's pretty nifty. Nothing that you couldn't do with an ASHX in about 5 minutes, but still pretty cool. What I like is that the template starts you off right where you can start coding against the Graphics object. This will definitely make entry much easier for people who aren't as comfortable with these classes. In the past I've normally been against things like this (i.e., a whole set of code just to save some minor work for one specific case), but I think this was a pretty good thing to add.

Download the code here: Turing.cs.txt. This is for ASP.NET 2.0 -- just create a new ASIX and point it at the Turing class. But, it should be pretty simple to hook it up into ASP.NET 1.1. If anyone seems interested, or somehow I get more free time, I'll post the required ASHX handler. Anyways, from ASP.NET 2, all you need in your main page is this code:

string nonce = Turing.GenerateNewNonce();
ViewState["turingNonce"] = nonce;
this.turingImage.ImageUrl = "~/Turing.asix?nonce=" + Server.UrlEncode(nonce);

Then, to verify (say, in a validator) just do:

Turing.Verify((string)ViewState["turingNonce"], myTextBox.Text);


Just be sure to set EnableViewStateMac to true (otherwise someone can set the “nonce” to something known and render the system ineffective).

Note, I originally wanted to use a nonce system, but instead ended up using a simple encryption. So, it's possible to record the output of an image once (via the querystring data) and store it for later use (until the ASP.NET app restarts). I also use the Random class instead of the RNGCryptoServiceProvider.

As well, since I only use 5 capital Roman letters, some basic AI should be able to defeat the algorithm. Add more letters, lines, change colours, etc. to make it stronger. There's some commented code that adds a dark gradient background. Playing around with this could make it harder for AI, at the cost of making it hard for your users.

Edit:
I realised that the way things were, an attacker could request the image multiple times, and get a different output (since the noise is random). This could be used to run a couple of extra passes on the same code, and increase the accuracy of AI against it. Or an attacker could request the code enough times to get an image that isn't that distorted and attack that.

The fix is to seed the random generator with something we can calculate from the nonce (to ensure it's the same image each time), and something the attacker cannot know (so he can't just run our code and see where the lines are). I do this by encrypting the nonce, and taking the first 4 bytes as a seed for the Random class. At 5:33am, this seems solid enough to ensure the numbers are not known to the attacker.
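As an added example (not the post's Turing.cs), here is the seed derivation the fix describes, in C#: a keyed function of the nonce produces the Random seed, so the same nonce always renders the same noise lines while anyone without the server key cannot compute them. It uses HMAC-SHA256 in place of the post's "encrypt the nonce" step; the TuringSeed class name, the key value and the NoiseLines helper are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: deterministic, key-dependent noise for a Turing image.
public static class TuringSeed
{
    // Hypothetical server-side secret; a real deployment loads this from
    // protected configuration, never a literal in source.
    static readonly byte[] Key =
        Encoding.UTF8.GetBytes("placeholder-per-deployment-secret");

    // Keyed, deterministic function of the nonce; the first 4 bytes of the
    // output become the Random seed (HMAC stands in for the post's encryption).
    public static int SeedFor(string nonce)
    {
        using (HMACSHA256 mac = new HMACSHA256(Key))
        {
            byte[] digest = mac.ComputeHash(Encoding.UTF8.GetBytes(nonce));
            // Random(int) uses the absolute value, so a negative seed is fine.
            return BitConverter.ToInt32(digest, 0);
        }
    }

    // Endpoints of the noise lines to draw over the text: {x1, y1, x2, y2}.
    // Same nonce -> same seed -> same lines on every request of the image.
    public static int[][] NoiseLines(string nonce, int count, int width, int height)
    {
        Random rnd = new Random(SeedFor(nonce));
        int[][] lines = new int[count][];
        for (int i = 0; i < count; i++)
        {
            lines[i] = new int[] { rnd.Next(width), rnd.Next(height),
                                   rnd.Next(width), rnd.Next(height) };
        }
        return lines;
    }

    public static void Main()
    {
        int[][] first = NoiseLines("nonce-A", 3, 200, 60);   // constructed nonces
        int[][] again = NoiseLines("nonce-A", 3, 200, 60);
        int[][] other = NoiseLines("nonce-B", 3, 200, 60);
        bool stable = first[0][0] == again[0][0] && first[2][3] == again[2][3];
        bool differs = first[0][0] != other[0][0] || first[0][1] != other[0][1];
        Console.WriteLine("same nonce reproduces noise: " + stable);
        Console.WriteLine("different nonce changes noise: " + differs);
    }
}
```

The seed only removes the "request it again for fresh noise" problem from the edit; the replay issue described earlier (a recorded nonce stays valid until the app restarts) still needs the one-time nonce store the post mentions building next.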

Here's the updated code: Turing2.cs.txt

I think I'm going to A) Add some image transformations to 'warp' the text somewhat, and B) really create a nonce system, instead of just relying on a simple encryption.
Code | Security
Tuesday, October 12, 2004 1:19:43 AM UTC
