Thursday, October 13, 2005

Lecture Notes 13 Oct

Project Musings: 13 Oct 2005


Started reading Honeypots by Lance Spitzner (Addison-Wesley, 2003) to gather ideas on how to improve on the existing spam honeypot.

Establishing Upper Resource Bounds on Spammer’s machine

NP Complete Problem for Spammer
  • Minesweeper is NP-complete (Wikipedia)

  • Problem must not be easy to solve

  • Must deter the spammer from trying to use the site

  • Can limit the attacker machine’s CPU, memory or bandwidth

  • Must identify a way to set/measure reasonable bounds on these

  • Whilst we may not be able to know these bounds, as we do not know the attacker’s modus operandi, estimated bounds may be useful in identifying a suitable NP-complete problem

JavaScript must have these characteristics to deter the attacker
  • Problem must be NP-complete – there must be no shortcuts to solving the problem, i.e. the attacker must successfully complete execution before they can derive the result

  • The source code function must be such that

## JavaScript Idea (Email address stored in an incomplete private-key) ##
  1. Encrypt the email address using a trapdoor function/public-key algorithm

  2. To gain the email address you need the private key

  3. Use certain bits of the private key to generate a minesweeper grid

  4. The human user must play the minesweeper game and discover where all the mines are to recover the full private key and decrypt the email address
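
The four steps above as an added worked example (my code, not part of the notes). It hides half of a 16-byte key as the mine layout of an 8x8 grid: the server keeps the grid and ships only the clue numbers, and a won game yields exactly the missing bits. A byte-wise XOR stands in for the public-key step in step 1 (an assumption, so the bit-hiding mechanism stays readable); `publicHalf`, `hiddenHalf` and the email address are constructed sample values.

```javascript
const SIZE = 8; // 8x8 grid, one hidden key bit per cell (1 = mine)
function bitsFromBytes(bytes) {
  return [...bytes].flatMap(b => [7, 6, 5, 4, 3, 2, 1, 0].map(i => (b >> i) & 1));
}
function bytesFromBits(bits) {
  const out = [];
  for (let i = 0; i < bits.length; i += 8)
    out.push(bits.slice(i, i + 8).reduce((acc, bit) => (acc << 1) | bit, 0));
  return Uint8Array.from(out);
}
// Server side: lay the hidden fragment (8 bytes = 64 bits) out as the mine layout.
function gridFromFragment(fragment) {
  const bits = bitsFromBytes(fragment);
  return Array.from({ length: SIZE }, (_, r) => bits.slice(r * SIZE, (r + 1) * SIZE));
}
// What the page ships: adjacent-mine count for each safe cell, null on a mine
// (a mine cell is never revealed as a number; the player must flag it).
function cluesFor(grid) {
  return grid.map((row, r) => row.map((cell, c) => {
    if (cell === 1) return null;
    let n = 0;
    for (let dr = -1; dr <= 1; dr++)
      for (let dc = -1; dc <= 1; dc++)
        if ((dr || dc) && grid[r + dr] !== undefined && grid[r + dr][c + dc] !== undefined)
          n += grid[r + dr][c + dc];
    return n;
  }));
}
// After a won game the flagged cells are exactly the missing key bits.
function recoverKey(publicHalf, flaggedGrid) {
  return Uint8Array.from([...publicHalf, ...bytesFromBits(flaggedGrid.flat())]);
}
// Stand-in cipher (assumption): byte-wise XOR with the 16-byte key.
function xorBytes(data, key) {
  return Uint8Array.from(data, (b, i) => b ^ key[i % key.length]);
}
// Constructed sample key: the public half travels with the page, the hidden half
// exists only as mines. Chosen sparse (13 mines) for playability; a real key
// fragment is ~50% ones, so spread fewer bits over a larger grid in practice.
const publicHalf = Uint8Array.from([0x13, 0x0a, 0x20, 0x05, 0x9b, 0x4e, 0x61, 0x77]);
const hiddenHalf = Uint8Array.from([0x42, 0x81, 0x18, 0x24, 0x10, 0x02, 0x08, 0x81]);
const ciphertext = xorBytes(new TextEncoder().encode('user@example.com'),
                            Uint8Array.from([...publicHalf, ...hiddenHalf]));
const grid = gridFromFragment(hiddenHalf); // server keeps grid; page gets cluesFor(grid)
// Client side, once the player has flagged every mine: rebuild the key and decrypt.
function decryptWithSolvedGrid(solvedGrid) {
  return new TextDecoder().decode(xorBytes(ciphertext, recoverKey(publicHalf, solvedGrid)));
}
```

A wrongly flagged cell changes the recovered bytes, so the decrypted text is garbage rather than a near miss; the game's own win condition is what guarantees the flags match the layout.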

# With this method we may not need code obfuscation, although code obfuscation may make it harder for the attacker to understand the underlying algorithm

# Obfuscation may be important to prevent automated processing of the script. If the attacker does not know how the JavaScript runs, they cannot run it automatically and must rely on a human user to run the code. It becomes a new form of captcha (reverse Turing test)

Cons of this approach:
  • The user must interact (and win minesweeper) to gain the private key.

  • Client-side code cannot be relied upon to set up the minesweeper grid

  • Must randomise the minesweeper grids, therefore server-side code is required

  • May not appeal to disabled users

  • May not be suitable for micro browsers

But it may be a fun way to demonstrate how it works! Hiding your email address in games. It may be simple for you to solve the puzzle, but not for a computer.

The disability factor can be addressed by a guest book form input function.


