by red0point
1421 days ago
I couldn't figure out how this scheme works - the only detail I found is that there is "a bunch of maths" and replay protection of some sort. Is there a technical protocol description somewhere? I'd be interested in reading this.

1. mCaptcha sends a PoW configuration (first XHR request in the demo widget[0]) which includes a challenge text ("string"), a salt and a difficulty factor
2. Client generates proof of work by concatenating "string" + salt until the difficulty factor is met. If the difficulty factor isn't satisfied, it will continue trying to generate the Proof of Work (PoW) by appending a nonce and incrementing it until the difficulty factor is satisfied.
3. Client sends the PoW to mCaptcha, which includes the nonce, the original salt and "string" (second XHR request in the demo widget)
4. mCaptcha computes the hash for "string" + salt + nonce. If the difficulty factor is met (i.e. resultant hash > difficulty factor), then mCaptcha responds with an access token.
5. Client sends the access token to the web service.
6. Web service authenticates the access token with mCaptcha and only grants access to the protected resource if the token checks out.
I will work on a more detailed specification and report back when it is ready (3 weeks, I think)
[0]: https://demo.mcaptcha.org/widget/?sitekey=pHy0AktWyOKuxZDzFf...
disclosure: author of mCaptcha
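The six-step exchange described above, written out as an added example with both sides in one script. This is illustration code, not mCaptcha's own implementation: it assumes SHA-256 over the concatenation "string" + salt + nonce, interprets the digest as a 256-bit integer, and reads "hash > difficulty factor" as "hash exceeds a threshold derived from the difficulty factor such that roughly one in `difficulty` hashes qualifies" (an assumption; the real hash-to-threshold mapping is not given in the comment). The replay checks (a challenge is only accepted once, a token is only redeemable once) are the author's "replay protection of some sort" filled in with the obvious approach, again as an assumption. `McaptchaServer`, `solve_pow` and `web_service_request` are hypothetical names.

```python
import hashlib
import secrets

HASH_BITS = 256  # SHA-256 digest interpreted as a big-endian integer


def threshold(difficulty: int) -> int:
    """Assumed mapping from difficulty factor to acceptance threshold.

    Roughly 1 in `difficulty` hashes exceed it, so a client needs about
    `difficulty` attempts on average. Not mCaptcha's actual formula.
    """
    if difficulty < 1:
        raise ValueError("difficulty factor must be >= 1")
    space = 1 << HASH_BITS
    return space - space // difficulty


def pow_hash(string: str, salt: str, nonce: int) -> int:
    # Step 4's hash: "string" + salt + nonce, concatenated as text.
    digest = hashlib.sha256(f"{string}{salt}{nonce}".encode()).digest()
    return int.from_bytes(digest, "big")


def meets_difficulty(string: str, salt: str, nonce: int, difficulty: int) -> bool:
    return pow_hash(string, salt, nonce) > threshold(difficulty)


class McaptchaServer:
    """Hypothetical stand-in for the mCaptcha service (steps 1, 4 and 6)."""

    def __init__(self, difficulty: int):
        self.difficulty = difficulty
        self.pending = {}      # issued challenge string -> salt, unsolved
        self.tokens = set()    # issued, not yet redeemed access tokens

    def get_config(self) -> dict:
        # Step 1: fresh challenge text and salt per request.
        string = secrets.token_hex(16)
        salt = secrets.token_hex(8)
        self.pending[string] = salt
        return {"string": string, "salt": salt, "difficulty_factor": self.difficulty}

    def verify_pow(self, string: str, salt: str, nonce: int):
        # Step 4. The challenge must be one we issued, with the salt we issued,
        # and not already solved (assumed replay protection). Returns a token or None.
        if self.pending.get(string) != salt:
            return None
        if not meets_difficulty(string, salt, nonce, self.difficulty):
            return None
        del self.pending[string]            # one solve per challenge
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        return token

    def validate_token(self, token: str) -> bool:
        # Step 6 (service side): tokens are single-use (assumption).
        if token in self.tokens:
            self.tokens.remove(token)
            return True
        return False


def solve_pow(config: dict) -> dict:
    # Steps 2 and 3: brute-force the nonce, then return what the client submits.
    string, salt, diff = config["string"], config["salt"], config["difficulty_factor"]
    nonce = 0
    while not meets_difficulty(string, salt, nonce, diff):
        nonce += 1
    return {"string": string, "salt": salt, "nonce": nonce}


def web_service_request(server: McaptchaServer, token: str) -> str:
    # Steps 5 and 6: the protected web service checks the token with mCaptcha.
    return "granted" if server.validate_token(token) else "denied"


def run_exchange(difficulty: int = 64) -> dict:
    """Full round trip plus the two replay cases, for inspection."""
    server = McaptchaServer(difficulty)
    config = server.get_config()
    proof = solve_pow(config)
    token = server.verify_pow(proof["string"], proof["salt"], proof["nonce"])
    return {
        "nonce": proof["nonce"],
        "first_access": web_service_request(server, token),
        "token_replayed": web_service_request(server, token),
        "pow_replayed": server.verify_pow(proof["string"], proof["salt"], proof["nonce"]),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Raising the difficulty factor only changes the expected number of client iterations; the server's verification is always a single hash, which is what makes this asymmetric.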