算法,花费的时间来运行,但容易验证?算法、容易、时间
我设计一个网站的实验中,将有哪些用户的必须的点击并按住一会儿,然后松开,然后客户端提交AJAX事件服务器的按钮。
不过,从autoclick机器人和快速的垃圾邮件prevent,我想保持时间是非常真实的,而不是跳能,如:做一些计算。问题的关键是浪费实际的CPU时间,这样就不能简单地猜测AJAX回调值或转向更快的系统时钟绕过它。
是否有任何的算法,
在快速和放大器;易生成一个挑战的服务器上 在花费一些时间来在客户端执行,没有恶搞或快捷方式的时间。 在容易与放大器;快速验证响应导致在服务器上? 解决方案您正在寻找一个证明, -work系统。
最流行的算法似乎是的Hashcash (也的维基的),其用于比特币,等等。其基本思路是将要求客户端程序找出散列有一定数量的前导零,这是一个问题,他们必须解决与蛮力
基本上,它的工作原理是这样的:客户有某种道理的。对于电子邮件,这通常是收件人的电子邮件地址和今天的日期。因此,它可能是这样的:
bob@example.com:04102011
客户端现在已经找到一个随机字符串就摆在这方面:
asdlkfjasdlbob@example.com:04202011
使得这个哈希有一堆的前导零。 (我的例子是行不通的,因为我只是做了一个数字。)
然后,在你的身边,你就必须采取这种随机输入并在其上运行的单的哈希值,检查它是否与一群0的开始。这是一个的非常的快速操作。
之所以说的客户的有花的CPU时间相当数量上寻找合适的哈希值,它是一个强力的问题。该只知道要做到这一点是要选择一个随机字符串,测试它,如果它不能正常工作,请另外选择一个。
当然,因为你不这样做的电子邮件,你可能会想使用一个不同的令牌某种形式,而不是一个电子邮件地址和日期。然而,在你的情况,这很容易:你可以只是做了一个随机字符串的服务器端,并把它传递到客户端
该特定算法的一个优点是,它是很容易调整的难度:只要改变你要多少前导零。您所需要的更多的零,时间越长,将采取客户端;然而,核查仍然需要在最终的时间是相同的。
I am designing an website for experiment, there will be a button which user must click and hold for a while, then release, then client submits AJAX event to server.
However, to prevent from autoclick bots and fast spam, I want the hold time to be very real and not skip-able, e.g. doing some calculation. The point is to waste actual CPU time, so that you can't simply guess the AJAX callback value or turning faster system clock to bypass it.
Are there any algorithm that
fast & easy to generate a challenge on a server costs some time to execute on the client side, no spoof or shortcut the time. easy & fast to verify the response result on a server?解决方案
You're looking for a Proof-of-work system.
The most popular algorithm seems to be Hashcash (also on Wikipedia), which is used for bitcoins, among other things. The basic idea is to ask the client program to find a hash with a certain number of leading zeroes, which is a problem they have to solve with brute force.
Basically, it works like this: the client has some sort of token. For email, this is usually the recipient's email address and today's date. So it could look like this:
bob@example.com:04102011
The client now has to find a random string to put in front of this:
asdlkfjasdlbob@example.com:04202011
such that the hash of this has a bunch of leading 0s. (My example won't work because I just made up a number.)
Then, on your side, you just have to take this random input and run a single hash on it, to check if it starts with a bunch of 0s. This is a very fast operation.
The reason that the client has to spend a fair amount of CPU time on finding the right hash is that it is a brute-force problem. The only know want to do it is to choose a random string, test it, and if it doesn't work, choose another one.
Of course, since you're not doing emails, you will probably want to use a different token of some sort rather than an email address and date. However, in your case, this is easy: you can just make up a random string server-side and pass it to the client.
One advantage of this particular algorithm is that it's very easy to adjust the difficulty: just change how many leading zeroes you want. The more zeroes you require, the longer it will take the client; however, verification still takes the same amount of time on your end.
