We have proposed CaRP, a new security primitive that relies on unsolved hard AI problems. CaRP is both a Captcha and a graphical password scheme. The notion of CaRP introduces a new family of graphical passwords, which adopts a new approach to counter online guessing attacks: a new CaRP image, which is also a Captcha challenge, is used for every login attempt to make the trials of an online guessing attack computationally independent of each other. A CaRP password can be found only probabilistically by automatic online guessing attacks, including brute-force attacks, a desired security property that other graphical password schemes lack. Hotspots in CaRP images can no longer be exploited to mount automatic online guessing attacks, an inherent vulnerability in many graphical password systems.
CaRP forces adversaries to resort to much less efficient and much more costly human-based attacks. On the other hand, the usability of CaRP can be further improved by using images of different levels of difficulty based on the login history of the user and the machine used to log in. The best tradeoff between security and usability remains an open question for CaRP, and further studies are needed to refine CaRP for actual deployments. Like Captcha, CaRP uses unsolved AI problems. However, a password is much more valuable to attackers than a free email account, which is what Captcha is usually used to protect. Therefore there are more incentives for attackers to hack CaRP than Captcha.
That is, more effort will be attracted to the following win-win game by CaRP than by ordinary Captcha: if attackers succeed, they contribute to improving AI by providing solutions to open problems such as segmenting 2D texts. Otherwise, our system stays secure, contributing to practical security. As a framework, CaRP does not depend on any specific Captcha scheme. When one Captcha scheme is broken, a new and more secure one may appear and be converted to a CaRP scheme. Overall, our work is one step forward in the paradigm of using hard AI problems for security. With reasonable security and usability and practical applications, CaRP has good potential for refinements, which call for useful future work. More importantly, we expect CaRP to inspire new inventions of such AI-based security primitives.
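The per-attempt challenge property described above can be sketched from the server's side. This is an added example, not code from the CaRP authors: the character-click password, the 8x8 cell grid, the alphabet and all function names are assumptions made for illustration, and the Captcha rendering of the image is not modelled.

```python
import hashlib
import hmac
import random

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed alphabet (assumption)
GRID = 8  # hypothetical 8x8 grid; each cell holds at most one character

def new_challenge(rng):
    """Fresh layout for ONE login attempt: every character gets a random cell.
    The cell -> character map stays on the server; the client only sees an image."""
    cells = rng.sample(range(GRID * GRID), len(ALPHABET))
    return dict(zip(cells, ALPHABET))

def enroll(password, salt):
    """Store only a salted, slow hash of the password, never click coordinates."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(layout, clicks, salt, stored):
    """Translate clicked cells to characters using this attempt's layout,
    then compare against the stored hash in constant time."""
    typed = "".join(layout.get(cell, "?") for cell in clicks)
    return hmac.compare_digest(enroll(typed, salt), stored)

def clicks_for(layout, password):
    """Models a human who can read the image and clicks each password character."""
    cell_of = {ch: cell for cell, ch in layout.items()}
    return [cell_of[ch] for ch in password]

def demo(seed=1):
    """Returns (legit login ok, replayed clicks ok, legit login on new image ok)."""
    rng = random.Random(seed)          # seeded only to keep the demo repeatable
    salt = b"constructed-salt"         # constructed sample value
    stored = enroll("K7PQ", salt)      # constructed sample password
    first = new_challenge(rng)
    clicks = clicks_for(first, "K7PQ")
    ok_first = verify(first, clicks, salt, stored)
    second = new_challenge(rng)        # next attempt gets a new image
    replay_ok = verify(second, clicks, salt, stored)
    fresh_ok = verify(second, clicks_for(second, "K7PQ"), salt, stored)
    return ok_first, replay_ok, fresh_ok

if __name__ == "__main__":
    print(demo())
```

Click coordinates that succeed on one image carry no information about the next one, so a guess list expressed as coordinates (for example, hotspots) cannot be reused across attempts; a production system would draw layouts from a cryptographically secure generator rather than `random.Random`.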