Machine-to-Machine ALTCHA
M2M ALTCHA is a machine-to-machine (M2M) verification system designed as a rate-limiter implemented on the consumer’s end. It provides protection for valuable resources, mitigates spam, and prevents abuse within online services and APIs while ensuring continued accessibility for automated systems.
Usage flow
- Request for expensive action:
The sender initiates a request to perform a resource-intensive action on the remote server, such as creating a new account, using HTTP endpoint:
POST /create_account- Server response with challenge:
Upon receiving the request, the remote server responds with a 401 Unauthorized status code and includes a challenge header in the response:
WWW-Authenticate: Altcha algorithm=SHA-512, challenge=..., salt=..., signature=...- Solution computation and resubmission:
The sender computes the solution to the received challenge and includes the solution in a subsequent request by adding a solution header:
Authorization: Altcha algorithm=SHA-512, number=..., challenge=..., salt=..., signature=...Complexity
Unlike consumer devices, server environments typically possess higher computational capabilities. Hence, challenges designed for servers should demand a higher level of computational effort compared to consumer devices.
As a guiding principle, it’s recommended to set the maximum number in the range of “tens of millions” when generating a new challenge. This threshold ensures that the computational task remains sufficiently challenging for server systems, requiring substantial computational resources and time to compute a solution.
Read more about adjusting comlexity.
Purpose and benefits
-
Resource protection
Prevents resource abuse by imposing a computational challenge before allowing resource-intensive actions.
-
Spam mitigation
Acts as a barrier against automated spamming or unauthorized access attempts.
-
Continued accessibility
Ensures automated systems can access services while deterring malicious activities.