Proof of Work Mechanism
The proof-of-work mechanism is designed to prevent automated abuse and spam by requiring website visitors to perform a computational task. The task is to find a specific number chosen by the server; SHA hashing is used both to generate the challenge and to verify the solution. The server combines a random salt with a secret number to produce a challenge that the visitor must solve before the form can be submitted or the website accessed.
Challenge generation
- Random salt creation: The server generates a random string (salt) of sufficient length (usually at least 10 characters). The salt is an additional input that makes each user's challenge unique and distinct from every other challenge issued.
- Secret number generation: The server generates a secret number, a positive integer, which is never sent to the client. The range from which this number is drawn determines how much work the client must do, and therefore the difficulty of the challenge.
- Challenge computation: The server concatenates the salt and the secret number into a single string and hashes it with the SHA algorithm. The resulting fixed-size hash is the challenge.
- Server signature creation: The server computes a signature over the challenge using an HMAC key that only the server knows. This signature is used during verification to confirm that the submitted challenge was issued by the server and that the user's solution is correct.
In this proof-of-work mechanism, the client’s task involves iterative computation to find a matching solution for the challenge provided by the server.
Client-side task
The client’s task involves continuously iterating through numbers, combining them with the provided salt, and hashing them using SHA until discovering a number that, when hashed with the salt, matches the challenge received from the server. This iterative process requires computational effort from the client’s side to find a solution that meets the criteria set by the server.
Upon finding a matching solution, the client submits the solution along with the original challenge back to the server for validation. If the submitted solution aligns with the original challenge, as per the server’s verification process, the client gains access to the website’s services, demonstrating that it has completed the proof-of-work task successfully.
- Iterative computation:
  - Starting from zero, the client iterates through numbers, incrementing sequentially.
  - For each iteration, it concatenates the salt received from the server with the current number being tested.
  - It applies the SHA hashing algorithm to the concatenated string.
  - The resulting hash is compared to the challenge received from the server.
- Matching solution: The client repeats this process until it finds a number that, combined with the provided salt, produces a SHA hash equal to the challenge provided by the server.
Solution verification
- Challenge validation: Using the salt and number received from the client, the server recomputes the challenge by concatenating these values and applying the SHA hashing algorithm. It then compares the recomputed challenge with the one received from the client to confirm they are equal.
- Signature validation: The server recomputes the signature from the challenge and the HMAC key and compares it with the signature submitted by the client to confirm that the challenge is genuine and the solution is correct.
- Verification check: The request is considered verified only if both checks (challenge and signature) pass. If they do, the server grants access or processes the request; otherwise it denies access or treats the request as potentially malicious.
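The full round trip (server issues a challenge, client brute-forces the number, server verifies hash and signature), as an added example that is not part of this page or its integration guide; it assumes SHA-256 as the SHA variant, hex encoding, and a constructed demo HMAC key.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in a real deployment this is a server-side secret
# that is never sent to the client.
HMAC_KEY = b"constructed-demo-hmac-key"


def sha256_hex(salt: str, number: int) -> str:
    """Hash salt || number the same way on the server and on the client."""
    return hashlib.sha256((salt + str(number)).encode()).hexdigest()


def create_challenge(hmac_key: bytes, max_number: int = 10_000,
                     salt=None, secret_number=None) -> dict:
    """Server side: random salt, hidden secret number, challenge hash, HMAC signature."""
    if salt is None:
        salt = secrets.token_hex(8)  # 16 hex characters, above the 10-character minimum
    if secret_number is None:
        secret_number = secrets.randbelow(max_number) + 1  # positive integer in [1, max_number]
    challenge = sha256_hex(salt, secret_number)
    signature = hmac.new(hmac_key, challenge.encode(), hashlib.sha256).hexdigest()
    # Only salt, challenge and signature go to the client; the secret number stays here.
    return {"salt": salt, "challenge": challenge, "signature": signature}


def solve_challenge(salt: str, challenge: str, max_number: int = 10_000):
    """Client side: try numbers from 0 upwards until the hash equals the challenge."""
    for number in range(max_number + 1):
        if sha256_hex(salt, number) == challenge:
            return number
    return None  # no solution within the search range


def verify_solution(hmac_key: bytes, salt: str, number: int,
                    challenge: str, signature: str) -> bool:
    """Server side: the request is verified only if both checks pass."""
    recomputed = sha256_hex(salt, number)
    if not hmac.compare_digest(recomputed, challenge):
        return False  # wrong number, or salt/challenge tampered with
    expected_sig = hmac.new(hmac_key, challenge.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, signature)  # challenge really came from us


if __name__ == "__main__":
    issued = create_challenge(HMAC_KEY)
    answer = solve_challenge(issued["salt"], issued["challenge"])
    print(answer, verify_solution(HMAC_KEY, issued["salt"], answer,
                                  issued["challenge"], issued["signature"]))
```

The signature is what stops a client from submitting a challenge it computed itself for a number of its choosing: the hash would match, but the HMAC would not. It does not by itself prevent a correctly solved challenge from being submitted more than once, so a deployment still needs an expiry or one-time-use record on the server.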
Refer to the server integration guide for examples and implementation details.