What is the use of public and private keys for reCAPTCHA?

reCAPTCHA requires a public and a private key before it can be embedded on a website. It also needs different reCAPTCHA keys depending on the website. What is the reason for this? Does it use the public and private keys for the words displayed in the reCAPTCHA? I know that I can set the public and private key as GLOBAL, so that they can be used for other domains, but why do I even need the keys in the first place?

+4
1 answer

OK, this is my guess, no guarantees.

  • When creating the client page, the public key is required.
  • The client uses this public key to request from reCAPTCHA an image together with the matching correct answer and possibly an identifier. Of course, the answer and the identifier are encrypted using the public key (thus the client cannot know the answer).
  • The user types in the answer, which is sent to your server.
  • You now have {id, answer} encrypted using the public key. You send your secret key and this encrypted message to the reCAPTCHA server.
  • reCAPTCHA decrypts the message, revealing the answer and the identifier, and checks whether they match.
  • It tells your server the result of the check.

Note:

  • If the user sends his own key to reCAPTCHA, the check will fail because your private key does not work with his public key.
  • The scheme proves that your server is really the one who receives the recaptcha response.
+5
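The server-side step the answer describes (your server sends the user's reCAPTCHA response plus your secret key to the reCAPTCHA server and gets back a verdict) is, in practice, a POST to Google's `siteverify` endpoint. The following is an added example written for this page, not code from the post above or from Google: the site key stays in the page, the secret key stays on your server, and the secret is what proves to Google that the verifier is really your server. It also adds the two checks a practitioner wants around that call: comparing the returned `hostname` against the domain you expect (which matters precisely when a key is set as global for several domains) and treating a replayed token as a failure. Everything under `SITEVERIFY_URL` is the real endpoint; the tokens, hostnames and the fake backend are constructed for the offline demo and are assumptions, not captured traffic.

```python
import json
import urllib.parse
import urllib.request

# Real verification endpoint for reCAPTCHA (v2 and v3 share it).
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def verify_recaptcha(secret_key, response_token, expected_hostname,
                     remote_ip=None, http_post=None):
    """Verify a client-supplied reCAPTCHA response on the server.

    Returns (ok, reason). The secret key never reaches the browser; the
    public/site key is only needed by the page that rendered the widget.
    `http_post` is injectable so the logic can be exercised without network.
    """
    if not response_token:
        return False, "missing-input-response"

    params = {"secret": secret_key, "response": response_token}
    if remote_ip:
        params["remoteip"] = remote_ip
    body = urllib.parse.urlencode(params).encode()

    post = http_post or _post_form
    try:
        result = json.loads(post(SITEVERIFY_URL, body))
    except (OSError, ValueError) as exc:
        # Network error or non-JSON body: fail closed rather than let the form through.
        return False, "verification-request-failed: %s" % exc

    if not result.get("success"):
        # Google reports why: e.g. invalid-input-response, timeout-or-duplicate.
        return False, "rejected: " + ",".join(result.get("error-codes", ["unknown"]))

    # Google only tells you which hostname solved the challenge; with a key
    # that is valid for many domains, the caller must compare it itself.
    hostname = result.get("hostname")
    if hostname != expected_hostname:
        return False, "hostname-mismatch: %r" % (hostname,)

    return True, "ok"


def _post_form(url, body):
    """Plain form POST used for the real call."""
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def fake_siteverify(known_tokens):
    """Constructed stand-in for Google's backend (test double, not real data).

    Mirrors two documented behaviours: an unknown token is rejected with
    invalid-input-response, and a token may be verified only once, after
    which Google answers timeout-or-duplicate.
    """
    used = set()

    def post(url, body):
        fields = urllib.parse.parse_qs(body.decode())
        token = fields.get("response", [""])[0]
        if token in used:
            answer = {"success": False, "error-codes": ["timeout-or-duplicate"]}
        elif token in known_tokens:
            used.add(token)
            answer = dict(known_tokens[token], success=True)
        else:
            answer = {"success": False, "error-codes": ["invalid-input-response"]}
        return json.dumps(answer)

    return post


# Constructed sample verdicts, keyed by the token the browser would submit.
SAMPLE_TOKENS = {
    "good-token": {"challenge_ts": "2020-01-01T00:00:00Z", "hostname": "example.com"},
    "other-site-token": {"challenge_ts": "2020-01-01T00:00:00Z", "hostname": "attacker.example"},
}

if __name__ == "__main__":
    post = fake_siteverify(SAMPLE_TOKENS)
    for token in ("good-token", "good-token", "other-site-token", "forged", ""):
        print(repr(token), verify_recaptcha("my-secret", token, "example.com", http_post=post))
```

The injected `http_post` is the only seam; drop it to talk to the real endpoint with your actual secret. Note that the secret is sent in the POST body to Google, so the verification call must go over HTTPS and must never be made from the browser.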
