reCAPTCHA requires a public and a private key before it can be implemented on a website. It also needs different reCAPTCHA keys depending on the website. What's the reason behind this? Do the public and private keys affect the words displayed in the reCAPTCHA? I know that I can set the public and private key to be GLOBAL so that they can be used for other domains, but why even need the keys in the first place?
OK. This is my guess, no guarantee.
- Your public key is required while generating client-side page.
- The client uses this public key to request from recaptcha: an image, a corresponding correct answer and perhaps an id. Of course the answer and the id come encrypted, using the public key (so the client cannot know the answer).
- User types in the answer, sends it to your server.
- You have: {id, answer} encrypted using public key. You send your private key and this encrypted message to recaptcha server.
- recaptcha decrypts the message, revealing the answer and id, and checks if they match.
- It tells your server the result of the check.
Note:
- If the user sends a public key of his own to recaptcha, the check won't succeed since your private key does not work with his public key.
- The scheme proves that your server is really the one receiving the recaptcha answer.
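To make the server-side half of this concrete, here is an added example (not part of the question or answer above) of the verification step as a site operator would implement it: the private (secret) key stays on the server and is posted together with the user's response to the verification endpoint, and the reply is checked before the form submission is trusted. The endpoint URL and the field names `secret`, `response`, `remoteip`, `success`, `hostname` and `error-codes` are the real reCAPTCHA verification API; the transport is swappable so the offline demo below uses constructed replies rather than a live call, and the secret value is a placeholder.

```python
import json
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Real verification endpoint; the site's secret key is only ever sent here, from the server.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

Transport = Callable[[str, bytes], bytes]


def http_post(url: str, body: bytes) -> bytes:
    """Default transport: a real HTTPS POST (the offline demo replaces this)."""
    req = Request(url, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.read()


def verify_recaptcha(secret_key: str, user_response: str, expected_host: str,
                     remote_ip: Optional[str] = None,
                     transport: Transport = http_post) -> Tuple[bool, List[str]]:
    """Server-side check of the token the browser submitted with the form."""
    if not secret_key or not user_response:
        return False, ["missing-input"]
    params = {"secret": secret_key, "response": user_response}
    if remote_ip:
        params["remoteip"] = remote_ip
    raw = transport(SITEVERIFY_URL, urlencode(params).encode())
    try:
        result = json.loads(raw)
    except ValueError:
        return False, ["bad-json"]
    if result.get("success") is not True:
        return False, list(result.get("error-codes", ["unknown"]))
    # Defensive check: the challenge was solved on a page served by our own host,
    # not a token minted for some other site's public key.
    if result.get("hostname") != expected_host:
        return False, ["hostname-mismatch"]
    return True, []


# Constructed replies for the offline demonstration (not real reCAPTCHA output).
FAKE_RESPONSES = {
    "good-token": b'{"success": true, "hostname": "example.com"}',
    "other-site-token": b'{"success": true, "hostname": "other.example"}',
    "bad-token": b'{"success": false, "error-codes": ["invalid-input-response"]}',
}


def fake_transport(url: str, body: bytes) -> bytes:
    token = parse_qs(body.decode())["response"][0]
    return FAKE_RESPONSES.get(token, b'{"success": false, "error-codes": ["timeout-or-duplicate"]}')
```

Only the boolean from `verify_recaptcha` should gate the protected action; the error codes are for logging, and a token that verifies for a different hostname is treated as a failure even though the provider reported success.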