cd-6-combined doc.pdf

Upload: ganesh-nk

Post on 02-Jun-2018

  • 8/10/2019 cd-6-combined doc.pdf

    1/62

    SECURITY ANALYSIS AND IMPLEMENTATIONS

    OF 3-LEVEL SECURITY SYSTEM USING IMAGE

    BASED AUTHENTICATION

    The Project report submitted in partial fulfillment

    of the requirements for the award of

    BACHELOR OF TECHNOLOGY

    IN

    INFORMATION TECHNOLOGY

    By

    K.UDAY KUMAR 09241A12B4

    B.RAJASEKHAR 09241A1297

    K.SAICHARAN 09241A12A4

    D.VENKATA REDDY 09241A12B5

    Under the Esteemed Guidance of

    V.Padma

    (Associate Professor)

    DEPARTMENT OF INFORMATION TECHNOLOGY

    GOKARAJU RANGARAJU INSTITUTE OF ENGINEERING AND TECHNOLOGY

    HYDERABAD

    2013

    CERTIFICATE

    This is to certify that it is a bonafide record of Project work entitled SECURITY ANALYSIS
    AND IMPLEMENTATION OF 3-LEVEL SECURITY USING IMAGE BASED AUTHENTICATION done by
    K.UDAY KUMAR (09241A12B4), D.VENKATA REDDY (09241A12B5), K.SAICHARAN (09241A1A4), B.RAJASEKHAR (09241A1297),

    students of B.Tech(IT) in the Department of Information Technology, Gokaraju Rangaraju

    Institute of Engineering and Technology during the period 2012-2013 in the partial fulfillment of

    the requirements for the award of degree of B.Tech in Information Technology. This work is not

    submitted to any other university for the award of any Degree/Diploma.

    Assoc prof. V.Padma, Project Guide, Department of IT, GRIET, HYDERABAD

    Dr. T.V.Rajini Kanth, Head of the Department, Department of IT, GRIET, HYDERABAD

    External Examiner

    ACKNOWLEDGEMENT

    We wish to express our deep gratitude to our guide V.Padma, Associate professor in the

    Department of Information Technology, for all the advice, encouragement and constant support

    he has given us throughout our project work. This work would not have been possible without

    his support and valuable suggestions.

    We are grateful to Dr. T.V.Rajini Kanth, Head of the Department of Information

    Technology and the Members of Project Review Committee for their valuable suggestions.

    We are also grateful to Dr. Jandhyala N.Murty, Principal and Prof P.S.Raju, Director of

    GRIET for giving us the necessary facilities to carry out our project work successfully.

    We would like to thank all our friends for their help and constructive criticism during our

    project work.

    K.UDAY KUMAR 09241A12B4

    B.RAJASEKHAR 09241A1297

    K.SAICHARAN 09241A12A4

    D.VENKATA REDDY 09241A12B5

    ABSTRACT

    Increasing security has been an issue ever since the Internet and Web development came into
    existence. Text based passwords alone are not enough to counter such problems, and are now an
    anachronistic approach. This demands something more secure that is also more user-friendly.
    We have therefore tried to increase security with a 3-level security approach, involving a
    text based password at Level 1, Image Based Authentication at Level 2, and an automatically
    generated one-time password (received through an automated email to the authentic user) at
    Level 3. An assiduous effort has also been made to thwart Shoulder attack, Tempest attack, and
    Brute-force attack at the client side, through the use of a unique image set in the IBA System.
    Authentication plays a crucial role in protecting resources against unauthorized and illegal use.

    Authentication processes may vary from simple password based authentication system to

    costly and computation intensified authentication systems. Passwords are more than just a key.

    They serve several purposes. They ensure our privacy, keeping our sensitive information secure.

    Passwords authenticate us to a machine to prove our identity-a secret key that only we should

    know. They also enforce non repudiation, preventing us from later rejecting the validity of

    transactions authenticated with our passwords. Our username identifies us and the password

    validates us. But passwords have some weaknesses: more than one person can possess its

    knowledge at one time. Moreover, there is a constant threat of losing your password to someone

    else with venomous intent.

    Password thefts can and do happen on a daily basis, so we need to defend them. Now

    merely using some random alphabets grouped together with special characters does not assure

    safety. We need something esoteric, something different along with being user-friendly as our

    password, to make it secure. This paper is a unique and an esoteric study of using images as

    password and implementation of an extremely secured system, employing 3 levels of security
    (Text Password, Image Password, and One-Time automated generated password). This unique,
    user-friendly system, named 3 Level Security, can be employed in any organization for
    storing crucial and confidential documents, and ensures security through its three levels:
    first through Text Password, second through Image based Password, and third through
    One-Time Automated Password.

    CONTENTS

    CHAPTER 1: INTRODUCTION
    1.1 Security Analysis and Implementation of 3-Level Security
    1.2 Existing System
    1.3 Proposed System
    1.4 Hardware Used
    1.5 Software Used

    CHAPTER 2: LITERATURE SURVEY
    2.1 Sharing the Data Center Network
    2.2 Comparison of Three Schedulers of CPU in Xen
    2.3 Cloud CMP
    2.4 Impact of Virtualisation on Computer Network
    2.5 Data Flow Diagrams

    CHAPTER 3: MODULES
    3.1 Registration
    3.2 Text Based Authentication
    3.3 Image Based Authentication
    3.4 Opass Authentication
    3.5 Security
    3.6 Authentication

    CHAPTER 4: JSP
    4.1 Introduction
    4.2 Architecture of JSP
    4.3 Servlets

    CHAPTER 5: JAVA BEANS
    5.1 Introduction
    5.2 Visualisation of Textual Password
    5.3 Attacks against Textual Passwords

    CHAPTER 6: TESTING
    6.1 Functional Testing
    6.2 Validation Testing
    6.3 System Testing
    6.4 Structure Testing
    6.5 Output Testing
    6.6 User Acceptance
    6.7 Feasibility Study
    6.8 Technical Study
    6.9 Operational Study
    6.10 Economical Study

    CHAPTER 7: SOURCE CODE

    CHAPTER 8: RESULTS AND ANALYSIS

    CHAPTER 9: CONCLUSION AND FUTURE WORK

    REFERENCES

    LIST OF FIGURES

    1.1 Architecture Diagram
    2.1 DFD Level-0
    2.2 DFD Level-1
    2.3 DFD Level-2
    2.4 UML Diagrams
    2.5 Class Diagram
    2.6 Sequence Diagram
    2.7 Collaboration Diagram
    2.8 Activity Diagram
    8.1 Home Page
    8.2 Registration Page1
    8.3 Registration Page2
    8.4 Registration Grid1
    8.5 Registration Grid2
    8.6 Registration Grid3
    8.7 Success Page
    8.8 Login Page
    8.9 One Time Password
    8.10 Successful Home Page
    8.11 Griet Home Page

    CHAPTER-1

    INTRODUCTION

    1.1 Security Analysis and Implementation of 3-Level Security System Using Image Based Authentication

    Objective

    The three-level security system is built for security purposes. The 3-Level Security system is
    definitely a time-consuming approach, as the user has to traverse the three levels of
    security and will need to refer to his email-id for the automatically generated one-time password.

    1.2 Existing System:

    Nowadays many hackers break into our accounts and share all the details or collect the
    documents.

    Hackers mostly target our bank details, office details and personal mail.

    Many security measures are in use now, but most of them fail,

    because all the applications have some easy way to be hacked.

    Our username identifies us and the password validates us. But passwords have some

    weaknesses: more than one person can possess its knowledge at one time. Moreover,

    there is a constant threat of losing your password to someone else with venomous intent.

    Disadvantages:

    In the extreme case, a hacker may get through the above two mentioned security levels.

    Man-in-the-middle attacks and dictionary attacks are possible.

    1.3 Proposed System:

    This unique and user-friendly 3-Level Security System involves three levels of security,
    where the preceding level must be passed in order to proceed to the next level.

    Level 1: Security at this level has been imposed by using a text based password (with special
    characters), which is a usual and now an anachronistic approach.

    Level 2: At this level the security has been imposed using Image based authentication (IBA),
    where the user will be asked to select from the two difficulty levels. Both levels have
    three unique image grids, from which the user has to select three images, one from each grid.

    Level 3: After the successful clearance of the above two levels, the 3-Level Security System will
    then generate a one-time numeric password that would be valid just for that login session.
    The authentic user will be informed of this one-time password on his signed-up email-id.

    In the extreme case, a hacker who (although it is difficult) gets through the above two
    security levels will definitely not be able to cross the third security level unless he
    has access to the original user's email-id.

    Advantages:

    This system is used only for security purposes, and it can be used in all places that need security.

    Hackers cannot hack the security very easily, because the three levels make this concept more useful.

    In the extreme case, a hacker who (although it is difficult) gets through the above two
    security levels will definitely not be able to cross the third security level unless he
    has access to the original user's email-id.

    The user will be authenticated as an authentic user, and will be awarded access to the
    stored information, only after crossing the three security levels (Security level 1: Text
    password, Security level 2: Image Based password, and Security level 3: One-Time
    Automated password).

    1.4 Hardware Used

    Main Processor : Above 2 GHz

    Ram : 512 MB

    Hard Disk : 80 GB

    Platform : Windows 8

    1.5 Software Used

    Language : JAVA, Swing

    Database : MySQL

    Architecture Diagram:

    FIG 1.1: Architecture diagram

    CHAPTER-2

    LITERATURE SURVEY

    2.1 SHARING THE DATA CENTER NETWORK

    While today's data centers are multiplexed across many non-cooperating applications, they

    lack effective means to share their network. Relying on TCP's congestion control, as we show

    from experiments in production data centers, opens up the network to denial of service attacks

    and performance interference. We present Seawall, a network bandwidth allocation scheme that

    divides network capacity based on an administrator-specified policy. Seawall computes and

    enforces allocations by tunneling traffic through congestion controlled, point to multipoint, edge

    to edge tunnels.

    2.2 COMPARISON OF THE THREE CPU SCHEDULERS IN XEN

    The primary motivation for enterprises to adopt virtualization technologies is to create a

    more agile and dynamic IT infrastructure with server consolidation, high resource utilization,

    the ability to quickly add and adjust capacity on demand while lowering total cost of

    ownership and responding more effectively to changing business conditions. However, effective

    management of virtualized IT environments introduces new and unique requirements, such as

    dynamically resizing and migrating virtual machines (VMs) in response to changing application

    demands. Such capacity management methods should work in conjunction with the underlying

    resource management mechanisms. However, it is not clear whether a straight-forward port of

    process schedulers to VM schedulers would perform just as well. We use the open source Xen

    virtual machine monitor to perform a comparative evaluation of three different CPU schedulers

    for virtual machines. We analyze the impact of the choice of scheduler and its parameters on

    application performance, and discuss challenges in estimating the application resource

    requirements in virtualized environments.

    2.3 CLOUDCMP: COMPARING PUBLIC CLOUD PROVIDERS

    While many public cloud providers offer pay-as-you-go computing, their varying

    approaches to infrastructure, virtualization, and software services lead to a problem of plenty. To

    help customers pick a cloud that fits their needs, we develop CloudCmp, a systematic comparator

    of the performance and cost of cloud providers. CloudCmp measures the elastic computing,

    persistent storage, and networking services offered by a cloud along metrics that directly reflect

    their impact on the performance of customer applications. CloudCmp strives to ensure fairness,

    representativeness, and compliance of these measurements while limiting measurement cost.

    Applying CloudCmp to four cloud providers that together account for most of the cloud

    customers today, we find that their offered services vary widely in performance and costs,

    underscoring the need for thoughtful provider selection. From case studies on three

    representative cloud applications, we show that CloudCmp can guide customers in selecting the

    best-performing provider for their applications.

    2.4 THE IMPACT OF VIRTUALIZATION ON NETWORK PERFORMANCE

    Cloud computing services allow users to lease computing resources from large scale data

    centers operated by service providers. Using cloud services, users can deploy a wide variety of

    applications dynamically and on-demand. Most cloud service providers use machine

    virtualization to provide flexible and cost-effective resource sharing. However, few studies have

    investigated the impact of machine virtualization in the cloud on networking performance. In this

    paper, we present a measurement study to characterize the impact of virtualization on the

    networking performance of the Amazon Elastic Cloud Computing (EC2) data center. We

    measure the processor sharing, packet delay, TCP/UDP throughput and packet loss among

    Amazon EC2 virtual machines. Our results show that even though the data center network is

    lightly utilized, virtualization can still cause significant throughput instability and abnormal delay

    variations. We discuss the implications of our findings on several classes of applications.

    2.5 Diagrams

    2.5.1 Dataflow Diagrams

    LEVEL 0:

    FIG 2.1: DFD Level 0 (elements: User, Open application, Username, Text password, Password Authentication)

    LEVEL 1:

    FIG 2.2: DFD Level 1 (elements: Password Authentication, Click Correct Image, Image authentication)

    LEVEL 2:

    FIG 2.3: DFD Level 2 (elements: Email pwd, Fetch password, Pwd)

    2.5.2 UML Diagrams:

    Usecase Diagram:

    FIG 2.4: Usecase diagram (elements: user, Server, open application, username & text pwd, Image authentication, email password)

    2.5.3 Class Diagram:

    FIG 2.5: Class diagram (Application: pwd, request, response, open application(), authentication(); user: request, response, open application(), fetch pwd())

    2.5.4 Sequence Diagram:

    FIG 2.6: Sequence diagram

    Participants: user, application, authentication, server

    1. request
    2. application request
    3. application response
    4. username and text pwd
    5. pwd authentication
    6. Image selection
    7. Image authentication
    8. email pwd to user
    9. pwd authentication
    10. success
    11. open application

    2.5.5 Collaboration Diagram:

    FIG 2.7: Collaboration diagram (participants: user, application, authentication, server; messages: 1. request, 2. application request, 3. application response, 4. username and text pwd, 5. pwd authentication, 6. Image selection, 7. Image authentication, 8. email pwd to user, 9. pwd authentication, 10. success, 11. open application)

    2.5.6 Activity Diagram:

    FIG 2.8: Activity diagram (activities: user, open application, username & pwd, Image authentication, email password, fetch pwd in application, success)

    CHAPTER-3

    MODULES

    3.1 Registration Module

    Registration is one of the primary modules in any data management system. User record
    management starts with registering a user with the system. For registration to be a
    customizable and scalable solution to user record management, it also requires a customizable
    user registration system. Since every implementation of registration may differ in the
    type of information that it requires, it is extremely important to keep the registration
    module generalized, so that it can be configured to take registration information
    about a user according to the needs of the implementer.

    3.2 Text Based Authentication

    Security at this level has been imposed by using a text based password (with special
    characters), which is a usual and now an anachronistic approach. Security at Level 1, at the
    client side, is ensured by the use of a text password, and that text password has to be entered
    with special characters. Therefore, security at Level 1 is ensured by the use of a
    text password, which is a usual approach, and now an anachronistic approach.

    3.3 Image Based Authentication

    At this level the security has been imposed using Image Based Authentication
    (IBA), where the user will be asked to select from the two difficulty levels. Both levels
    have three unique image grids, from which the user has to select three images, one
    from each grid. The IBA security level is divided into 2 difficulty levels.

    The images to be selected from an image set:

    1) Should not be easily describable,

    2) Should be easy to remember

    The security of the system can be compromised if we do not select proper images for the

    image set. Also we have to keep in mind that a user should be able to remember his image

    password easily. Another important aspect relating to image set is how these images are arranged

    when presented to a user.

    We use a random display of images within an image set, i.e. within an image set, images are
    arranged randomly and their position is in no way related to the previous image set that was
    generated at an earlier point of time, i.e. during the previous signup or login process. By doing
    this, the system protects itself from many security attacks (to be discussed later on), especially
    from an eavesdropper looking from behind. Keystroke logging is one of the key attacks
    attempted by a hacker in password authentication systems. It is most common when text based
    passwords are used to authenticate users. The attacker observes the keystrokes of a user and can
    later gain access to the system.
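One way to implement the random arrangement described above, as an added example that is not code from the project report. The grid size of nine images, the image ids, the class and method names, and the per-attempt click tokens are assumptions made for illustration; the report itself only states that image positions are unrelated to those of any earlier signup or login.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class ImageGridDemo {
    private static final SecureRandom RNG = new SecureRandom();

    /** One image grid as shown for a single signup or login attempt. */
    static final class Grid {
        // Display order for this attempt: cell i shows the image behind tokens.get(i).
        private final List<String> tokens = new ArrayList<>();
        // Kept on the server only: random per-attempt token -> stable image id.
        private final Map<String, String> tokenToImage = new HashMap<>();

        Grid(List<String> imageIds) {
            List<String> shuffled = new ArrayList<>(imageIds);
            Collections.shuffle(shuffled, RNG); // new arrangement, unrelated to earlier ones
            for (String imageId : shuffled) {
                byte[] raw = new byte[16];
                RNG.nextBytes(raw);
                String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                tokens.add(token);
                tokenToImage.put(token, imageId);
            }
        }

        /** Cell index at which an image is displayed in this attempt, or -1. */
        int positionOf(String imageId) {
            for (int i = 0; i < tokens.size(); i++) {
                if (tokenToImage.get(tokens.get(i)).equals(imageId)) return i;
            }
            return -1;
        }

        /** Token the browser would send back when the user clicks the given cell. */
        String tokenAt(int position) {
            return tokens.get(position);
        }

        /** True only if the clicked token stands for the image registered for this grid. */
        boolean verify(String clickedToken, String registeredImageId) {
            String chosen = tokenToImage.get(clickedToken);
            if (chosen == null) return false; // token unknown to this attempt
            return MessageDigest.isEqual(
                    chosen.getBytes(StandardCharsets.UTF_8),
                    registeredImageId.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Builds freshly shuffled grids, one per image set, for one attempt. */
    static List<Grid> newChallenge(List<List<String>> imageSets) {
        List<Grid> grids = new ArrayList<>();
        for (List<String> set : imageSets) grids.add(new Grid(set));
        return grids;
    }

    /** Every grid is always checked, so the result does not reveal which grid failed. */
    static boolean verifyAll(List<Grid> grids, List<String> clicked, List<String> registered) {
        if (grids.size() != clicked.size() || grids.size() != registered.size()) return false;
        boolean ok = true;
        for (int i = 0; i < grids.size(); i++) {
            ok &= grids.get(i).verify(clicked.get(i), registered.get(i));
        }
        return ok;
    }

    public static void main(String[] args) {
        // Constructed sample data: three image sets of nine ids each (grid size is an assumption).
        List<List<String>> imageSets = new ArrayList<>();
        for (int g = 1; g <= 3; g++) {
            List<String> set = new ArrayList<>();
            for (int i = 0; i < 9; i++) set.add("grid" + g + "-img" + i);
            imageSets.add(set);
        }
        // Constructed image password: one registered image per grid.
        List<String> registered = Arrays.asList("grid1-img4", "grid2-img0", "grid3-img7");

        List<Grid> login1 = newChallenge(imageSets);
        List<Grid> login2 = newChallenge(imageSets);

        // The user finds the registered image in each grid of login 1 and clicks it.
        List<String> clicks = new ArrayList<>();
        for (int i = 0; i < 3; i++) {
            int cell = login1.get(i).positionOf(registered.get(i));
            System.out.println("grid " + (i + 1) + ": cell " + cell + " in login 1, cell "
                    + login2.get(i).positionOf(registered.get(i)) + " in login 2");
            clicks.add(login1.get(i).tokenAt(cell));
        }
        System.out.println("login 1, correct images : " + verifyAll(login1, clicks, registered));
        // Values recorded during login 1 carry no meaning in the reshuffled login 2.
        System.out.println("login 2, replayed clicks: " + verifyAll(login2, clicks, registered));
    }
}
```

The server compares image identities, never cell positions, so neither a remembered screen position nor a value captured from an earlier attempt is accepted later.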

    3.4 Opass Authentication

    The 3-Level Security System will then generate a one-time numeric password that would
    be valid just for that login session. The authentic user will be informed of this one-time
    password on his signed-up email-id. In the extreme case, a hacker who (although it is
    difficult) gets through the above two security levels will definitely not be
    able to cross the third security level unless he has access to the original user's email-id. The
    user will be authenticated as an authentic user, and will be awarded access to the stored
    information, only after crossing the three security levels (Security level 1: Text password,
    Security level 2: Image Based password, and Security level 3: One-Time Automated password).
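One way to implement the one-time password step described above, added here as an example and not taken from the project's source code. The six-digit length, five-minute lifetime, three-attempt limit and all class, field and method names are assumptions; the report only says the password is numeric, e-mailed to the user and valid for that login session. Sending the e-mail is left to the caller.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Locale;

public class LoginOtp {
    // Assumed parameters, not values from the report.
    static final int BOUND = 1_000_000;                      // six decimal digits
    static final Duration LIFETIME = Duration.ofMinutes(5);
    static final int MAX_ATTEMPTS = 3;

    private static final SecureRandom RNG = new SecureRandom();

    private final String sessionId;   // the login session that passed levels 1 and 2
    private final byte[] code;
    private final Instant expiresAt;
    private int attemptsLeft = MAX_ATTEMPTS;
    private boolean used = false;

    private LoginOtp(String sessionId, String code, Instant now) {
        this.sessionId = sessionId;
        this.code = code.getBytes(StandardCharsets.UTF_8);
        this.expiresAt = now.plus(LIFETIME);
    }

    /** Result of issuing: state to keep server-side and the code to e-mail to the user. */
    static final class Issued {
        final LoginOtp state;
        final String codeToEmail;

        Issued(LoginOtp state, String codeToEmail) {
            this.state = state;
            this.codeToEmail = codeToEmail;
        }
    }

    static Issued issue(String sessionId, Instant now) {
        // nextInt(bound) is uniform over 0..bound-1; the format keeps leading zeros.
        String code = String.format(Locale.ROOT, "%06d", RNG.nextInt(BOUND));
        return new Issued(new LoginOtp(sessionId, code, now), code);
    }

    /** Accepts the code once, only for its own session, before expiry, within the attempt limit. */
    synchronized boolean verify(String presentedSessionId, String submitted, Instant now) {
        if (used || attemptsLeft <= 0 || !now.isBefore(expiresAt)) return false;
        attemptsLeft--; // every try counts, so the code space cannot be enumerated
        boolean ok = sessionId.equals(presentedSessionId)
                && submitted != null
                && MessageDigest.isEqual(code, submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) used = true; // one-time: a second use of the same code is refused
        return ok;
    }

    /** Returns a six-digit string guaranteed to differ from the given code. */
    private static String differentFrom(String code) {
        return code.equals("000000") ? "000001" : "000000";
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2013-01-01T10:00:00Z"); // constructed clock value
        Instant t1 = t0.plusSeconds(30);

        Issued a = issue("session-A", t0);
        System.out.println("wrong code             : "
                + a.state.verify("session-A", differentFrom(a.codeToEmail), t1));
        System.out.println("right code, other login: "
                + a.state.verify("session-B", a.codeToEmail, t1));
        System.out.println("right code             : "
                + a.state.verify("session-A", a.codeToEmail, t1));
        System.out.println("same code again        : "
                + a.state.verify("session-A", a.codeToEmail, t1));

        Issued b = issue("session-C", t0);
        System.out.println("after expiry           : "
                + b.state.verify("session-C", b.codeToEmail, t0.plus(LIFETIME).plusSeconds(1)));

        Issued c = issue("session-D", t0);
        for (int i = 0; i < MAX_ATTEMPTS; i++) {
            c.state.verify("session-D", differentFrom(c.codeToEmail), t1);
        }
        System.out.println("after 3 wrong tries    : "
                + c.state.verify("session-D", c.codeToEmail, t1));
    }
}
```

Only the third line of output is `true`; the wrong code, the other session, the reuse, the expired code and the exhausted attempt budget are all refused.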

    3.5 Security:

    Security is the degree of protection to safeguard a nation, union of nations, persons or

    person against danger, damage, loss, and crime. Security as a form of protection is structures and

    processes that provide or improve security as a condition. The Institute for Security and Open

    Methodologies (ISECOM) in the OSSTMM 3 defines security as "a form of protection where a

    separation is created between the assets and the threat". This includes but is not limited to the

    elimination of either the asset or the threat. Security as a national condition was defined in a

    United Nations study (1986) so that countries can develop and progress safely.

    Security has to be compared to related concepts: safety, continuity, reliability. The key

    difference between security and reliability is that security must take into account the actions of

    people attempting to cause destruction.

    3.5.1 Different scenarios also give rise to the context in which security is maintained:

    With respect to classified matter, the condition that prevents unauthorized persons from

    having access to official information that is safeguarded in the interests of national

    security.

    Measures taken by a military unit, an activity or installation to protect itself against all

    acts designed to, or which may, impair its effectiveness.

    3.5.2 Security concepts:

    Certain concepts recur throughout different fields of security:

    Assurance - assurance is the level of guarantee that a security system will behave as

    expected

    Countermeasure - a countermeasure is a way to stop a threat from triggering a risk event

    Defense in depth - never rely on one single security measure alone

    Exploit - a vulnerability that has been triggered by a threat - a risk of 1.0 (100%)

    Risk - a risk is a possible event which could cause a loss

    Threat - a threat is a method of triggering a risk event that is dangerous

    Vulnerability - a weakness in a target that can potentially be exploited by a security threat

    3.5.3 Security management in organizations:

    In the corporate world, various aspects of security were historically addressed separately -

    notably by distinct and often non communicating departments for IT security, physical security,

    and fraud prevention. Today there is a greater recognition of the interconnected nature of

    security requirements, an approach variously known as holistic security, "all hazards"

    management, and other terms.

    Inciting factors in the convergence of security disciplines include the development of digital

    video surveillance technologies (see Professional video over IP) and the digitization and

    networking of physical control systems (see SCADA). Greater interdisciplinary cooperation is

    further evidenced by the February 2005 creation of the Alliance for Enterprise Security Risk

    Management, a joint venture including leading associations in security (ASIS), information

    security (ISSA, the Information Systems Security Association), and IT audit (ISACA, the

    Information Systems Audit and Control Association).

    In 2007 the International Organisation for Standardization (ISO) released ISO 28000 -

    Security Management Systems for the supply chain. Although the title supply chain is included,

    this Standard specifies the requirements for a security management system, including those

    aspects critical to security assurance for any organisation or enterprise wishing to manage

    the security of the organisation and its activities. ISO 28000 is the foremost risk based security

    system and is suitable for managing both public and private regulatory security, customs and

    industry based security schemes and requirements.

    3.6 Authentication:

    Authentication is the act of confirming the truth of an attribute of a datum or entity. This

    might involve confirming the identity of a person or software program, tracing the origins of an

    artifact, or ensuring that a product is what its packaging and labeling claims to be.

    3.6.1 Authentication methods:

    In art, antiques, and anthropology, a common problem is verifying that a person has the said

    identity, or a given artifact was produced by a certain person or was produced in a certain place

    or period of history.

    3.6.2 There are three types of techniques for doing this.

    The first type of authentication is accepting proof of identity given by a credible person who

    has evidence on the said identity, or on the originator and the object under assessment as the

    originator's artifact respectively.

    The second type of authentication is comparing the attributes of the object itself to what is

    known about objects of that origin. For example, an art expert might look for similarities in the

    style of painting, check the location and form of a signature, or compare the object to an old

    photograph. An archaeologist might use carbon dating to verify the age of an artifact, do a

    chemical analysis of the materials used, or compare the style of construction or decoration to

    other artifacts of similar origin. The physics of sound and light, and comparison with a known

    physical environment, can be used to examine the authenticity of audio recordings, photographs,

    or videos.

    Attribute comparison may be vulnerable to forgery. In general, it relies on the facts that

    creating a forgery indistinguishable from a genuine artifact requires expert knowledge, that

    mistakes are easily made, and that the amount of effort required to do so is considerably greater

    than the amount of profit that can be gained from the forgery.

    In art and antiques, certificates are of great importance for authenticating an object of

    interest and value. Certificates can, however, also be forged, and the authentication of these

    poses a problem. For instance, the son of Han van Meegeren, the well-known art-forger, forged

    the work of his father and provided a certificate for its provenance as well; see the article Jacques

    van Meegeren. Criminal and civil penalties for fraud, forgery, and counterfeiting can reduce the

    incentive for falsification, depending on the risk of getting caught.

    The third type of authentication relies on documentation or other external affirmations. For

    example, the rules of evidence in criminal courts often require establishing the chain of custody

    of evidence presented. This can be accomplished through a written evidence log, or by testimony

    from the police detectives and forensics staff that handled it. Some antiques are accompanied by

    certificates attesting to their authenticity. External records have their own problems of forgery

    and perjury, and are also vulnerable to being separated from the artifact and lost.

    Currency and other financial instruments commonly use the first type of authentication

    method. Bills, coins, and cheques incorporate hard-to-duplicate physical features, such as fine

    printing or engraving, distinctive feel, watermarks, and holographic imagery, which are easy for

    receivers to verify.

    Consumer goods such as pharmaceuticals, perfume, fashion clothing can use either type of

    authentication method to prevent counterfeit goods from taking advantage of a popular brand's

    reputation (damaging the brand owner's sales and reputation). A trademark is a legally protected

    marking or other identifying feature which aids consumers in the identification of genuine brand-

    name goods.

    CHAPTER-4

    JSP

    4.1 Introduction

    Java Server Pages (JSP) is a Java technology that allows software developers to dynamically

    generate HTML, XML or other types of documents in response to a Web client request. The

    technology allows Java code and certain pre-defined actions to be embedded into static content.

    The JSP syntax adds additional XML-like tags, called JSP actions, to be used to invoke

    built-in functionality. Additionally, the technology allows for the creation of JSP tag libraries

    that act as extensions to the standard HTML or XML tags. Tag libraries provide a platform

    independent way of extending the capabilities of a Web server.

    JSPs are compiled into Java Servlets by a JSP compiler. A JSP compiler may generate a

    servlet in Java code that is then compiled by the Java compiler, or it may generate byte code for

    the servlet directly. JSPs can also be interpreted on-the-fly reducing the time taken to reload

    changes.

    Java Server Pages (JSP) technology provides a simplified, fast way to create dynamic web

    content. JSP technology enables rapid development of web-based applications that are server-

    and platform-independent.

    4.2 Architecture of JSP:

    FIG 4.1: Architecture of JSP

    4.2.1 The Advantages of JSP:

    Active Server Pages (ASP). ASP is a similar technology from Microsoft. The advantages

    of JSP are twofold. First, the dynamic part is written in Java, not Visual Basic or other

    MS-specific language, so it is more powerful and easier to use. Second, it is portable to

    other operating systems and non-Microsoft Web servers.

    Pure Servlets. JSP doesn't give you anything that you couldn't in principle do with a

    servlet. But it is more convenient to write (and to modify!) regular HTML than to have a

    zillion println statements that generate the HTML. Plus, by separating the look from the

    content you can put different people on different tasks: your Web page design experts can

    build the HTML, leaving places for your servlet programmers to insert the dynamic

    content.

    Server-Side Includes (SSI). SSI is a widely-supported technology for including

    externally-defined pieces into a static Web page. JSP is better because it lets you use

    servlets instead of a separate program to generate that dynamic part. Besides, SSI is really

    only intended for simple inclusions, not for "real" programs that use form data, make

    database connections, and the like.

    JavaScript. JavaScript can generate HTML dynamically on the client. This is a useful

    capability, but only handles situations where the dynamic information is based on the

    client's environment. With the exception of cookies, HTTP and form submission data is

    not available to JavaScript. And, since it runs on the client, JavaScript can't access server-

    side resources like databases, catalogs, pricing information, and the like.

    Static HTML. Regular HTML, of course, cannot contain dynamic information. JSP is so

    easy and convenient that it is quite feasible to augment HTML pages that only benefit

    marginally by the insertion of small amounts of dynamic data. Previously, the cost of

    using dynamic data would preclude its use in all but the most valuable instances.

    4.3 Servlets

    Java Servlet technology provides Web developers with a simple, consistent mechanism for

    extending the functionality of a Web server and for accessing existing business systems. Servlets

    are server-side Java EE components that generate responses (typically HTML pages) to requests

    (typically HTTP requests) from clients. A servlet can almost be thought of as an applet that runs

    on the server side, without a face.

    // Hello.java
    import java.io.*;
    import javax.servlet.*;

    public class Hello extends GenericServlet {
        // Called by the container for every request sent to this servlet.
        public void service(ServletRequest request, ServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html");
            final PrintWriter pw = response.getWriter();
            pw.println("Hello, world!");
            pw.close();
        }
    }

    The import statements direct the Java compiler to include all of the public classes and interfaces

    from the java.io and javax.servlet packages in the compilation.

    The Hello class extends the GenericServlet class; the GenericServlet class provides the

    interface for the server to forward requests to the servlet and control the servlet's lifecycle.

    The Hello class overrides the service(ServletRequest, ServletResponse) method defined

    by the Servlet interface to provide the code for the service request handler. The service() method

    is passed a ServletRequest object that contains the request from the client and a

    ServletResponse object used to create the response returned to the client. The service() method

    declares that it throws the exceptions ServletException and IOException if a problem prevents it

    from responding to the request.

    The setContentType(String) method in the response object is called to set the MIME

    content type of the returned data to "text/html". The getWriter() method in the response returns

    a PrintWriter object that is used to write the data that is sent to the client. The println(String)

    method is called to write the "Hello, world!" string to the response and then the close() method

    is called to close the print writer, which causes the data that has been written to the stream to be

    returned to the client.

    CHAPTER-5

    JAVA BEANS

    5.1 Introduction

    JavaBeans are reusable software components for Java that can be manipulated visually in a

    builder tool. Practically, they are classes written in the Java programming language conforming

    to a particular convention. They are used to encapsulate many objects into a single object (the

    bean), so that they can be passed around as a single bean object instead of as multiple individual

    objects. A JavaBean is a Java Object that is serializable, has a nullary constructor, and allows

    access to properties using getter and setter methods.

    The required conventions are:

    The class must have a public default constructor. This allows easy instantiation within editing

    and activation frameworks.

    The class properties must be accessible using get, set, and other methods (so-called accessor

    methods and mutator methods), following a standard naming convention. This allows easy

    automated inspection and updating of bean state within frameworks, many of which include

    custom editors for various types of properties.

    The class should be serializable. This allows applications and frameworks to reliably save,

    store, and restore the bean's state in a fashion that is independent of the VM and platform.

    Because these requirements are largely expressed as conventions rather than by

    implementing interfaces, some developers view JavaBeans as Plain Old Java Objects that follow

    specific naming conventions.

    5.2 Visualization of Textual Passwords

    Passwords are now everywhere. The main form of passwords is based on characters you can

    type on your keyboard, normally called textual passwords. One major security problem with

    textual passwords is their vulnerability to dictionary attack, namely, brute-force attack based on a

    dictionary which is much smaller than the whole password space. In this project, you will

    develop an interactive program to visualize the security of a textual password w.r.t. one or more

    given dictionaries, and to help the user to select a more secure textual password while he/she is

    typing the password.

    The second part of the system is called a proactive password checker (PPC). All existing

    PPCs we can find on the Internet have very limited visualization effect, and cannot clearly show

    the reason why a password is weak or strong, and give no clue how the user should react. The

    goal of the project is to have the first fully visualized PPC.

    5.3 ATTACKS AGAINST TEXTUAL PASSWORDS

    Attackers generally compromise passwords in one of four ways:

    1. By gathering enough information about users to guess their password;

    2. By social engineering, e.g., tricking users into revealing their usernames and/or passwords;

    3. By capturing users' passwords, e.g., via shoulder surfing or spyware;

    4. By cracking passwords using a software program, such as John the Ripper.

    5.3.1 Human Selection of Mnemonic Phrase-based Passwords

    Textual passwords are often the only mechanism used to authenticate users of a networked

    system. Unfortunately, many passwords are easily guessed or cracked. In an attempt to

    strengthen passwords, some systems instruct users to create mnemonic phrase-based passwords.

    A mnemonic password is one where a user chooses a memorable phrase and uses a character

    (often the first letter) to represent each word in the phrase. In this paper, we hypothesize that

    users will select mnemonic phrases that are commonly available on the Internet, and that it is

    possible to build a dictionary to crack mnemonic phrase-based passwords.

    We conduct a survey to gather user-generated passwords. We show the majority of survey

    respondents based their mnemonic passwords on phrases that can be found on the Internet, and

    we generate a mnemonic password dictionary as a proof of concept. Our 400,000-entry

    dictionary cracked 4% of mnemonic passwords; in comparison, a standard dictionary with 1.2

    million entries cracked 11% of control passwords. The user generated mnemonic passwords

    were also slightly more resistant to brute force attacks than control passwords. These results

    suggest that mnemonic passwords may be appropriate for some uses today. However, mnemonic

    passwords could become more vulnerable in the future and should not be treated as a panacea.
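
    A proactive password checker of the kind sections 5.2 and 5.3.1 describe can reject a candidate and name the reason, including the case where it is the initials of a known phrase. The following Java example is added here and is not code from the project; the class name, the minimum length of 8 and the sample word and phrase lists are assumptions constructed for illustration.

    ```java
    import java.util.*;

    /** Added example: proactive password check against word and mnemonic-phrase dictionaries. */
    public class ProactivePasswordCheck {

        /** Result shown to the user while typing: accepted, or the reason for rejection. */
        enum Verdict { OK, TOO_SHORT, DICTIONARY_WORD, MNEMONIC_OF_KNOWN_PHRASE }

        static final int MIN_LENGTH = 8; // assumed policy value, not taken from the report

        private final Set<String> words = new HashSet<>();
        private final Map<String, String> mnemonics = new HashMap<>(); // mnemonic -> source phrase

        ProactivePasswordCheck(Collection<String> wordList, Collection<String> phrases) {
            for (String w : wordList) words.add(w.toLowerCase(Locale.ROOT));
            for (String p : phrases) mnemonics.put(mnemonic(p), p);
        }

        /** First letter of every word, lower-cased. */
        static String mnemonic(String phrase) {
            StringBuilder sb = new StringBuilder();
            for (String w : phrase.trim().split("\\s+")) {
                if (!w.isEmpty()) sb.append(Character.toLowerCase(w.charAt(0)));
            }
            return sb.toString();
        }

        /** Lower-case the candidate and drop digits or punctuation appended at the end. */
        static String stripSuffix(String candidate) {
            return candidate.toLowerCase(Locale.ROOT).replaceAll("[0-9\\p{Punct}]+$", "");
        }

        /** Undo common character swaps so that "p@ssw0rd" is looked up as "password". */
        static String undoSwaps(String s) {
            return s.replace('0', 'o').replace('1', 'l').replace('3', 'e')
                    .replace('4', 'a').replace('5', 's').replace('@', 'a').replace('$', 's');
        }

        Verdict check(String candidate) {
            if (candidate.length() < MIN_LENGTH) return Verdict.TOO_SHORT;
            String core = stripSuffix(candidate);
            if (words.contains(core) || words.contains(undoSwaps(core))) {
                return Verdict.DICTIONARY_WORD;
            }
            if (mnemonics.containsKey(core)) return Verdict.MNEMONIC_OF_KNOWN_PHRASE;
            return Verdict.OK;
        }

        /** Message for the user that names the reason, not only "weak" or "strong". */
        String explain(String candidate) {
            switch (check(candidate)) {
                case TOO_SHORT:
                    return "shorter than " + MIN_LENGTH + " characters";
                case DICTIONARY_WORD:
                    return "a dictionary word once case, suffix and character swaps are removed";
                case MNEMONIC_OF_KNOWN_PHRASE:
                    return "the initials of a known phrase: \""
                            + mnemonics.get(stripSuffix(candidate)) + "\"";
                default:
                    return "not found in the configured dictionaries";
            }
        }

        public static void main(String[] args) {
            // Constructed sample dictionaries; a deployment would load much larger lists.
            ProactivePasswordCheck ppc = new ProactivePasswordCheck(
                    Arrays.asList("password", "welcome", "sunshine"),
                    Arrays.asList("may the force be with you",
                                  "to be or not to be that is the question"));
            // Constructed candidate passwords.
            for (String candidate : Arrays.asList("P@ssw0rd1!", "Mtfbwy2013", "abc123", "vR7#kq2LmZx9")) {
                System.out.println(candidate + " -> " + ppc.explain(candidate));
            }
        }
    }
    ```

    A candidate that passes is only absent from the configured lists; the check says nothing about its resistance to brute force beyond the length rule.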

    5.3.2 Picture Password: A Visual Login Technique for Mobile Devices

    Adequate user authentication is a persistent

    problem, particularly with handheld devices such as Personal Digital Assistants (PDAs), which

    tend to be highly personal and at the fringes of an organization's influence. Yet, these devices

    are being used increasingly in corporate settings where they pose a security risk, not only by

    containing sensitive information, but also by providing the means to access such information

    over wireless network interfaces. User authentication is the first line of defense for a lost or

    stolen PDA. However, motivating users to enable simple PIN or password mechanisms and

    periodically update their authentication information is a constant struggle. This paper describes a

    general purpose mechanism for authenticating a user to a PDA using a visual login technique

    called Picture Password.

    The underlying rationale is that image recall is an easy and natural way for users to

    authenticate, removing a serious barrier to compliance with organizational policy. Features of

    Picture Password include style dependent image selection, password reuse, and embedded

    salting, which overcome a number of problems with knowledge-based authentication for

    handheld devices. Though designed specifically for handheld devices, Picture Password is also

    suitable for notebooks, workstations, and other computational devices.

    Normally, passwords are used for:

    (a) Authentication (establishes that the user is who they say they are),

    (b) Authorization (the process used to decide if the authenticated person is allowed to access

    specific information or functions) and

    (c) Access control (restriction of access; includes authentication and authorization).

    Here a graphical password system with a supportive sound signature to increase the

    remembrance of the password is discussed.

    5.3.4 Java (programming language)

    Java is a programming language originally developed by James Gosling at Sun

    Microsystems (which is now a subsidiary of Oracle Corporation) and released in 1995 as a core

    component of Sun Microsystems' Java platform. The language derives much of its syntax from C

    and C++ but has a simpler object model and fewer low-level facilities. Java applications are

    typically compiled to bytecode (class file) that can run on any Java Virtual Machine (JVM)

    regardless of computer architecture. Java is general-purpose, concurrent, class-based, and object-

    oriented, and is specifically designed to have as few implementation dependencies as possible. It

    is intended to let application developers "write once, run anywhere". Java is considered by many

    as one of the most influential programming languages of the 20th century, and is widely used, from

    application software to web applications.

    The original and reference implementation Java compilers, virtual machines, and class

    libraries were developed by Sun from 1995. As of May 2007, in compliance with the

    specifications of the Java Community Process, Sun relicensed most of their Java technologies

    under the GNU General Public License. Others have also developed alternative implementations

    of these Sun technologies, such as the GNU Compiler for Java and GNU Classpath.

    5.3.5 J2EE application

    A J2EE application or a Java 2 Platform Enterprise Edition application is any

    deployable unit of J2EE functionality. This can be a single J2EE module or a group of modules

    packaged into an EAR file along with a J2EE application deployment descriptor. J2EE

    applications are typically engineered to be distributed across multiple computing tiers.

    Enterprise applications can consist of the following:

    EJB modules (packaged in JAR files);

    Web modules (packaged in WAR files);

    connector modules or resource adapters (packaged in RAR files);

    Session Initiation Protocol (SIP) modules (packaged in SAR files);

    application client modules;

    Additional JAR files containing dependent classes or other components required by the

    application;

    Any combination of the above.

    CHAPTER-6

    TESTING

    The various levels of testing are:

    1. White Box Testing

    2. Black Box Testing

    3. Unit Testing

    4. Functional Testing

    5. Performance Testing

    6. Integration Testing

    7. Objective

    8. Integration Testing

    9. Validation Testing

    10. System Testing

    11. Structure Testing

    12. Output Testing

    13. User Acceptance Testing

    White Box Testing

    Execution of every path in the program.

    Black Box Testing

    Exhaustive input testing is required to find all errors.

    Unit Testing

    Unit testing, also known as Module Testing, focuses verification efforts on the

    module. The module is tested separately and this is carried out at the programming stage

    itself.

    Unit test comprises the set of tests performed by an individual programmer

    before integration of the unit into the system.

    Unit test focuses on the smallest unit of software design: the software component

    or module.

    Using component level design, important control paths are tested to uncover

    errors within the boundary of the module.

    Unit test is white box oriented and the step can be conducted in parallel for

    multiple components.

    6.1 Functional Testing:

    Functional test cases involve exercising the code with normal input values for which the

    expected results are known, as well as the boundary values.

    6.1.2 Objective:

    The objective is to take unit-tested modules and build a program structure that has been

    dictated by design.

    Performance Testing:

    Performance testing determines the amount of execution time spent in various parts of the

    unit, program throughput, response time and device utilization of the program unit. It

    occurs throughout all steps in the testing process.

    Integration Testing:

    It is a systematic technique for constructing the program structure while at the same time

    conducting tests to uncover errors associated with the interface.

    It takes the unit tested modules and builds a program structure.

    All the modules are combined and tested as a whole.

    Integration of all the components forms the entire system, and an overall test is

    executed.

    6.2 Validation Testing:

    Validation test succeeds when the software functions in a manner that can be reasonably

    expected by the client.

    Software validation is achieved through a series of black box tests which demonstrate conformity

    with the requirements.

    Black box testing is conducted at the software interface.

    The test is designed to uncover interface errors, and is also used to demonstrate that software

    functions are operational, input is properly accepted, output is produced and that the

    integrity of external information is maintained.

    6.3 System Testing:

    Tests to find the discrepancies between the system and its original objective, current

    specifications and system documentation.

    6.4 Structure Testing:

    It is concerned with exercising the internal logic of a program and traversing particular

    execution paths.

    6.5 Output Testing:

    Output of test cases is compared with the expected results created during design of test

    cases.

    The output generated or displayed by the system under consideration is tested by asking

    the users about the format they require.

    Here, the output format is considered in two ways: one is on screen and the other is

    printed format.

    The output on the screen is found to be correct as the format was designed in the system

    design phase according to user needs.

    The hard copy output also comes out as per the users' specified requirements.

    6.6 User acceptance Testing:

    This is the final stage before handing over to the customer. It is usually carried out by the

    customer, and the test cases are executed with actual data.

    The system under consideration is tested for user acceptance by constantly keeping in

    touch with the prospective system user at the time of developing and making changes

    whenever required.

    It involves planning and execution of various types of test in order to demonstrate that the

    implemented software system satisfies the requirements stated in the requirement

    document.

    Two sets of acceptance tests are to be run:

    1. Those developed by the quality assurance group.

    2. Those developed by the customer.

    6.7 Feasibility Study

    Feasibility study is the test of a system proposal according to its workability, impact on the

    organization, ability to meet user needs, and effective use of resources. It focuses on the

    evaluation of the existing system and procedures, analysis of alternative candidate systems, and cost

    estimates. Feasibility analysis was done to determine whether the system would be feasible.

    The development of a computer based system or product is likely to be plagued by constraints on

    resources and delivery dates. A feasibility study helps the analyst to decide whether to

    proceed, amend, postpone or cancel the project, which is particularly important when the project is large,

    complex and costly. Once the analysis of the user requirements is complete, the system has to be

    checked for the compatibility and feasibility of the software package that is aimed at. An important

    outcome of the preliminary investigation is the determination that the system requested is

    feasible.

    6.8 Technical Feasibility:

    The technology used can be developed with the current equipment and has the technical

    capacity to hold the data required by the new system.

    This technology supports the modern trends of technology.

    Easily accessible, more secure technologies.

    Technical feasibility considers the existing system and to what extent it can support the proposed

    addition. We can add new modules easily without affecting the Core Program. Most of the parts are

    running in the server using the concept of stored procedures.

    6.9 Operational Feasibility:

    This proposed system can easily be implemented, as it is based on JSP coding (Java) and

    HTML. The database is created with MySQL server, which is more secure and easy to handle.

    The resources that are required to implement/install these are available. The personnel of the

    organization already have enough exposure to computers. So the project is operationally feasible.

    6.10 Economical Feasibility:

    Economic analysis is the most frequently used method for evaluating the effectiveness of a

    new system. More commonly known as cost/benefit analysis, the procedure is to determine the

    benefits and savings that are expected from a candidate system and compare them with costs. If

    benefits outweigh costs, then the decision is made to design and implement the system. An

    entrepreneur must accurately weigh the cost versus benefits before taking an action. This system

    is more economically feasible, which assesses the brain capacity with a quick & online test. So it is

    economically a good project.

    CHAPTER-7

    SOURCE CODE

    // Employee login
    import java.io.*;
    import java.sql.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class emplogin extends HttpServlet {

        public void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            // Request data lives in local variables: one servlet instance serves
            // every request, so instance fields would be shared between users.
            String eid = req.getParameter("eid");
            String password = req.getParameter("password");
            String Limageset = req.getParameter("Limageset");

            res.setContentType("text/html");
            HttpSession sn = req.getSession(true);
            sn.setAttribute("eid", eid);
            sn.setAttribute("password", password);

            try {
                Class.forName("com.mysql.jdbc.Driver");
                // try-with-resources closes the connection, statement and result set.
                try (Connection con = DriverManager.getConnection(
                             "jdbc:mysql://localhost:3306/captcha", "root", "password");
                     // Bound parameters keep the submitted values out of the SQL text.
                     PreparedStatement st = con.prepareStatement(
                             "select * from profile where username=? and password=?")) {
                    st.setString(1, eid);
                    st.setString(2, password);
                    try (ResultSet rs = st.executeQuery()) {
                        if (rs.next()) {
                            String email = rs.getString(11);
                            sn.setAttribute("email", email);
                            // Continue with the image set chosen on the login form.
                            if ("set1".equals(Limageset)) {
                                String destination = "/Multilevelsecurity/Loginset1.jsp";
                                res.sendRedirect(res.encodeRedirectURL(destination));
                            } else if ("set2".equals(Limageset)) {
                                String destination = "/Multilevelsecurity/Loginset4.jsp";
                                res.sendRedirect(res.encodeRedirectURL(destination));
                            }
                        } else {
                            String destination = "/Multilevelsecurity/failure.jsp";
                            res.sendRedirect(res.encodeRedirectURL(destination));
                        }
                    }
                }
            } catch (Exception e2) {
                // Log the error on the server instead of printing it into the response.
                log("emplogin failed", e2);
                if (!res.isCommitted()) {
                    res.sendRedirect(res.encodeRedirectURL("/Multilevelsecurity/failure.jsp"));
                }
            }
        }
    }

    // Create user account
    import java.io.*;
    import java.sql.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class createuseraccount extends HttpServlet {

        public void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            HttpSession sn = req.getSession(true);
            String username = req.getParameter("username");
            String password = req.getParameter("password");
            String firstname = req.getParameter("firstname");
            String lastname = req.getParameter("lastname");
            String address1 = req.getParameter("address1");
            String address2 = req.getParameter("address2");
            String city = req.getParameter("city");
            String state = req.getParameter("state");
            String zipcode = req.getParameter("zipcode");
            String telephone = req.getParameter("telephone");
            String emailid = req.getParameter("email");
            String imageset = req.getParameter("Imageset");

            // The registration details are kept in the session.
            sn.setAttribute("username", username);
            sn.setAttribute("password", password);
            sn.setAttribute("firstname", firstname);
            sn.setAttribute("lastname", lastname);
            sn.setAttribute("address1", address1);
            sn.setAttribute("address2", address2);
            sn.setAttribute("city", city);
            sn.setAttribute("state", state);
            sn.setAttribute("zipcode", zipcode);
            sn.setAttribute("telephone", telephone);
            sn.setAttribute("emailid", emailid);
            // Debug output; the password is left out so it does not reach the server log.
            System.out.println(telephone + zipcode + state + city + address2 + address1
                    + lastname + firstname + username);

            try {
                Class.forName("com.mysql.jdbc.Driver");
                try (Connection con = DriverManager.getConnection(
                        "jdbc:mysql://localhost:3306/captcha", "root", "password")) {
                    // The original has its "insert into profile(username,password,firstname,
                    // lastname,address1,address2,city,state,zipcode,telephone)" and
                    // "update log set username=..." statements commented out at this point,
                    // so the connection is only opened and closed again.
                }
                if ("set1".equals(imageset)) {
                    String destination = "/Multilevelsecurity/set1.jsp";
                    res.sendRedirect(res.encodeRedirectURL(destination));
                } else if ("set2".equals(imageset)) {
                    String destination = "/Multilevelsecurity/set4.jsp";
                    res.sendRedirect(res.encodeRedirectURL(destination));
                }
            } catch (Exception e2) {
                // The original only looked up failure.jsp here; the request is now forwarded to it.
                log("createuseraccount failed", e2);
                if (!res.isCommitted()) {
                    req.getRequestDispatcher("failure.jsp").forward(req, res);
                }
            }
        }
    }

    // User login
    import java.io.*;
    import java.sql.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class userlogin extends HttpServlet {

        public void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            String username = req.getParameter("username");
            HttpSession sn = req.getSession(true);
            sn.setAttribute("eid", username);

            // Page to forward to; stays on failure.jsp unless the user is found.
            String target = "failure.jsp";
            try {
                Class.forName("com.mysql.jdbc.Driver");
                try (Connection con = DriverManager.getConnection(
                             "jdbc:mysql://localhost:3306/captcha", "root", "password");
                     // The printed query stops at "where username"; the submitted
                     // username is bound here as a parameter.
                     PreparedStatement st = con.prepareStatement(
                             "select email from profile where username=?")) {
                    st.setString(1, username);
                    try (ResultSet rs = st.executeQuery()) {
                        if (rs.next()) {
                            // The query returns one column, so it is read by name
                            // rather than by index 11.
                            String email = rs.getString("email");
                            target = "mailAPI.jsp";
                        }
                    }
                }
                req.getRequestDispatcher(target).forward(req, res);
            } catch (Exception e2) {
                System.out.println("Exception : " + e2.toString());
            }
        }
    }

    CHAPTER-8

    RESULTS AND ANALYSIS

    Home page:

    FIG 8.1: Home Page

    This is the home page of the application, which links to the registration and login pages.

    Registration form:

    FIG 8.2: Registration Page

    This is the registration page. It is used to get the user details: username, address, email id, etc.

    Registration page

    FIG 8.3: Registration page

    Registration Grid 1

    FIG 8.4: Registration Grid 1

    This is an image password registration page at the level-2, grid-1 stage. The user needs to select an image as a password.

    Registration Grid 2

    FIG 8.5: Registration Grid 2

    This is an image password registration page at the level-2, grid-2 stage. The user needs to select an image as a password.

    Registration Grid 3

    FIG 8.6: Registration Grid 3

    This is an image password registration page at the level-2, grid-3 stage. The user needs to select an image as a password.

    Success page:

    FIG 8.7: Success Page

    Successful completion of registration links to this page.

    Login page:

    FIG 8.8: Login Page

    This is the login page. The user needs to log in after completing the registration page.

    One time password:

    FIG 8.9: One Time Password

    This page is the level-3 validation page. The user has to enter his OTP password in this page.

    User Verification Success:

    FIG 8.10: User Verification Success Page

    This is the successful login page. It means the user successfully completed all the 3 levels.

    Redirected Griet Home Page

    FIG 8.11: Griet Home Page

    This is the page the user is redirected to after successful completion of the 3 levels of login; it links to http://griet.ac.in

    CHAPTER-9

    CONCLUSION AND FUTURE WORK

    The three level security approach applied on the above system makes it highly secure along

    with being more user friendly. This system will definitely help thwart Shoulder attack,

    Tempest attack and brute-force attack at the client side. The 3-Level Security system is definitely a

    time consuming approach, as the user has to traverse through the three levels of security, and will

    need to refer to his email-id for the automatically generated one-time password. Therefore, this

    system cannot be a suitable solution for general security purposes, where time complexity will be

    an issue. But it will definitely be a boon in areas where high security is the main issue and time

    complexity is secondary. As an example, we can take the case of a firm where this system will be

    accessible only to some higher designation holding people, who need to store and maintain their

    crucial and confidential data securely. In the near future we will not only add more features but also make

    our system customizable.
