report purely automated graphical paswd
DESCRIPTION
PROJECT REPORT SAMPLETRANSCRIPT
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
1. INTRODUCTION
User authentication is a fundamental component in most computer security contexts. It
provides the basis for access control and user accountability. While there are various
types of user authentication systems, alphanumerical username/passwords are the most
common type of user authentication. They are versatile and easy to implement and
use. Alphanumerical passwords are required to satisfy two contradictory requirements.
They have to be easily remembered by a user, while they have to be hard to guess by
impostor . Users are known to choose easily guessable and/or short text passwords,
which are an easy target of dictionary and brute-forced attacks. Enforcing a strong
password policy sometimes leads to an opposite effect, as a user may resort to write
his or her difficult-to-remember passwords on sticky notes exposing them to direct
theft. In the literature, several techniques have been proposed to reduce the limitations
of alphanumerical password. One proposed solution is to use an easy to remember
long phrases (passphrase) rather than a single word. Another proposed solution is to
use graphical passwords, in which graphics (images) are used instead of
alphanumerical passwords. This can be achieved by asking the user to select regions
from an image rather than typing characters as in alphanumeric password approaches.
In this extended abstract, we propose a graphical password authentication system. The
system combines graphical and text-based passwords trying to achieve the best of both
worlds. The proposed system is described
Graphical Passwords:
Graphical passwords refer to using pictures (also drawings) as passwords. In theory,
graphical passwords are easier to remember, since humans remember pictures better
than words. Also, they should be more resistant to brute-force attacks, since the search
space is practically infinite. In general, graphical passwords techniques are classified
into two main categories: recognition-based and recall based graphical techniques . In
recognition-based techniques, a user is authenticated by challenging him/her to
JCET, LAKKIDI
1
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
identify one or more images he or she chooses during the registration stage. In recall-
based techniques, a user is asked to reproduce something that he or she created or
selected earlier during the registration stage. Passfaces is a recognition-based
technique, where a user is authenticated by challenging him/her into recognizing
human faces . In this approach, a user create a password by clicking on several
locations on an image. During authentication, the user must click on those locations.
PassPoints builds on Blonders idea, and overcomes some of the limitations of his
scheme. Several other approaches have been surveyed. Various graphical password
schemes have been proposed as alternatives to text-based passwords. Research and
experience have shown that text-based pass-words are fraught with both usability and
security problems that make them less than desirable solutions. Psychology studies
have revealed that the human brain is better at recognizing and recalling images than
text graphical pass-words are intended to capitalize on this human characteristic in
hopes that by reducing the memory burden on users, coupled with a larger full
password space offered by images, more secure passwords can be produced and users
will not resort to unsafe practices in order to cope speakers of any language. It
propose and examine the usability and security of CuedClick Points (CCP), a cued-
recall graphical password technique. Users click on one point per image for a
sequence of images. The next image is based on the previous click-point. We present
the results of an initial user study which revealed positive results. Performance was
very good in terms of speed, accuracy, and number of errors. Users preferred CCP to
PassPoints , saying that selecting and remembering only one point per image was
easier, and that seeing each image triggered their memory of where the corresponding
point was located.
t also suggest that CCP provides greater security than PassPoints because the
number of images increases the workload for attackers. or a sequence of images. The
next image displayed is based on the previous click-point so users receive immediate
implicit feedback as to whether they are on the correct path when logging in. CCP
offers both improved usability and security. We conducted an in-lab user study with
JCET, LAKKIDI
2
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
24 participants and a total of 257 trials. Users had high success rates, could quickly
create and re-enter their passwords, and were very accurate when entering their click-
points. Participants rated the system positively and indicated that they preferred CCP
to a PassPoints-style system. They also said that they appreciated the immediate
implicit feedback telling them whether their latest click-point was correctly entered.
A preliminary security analysis of this new scheme is also presented. Hotspots (i.e.,
areas of the image that users are more likely to select) are a concern in click-based
passwords, so CCP uses a large set of images that will be difficult for attackers to
obtain. For our proposed system, hotspot analysis requires proportionally more effort
by attackers, as each image must be collected and analyzed individually. CCP appears
to allow greater security than PassPoints , the workload for attackers of CCP can be
arbitrarily increased by augmenting the number of images in the system. As with most
graphical passwords, CCP is not intended for environments where shoulder-surfing is
a serious threat.
Graphical Password Strategy:
Cued Click Points (CCP) is a proposed alternative to PassPoints. In CCP, users click
one point on each of c = 5 images rather than on five points on one image. It offers
cued-recall and introduces visual cues that instantly alert valid users if they have
made a mistake when entering their latest click-point (at which point they can cancel
their attempt and retry from the beginning). It also makes attacks based on hotspot
analysis more challenging, as we discuss later. As shown in Figure 1, each click
results in showing a next-image, in effect leading users down a “path” as they click
on their sequence of points. A wrong click leads down an incorrect path, with an
explicit indication of authentication failure only after the final click. Users can choose
their images only to the extent that their click-point indicates the next image. If they
dislike the resulting images, they could create a new password involving different
click-points to get different images. A trial consisted of the following steps.
(i) Create phase: Create a password by clicking on one point in each of five system-
JCET, LAKKIDI
3
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
selected images presented in sequence.
(ii) Confirm phase: Confirm this password by re-entering it correctly. Users in
correctly confirming their password could retry the confirmation or return to
Step1:A new password started with the same initial image, but generally included
different images thereafter, depending on the click-points. Two questions: Answer two
10-point Likert scale questions on the computer about their current password’s ease
of creation and predicted memorability. Likert scale questions ask respondents to
indicate their level of agreement with the given statement on a scale ranging from
strongly agree to strongly disagree.
(iii) Login phase: Log in with their current password. If users noticed an error
during login, they could cancel their login attempt and try again. Alternatively, if they
did not know their password, they could create a new password, effectively returning
to Step1: of the trial with the same initial image as a starting point. If users felt too
frustrated with the particular images to try again, they could skip this trial and move
on to the next trial.
JCET, LAKKIDI
4
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
2. LITERATURE SURVEY
Access to computer systems is most often based on the use of alphanumeric
passwords. However, users have difficulty remembering a password that is long and
random-appearing. Instead, they create short, simple, and insecure passwords.
Graphical passwords have been designed to try to make passwords more memorable
and easier for people to use and, therefore, more secure. Using a graphical password,
users click on images rather than type alphanumeric characters. We have designed a
new and more secure graphical password system, called PassPoints. In this paper we
describe the PassPoints system, its security characteristics, and the empirical study we
carried out comparing PassPoints to alphanumeric passwords. In the empirical study
participants learned either an alphanumeric or graphical password and subsequently
carried out three longitudinal trials to input their passwords over a period of five
weeks. The results show that the graphical group took longer and made more errors in
learning the password, but that the difference was largely a consequence of just a few
graphical participants who had difficulty learning to use graphical passwords. In the
longitudinal trials the two groups performed similarly on memory of their password,
but the graphical group took more time to input a password.
Backgrounds on passwords:
Identification and authentication can be considered as the basic method for providing
system security. These two methods commonly assure access control at the first
boundary of the system. Before accessing resources of the system user needs to
provide his identifier by giving some secret information or something that only he own
or only he has as the part of his personality. One of the instances of secret information
JCET, LAKKIDI
5
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
is a password. It is commonly used technology for authentication in different kinds of
computer systems. Typically passwords are (i) It should be easy to remember, and the
user authentication protocol should be executable quickly and easily by humans.
(ii) Passwords should be secure, that is they should look random and should be hard to
guess; they should be changed frequently, and should be different on different
accounts of the same user; they should not be written down or stored in plain text
Mainly two types of passwords are used- text password(alphanumeric passwords) and
graphical password. Text password is presented as a sequence of digits and letters;
however graphical password is concerned with images.
Alpha numeric passwords:
Alpha-numeric passwords were first introduced in the 1960s as a solution to security
issues that became evident as the first multi-user operating systems were being
developed. As the name indicates, an alpha-numeric password is simply a string of
letters and digits. Although almost any string can serve as a password, these passwords
only offer good security as long as they are complicated enough so that they cannot be
deduced or guessed.
Usually guidelines for text passwords are:
(i) Length of the password should be at least 8 characters.
(ii) Password should not consist of any relative information to user otherwise it would
be easy to guess such password.
(iii) Moreover it is a good practice not to use popular combinations or words (such as:
123456789, QAZwsx11, password) because in this case it becomes possible to use
dictionary attack on it.
(iv) Better to combine upper and lower case in the password.
So it will be critical to create strong and random password not related to the user and
using combinations of alphabetic, numeric and other symbols in it. However in this
case user can face with the problem of too complicated password which can be hard to
remember Also usage of such “strong” passwords can lead to the different side effects.
In order to decrease the amount of passwords to remember user can begin to use one
JCET, LAKKIDI
6
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
everywhere, what may increase the possibility of stealing or cracking it. If policy of
the system force user to change passwords periodically he can simplify this changes by
substituting one letter or use few passwords in a loop. The main thing to remember is
that users almost always go by way of the least resistance and it does not matter how
strict the policy is. As we can see using the text password means to find a balance
between easy‐to‐remember and easy‐to‐break passwords from one side and strong but
hard to remember from the other side.
The major drawback of alpha-numeric password is the dictionary attack. Because of
the difficulty in remembering random strings of characters, most users tend to choose
a common word, or a name. Unfortunately, there are several tools that allow an
individual to crack passwords by automatically testing all the words that occur in
dictionaries or public directories. This attack will usually not uncover the password of
a predetermined user; but studies have shown that this attack is usually successful in
finding valid passwords of some users of given system. For example
Regular word: Michael
Alphanumeric password:**M1ch@3L
Graphical passwords:
Graphical passwords can be used like alternative to the text ones. This technology is
free from text password limitations. It is based on the human’s peculiarity to
remember visual images better than the text ones. Graphical passwords were originally
described by Blonder (1996). In his description of the concept an image would appear
on the screen, and the user would click on a few chosen regions of it. If the correct
regions were clicked in, the user would be authenticated. Memory of passwords and
efficiency of their input are two key human factors criteria. Memorability has two
aspects: how the user chooses and encodes the password and what task the user does
when later retrieving the password. In a graphical password system, a user needs to
choose memorable locations in an image. Choosing memorable locations depends on
the nature of the image itself and the specific sequence of click locations. To support
JCET, LAKKIDI
7
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
memorability, images should have semantically meaningful content because meaning
for arbitrary things is poor. This suggests that jumbled or abstract images will be less
memorable than concrete, real-world scenes. A graphical password is an
authentication system that works by having the user select from images, in a specific
order, presented in a graphical user interface (GUI). For this reason, the graphical-
password approach is sometimes called graphical user authentication (GUA).A
graphical password is easier than a text-based password for most people to remember.
Suppose an 8-character password is necessary to gain entry into a particular computer
network. Instead of w8KiJ72c,for example, a user might select images of the earth
(from among a screen full of real and fictitious planets), the country of France (from a
map of the world), the city of Nice (from a map of France), a white stucco house with
arched doorways and red tiles on the roof, a green plastic cooler with a white lid, a
package of Gouda cheese, a bottle of grape juice, and a pink paper cup with little green
stars around its upper edge and three red bands around the middle.
Fig.1.Graphical password
Graphical passwords may offer better security than text-based passwords because
many people, in an attempt to memorize text-based passwords, use plain words (rather
than the recommended jumble of characters). A dictionary search can often hit on a
password and allow a hacker to gain entry into a system in seconds. But if a series of
selectable images is used on successive screen pages, and if there are many images on
each page, a hacker must try every possible combination at random. If there are 100
JCET, LAKKIDI
8
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
images on each of the 8 pages in an 8-image password, there are 1008, or 10
quadrillion (10,000,000,000,000,000), possible combinations that could form the
graphical password! If the system has a built-in delay of only 0.1 second following the
selection of each image until the presentation of the next page, it would take (on
average) millions of years to break into the system by hitting it with random image
sequences.
Advantages:
The advantages of graphical password are :
Usability:
As it was mentioned before one of the most convincing reasons for using graphical
password scheme is the fact that humans seem to have an amazing ability for recalling
pictures, whether they are line drawings or real objects. Human’s brain tends to
remember visual images much more easily. So from this point of view Graphical
password is more preferable for users because combination of images is easier to
remember and reproduce than the combination of letters and digest. Another benefit
for using graphical password is alphabetic independency. It does not matter what
language user operates, human’s ability to draw, memorize and recognize visual
images is nationality independent.
Security:
Second advantage of graphical scheme is infeasibility to dictionary attacks, because of
the large password space, but mainly because there are no pre‐existing searchable
dictionaries for graphical information. In some methods of graphical passwords it is
hard to produce automatic attacks (for instance image recognition and determination
based on content). This scheme is free of some commonly used techniques of logging.
Disadvantages:
Security:
First disadvantage originates from usability advantage. Because for human it is easy to
remember visual images, possibilities of “shoulder‐surfing” attack increasing. This
usability has double effect: from one side it becomes easily for average user to
JCET, LAKKIDI
9
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
remember the password, from the other side criminal can easily remember the whole
combination of images or areas on the image by standing behind the user. There are
some techniques which can prevent such kind of attacks.
Second disadvantage is not critical nowadays but still it exists. Graphical passwords
require corresponding hardware and software availability on a user’s machine. (For
instance – mouse or touch screen for cursor gesture recognition based passwords).
The main disadvantage of the graphical password is similar to main disadvantage of
text one. It is – human. It does not matter how complex, secure and powerful your
security system is. If user chose a weak password it can be easily hacked. For example
in DAS method if user instead of using random long graphical password draws a
circle, there is a high probability that such easy password will be remembered by
attacker and reproduced easier that stronger one. In this case the only thing that can be
made is to force users to choose strong password and periodically change it. Moreover
it is better to implement a service which will control a similarity of user’s new
password with the previous one.
Usability:
Apart of all advantages all graphical passwords have the same “problem”‐ they take
much longer time for log in than textual passwords. Especially for “Pick‐O‐lock
scheme” where user needs to remember all strings for all variation of password’s icon.
For example if we have 4 password’s icon user needs to remember 16 strings, for 5 –
25 strings and so on.
Passpoint Graphical Password:
Now days, to access a computer resource, the most common authentication method we
are using is traditional ‘username’ and ‘Password’, in which the password is secret
alphanumeric word known to the computer and the user. But users have many
problems with the alphanumeric passwords. If a password is not used frequently then
there is a chance of forgetting and if the password is hard to guess, it is hard to
JCET, LAKKIDI
10
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
remember. For these reasons the researchers have developed various graphical
password schemes.
The PassPoints scheme was first developed by Wiedenbeck,and it is based on the idea
of Blonder. Even in Blonder’s approach the password is represented by multiple clicks
on a single image. But Wiedenbeck’s PassPoints system overcomes the limitation of
Blonder’s scheme, i.e. there are no predefined boundaries around areas of the image
where the user can click. One of the advantages with PassPoints scheme is that a user
can click on anyplace on the image. It allows the use of arbitrary images. After
clicking on several areas, the sequence is stored. A tolerance region around the chosen
click points is calculated. When logging in, the user has to click on points within the
tolerance. Generally, users cannot click on the same points that are selected during
registration. So, a tolerance is given. This tolerance allows a user to click on nearby
locations. For example, if the tolerance is 20X20, users can click on any location
within the 20 pixels around (top, bottom, left, right) a click point.
Fig .2. The PassPoint interface
.
There is another method in which a single click on multiple images is allowed. It is
called as Cued Click Points. These schemes are called as cued recall based schemes
since the background image can be regarded as a cue to recall the location of clicks
chosen as a password. Along with PassPoints technique, there are other techniques
existing. One such technique is Passfaces, in which user chooses four faces from a
JCET, LAKKIDI
11
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
pool of faces. When logging in , the user sees a 3X3 grid of nine faces, consisting of
one face previously chosen by the user and eight decoy faces, the user has to recognize
and click anywhere on the chosen face. This procedure is repeated.
Shoulder Surfing Attack:
Main drawbacks for the current graphical password schemes are the shoulder-surfing
problem and usability problem. Even though graphical passwords are difficult to guess
and break, if someone directly observes during the password entering session, he/she
probably figure out the password by guessing it randomly. Nevertheless, the issue of
how to design the authentication systems which have both the security and usability
elements is yet another example of what making the challenge of Human Computer
Interaction (HCI) and security communities. In computers security jargon, shoulder-
surfing refers to the direct observation techniques, such as looking over someone’s
shoulder, to get information like passwords, PINs and other sensitive personal
information. As well as when a user enters information using a keyboard, mouse,
touch screen or any traditional input device. Like text based passwords graphical
passwords are also vulnerable to Shoulder-Surfing.
Cued Click Point:
The usability and security of CuedClick Points (CCP), a cued-recall graphical
password technique. Users click on one point per image for a sequence of images.
The next image is based on the previous click-point. Performance was very good in
terms of speed, accuracy, and number of errors. Users preferred CCP to PassPoints
(Wiedenbeck ), saying that selecting and remembering only one point per image was
easier, and that seeing each image triggered their memory of where the corresponding
point was located. We also suggest that CCP provides greater security than PassPoints
because the number of images increases the workload for attackers. or a sequence of
images. The next image displayed is based on the previous click-point so users
receive immediate implicit feedback as to whether they are on the correct path when
JCET, LAKKIDI
12
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
logging in. CCP offers both improved usability and security. We conducted an in-
lab user study with 24 participants and a total of 257 trials. Users had high success
rates, could quickly create and re-enter their passwords, and were very accurate when
entering their click-points. Participants rated the system positively and indicated that
they preferred CCP to a PassPoints-style system. They also said that they appreciated
the immediate implicit feedback telling them whether their latest click-point was
correctly entered. A preliminary security analysis of this new scheme is also
presented. Hotspots (i.e., areas of the image that users are more likely to select) are a
concern in click-based passwords , so CCP uses a large set of images that will be dif-
ficult for attackers to obtain. For our proposed system, hotspot analysis requires
proportionally more effort by attackers, as each image must be collected and analyzed
individually. CCP appears to allow greater security than PassPoints; the workload for
attackers of CCP can be arbitrarily increased by augmenting the number of images in
the system. As with most graphical passwords, CCP is not intended for environments
where shoulder-surfing is a serious threat.
JCET, LAKKIDI
13
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
3.SYSTEM ANALYSIS AND DESIGN
Existing System:
The existing system does not allow the companies to centralize the document
management. Document encryption and decryption is not performed. It does not
provide security for confidential material from accidental misuse, employee theft,
unauthorized distribution etc.
Drawbacks Of Existing Systems:
(i)Lack of security
(ii)Prone to unauthorized distribution
(iii)Lack of desired accuracy
(iv)No encryption and decryption
Proposed System:
The proposed Cued Click Points scheme shows promise as a usable and memorable
authentication mechanism. By taking advantage of users’ ability to recognize images
and the memory trigger associated with seeing a new image, CCP has advantages over
PassPoints in terms of usability. Being cued as each image is shown and having to
remember only one click-point per image appears easier than having to remember an
ordered series of clicks on one image. In our small comparison group, users strongly
preferred CCP. We believe that CCP offers a more secure alternative to PassPoints.
CCP increases the workload for attackers by forcing them to first acquire image sets
JCET, LAKKIDI
14
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
for each user, and then conduct hotspot analysis on each of these images. Fur16 Cued
Click Points theremore, the system’s flexibility to increase the overall number of
images in the system allows us to arbitrarily increase this workload.
Feasibility Study:
Feasibility study is a procedure that identifies, describes and evaluates candidate
system and selects the best system for the job. An estimate is made of whether the
identified user needs may be satisfied using current software and hardware
technologies. The study will decide if the proposed system will be cost effective from
a business point of view and if it can be developed given existing budgetary
constraints. The key considerations involved in the feasibility analysis are economic,
technical, behavioral and operational.
Economic Feasibility:
The economic analysis is to determine the benefits and savings that are expected from
a candidate system and compare them with costs. The system is economically
feasible, as the organization possesses the hardware and software resources required
for the functioning of the system. Any additional resources, if required, can also be
easily acquired.
Technical Feasibility:
It centers on the existing computer system and to what extent it can support the
proposed addition. Since the minimum requirements of the system like IIS o the
server and a browser on the client, are met by any average user.
Operational Feasibility:
The system operation is the longest phase in the development life cycle of a system.
So, operational feasibility should be given much importance. The users of the system
don’t need thorough training on the system. All they are expected to know to operate
the system is the basic net surfing knowledge. It has a user-friendly interface.
Behavioral Feasibility:
JCET, LAKKIDI
15
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
In today’s world, where computer is an inevitable entity, the systems like auction site,
which requires no special efforts than surfing the net are enjoying wide acceptance.
Thus the organization is convinced that the system is feasible.
Modules Of The Proposed System are:-
1.Functional management
2. Image manipulation
3.Security
4.User management
5.Network management
User management:
The user management is the place where the administrator manages the GUI that helps
the users to easily use the system without difficulty. Here we implement the side that
is directly in contact with the users.
Image manipulation:
The image manipulation deals with manipulation of the images. Here the adding
removing images to the pool is happening. This pool is used for future password
tracing stages.
Functional Operation:
The implementation of the function by means of which the manipulation of the image
takes is implemented here. It is by means of this function that the jumbling of the
image from one to another , so that each character is traced carefully.
Security:
Here security of the system is implemented in this module. Order of images is
correctly evaluated. And ensures authentication standard.
Data Flow Diagram
JCET, LAKKIDI
16
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.3.Context level
Figure.4.Level 1
The level 1 of proposed system consists various levels of operations : user
management,image manipulation,security and functional operation.The user can login
through login section .
JCET, LAKKIDI
17
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.5.user Management
The user management is the place where the administrator manages the GUI that helps
the users to easily use the system without difficulty. Here we implement the side that
is directly in contact with the users.
JCET, LAKKIDI
18
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.6.Security
Here security of the system is implemented in this module. Order of images is
correctly evaluated. And it ensures authentication standard.
JCET, LAKKIDI
19
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.7.Image Manipulation
The image manipulation deals with manipulation of the images. Here the adding
removing images to the pool is happening. This pool is used for future password
tracing stages.
JCET, LAKKIDI
20
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.8.Functional Operation
The implementation of the function by means of which the manipulation of the image
takes is implemented here. It is by means of this function that the jumbling of the
image from one to another , so that each character is traced carefully.
JCET, LAKKIDI
21
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
4. SYSTEM SPECIFICATION AND DESIGN
The purpose of system requirements analysis is to obtain a thorough and detailed
understanding of the business need as defined in project origination and captured in the
business case, and to break it down into discrete requirements, which are then clearly
defined, reviewed and agreed upon with the customer decision makers. During system
requirements analysis, the framework for the application is developed, providing the
foundation for all future design and development efforts.
Table.1. Hardware Requirements
System IBM-Compatible PC
Processor Intel Pentium IV or above
Speed 2.8 GHz.
Memory 512 MB RAM
Hard Disk Drive 80 GB
Table.2. Software Requirements
Java:
Java is a programming language originally developed by James Gosling at Sun
JCET, LAKKIDI
Development Platform Windows XP/Linux
Front-End Tool JAVA
Back-End Tool My SQL/SQL Server
IDE Net Beans/Visual Studio
22
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Microsystems (which is now a subsidiary of Oracle Corporation) and released in 1995
as a core component of Sun Microsystems' Java platform. In the Java programming
language, all source code is first written in plain text files ending with the .java
extension. Those source files are then compiled into .class files by the javac compiler.
A class file does not contain code that is native to your processor; it instead contains
bytecodes the machine language of the Java Virtual Machine (Java VM). The java
launcher tool then runs your application with an instance of the Java V Because the
Java VM is available on many different operating systems, the same .class files are
capable of running on Microsoft Windows, the Solaris Operating System (Solaris
OS), Linux, or Mac OS. This include various tasks such as finding performance
bottlenecks and recompiling (to native code) frequently used sections of code.
Through the Java VM, the same application is capable of running on multiple
platforms.
The Java Platform:
A platform is the hardware or software environment in which a program runs.We've
already mentioned some of the most popular platforms like Microsoft Windows,
Linux, Solaris OS, and Mac OS. Most platforms can be described as a combination of
the operating system and underlying hardware. The Java platform differs from most
other platforms in that it's a software-only platform that runs on top of other hardware-
based platforms. The Java platform has two components: the java virtual machine and
the java Application Programming Interface (API). The Java Virtual Machine; it's the
base for the Java platform and is ported onto various hardware-based platforms.
The API is a large collection of ready-made software components that provide many
useful capabilities. It is grouped into libraries of related classes and interfaces; these
libraries are known as packages. The API and Java Virtual Machine insulate the
program from the underlying hardware.
As a platform-independent environment, the Java platform can be a bit slower than
native code. However, advances in compiler and virtual machine technologies are
JCET, LAKKIDI
23
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
bringing performance close to that of native code without threatening portability.
Java platform gives you the following features:
Development Tools: The development tools provide everything you'll need for
compiling, running, monitoring, debugging, and documenting your applications. As a
new developer, the main tools you'll be using are the javac compiler, the java launcher,
and the javadoc documentation tool.
Application Programming Interface (API): The API provides the core functionality of
the Java programming language. It offers a wide array of useful classes ready for use in
your own applications. It spans everything from basic objects, to networking and security,
to XML generation and database access, and more. The core API is very large.
Deployment Technologies: The JDK software provides standard mechanisms such as the
Java Web Start software and Java Plug-In software for deploying your applications to end
users.
User Interface Toolkits: The Swing and Java 2D toolkits make it possible to create
sophisticated Graphical User Interfaces (GUIs).
Integration Libraries: Integration libraries such as the Java IDL API, JDBCTM API,
Java Naming and Directory InterfaceTM ("J.N.D.I.") API, Java RMI, and Java Remote
Method Invocation over Internet Inter-ORB Protocol Technology (Java RMI-IIOP
Technology) enable database access and manipulation of remote objects. Java technology
will help to do the following:
Get started quickly: Although the Java programming language is a powerful object-
oriented language, it's easy to learn, especially for programmers already familiar with C
or C++.
Write less code: Comparisons of program metrics (class counts, method counts, and so
on) suggest that a program written in the Java programming language can be four times
smaller than the same program written in C++.
Write better code: The Java programming language encourages good coding practices,
JCET, LAKKIDI
24
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
and automatic garbage collection helps you avoid memory leaks. Its object orientation, its
JavaBeansTM component architecture, and its wide-ranging, easily extendible API let
you reuse existing, tested code and introduce fewer bugs.
Develop programs more quickly: The Java programming language is simpler than C++,
and as such, your development time could be up to twice as fast when writing in it. Your
programs will also require fewer lines of code.
Avoid platform dependencies: You can keep your program portable by avoiding the use
of libraries written in other languages.
Write once, run anywhere: Because applications written in the Java programming
language are compiled into machine-independent bytecodes, they run consistently on any
Java platform.
Distribute software more easily: With Java Web Start software, users will be able to
launch your applications with a single click of the mouse. An automatic version check at
startup ensures that users are always up to date with the latest version of your software. If
an update is available, the Java Web Start software will automatically update their
installation.
JavaServerPages(JSP):
JSP is a java based technology that simplifies the process of developing dynamic web
sites. With JSP, web designers and developers can quickly incorporate dynamic elements
into web pages using embedded java and simple mark-up tags. These tags provide the
HTML designer with a way to access data and business logic stored inside java objects.
Java Server Pages are text files with the extension .jsp, which take the place of traditional
HTML pages. JSP files contain traditional HTML along with embedded code that allows
the developer to access data from the java code running on the server. JSP offers several
benefits for dynamic content generation. As a Java-based technology, it enjoys all of the
advantages that the Java language provides with respect to development and deployment.
As an object-oriented language with strong typing, encapsulation, exception handling,
and automatic memory management, use of Java leads to increased programmer JCET, LAKKIDI
25
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
productivity and more robust code. Because compiled Java bytecode is portable across all
platforms that support a JVM, use of JSP does not lock us into using a specific hardware
platform, operating system, or server software. If a switch in any of these components
becomes necessary, all JSP pages and associated Java classes can be migrated over as is.
Because JSP is vendor-neutral, developers and system architects can select best of breed
solutions at all stages of JSP deployment .JSP technology is the Java platform technology
for building applications containing dynamic web content such as HTML, DHTML,
XHTML, and XML. The Java Server Pages technology enables the authoring of web
pages that create dynamic content easily but with maximum power and flexibility. The
Java Server Pages technology offers a number of advantages:
Write Once, Run Anywhere properties:
The Java Server Pages technology is platform independent, both in its dynamic Web
pages, its Web servers, and its underlying server components. We can author JSP pages
on any platform, run them on any Web server or Web enabled application server, and
access them from any web browser. We can also build the server components on any
platform and run them on any server.
High quality tool support:
The Write Once, Run Anywhere properties of JSP allows the user to choose best-of-breed
tools. Additionally, an explicit goal of the Java Server Pages design is to enable the
creation of high portable tools.
Reuse of components and tag libraries:
The Java Server Pages technology emphasizes the use of reusable components such as
Java Bean components, Enterprise Java Beans components and tag libraries. These
components can be used in interactive tools for component development and page
composition. This saves considerable development time while giving the cross-platform
power and flexibility of the Java programming language and other scripting languages.
Separation of dynamic and static content:
The Java Server Pages technology enables the separation of static content from dynamic
content that is inserted into the static template. This greatly simplifies the creation of
JCET, LAKKIDI
26
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
content. This separation is supported by beans specifically designed for the interaction
with server-side objects, and, specifically, by the tag extension mechanism.
Support for scripting and actions:
The Java Server Pages technology supports scripting elements as well as actions. Actions
permit the encapsulation of useful functionality in a convenient form that can also be
manipulated by tools. Scripts provide mechanism to glue together this functionality in a
per-page manner.
Web access layer for N-tier enterprise application architecture:
The Java Server pages technology is an integral part of the Java 2Platform Enterprise
Edition (J2EE), which brings Java technology to enterprise computing. We can now
develop powerful middle-tier server applications, using a web site that uses Java Server
Pages technology as a front end to Enterprise Java Beans components in a J2EE
complaint.
My SQL:
MySQL database has become the world's most popular Open source database because of
its consistency, fast performance, high reliability and ease of use. It has also become the
database of choice for a new generation of applications built on the LAMP stack (Linux,
Apache, MySQL, PHP / Perl / Python). MySQL runs on more than 20 platforms
including Linux, Windows, OS/X, HP-UX, AIX, Netware, giving you the kind of
flexibility that puts you in control. MySQL offers a comprehensive range of certified
software, support, training and consulting.
MySQL is a multithreaded, multi-user SQL Database Management System. My SQL's
implementation of a relational database is an abstraction on top of a computer’s file
system. The relational database abstraction allows collection of data items to be
organized as a set of formally described tables. Data can be accessed or reassembled from
these tables in many different ways, which do not require any reorganization of the
database tables themselves.
Relational database speak SQL (Structured Query Language). SQL is a standard
interactive programming language for getting information from and updating a relational
JCET, LAKKIDI
27
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
database. Although SQL itself is both an ANSI and an ISO standard, many database
products support SQL with proprietary extensions to the standard language.
MySQL's extensions to SQL are not proprietary, since MySQL's code is kept free (as in
the user's library to use hte code) by the GPL. SQL queries take the form of a command
language that lets you select, insert, update, find out the location of data, and so forth.
My SQL Features:
Very fast and much reliable for any type of application.
Very lightweight application.
Command line tool is very powerful and can be used to run SQL
queries against database.
Supports indexing and binary objects.
Allows changing the structure of table while server is running.
It has a wide user base.
It is a very fast thread-based memory allocation system.
JCET, LAKKIDI
28
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
5. PROJECT DESCRIPTION AND IMPLEMENTATION
Cued Click Points (CCP) is a proposed alternative to PassPoints. In CCP, users click
one point on each of c = 5 images rather than on five points on one image. It offers
cued-recall and introduces visual cues that instantly alert valid users if they have
made a mistake when entering their latest click-point (at which point they can cancel
their attempt and retry from the beginning). It also makes attacks based on hotspot
analysis more challenging, as we discuss later. As shown in Figure each click results
in showing a next-image, in effect leading users down a “path” as they click on their
sequence of points. A wrong click leads down an incorrect path, with an explicit
indication of authentication failure only after the final click. Users can choose their
images only to the extent that their click-point indicates the next image. If they dislike
the resulting images, they could create a new password involving different click-
points to get different images. A trial consisted of the following steps.
1. Create phase: Create a password by clicking on one point in each of five system-
selected images presented in sequence.
2. Confirm phase: Confirm this password by re-entering it correctly. Users in-
correctly confirming their password could retry the confirmation or return to Step 1.
A new password started with the same initial image, but generally included different
images thereafter, depending on the click-points.
3. Two questions: Answer two 10-point Likert-scale questions on the computer
about their current password’s ease of creation and predicted memorability. Likert-
scale questions ask respondents to indicate their level of agreement with the given
JCET, LAKKIDI
29
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
statement on a scale ranging from strongly agree to strongly disagree.
4. MRT: Complete a Mental Rotations Test (MRT) puzzle . This was based on task
that is used to distract users for a minimum of 30 seconds by giving them a visual
task to complete in order to clear their working memory.
5. Login phase: Log in with their current password. If users noticed an error during
login, they could cancel their login attempt and try again. Alternatively, if they did
not know their password, they could create a new password, effectively returning to
Step 1 of the trial with the same initial image as a starting point. If users felt too
frustrated with the particular images to try again, they could skip this trial and move
on to the next trial.
Figure.9.Implementation
Client :
(i) Username and Password.
(ii) Matters.
(iii)New Registration.
User:
(i) View Advertisements.
(ii) Registration.
JCET, LAKKIDI
30
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.10.Images in image pool
Ad-Manager consist of mainly 3 modules:
(i)The Administration module.
(ii)Transaction module.
(iii)Client module
Administrator Module:
This module provides an interface to store informations of client ,user and
applications. The basic details along with the rights and permissions provides the
scope of this module. This modules provides service like client registration alter/drop,
user registration alter/drop and application registration alter/drop.
(i)Client Registration And Alter/drop.
(ii)The User Registration And Alter/Drop.
(iii)Application Registration Alter/Drop.
Transaction Module:
Transaction module includes Tariff management, various reports, different member
activations etc .Advertisement management is also a part of this module.Tariff
management includes different rates,which based on the number of images and
videos.In the member activation different members are activated or deactivated based
on their payments. Management of various advertisements are also under the control
JCET, LAKKIDI
31
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
of administrator.
(i)Tariff Management.
(ii)Payments.
(iii)Reports.
(iv)Member Activation.
(v)Advertisement Management
Client Module:
This module provides details of clients. Client can upload/delete the images and videos
in the space which is allocated by the administrator. Client can renew their account by
paying an extra amount.
(i)Uploading
(ii)New Registration.
(iii)Client Renewal.
(iv)Change Password.
Home page:
Home page contains login section for user and administrator or manager. Existing
both user and administrator / manager can login through login section for entering
bank transaction . Using the signup function the new user can register by selecting
graphical password and login to the bank transaction process .
JCET, LAKKIDI
32
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.11.Home page
New User Registration:
New user can register through signup function that he /she can enter into the
registration form. By entering the correct details in all fields he/she must click create
account button.
JCET, LAKKIDI
33
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.12.New user registration
Figure.13.Image pool
After successful registration user can enter into an image pool.Imagepool is a
window that contains lot of images added by administrator. From there user can select JCET, LAKKIDI
34
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
first image, and second image and so on. After selecting images user can click DONE
button.
Figure.14.Cued click page
After selecting images from the image pool user can directly enter a new window
that contain the previous selected images. User can choose any specific point on the
images. This specific points choosen as passwords and must be remember .That points
stored in the database. After these steps , registration process is completed.
Login Page:
After successful registration , the user can first enter user name and text password to
enter to bank transaction.Valid user can enter into next section.
JCET, LAKKIDI
35
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.15.Login Page1
Figure.16.Login page 2
After that user enter into the another window it contain the image pool. From there
user can select first image that user selected during registration time.And then user
click the valid specific point on the image.If clicked point is correct then the user can
enter to the second picture previously selected by the user.
JCET, LAKKIDI
36
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.17.Login Page 3
By selecting the valid point in first image, the user can enter to the second image.If
the user can click the point that can clicked during the registration time.If the point is
valid, then login is successfully done.
Figure.18.User home page
JCET, LAKKIDI
37
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
After successful login, user can enter to the user home page.Though the user can
perform various actions like viewing profile,fund transfer,feedbacks,requests etc.
Administrator Home page:
The administrator can login with his/her password and id.The figure shows
The administrator home page.Administrator has the authority to perform various
Actions.The actions like changing password, bug viewing,adding manager,
editing imaging settings etc.
JCET, LAKKIDI
38
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
Figure.19.Administrator home page
Manager Home Page:
Administrator has the authority to add manager .The figure shows manager home page.
Manager performs various actions like updating balance,user management,changing
password, updating balance etc.
Figure.20.Manager Home page
JCET, LAKKIDI
39
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
APPENDIX
Code Of Application:
DATABASE CONNECTIVITY …..dbconnect.javapackage DBAccess;import java.sql.*;public class DBConnect{ Connection cn; Statement st; ResultSet rs; public static int k=1; public static int l=1; public boolean connection_status = false; public DBConnect() { try { Class.forName("com.mysql.jdbc.Driver"); cn = DriverManager.getConnection("jdbc:mysql://localhost/gps","root",""); st = cn.createStatement(); cn.setAutoCommit(false); connection_status = true; } catch (Exception e){ System.out.println(e); } } public boolean isConnected() { return connection_status; } public ResultSet GET(String Query) { try { rs = st.executeQuery(Query); cn.commit(); } catch (Exception e) { System.out.println(e); } return rs; }
public int POST(String Query) { int i = 0; int status = 0; try { i = st.executeUpdate(Query); cn.commit(); if(i>0){status = 1;} }
JCET, LAKKIDI
40
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
catch (Exception e) { System.out.println(e); } return status;}} package DBAccess;
import java.sql.ResultSet;import java.util.Random;
DATABASE PROCESSING…………dbprocess.java
public class DBProcess{ public static int count_of_existance = 0;
public static boolean isEntryExists(String username) { boolean status = false; try { String Query = "select * from clickpoints where username='"+username+"'"; DBConnect db = new DBConnect(); ResultSet rs = db.GET(Query); while(rs.next()) { System.out.println(count_of_existance); status = true; count_of_existance++; } } catch (Exception e) { System.out.println(e); } return status; }
public int getCountOfExistance() { return count_of_existance; }
public static boolean UpdatePreviousClickPointImage(String username,String image_name) { boolean status = false; try { String Query = "select * from clickpoints where username='"+username+"'"; DBConnect db = new DBConnect(); ResultSet rs = db.GET(Query); while(rs.next()) { String imageB = rs.getString("imageB");
JCET, LAKKIDI
41
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
if(imageB.equalsIgnoreCase("null")) { System.out.println("Updating...."); String click_id = rs.getString("click_id"); String UpdateQuery = "update clickpoints set imageB='"+image_name+"' where click_id='"+click_id+"'"; db.POST(UpdateQuery); break; } } } catch (Exception e) { System.out.println(e); } return status; }
public static boolean InsertClickPoint(String username,String imageA,String imageB,int point_x,int point_y) { boolean status = false; try { String Query = "insert into clickpoints (username,imageA,imageB,point_x,point_y) values('"+username+"','"+imageA+"','"+imageB+"','"+point_x+"','"+point_y+"')"; DBConnect db = new DBConnect(); db.POST(Query); } catch (Exception e) { System.out.println(e); } return status; }
public boolean isFileExists(String filename) { boolean status = false; try { String Query = "select * from imagedata where image_name='"+filename+"'"; DBConnect db = new DBConnect(); ResultSet rs = db.GET(Query); if(rs.next()) { status = true; } } catch (Exception e) {
JCET, LAKKIDI
42
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
System.out.println(e); } return status; }
public int getTotalUsageCount(String imageName) { int total_count = 0; try { String Query1 = "select * from clickpoints where imageA='"+imageName+"'"; String Query2 = "select * from clickpoints where imageB='"+imageName+"'"; DBConnect db1 = new DBConnect(); DBConnect db2 = new DBConnect(); ResultSet rs1 = db1.GET(Query1); while(rs1.next()) { total_count++; } ResultSet rs2 = db2.GET(Query2); while(rs2.next()) { total_count++; } } catch (Exception e) { System.out.println(e); } return total_count; }public int getTotalUsageCount1(String imageName) { int total_count = 0; try { String Query1 = "select * from imagebk where image_name='"+imageName+"'"; DBConnect db1 = new DBConnect(); ResultSet rs1 = db1.GET(Query1); while(rs1.next()) { total_count++; } } catch (Exception e) { System.out.println(e); } return total_count; }
JCET, LAKKIDI
43
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
public int getTotalUsageCount2(String imageName) { int total_count = 0; try { String Query1 = "select * from imagesb where image_name='"+imageName+"'"; DBConnect db1 = new DBConnect(); ResultSet rs1 = db1.GET(Query1); while(rs1.next()) { total_count++; } } catch (Exception e) { System.out.println(e); } return total_count; }
public boolean checkOldPassword(String username,String password) { boolean status = false; DBConnect db = new DBConnect(); try { String Query = "select * from login where username='"+username+"' and password='"+password+"'"; ResultSet rs = db.GET(Query); if(rs.next()) { status = true; } } catch (Exception e) { System.out.println(e); } return status; }
public void ChangePassword(String username,String password) { DBConnect db = new DBConnect(); try { String Query = "update login set password='"+password+"' where username='"+username+"'"; db.POST(Query); }
JCET, LAKKIDI
44
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
catch (Exception e) { System.out.println(e); } }
public int getUserBalance(String username) { int balance = 0; DBConnect db = new DBConnect(); try { String Query = "select * from summary where username='"+username+"'"; ResultSet rs = db.GET(Query); if(rs.next()) { balance = rs.getInt("balance"); } } catch (Exception e) { System.out.println(e); } return balance; }
public void updateUserBalance(String username,int balance,String dateTime) { DBConnect db = new DBConnect(); try { String Query = "update summary set balance='"+balance+"',date='"+dateTime+"' where username='"+username+"'"; db.POST(Query); } catch (Exception e) { System.out.println(e); } }
public void addTransaction(String username,String dateTime,String memo,String type,String amount) { DBConnect db = new DBConnect(); try { String Query = "insert into transactions values('"+username+"','"+dateTime+"','"+memo+"','"+type+"','"+amount+"')"; db.POST(Query); } catch (Exception e)
JCET, LAKKIDI
45
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
{ System.out.println(e); } }
public void addTransfer(String username,String dateTime,String memo,String to_username,String amount) { DBConnect db = new DBConnect(); try { String Query = "insert into transfers values('"+username+"','"+dateTime+"','"+memo+"','"+to_username+"','"+amount+"')"; db.POST(Query); } catch (Exception e) { System.out.println(e); } }
public static String redirect() { DBConnect db = new DBConnect(); int i=0; try { String Query = "select * from imagedata"; ResultSet rs=db.GET(Query); while(rs.next()){ i++; } int s=new Random().nextInt(i); System.out.println("s>>>.:"+s); String Query1 = "select * from imagedata where image_id='"+s+"'"; ResultSet rs1=db.GET(Query1); if(rs1.next()){ String image = rs1.getString("image_name"); System.out.println("image : "+image); return image; } else{ System.out.println("nullllllll"); return null; } } catch (Exception e) { System.out.println(e); return null;}}}
JCET, LAKKIDI
46
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
VALIDATING CUED CLICK POINTS…….validator.jsp
<%@page import="java.sql.*" %><jsp:useBean id="db" scope="page" class="DBAccess.DBConnect"/>
<%int point_x = Integer.parseInt(request.getParameter("point_x"));int point_y = Integer.parseInt(request.getParameter("point_y"));System.out.println("point_x"+point_x);System.out.println("point_y"+point_y);String username = session.getAttribute("Name")+"";String image = request.getParameter("image");String image1 = request.getParameter("imagebk");//System.out.println("image"+image);System.out.println("image"+image1);String Q1 = "select * from imagebk where username='"+username+"'";ResultSet rs4 = db.GET(Q1);if(!rs4.next()){ int i=DBAccess.DBConnect.k; String Q = "insert into imagebk(username,image_name,image_path,count) values('"+username+"','"+image1+"','image/"+image1+"','"+i+"')"; db.POST(Q);}String Query = "select * from imagesb where username='"+username+"'and image_name='"+image+"'";ResultSet rs = db.GET(Query);if(rs.next()){ String Query1 = "update imagesb set posx='"+point_x+"',posy='"+point_y+"' where username='"+username+"' and image_name='"+image+"'"; db.POST(Query1); response.sendRedirect("ImageAction.jsp");}else {
int p=DBAccess.DBConnect.k++; String Query2 = "insert into imagesb(username,image_name,image_path,posx,posy) values('"+username+"','"+image+"','image/"+image+"','"+point_x+"','"+point_y+"')"; db.POST(Query2); String Query3 = "update imagebk set count='"+p+"' where username='"+username+"'"; db.POST(Query3); response.sendRedirect("ImageAction.jsp");
JCET, LAKKIDI
47
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
} %>CLICK POINT SELECTOR……..clickpointselector.jsp<%@page import="java.util.*" %><%@page contentType="text/html" pageEncoding="UTF-8"%><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Click Point Selection</title></head><script type="text/javaScript">function point_it(event,source,count){
pos_x = event.offsetX?(event.offsetX):event.pageX-document.getElementById("good"+count).offsetLeft;
pos_y = event.offsetY?(event.offsetY):event.pageY-document.getElementById("good"+count).offsetTop; var image = source
document.frmclick.form_x.value = pos_x;document.frmclick.form_y.value = pos_y;
var xmlhttp; if(window.XMLHttpRequest) { xmlhttp = new XMLHttpRequest(); } else { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } xmlhttp.open("GET","AjaxUpdater.jsp?point_x="+pos_x+"&point_y="+pos_y+"&image="+image,true); xmlhttp.send();}</script><body><form name="frmclick" action="" method="POST"><%ArrayList selected_images = (ArrayList)session.getAttribute("images_selected");for (int idx = 0; idx < selected_images.size(); idx++){String get = selected_images.get(idx).toString();String name = get.substring(get.indexOf("/")+1,get.length());
JCET, LAKKIDI
48
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
%><div id="good<%=idx%>"><p><img src="<%=get%>" alt="Unable to Load" id="clicked_image" onclick="point_it(event,'<%=name%>','<%=idx%>')"/></p></div><hr/><%}%><p>You pointed on x = <input type="text" name="form_x" size="4" /> - y = <input type="text" name="form_y" size="4" /></p></form><form name="frm" action="index1.jsp" method="POST"> <p><input type="submit" name="submit" value=" DONE "/></p></form></body></html>
JCET, LAKKIDI
49
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
CONCLUSION
Graphical passwords are an alternative to existing alphanumeric passwords. In
Graphical passwords users click on images than type a long, complex password.
Passpoints scheme is one of the Graphical user authentication techniques. In this
method the password is represented by multiple clicks on a single image. One of the
advantages with Passpoints scheme is that, a user can click on any place in the image
as a click point. Graphical authentication suffers a major drawback of Shoulder-
surfing. Shoulder-surfing refers to someone observing the user’s action as the user
enters a password. Due to this, the user’s action can be monitored by the attacker or it
can be captured using recording devices such as camera. The graphical password
system has some important issues. The first issue is that the people are better at
memorizing graphical passwords than text-based passwords. And also graphical
passwords have a large password space over alphanumeric passwords. Second issue is
efficiency; users use the mouse to enter a password, it may be slower than the
keyboard. People should spend more time learning and practice the graphical
password but by user’s thinking and feeling this kind of graphical passwords will be
much easier than alphanumeric passwords. Although graphical passwords are
vulnerable to shoulder surfing attacks, our method provides security over this attack.
JCET, LAKKIDI
50
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
BIBILOGRAPHY
1. James Gosling,Bill Joy,Guy Steela The Java Language Specification,2ndEdition,Sun
Microsystem 2000
2. E, M, Balagurusamy Programming With Java, 2nd Edition, TataMcGrawHill,
Reprint 2000
3. The Java Tutorial, 2nd Edition, volumes Mary Compione and Kathywalrath,
Addison Wesley Longmans, 1998.
4. Ramez Elmasri, Shamkanth. B. Navathe, “Fundamentals of Database Systems”,
The Benjamin/Cummings Publishing Company Inc,1989.
5. Silberschats, Henry.F.Korth, S.Sudarshan; Database System Concepts 5th
edition McGraw-Hill;2005
6.http://searchsecurity.techtarget.com/definition/graphical-password
(Ref.date:2/12/2011)
7. http://www.scs.carleton.ca/~paulv/papers/esorics07-c.pdf(Ref.date:3/03/2012)
8.http://www.cups.cs.cmu.edu/soups/2005/2005proceedings/p1-wiedenbeck.pdf
(Ref.date:30/3/2012)
JCET, LAKKIDI
51
PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD
JCET, LAKKIDI
52