report purely automated graphical paswd

PURELY AUTOMATED ATTACKS ON PASSPOINT-STYLE GRAPHICALPASSWORD

1. INTRODUCTION

User authentication is a fundamental component in most computer security contexts. It

provides the basis for access control and user accountability. While there are various

types of user authentication systems, alphanumerical username/passwords are the most

common type of user authentication. They are versatile and easy to implement and

use. Alphanumerical passwords are required to satisfy two contradictory requirements.

They have to be easily remembered by a user, while they have to be hard to guess by

impostor . Users are known to choose easily guessable and/or short text passwords,

which are an easy target of dictionary and brute-forced attacks. Enforcing a strong

password policy sometimes leads to an opposite effect, as a user may resort to write

his or her difficult-to-remember passwords on sticky notes exposing them to direct

theft. In the literature, several techniques have been proposed to reduce the limitations

of alphanumerical password. One proposed solution is to use an easy to remember

long phrases (passphrase) rather than a single word. Another proposed solution is to

use graphical passwords, in which graphics (images) are used instead of

alphanumerical passwords. This can be achieved by asking the user to select regions

from an image rather than typing characters as in alphanumeric password approaches.

In this extended abstract, we propose a graphical password authentication system. The

system combines graphical and text-based passwords trying to achieve the best of both

worlds. The proposed system is described

Graphical Passwords:

Graphical passwords refer to using pictures (also drawings) as passwords. In theory,

graphical passwords are easier to remember, since humans remember pictures better

than words. Also, they should be more resistant to brute-force attacks, since the search

space is practically infinite. In general, graphical passwords techniques are classified

into two main categories: recognition-based and recall based graphical techniques . In

recognition-based techniques, a user is authenticated by challenging him/her to

JCET, LAKKIDI

1


identify one or more images he or she chooses during the registration stage. In recall-

based techniques, a user is asked to reproduce something that he or she created or

selected earlier during the registration stage. Passfaces is a recognition-based

technique, where a user is authenticated by challenging him/her into recognizing

human faces . In this approach, a user create a password by clicking on several

locations on an image. During authentication, the user must click on those locations.

PassPoints builds on Blonders idea, and overcomes some of the limitations of his

scheme. Several other approaches have been surveyed. Various graphical password

schemes have been proposed as alternatives to text-based passwords. Research and

experience have shown that text-based pass-words are fraught with both usability and

security problems that make them less than desirable solutions. Psychology studies

have revealed that the human brain is better at recognizing and recalling images than

text graphical pass-words are intended to capitalize on this human characteristic in

hopes that by reducing the memory burden on users, coupled with a larger full

password space offered by images, more secure passwords can be produced and users

will not resort to unsafe practices in order to cope speakers of any language. It

propose and examine the usability and security of CuedClick Points (CCP), a cued-

recall graphical password technique. Users click on one point per image for a

sequence of images. The next image is based on the previous click-point. We present

the results of an initial user study which revealed positive results. Performance was

very good in terms of speed, accuracy, and number of errors. Users preferred CCP to

PassPoints , saying that selecting and remembering only one point per image was

easier, and that seeing each image triggered their memory of where the corresponding

point was located.

t also suggest that CCP provides greater security than PassPoints because the

number of images increases the workload for attackers. or a sequence of images. The

next image displayed is based on the previous click-point so users receive immediate

implicit feedback as to whether they are on the correct path when logging in. CCP

offers both improved usability and security. We conducted an in-lab user study with

JCET, LAKKIDI

2


24 participants and a total of 257 trials. Users had high success rates, could quickly

create and re-enter their passwords, and were very accurate when entering their click-

points. Participants rated the system positively and indicated that they preferred CCP

to a PassPoints-style system. They also said that they appreciated the immediate

implicit feedback telling them whether their latest click-point was correctly entered.

A preliminary security analysis of this new scheme is also presented. Hotspots (i.e.,

areas of the image that users are more likely to select) are a concern in click-based

passwords, so CCP uses a large set of images that will be difficult for attackers to

obtain. For our proposed system, hotspot analysis requires proportionally more effort

by attackers, as each image must be collected and analyzed individually. CCP appears

to allow greater security than PassPoints , the workload for attackers of CCP can be

arbitrarily increased by augmenting the number of images in the system. As with most

graphical passwords, CCP is not intended for environments where shoulder-surfing is

a serious threat.

Graphical Password Strategy:

Cued Click Points (CCP) is a proposed alternative to PassPoints. In CCP, users click

one point on each of c = 5 images rather than on five points on one image. It offers

cued-recall and introduces visual cues that instantly alert valid users if they have

made a mistake when entering their latest click-point (at which point they can cancel

their attempt and retry from the beginning). It also makes attacks based on hotspot

analysis more challenging, as we discuss later. As shown in Figure 1, each click

results in showing a next-image, in effect leading users down a “path” as they click

on their sequence of points. A wrong click leads down an incorrect path, with an

explicit indication of authentication failure only after the final click. Users can choose

their images only to the extent that their click-point indicates the next image. If they

dislike the resulting images, they could create a new password involving different

click-points to get different images. A trial consisted of the following steps.

(i) Create phase: Create a password by clicking on one point in each of five system-

JCET, LAKKIDI

3


selected images presented in sequence.

(ii) Confirm phase: Confirm this password by re-entering it correctly. Users in

correctly confirming their password could retry the confirmation or return to

Step1:A new password started with the same initial image, but generally included

different images thereafter, depending on the click-points. Two questions: Answer two

10-point Likert scale questions on the computer about their current password’s ease

of creation and predicted memorability. Likert scale questions ask respondents to

indicate their level of agreement with the given statement on a scale ranging from

strongly agree to strongly disagree.

(iii) Login phase: Log in with their current password. If users noticed an error

during login, they could cancel their login attempt and try again. Alternatively, if they

did not know their password, they could create a new password, effectively returning

to Step1: of the trial with the same initial image as a starting point. If users felt too

frustrated with the particular images to try again, they could skip this trial and move

on to the next trial.

JCET, LAKKIDI

4


2. LITERATURE SURVEY

Access to computer systems is most often based on the use of alphanumeric

passwords. However, users have difficulty remembering a password that is long and

random-appearing. Instead, they create short, simple, and insecure passwords.

Graphical passwords have been designed to try to make passwords more memorable

and easier for people to use and, therefore, more secure. Using a graphical password,

users click on images rather than type alphanumeric characters. We have designed a

new and more secure graphical password system, called PassPoints. In this paper we

describe the PassPoints system, its security characteristics, and the empirical study we

carried out comparing PassPoints to alphanumeric passwords. In the empirical study

participants learned either an alphanumeric or graphical password and subsequently

carried out three longitudinal trials to input their passwords over a period of five

weeks. The results show that the graphical group took longer and made more errors in

learning the password, but that the difference was largely a consequence of just a few

graphical participants who had difficulty learning to use graphical passwords. In the

longitudinal trials the two groups performed similarly on memory of their password,

but the graphical group took more time to input a password.

Backgrounds on passwords:

Identification and authentication can be considered as the basic method for providing

system security. These two methods commonly assure access control at the first

boundary of the system. Before accessing resources of the system user needs to

provide his identifier by giving some secret information or something that only he own

or only he has as the part of his personality. One of the instances of secret information

JCET, LAKKIDI

5


is a password. It is commonly used technology for authentication in different kinds of

computer systems. Typically passwords are (i) It should be easy to remember, and the

user authentication protocol should be executable quickly and easily by humans.

(ii) Passwords should be secure, that is they should look random and should be hard to

guess; they should be changed frequently, and should be different on different

accounts of the same user; they should not be written down or stored in plain text

Mainly two types of passwords are used- text password(alphanumeric passwords) and

graphical password. Text password is presented as a sequence of digits and letters;

however graphical password is concerned with images.

Alpha numeric passwords:

Alpha-numeric passwords were first introduced in the 1960s as a solution to security

issues that became evident as the first multi-user operating systems were being

developed. As the name indicates, an alpha-numeric password is simply a string of

letters and digits. Although almost any string can serve as a password, these passwords

only offer good security as long as they are complicated enough so that they cannot be

deduced or guessed.

Usually guidelines for text passwords are:

(i) Length of the password should be at least 8 characters.

(ii) Password should not consist of any relative information to user otherwise it would

be easy to guess such password.

(iii) Moreover it is a good practice not to use popular combinations or words (such as:

123456789, QAZwsx11, password) because in this case it becomes possible to use

dictionary attack on it.

(iv) Better to combine upper and lower case in the password.

So it will be critical to create strong and random password not related to the user and

using combinations of alphabetic, numeric and other symbols in it. However in this

case user can face with the problem of too complicated password which can be hard to

remember Also usage of such “strong” passwords can lead to the different side effects.

In order to decrease the amount of passwords to remember user can begin to use one

JCET, LAKKIDI

6


everywhere, what may increase the possibility of stealing or cracking it. If policy of

the system force user to change passwords periodically he can simplify this changes by

substituting one letter or use few passwords in a loop. The main thing to remember is

that users almost always go by way of the least resistance and it does not matter how

strict the policy is. As we can see using the text password means to find a balance

between easy‐to‐remember and easy‐to‐break passwords from one side and strong but

hard to remember from the other side.

The major drawback of alpha-numeric password is the dictionary attack. Because of

the difficulty in remembering random strings of characters, most users tend to choose

a common word, or a name. Unfortunately, there are several tools that allow an

individual to crack passwords by automatically testing all the words that occur in

dictionaries or public directories. This attack will usually not uncover the password of

a predetermined user; but studies have shown that this attack is usually successful in

finding valid passwords of some users of given system. For example

Regular word: Michael

Alphanumeric password:**M1ch@3L

Graphical passwords:

Graphical passwords can be used like alternative to the text ones. This technology is

free from text password limitations. It is based on the human’s peculiarity to

remember visual images better than the text ones. Graphical passwords were originally

described by Blonder (1996). In his description of the concept an image would appear

on the screen, and the user would click on a few chosen regions of it. If the correct

regions were clicked in, the user would be authenticated. Memory of passwords and

efficiency of their input are two key human factors criteria. Memorability has two

aspects: how the user chooses and encodes the password and what task the user does

when later retrieving the password. In a graphical password system, a user needs to

choose memorable locations in an image. Choosing memorable locations depends on

the nature of the image itself and the specific sequence of click locations. To support

JCET, LAKKIDI

7


memorability, images should have semantically meaningful content because meaning

for arbitrary things is poor. This suggests that jumbled or abstract images will be less

memorable than concrete, real-world scenes. A graphical password is an

authentication system that works by having the user select from images, in a specific

order, presented in a graphical user interface (GUI). For this reason, the graphical-

password approach is sometimes called graphical user authentication (GUA).A

graphical password is easier than a text-based password for most people to remember.

Suppose an 8-character password is necessary to gain entry into a particular computer

network. Instead of w8KiJ72c,for example, a user might select images of the earth

(from among a screen full of real and fictitious planets), the country of France (from a

map of the world), the city of Nice (from a map of France), a white stucco house with

arched doorways and red tiles on the roof, a green plastic cooler with a white lid, a

package of Gouda cheese, a bottle of grape juice, and a pink paper cup with little green

stars around its upper edge and three red bands around the middle.

Fig.1.Graphical password

Graphical passwords may offer better security than text-based passwords because

many people, in an attempt to memorize text-based passwords, use plain words (rather

than the recommended jumble of characters). A dictionary search can often hit on a

password and allow a hacker to gain entry into a system in seconds. But if a series of

selectable images is used on successive screen pages, and if there are many images on

each page, a hacker must try every possible combination at random. If there are 100

JCET, LAKKIDI

8


images on each of the 8 pages in an 8-image password, there are 1008, or 10

quadrillion (10,000,000,000,000,000), possible combinations that could form the

graphical password! If the system has a built-in delay of only 0.1 second following the

selection of each image until the presentation of the next page, it would take (on

average) millions of years to break into the system by hitting it with random image

sequences.

Advantages:

The advantages of graphical password are :

Usability:

As it was mentioned before one of the most convincing reasons for using graphical

password scheme is the fact that humans seem to have an amazing ability for recalling

pictures, whether they are line drawings or real objects. Human’s brain tends to

remember visual images much more easily. So from this point of view Graphical

password is more preferable for users because combination of images is easier to

remember and reproduce than the combination of letters and digest. Another benefit

for using graphical password is alphabetic independency. It does not matter what

language user operates, human’s ability to draw, memorize and recognize visual

images is nationality independent.

Security:

Second advantage of graphical scheme is infeasibility to dictionary attacks, because of

the large password space, but mainly because there are no pre‐existing searchable

dictionaries for graphical information. In some methods of graphical passwords it is

hard to produce automatic attacks (for instance image recognition and determination

based on content). This scheme is free of some commonly used techniques of logging.

Disadvantages:

Security:

First disadvantage originates from usability advantage. Because for human it is easy to

remember visual images, possibilities of “shoulder‐surfing” attack increasing. This

usability has double effect: from one side it becomes easily for average user to

JCET, LAKKIDI

9


remember the password, from the other side criminal can easily remember the whole

combination of images or areas on the image by standing behind the user. There are

some techniques which can prevent such kind of attacks.

Second disadvantage is not critical nowadays but still it exists. Graphical passwords

require corresponding hardware and software availability on a user’s machine. (For

instance – mouse or touch screen for cursor gesture recognition based passwords).

The main disadvantage of the graphical password is similar to main disadvantage of

text one. It is – human. It does not matter how complex, secure and powerful your

security system is. If user chose a weak password it can be easily hacked. For example

in DAS method if user instead of using random long graphical password draws a

circle, there is a high probability that such easy password will be remembered by

attacker and reproduced easier that stronger one. In this case the only thing that can be

made is to force users to choose strong password and periodically change it. Moreover

it is better to implement a service which will control a similarity of user’s new

password with the previous one.

Usability:

Apart of all advantages all graphical passwords have the same “problem”‐ they take

much longer time for log in than textual passwords. Especially for “Pick‐O‐lock

scheme” where user needs to remember all strings for all variation of password’s icon.

For example if we have 4 password’s icon user needs to remember 16 strings, for 5 –

25 strings and so on.

Passpoint Graphical Password:

Now days, to access a computer resource, the most common authentication method we

are using is traditional ‘username’ and ‘Password’, in which the password is secret

alphanumeric word known to the computer and the user. But users have many

problems with the alphanumeric passwords. If a password is not used frequently then

there is a chance of forgetting and if the password is hard to guess, it is hard to

JCET, LAKKIDI

10


remember. For these reasons the researchers have developed various graphical

password schemes.

The PassPoints scheme was first developed by Wiedenbeck,and it is based on the idea

of Blonder. Even in Blonder’s approach the password is represented by multiple clicks

on a single image. But Wiedenbeck’s PassPoints system overcomes the limitation of

Blonder’s scheme, i.e. there are no predefined boundaries around areas of the image

where the user can click. One of the advantages with PassPoints scheme is that a user

can click on anyplace on the image. It allows the use of arbitrary images. After

clicking on several areas, the sequence is stored. A tolerance region around the chosen

click points is calculated. When logging in, the user has to click on points within the

tolerance. Generally, users cannot click on the same points that are selected during

registration. So, a tolerance is given. This tolerance allows a user to click on nearby

locations. For example, if the tolerance is 20X20, users can click on any location

within the 20 pixels around (top, bottom, left, right) a click point.

Fig .2. The PassPoint interface

.

There is another method in which a single click on multiple images is allowed. It is

called as Cued Click Points. These schemes are called as cued recall based schemes

since the background image can be regarded as a cue to recall the location of clicks

chosen as a password. Along with PassPoints technique, there are other techniques

existing. One such technique is Passfaces, in which user chooses four faces from a

JCET, LAKKIDI

11


pool of faces. When logging in , the user sees a 3X3 grid of nine faces, consisting of

one face previously chosen by the user and eight decoy faces, the user has to recognize

and click anywhere on the chosen face. This procedure is repeated.

Shoulder Surfing Attack:

Main drawbacks for the current graphical password schemes are the shoulder-surfing

problem and usability problem. Even though graphical passwords are difficult to guess

and break, if someone directly observes during the password entering session, he/she

probably figure out the password by guessing it randomly. Nevertheless, the issue of

how to design the authentication systems which have both the security and usability

elements is yet another example of what making the challenge of Human Computer

Interaction (HCI) and security communities. In computers security jargon, shoulder-

surfing refers to the direct observation techniques, such as looking over someone’s

shoulder, to get information like passwords, PINs and other sensitive personal

information. As well as when a user enters information using a keyboard, mouse,

touch screen or any traditional input device. Like text based passwords graphical

passwords are also vulnerable to Shoulder-Surfing.

Cued Click Point:

The usability and security of CuedClick Points (CCP), a cued-recall graphical

password technique. Users click on one point per image for a sequence of images.

The next image is based on the previous click-point. Performance was very good in

terms of speed, accuracy, and number of errors. Users preferred CCP to PassPoints

(Wiedenbeck ), saying that selecting and remembering only one point per image was

easier, and that seeing each image triggered their memory of where the corresponding

point was located. We also suggest that CCP provides greater security than PassPoints

because the number of images increases the workload for attackers. or a sequence of

images. The next image displayed is based on the previous click-point so users

receive immediate implicit feedback as to whether they are on the correct path when

JCET, LAKKIDI

12


logging in. CCP offers both improved usability and security. We conducted an in-

lab user study with 24 participants and a total of 257 trials. Users had high success

rates, could quickly create and re-enter their passwords, and were very accurate when

entering their click-points. Participants rated the system positively and indicated that

they preferred CCP to a PassPoints-style system. They also said that they appreciated

the immediate implicit feedback telling them whether their latest click-point was

correctly entered. A preliminary security analysis of this new scheme is also

presented. Hotspots (i.e., areas of the image that users are more likely to select) are a

concern in click-based passwords , so CCP uses a large set of images that will be dif-

ficult for attackers to obtain. For our proposed system, hotspot analysis requires

proportionally more effort by attackers, as each image must be collected and analyzed

individually. CCP appears to allow greater security than PassPoints; the workload for

attackers of CCP can be arbitrarily increased by augmenting the number of images in

the system. As with most graphical passwords, CCP is not intended for environments

where shoulder-surfing is a serious threat.

JCET, LAKKIDI

13


3.SYSTEM ANALYSIS AND DESIGN

Existing System:

The existing system does not allow the companies to centralize the document

management. Document encryption and decryption is not performed. It does not

provide security for confidential material from accidental misuse, employee theft,

unauthorized distribution etc.

Drawbacks Of Existing Systems:

(i)Lack of security

(ii)Prone to unauthorized distribution

(iii)Lack of desired accuracy

(iv)No encryption and decryption

Proposed System:

The proposed Cued Click Points scheme shows promise as a usable and memorable

authentication mechanism. By taking advantage of users’ ability to recognize images

and the memory trigger associated with seeing a new image, CCP has advantages over

PassPoints in terms of usability. Being cued as each image is shown and having to

remember only one click-point per image appears easier than having to remember an

ordered series of clicks on one image. In our small comparison group, users strongly

preferred CCP. We believe that CCP offers a more secure alternative to PassPoints.

CCP increases the workload for attackers by forcing them to first acquire image sets

JCET, LAKKIDI

14


for each user, and then conduct hotspot analysis on each of these images. Fur16 Cued

Click Points theremore, the system’s flexibility to increase the overall number of

images in the system allows us to arbitrarily increase this workload.

Feasibility Study:

Feasibility study is a procedure that identifies, describes and evaluates candidate

system and selects the best system for the job. An estimate is made of whether the

identified user needs may be satisfied using current software and hardware

technologies. The study will decide if the proposed system will be cost effective from

a business point of view and if it can be developed given existing budgetary

constraints. The key considerations involved in the feasibility analysis are economic,

technical, behavioral and operational.

Economic Feasibility:

The economic analysis is to determine the benefits and savings that are expected from

a candidate system and compare them with costs. The system is economically

feasible, as the organization possesses the hardware and software resources required

for the functioning of the system. Any additional resources, if required, can also be

easily acquired.

Technical Feasibility:

It centers on the existing computer system and to what extent it can support the

proposed addition. Since the minimum requirements of the system like IIS o the

server and a browser on the client, are met by any average user.

Operational Feasibility:

The system operation is the longest phase in the development life cycle of a system.

So, operational feasibility should be given much importance. The users of the system

don’t need thorough training on the system. All they are expected to know to operate

the system is the basic net surfing knowledge. It has a user-friendly interface.

Behavioral Feasibility:

JCET, LAKKIDI

15


In today’s world, where computer is an inevitable entity, the systems like auction site,

which requires no special efforts than surfing the net are enjoying wide acceptance.

Thus the organization is convinced that the system is feasible.

Modules Of The Proposed System are:-

1.Functional management

2. Image manipulation

3.Security

4.User management

5.Network management

User management:

The user management is the place where the administrator manages the GUI that helps

the users to easily use the system without difficulty. Here we implement the side that

is directly in contact with the users.

Image manipulation:

The image manipulation deals with manipulation of the images. Here the adding

removing images to the pool is happening. This pool is used for future password

tracing stages.

Functional Operation:

The implementation of the function by means of which the manipulation of the image

takes is implemented here. It is by means of this function that the jumbling of the

image from one to another , so that each character is traced carefully.

Security:

Here security of the system is implemented in this module. Order of images is

correctly evaluated. And ensures authentication standard.

Data Flow Diagram

JCET, LAKKIDI

16


Figure.3.Context level

Figure.4.Level 1

The level 1 of proposed system consists various levels of operations : user

management,image manipulation,security and functional operation.The user can login

through login section .

JCET, LAKKIDI

17


Figure.5.user Management

The user management is the place where the administrator manages the GUI that helps

the users to easily use the system without difficulty. Here we implement the side that

is directly in contact with the users.

JCET, LAKKIDI

18


Figure.6.Security

Here security of the system is implemented in this module. Order of images is

correctly evaluated. And it ensures authentication standard.

JCET, LAKKIDI

19


Figure.7.Image Manipulation

The image manipulation deals with manipulation of the images. Here the adding

removing images to the pool is happening. This pool is used for future password

tracing stages.

JCET, LAKKIDI

20


Figure.8.Functional Operation

The implementation of the function by means of which the manipulation of the image

takes is implemented here. It is by means of this function that the jumbling of the

image from one to another , so that each character is traced carefully.

JCET, LAKKIDI

21


4. SYSTEM SPECIFICATION AND DESIGN

The purpose of system requirements analysis is to obtain a thorough and detailed

understanding of the business need as defined in project origination and captured in the

business case, and to break it down into discrete requirements, which are then clearly

defined, reviewed and agreed upon with the customer decision makers. During system

requirements analysis, the framework for the application is developed, providing the

foundation for all future design and development efforts.

Table.1. Hardware Requirements

System IBM-Compatible PC

Processor Intel Pentium IV or above

Speed 2.8 GHz.

Memory 512 MB RAM

Hard Disk Drive 80 GB

Table.2. Software Requirements

Java:

Java is a programming language originally developed by James Gosling at Sun

JCET, LAKKIDI

Development Platform Windows XP/Linux

Front-End Tool JAVA

Back-End Tool My SQL/SQL Server

IDE Net Beans/Visual Studio

22


Microsystems (which is now a subsidiary of Oracle Corporation) and released in 1995

as a core component of Sun Microsystems' Java platform. In the Java programming

language, all source code is first written in plain text files ending with the .java

extension. Those source files are then compiled into .class files by the javac compiler.

A class file does not contain code that is native to your processor; it instead contains

bytecodes the machine language of the Java Virtual Machine (Java VM). The java

launcher tool then runs your application with an instance of the Java V Because the

Java VM is available on many different operating systems, the same .class files are

capable of running on Microsoft Windows, the Solaris Operating System (Solaris

OS), Linux, or Mac OS. This include various tasks such as finding performance

bottlenecks and recompiling (to native code) frequently used sections of code.

Through the Java VM, the same application is capable of running on multiple

platforms.

The Java Platform:

A platform is the hardware or software environment in which a program runs.We've

already mentioned some of the most popular platforms like Microsoft Windows,

Linux, Solaris OS, and Mac OS. Most platforms can be described as a combination of

the operating system and underlying hardware. The Java platform differs from most

other platforms in that it's a software-only platform that runs on top of other hardware-

based platforms. The Java platform has two components: the java virtual machine and

the java Application Programming Interface (API). The Java Virtual Machine; it's the

base for the Java platform and is ported onto various hardware-based platforms.

The API is a large collection of ready-made software components that provide many

useful capabilities. It is grouped into libraries of related classes and interfaces; these

libraries are known as packages. The API and Java Virtual Machine insulate the

program from the underlying hardware.

As a platform-independent environment, the Java platform can be a bit slower than

native code. However, advances in compiler and virtual machine technologies are

JCET, LAKKIDI

23


bringing performance close to that of native code without threatening portability.

Java platform gives you the following features:

Development Tools: The development tools provide everything you'll need for

compiling, running, monitoring, debugging, and documenting your applications. As a

new developer, the main tools you'll be using are the javac compiler, the java launcher,

and the javadoc documentation tool.

Application Programming Interface (API): The API provides the core functionality of

the Java programming language. It offers a wide array of useful classes ready for use in

your own applications. It spans everything from basic objects, to networking and security,

to XML generation and database access, and more. The core API is very large.

Deployment Technologies: The JDK software provides standard mechanisms such as the

Java Web Start software and Java Plug-In software for deploying your applications to end

users.

User Interface Toolkits: The Swing and Java 2D toolkits make it possible to create

sophisticated Graphical User Interfaces (GUIs).

Integration Libraries: Integration libraries such as the Java IDL API, JDBCTM API,

Java Naming and Directory InterfaceTM ("J.N.D.I.") API, Java RMI, and Java Remote

Method Invocation over Internet Inter-ORB Protocol Technology (Java RMI-IIOP

Technology) enable database access and manipulation of remote objects. Java technology

will help to do the following:

Get started quickly: Although the Java programming language is a powerful object-

oriented language, it's easy to learn, especially for programmers already familiar with C

or C++.

Write less code: Comparisons of program metrics (class counts, method counts, and so

on) suggest that a program written in the Java programming language can be four times

smaller than the same program written in C++.

Write better code: The Java programming language encourages good coding practices,

JCET, LAKKIDI

24


and automatic garbage collection helps you avoid memory leaks. Its object orientation, its

JavaBeansTM component architecture, and its wide-ranging, easily extendible API let

you reuse existing, tested code and introduce fewer bugs.

Develop programs more quickly: The Java programming language is simpler than C++,

and as such, your development time could be up to twice as fast when writing in it. Your

programs will also require fewer lines of code.

Avoid platform dependencies: You can keep your program portable by avoiding the use

of libraries written in other languages.

Write once, run anywhere: Because applications written in the Java programming

language are compiled into machine-independent bytecodes, they run consistently on any

Java platform.

Distribute software more easily: With Java Web Start software, users will be able to

launch your applications with a single click of the mouse. An automatic version check at

startup ensures that users are always up to date with the latest version of your software. If

an update is available, the Java Web Start software will automatically update their

installation.

JavaServerPages(JSP):

JSP is a java based technology that simplifies the process of developing dynamic web

sites. With JSP, web designers and developers can quickly incorporate dynamic elements

into web pages using embedded java and simple mark-up tags. These tags provide the

HTML designer with a way to access data and business logic stored inside java objects.

Java Server Pages are text files with the extension .jsp, which take the place of traditional

HTML pages. JSP files contain traditional HTML along with embedded code that allows

the developer to access data from the java code running on the server. JSP offers several

benefits for dynamic content generation. As a Java-based technology, it enjoys all of the

advantages that the Java language provides with respect to development and deployment.

As an object-oriented language with strong typing, encapsulation, exception handling,

and automatic memory management, use of Java leads to increased programmer JCET, LAKKIDI

25


productivity and more robust code. Because compiled Java bytecode is portable across all

platforms that support a JVM, use of JSP does not lock us into using a specific hardware

platform, operating system, or server software. If a switch in any of these components

becomes necessary, all JSP pages and associated Java classes can be migrated over as is.

Because JSP is vendor-neutral, developers and system architects can select best of breed

solutions at all stages of JSP deployment .JSP technology is the Java platform technology

for building applications containing dynamic web content such as HTML, DHTML,

XHTML, and XML. The Java Server Pages technology enables the authoring of web

pages that create dynamic content easily but with maximum power and flexibility. The

Java Server Pages technology offers a number of advantages:

Write Once, Run Anywhere properties:

The Java Server Pages technology is platform independent, both in its dynamic Web

pages, its Web servers, and its underlying server components. We can author JSP pages

on any platform, run them on any Web server or Web enabled application server, and

access them from any web browser. We can also build the server components on any

platform and run them on any server.

High quality tool support:

The Write Once, Run Anywhere properties of JSP allows the user to choose best-of-breed

tools. Additionally, an explicit goal of the Java Server Pages design is to enable the

creation of high portable tools.

Reuse of components and tag libraries:

The Java Server Pages technology emphasizes the use of reusable components such as

Java Bean components, Enterprise Java Beans components and tag libraries. These

components can be used in interactive tools for component development and page

composition. This saves considerable development time while giving the cross-platform

power and flexibility of the Java programming language and other scripting languages.

Separation of dynamic and static content:

The Java Server Pages technology enables the separation of static content from dynamic

content that is inserted into the static template. This greatly simplifies the creation of

JCET, LAKKIDI

26


content. This separation is supported by beans specifically designed for the interaction

with server-side objects, and, specifically, by the tag extension mechanism.

Support for scripting and actions:

The Java Server Pages technology supports scripting elements as well as actions. Actions

permit the encapsulation of useful functionality in a convenient form that can also be

manipulated by tools. Scripts provide mechanism to glue together this functionality in a

per-page manner.

Web access layer for N-tier enterprise application architecture:

The Java Server pages technology is an integral part of the Java 2Platform Enterprise

Edition (J2EE), which brings Java technology to enterprise computing. We can now

develop powerful middle-tier server applications, using a web site that uses Java Server

Pages technology as a front end to Enterprise Java Beans components in a J2EE

complaint.

My SQL:

MySQL database has become the world's most popular Open source database because of

its consistency, fast performance, high reliability and ease of use. It has also become the

database of choice for a new generation of applications built on the LAMP stack (Linux,

Apache, MySQL, PHP / Perl / Python). MySQL runs on more than 20 platforms

including Linux, Windows, OS/X, HP-UX, AIX, Netware, giving you the kind of

flexibility that puts you in control. MySQL offers a comprehensive range of certified

software, support, training and consulting.

MySQL is a multithreaded, multi-user SQL Database Management System. My SQL's

implementation of a relational database is an abstraction on top of a computer’s file

system. The relational database abstraction allows collection of data items to be

organized as a set of formally described tables. Data can be accessed or reassembled from

these tables in many different ways, which do not require any reorganization of the

database tables themselves.

Relational database speak SQL (Structured Query Language). SQL is a standard

interactive programming language for getting information from and updating a relational

JCET, LAKKIDI

27


database. Although SQL itself is both an ANSI and an ISO standard, many database

products support SQL with proprietary extensions to the standard language.

MySQL's extensions to SQL are not proprietary, since MySQL's code is kept free (as in

the user's library to use hte code) by the GPL. SQL queries take the form of a command

language that lets you select, insert, update, find out the location of data, and so forth.

My SQL Features:

Very fast and much reliable for any type of application.

Very lightweight application.

Command line tool is very powerful and can be used to run SQL

queries against database.

Supports indexing and binary objects.

Allows changing the structure of table while server is running.

It has a wide user base.

It is a very fast thread-based memory allocation system.

JCET, LAKKIDI

28


5. PROJECT DESCRIPTION AND IMPLEMENTATION

Cued Click Points (CCP) is a proposed alternative to PassPoints. In CCP, users click

one point on each of c = 5 images rather than on five points on one image. It offers

cued-recall and introduces visual cues that instantly alert valid users if they have

made a mistake when entering their latest click-point (at which point they can cancel

their attempt and retry from the beginning). It also makes attacks based on hotspot

analysis more challenging, as we discuss later. As shown in Figure each click results

in showing a next-image, in effect leading users down a “path” as they click on their

sequence of points. A wrong click leads down an incorrect path, with an explicit

indication of authentication failure only after the final click. Users can choose their

images only to the extent that their click-point indicates the next image. If they dislike

the resulting images, they could create a new password involving different click-

points to get different images. A trial consisted of the following steps.

1. Create phase: Create a password by clicking on one point in each of five system-

selected images presented in sequence.

2. Confirm phase: Confirm this password by re-entering it correctly. Users in-

correctly confirming their password could retry the confirmation or return to Step 1.

A new password started with the same initial image, but generally included different

images thereafter, depending on the click-points.

3. Two questions: Answer two 10-point Likert-scale questions on the computer

about their current password’s ease of creation and predicted memorability. Likert-

scale questions ask respondents to indicate their level of agreement with the given

JCET, LAKKIDI

29


statement on a scale ranging from strongly agree to strongly disagree.

4. MRT: Complete a Mental Rotations Test (MRT) puzzle . This was based on task

that is used to distract users for a minimum of 30 seconds by giving them a visual

task to complete in order to clear their working memory.

5. Login phase: Log in with their current password. If users noticed an error during

login, they could cancel their login attempt and try again. Alternatively, if they did

not know their password, they could create a new password, effectively returning to

Step 1 of the trial with the same initial image as a starting point. If users felt too

frustrated with the particular images to try again, they could skip this trial and move

on to the next trial.

Figure.9.Implementation

Client :

(i) Username and Password.

(ii) Matters.

(iii)New Registration.

User:

(i) View Advertisements.

(ii) Registration.

JCET, LAKKIDI

30


Figure.10.Images in image pool

Ad-Manager consist of mainly 3 modules:

(i)The Administration module.

(ii)Transaction module.

(iii)Client module

Administrator Module:

This module provides an interface to store informations of client ,user and

applications. The basic details along with the rights and permissions provides the

scope of this module. This modules provides service like client registration alter/drop,

user registration alter/drop and application registration alter/drop.

(i)Client Registration And Alter/drop.

(ii)The User Registration And Alter/Drop.

(iii)Application Registration Alter/Drop.

Transaction Module:

Transaction module includes Tariff management, various reports, different member

activations etc .Advertisement management is also a part of this module.Tariff

management includes different rates,which based on the number of images and

videos.In the member activation different members are activated or deactivated based

on their payments. Management of various advertisements are also under the control

JCET, LAKKIDI

31


of administrator.

(i)Tariff Management.

(ii)Payments.

(iii)Reports.

(iv)Member Activation.

(v)Advertisement Management

Client Module:

This module provides details of clients. Client can upload/delete the images and videos

in the space which is allocated by the administrator. Client can renew their account by

paying an extra amount.

(i)Uploading

(ii)New Registration.

(iii)Client Renewal.

(iv)Change Password.

Home page:

Home page contains login section for user and administrator or manager. Existing

both user and administrator / manager can login through login section for entering

bank transaction . Using the signup function the new user can register by selecting

graphical password and login to the bank transaction process .

JCET, LAKKIDI

32


Figure.11.Home page

New User Registration:

New user can register through signup function that he /she can enter into the

registration form. By entering the correct details in all fields he/she must click create

account button.

JCET, LAKKIDI

33


Figure.12.New user registration

Figure.13.Image pool

After successful registration user can enter into an image pool.Imagepool is a

window that contains lot of images added by administrator. From there user can select JCET, LAKKIDI

34


first image, and second image and so on. After selecting images user can click DONE

button.

Figure.14.Cued click page

After selecting images from the image pool user can directly enter a new window

that contain the previous selected images. User can choose any specific point on the

images. This specific points choosen as passwords and must be remember .That points

stored in the database. After these steps , registration process is completed.

Login Page:

After successful registration , the user can first enter user name and text password to

enter to bank transaction.Valid user can enter into next section.

JCET, LAKKIDI

35


Figure.15.Login Page1

Figure.16.Login page 2

After that user enter into the another window it contain the image pool. From there

user can select first image that user selected during registration time.And then user

click the valid specific point on the image.If clicked point is correct then the user can

enter to the second picture previously selected by the user.

JCET, LAKKIDI

36


Figure.17.Login Page 3

By selecting the valid point in first image, the user can enter to the second image.If

the user can click the point that can clicked during the registration time.If the point is

valid, then login is successfully done.

Figure.18.User home page

JCET, LAKKIDI

37


After successful login, user can enter to the user home page.Though the user can

perform various actions like viewing profile,fund transfer,feedbacks,requests etc.

Administrator Home page:

The administrator can login with his/her password and id.The figure shows

The administrator home page.Administrator has the authority to perform various

Actions.The actions like changing password, bug viewing,adding manager,

editing imaging settings etc.

JCET, LAKKIDI

38


Figure.19.Administrator home page

Manager Home Page:

Administrator has the authority to add manager .The figure shows manager home page.

Manager performs various actions like updating balance,user management,changing

password, updating balance etc.

Figure.20.Manager Home page

JCET, LAKKIDI

39


APPENDIX

Code Of Application:

DATABASE CONNECTIVITY …..dbconnect.javapackage DBAccess;import java.sql.*;public class DBConnect{ Connection cn; Statement st; ResultSet rs; public static int k=1; public static int l=1; public boolean connection_status = false; public DBConnect() { try { Class.forName("com.mysql.jdbc.Driver"); cn = DriverManager.getConnection("jdbc:mysql://localhost/gps","root",""); st = cn.createStatement(); cn.setAutoCommit(false); connection_status = true; } catch (Exception e){ System.out.println(e); } } public boolean isConnected() { return connection_status; } public ResultSet GET(String Query) { try { rs = st.executeQuery(Query); cn.commit(); } catch (Exception e) { System.out.println(e); } return rs; }

public int POST(String Query) { int i = 0; int status = 0; try { i = st.executeUpdate(Query); cn.commit(); if(i>0){status = 1;} }

JCET, LAKKIDI

40


catch (Exception e) { System.out.println(e); } return status;}} package DBAccess;

import java.sql.ResultSet;import java.util.Random;

DATABASE PROCESSING…………dbprocess.java

public class DBProcess{ public static int count_of_existance = 0;

public static boolean isEntryExists(String username) { boolean status = false; try { String Query = "select * from clickpoints where username='"+username+"'"; DBConnect db = new DBConnect(); ResultSet rs = db.GET(Query); while(rs.next()) { System.out.println(count_of_existance); status = true; count_of_existance++; } } catch (Exception e) { System.out.println(e); } return status; }

public int getCountOfExistance() { return count_of_existance; }

public static boolean UpdatePreviousClickPointImage(String username,String image_name) { boolean status = false; try { String Query = "select * from clickpoints where username='"+username+"'"; DBConnect db = new DBConnect(); ResultSet rs = db.GET(Query); while(rs.next()) { String imageB = rs.getString("imageB");

JCET, LAKKIDI

41


if(imageB.equalsIgnoreCase("null")) { System.out.println("Updating...."); String click_id = rs.getString("click_id"); String UpdateQuery = "update clickpoints set imageB='"+image_name+"' where click_id='"+click_id+"'"; db.POST(UpdateQuery); break; } } } catch (Exception e) { System.out.println(e); } return status; }

public static boolean InsertClickPoint(String username,String imageA,String imageB,int point_x,int point_y) { boolean status = false; try { String Query = "insert into clickpoints (username,imageA,imageB,point_x,point_y) values('"+username+"','"+imageA+"','"+imageB+"','"+point_x+"','"+point_y+"')"; DBConnect db = new DBConnect(); db.POST(Query); } catch (Exception e) { System.out.println(e); } return status; }

public boolean isFileExists(String filename) { boolean status = false; try { String Query = "select * from imagedata where image_name='"+filename+"'"; DBConnect db = new DBConnect(); ResultSet rs = db.GET(Query); if(rs.next()) { status = true; } } catch (Exception e) {

JCET, LAKKIDI

42


System.out.println(e); } return status; }

public int getTotalUsageCount(String imageName) { int total_count = 0; try { String Query1 = "select * from clickpoints where imageA='"+imageName+"'"; String Query2 = "select * from clickpoints where imageB='"+imageName+"'"; DBConnect db1 = new DBConnect(); DBConnect db2 = new DBConnect(); ResultSet rs1 = db1.GET(Query1); while(rs1.next()) { total_count++; } ResultSet rs2 = db2.GET(Query2); while(rs2.next()) { total_count++; } } catch (Exception e) { System.out.println(e); } return total_count; }public int getTotalUsageCount1(String imageName) { int total_count = 0; try { String Query1 = "select * from imagebk where image_name='"+imageName+"'"; DBConnect db1 = new DBConnect(); ResultSet rs1 = db1.GET(Query1); while(rs1.next()) { total_count++; } } catch (Exception e) { System.out.println(e); } return total_count; }

JCET, LAKKIDI

43


public int getTotalUsageCount2(String imageName) { int total_count = 0; try { String Query1 = "select * from imagesb where image_name='"+imageName+"'"; DBConnect db1 = new DBConnect(); ResultSet rs1 = db1.GET(Query1); while(rs1.next()) { total_count++; } } catch (Exception e) { System.out.println(e); } return total_count; }

public boolean checkOldPassword(String username,String password) { boolean status = false; DBConnect db = new DBConnect(); try { String Query = "select * from login where username='"+username+"' and password='"+password+"'"; ResultSet rs = db.GET(Query); if(rs.next()) { status = true; } } catch (Exception e) { System.out.println(e); } return status; }

public void ChangePassword(String username,String password) { DBConnect db = new DBConnect(); try { String Query = "update login set password='"+password+"' where username='"+username+"'"; db.POST(Query); }

JCET, LAKKIDI

44


catch (Exception e) { System.out.println(e); } }

public int getUserBalance(String username) { int balance = 0; DBConnect db = new DBConnect(); try { String Query = "select * from summary where username='"+username+"'"; ResultSet rs = db.GET(Query); if(rs.next()) { balance = rs.getInt("balance"); } } catch (Exception e) { System.out.println(e); } return balance; }

public void updateUserBalance(String username,int balance,String dateTime) { DBConnect db = new DBConnect(); try { String Query = "update summary set balance='"+balance+"',date='"+dateTime+"' where username='"+username+"'"; db.POST(Query); } catch (Exception e) { System.out.println(e); } }

public void addTransaction(String username,String dateTime,String memo,String type,String amount) { DBConnect db = new DBConnect(); try { String Query = "insert into transactions values('"+username+"','"+dateTime+"','"+memo+"','"+type+"','"+amount+"')"; db.POST(Query); } catch (Exception e)

JCET, LAKKIDI

45


{ System.out.println(e); } }

public void addTransfer(String username,String dateTime,String memo,String to_username,String amount) { DBConnect db = new DBConnect(); try { String Query = "insert into transfers values('"+username+"','"+dateTime+"','"+memo+"','"+to_username+"','"+amount+"')"; db.POST(Query); } catch (Exception e) { System.out.println(e); } }

public static String redirect() { DBConnect db = new DBConnect(); int i=0; try { String Query = "select * from imagedata"; ResultSet rs=db.GET(Query); while(rs.next()){ i++; } int s=new Random().nextInt(i); System.out.println("s>>>.:"+s); String Query1 = "select * from imagedata where image_id='"+s+"'"; ResultSet rs1=db.GET(Query1); if(rs1.next()){ String image = rs1.getString("image_name"); System.out.println("image : "+image); return image; } else{ System.out.println("nullllllll"); return null; } } catch (Exception e) { System.out.println(e); return null;}}}

JCET, LAKKIDI

46


VALIDATING CUED CLICK POINTS…….validator.jsp

<%@page import="java.sql.*" %><jsp:useBean id="db" scope="page" class="DBAccess.DBConnect"/>

<%int point_x = Integer.parseInt(request.getParameter("point_x"));int point_y = Integer.parseInt(request.getParameter("point_y"));System.out.println("point_x"+point_x);System.out.println("point_y"+point_y);String username = session.getAttribute("Name")+"";String image = request.getParameter("image");String image1 = request.getParameter("imagebk");//System.out.println("image"+image);System.out.println("image"+image1);String Q1 = "select * from imagebk where username='"+username+"'";ResultSet rs4 = db.GET(Q1);if(!rs4.next()){ int i=DBAccess.DBConnect.k; String Q = "insert into imagebk(username,image_name,image_path,count) values('"+username+"','"+image1+"','image/"+image1+"','"+i+"')"; db.POST(Q);}String Query = "select * from imagesb where username='"+username+"'and image_name='"+image+"'";ResultSet rs = db.GET(Query);if(rs.next()){ String Query1 = "update imagesb set posx='"+point_x+"',posy='"+point_y+"' where username='"+username+"' and image_name='"+image+"'"; db.POST(Query1); response.sendRedirect("ImageAction.jsp");}else {

int p=DBAccess.DBConnect.k++; String Query2 = "insert into imagesb(username,image_name,image_path,posx,posy) values('"+username+"','"+image+"','image/"+image+"','"+point_x+"','"+point_y+"')"; db.POST(Query2); String Query3 = "update imagebk set count='"+p+"' where username='"+username+"'"; db.POST(Query3); response.sendRedirect("ImageAction.jsp");

JCET, LAKKIDI

47


} %>CLICK POINT SELECTOR……..clickpointselector.jsp<%@page import="java.util.*" %><%@page contentType="text/html" pageEncoding="UTF-8"%><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Click Point Selection</title></head><script type="text/javaScript">function point_it(event,source,count){

pos_x = event.offsetX?(event.offsetX):event.pageX-document.getElementById("good"+count).offsetLeft;

pos_y = event.offsetY?(event.offsetY):event.pageY-document.getElementById("good"+count).offsetTop; var image = source

document.frmclick.form_x.value = pos_x;document.frmclick.form_y.value = pos_y;

var xmlhttp; if(window.XMLHttpRequest) { xmlhttp = new XMLHttpRequest(); } else { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } xmlhttp.open("GET","AjaxUpdater.jsp?point_x="+pos_x+"&point_y="+pos_y+"&image="+image,true); xmlhttp.send();}</script><body><form name="frmclick" action="" method="POST"><%ArrayList selected_images = (ArrayList)session.getAttribute("images_selected");for (int idx = 0; idx < selected_images.size(); idx++){String get = selected_images.get(idx).toString();String name = get.substring(get.indexOf("/")+1,get.length());

JCET, LAKKIDI

48


%><div id="good<%=idx%>"><p><img src="<%=get%>" alt="Unable to Load" id="clicked_image" onclick="point_it(event,'<%=name%>','<%=idx%>')"/></p></div><hr/><%}%><p>You pointed on x = <input type="text" name="form_x" size="4" /> - y = <input type="text" name="form_y" size="4" /></p></form><form name="frm" action="index1.jsp" method="POST"> <p><input type="submit" name="submit" value=" DONE "/></p></form></body></html>

JCET, LAKKIDI

49


CONCLUSION

Graphical passwords are an alternative to existing alphanumeric passwords. In

Graphical passwords users click on images than type a long, complex password.

Passpoints scheme is one of the Graphical user authentication techniques. In this

method the password is represented by multiple clicks on a single image. One of the

advantages with Passpoints scheme is that, a user can click on any place in the image

as a click point. Graphical authentication suffers a major drawback of Shoulder-

surfing. Shoulder-surfing refers to someone observing the user’s action as the user

enters a password. Due to this, the user’s action can be monitored by the attacker or it

can be captured using recording devices such as camera. The graphical password

system has some important issues. The first issue is that the people are better at

memorizing graphical passwords than text-based passwords. And also graphical

passwords have a large password space over alphanumeric passwords. Second issue is

efficiency; users use the mouse to enter a password, it may be slower than the

keyboard. People should spend more time learning and practice the graphical

password but by user’s thinking and feeling this kind of graphical passwords will be

much easier than alphanumeric passwords. Although graphical passwords are

vulnerable to shoulder surfing attacks, our method provides security over this attack.

JCET, LAKKIDI

50


BIBILOGRAPHY

1. James Gosling,Bill Joy,Guy Steela The Java Language Specification,2ndEdition,Sun

Microsystem 2000

2. E, M, Balagurusamy Programming With Java, 2nd Edition, TataMcGrawHill,

Reprint 2000

3. The Java Tutorial, 2nd Edition, volumes Mary Compione and Kathywalrath,

Addison Wesley Longmans, 1998.

4. Ramez Elmasri, Shamkanth. B. Navathe, “Fundamentals of Database Systems”,

The Benjamin/Cummings Publishing Company Inc,1989.

5. Silberschats, Henry.F.Korth, S.Sudarshan; Database System Concepts 5th

edition McGraw-Hill;2005

6.http://searchsecurity.techtarget.com/definition/graphical-password

(Ref.date:2/12/2011)

7. http://www.scs.carleton.ca/~paulv/papers/esorics07-c.pdf(Ref.date:3/03/2012)

8.http://www.cups.cs.cmu.edu/soups/2005/2005proceedings/p1-wiedenbeck.pdf

(Ref.date:30/3/2012)

JCET, LAKKIDI

51


JCET, LAKKIDI

52

report purely automated graphical paswd

Documents