Three Level Security System Using Image Based Authentication
Engineering Project of Venkata Krishna
1. DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS BY USING PERSUASIVE CLICK POINTS
1
DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
CHAPTER 1
INTRODUCTION
1.1 INTRODUCTION
Graphical passwords have attracted a great deal of attention over the past two decades because the primitive methods that preceded them suffered from innumerable attacks that could be mounted easily. Here we work down the taxonomy of authentication methods, starting with the most common computer authentication method, text passwords. Despite their known vulnerabilities, users naturally prefer short passwords for ease of remembrance, and they are largely unaware of how attackers operate. As a result these passwords are broken easily by intruders through simple means such as masquerading and eavesdropping, and through more aggressive ones such as dictionary attacks, shoulder surfing attacks and social engineering attacks. To mitigate the problems of traditional methods, advanced methods using graphical passwords have been proposed. The idea of graphical passwords was first described by Greg Blonder (1996). In Blonder's scheme a predetermined image is shown, and the sequence of tap regions selected on it is interpreted as the graphical password. Since then many other graphical password schemes have been proposed. The desirable quality of graphical passwords is that people remember images far better than text, which makes them the best alternative proposed so far. Interest in graphical passwords is growing rapidly because their password space is very large (practically unlimited), which gives more resistance to guessing. The major goal of this work is to reduce guessing attacks while encouraging users to select more random passwords that are difficult to guess.
Taxonomy of Authentication
In this depiction of current authentication methods, biometric authentication techniques have proved to be expensive, slow and unreliable, and hence are not preferred by many. Token based authentication offers high security, usability and accessibility compared with the others, but such systems employ knowledge based techniques to enhance security, and the current knowledge based techniques are still immature. For instance, ATM cards always go hand in hand with a PIN number.
Fig 1.1: Taxonomy of Authentication
Taxonomy of Password Authentication Techniques
So knowledge based techniques are the ones most in demand for achieving real, high security. Graphical techniques can be classified under two names: recognition based and recall based.
Summary
The rest of the project report is organized as follows. Chapters 2 to 10 provide the information about Defenses against Large Scale Online Password Guessing Attacks by using Persuasive Click Points. Chapter 2 surveys the literature that was most important in the development of this project. Chapter 3 gives the advantages and disadvantages of the existing and proposed systems and also states the problem setup of the project. Chapter 4 provides all the necessary functional and non-functional requirements of the system. Chapter 5 discusses the architecture of the system and the modules implemented in it. The design of the system, with all the necessary UML diagrams, is explained in Chapter 6. The pseudo code is discussed in Chapter 7. Finally, the testing done with all possible test cases is described in Chapter 8. The conclusion and the references follow in Chapters 9 and 10 respectively.
CHAPTER 2
LITERATURE SURVEY
2.1 Graphical Password Authentication Using Cued Click Points
We propose and examine the usability and security of Cued Click Points, a cued-recall
graphical password technique. Users click on one point per image for a sequence of images. The
next image is based on the previous click-point. We present the results of an initial user study
which revealed positive results. Performance was very good in terms of speed, accuracy, and
number of errors. Users preferred CCP to PassPoints, saying they thought that selecting and
remembering only one point per image was easier, and that seeing each image triggered their
memory of where the corresponding point was located. We also suggest that CCP provides
greater security than PassPoints because the number of images increases the workload for
attackers.
2.2 Reducing Shoulder-surfing by Using Gaze-based Password Entry
Shoulder-surfing – using direct observation techniques, such as looking over someone's
shoulder, to get passwords, PINs and other sensitive personal information – is a problem that has
been difficult to overcome. When a user enters information using a keyboard, mouse, touch
screen or any traditional input device, a malicious observer may be able to acquire the user’s
password credentials. We present EyePassword, a system that mitigates the issues of shoulder
surfing via a novel approach to user input.
With EyePassword, a user enters sensitive input by selecting from an on-screen keyboard
using only the orientation of their pupils, making eavesdropping by a malicious observer largely
impractical. We present a number of design choices and discuss their effect on usability and
security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our
approach. Our results demonstrate that gaze-based password entry requires marginal additional
time over using a keyboard, error rates are similar to those of using a keyboard and subjects
preferred the gaze-based password entry approach over traditional methods.
2.3 Deja vu: A User Study Using Images for Authentication
Current secure systems suffer because they neglect the importance of human factors in
security. We address a fundamental weakness of knowledge-based authentication schemes,
which is the human limitation to remember secure passwords. Our approach to improve the
security of these systems relies on recognition-based, rather than recall-based authentication. We
examine the requirements of a recognition-based authentication system and propose Deja Vu,
which authenticates a user through her ability to recognize previously seen images. Deja Vu is
more reliable and easier to use than traditional recall-based schemes, which require the user to
precisely recall passwords or PINs. Furthermore, it has the advantage that it prevents users from
choosing weak passwords and makes it difficult to write down or share passwords with others.
2.4 Image Based Registration and Authentication System
Security-sensitive environments protect their resources against unauthorized access by
enforcing access control mechanisms. Text based passwords are not secure enough for such
applications. User authentication can be improved by using both text passwords and structured
images. Our image based registration and authentication system is called IBRAS. The system
developed displays an image or set of images to the user, who would then select one to identify
them. The system uses such image based passwords and integrates image registration and
notification interfaces. Image registration enables users to have their favorite image. The paper
will describe our experience and future work.
2.5 User interface design affects security: Patterns in click-based graphical passwords
Design of the user interface influences users and may encourage either secure or insecure behavior. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Surprisingly, these patterns occur independently of the background image. Conversely, CCP and PCCP passwords are nearly indistinguishable from those of a random dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) secure user behavior.
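The pattern analysis this study describes can be reproduced on a small scale. The following Python is an added example written for this report, not code from the study or from this project. It assumes a 500x500 image, 50-pixel analysis cells and a 10-pixel straight-line tolerance, and the sample passwords in it are constructed. It measures two of the effects described above: how concentrated click-points are in a few image cells (hotspots) and what share of passwords form straight lines, which is how a deployment can check whether its users' click-points look like PassPoints-style choices or like the near-random PCCP choices.

```python
"""Measure hotspot clustering and straight-line patterns in click-point passwords.

Added example for this report, not code from the report or from the cited studies.
Assumptions: a 500x500 image, 50-pixel analysis cells, a 10-pixel line tolerance,
and the constructed sample passwords below.
"""
import math
from collections import Counter

CELL = 50         # assumed side of one analysis cell, in pixels
LINE_TOL = 10.0   # assumed max distance (px) of an interior click from the line


def cell_of(point, cell=CELL):
    """Map a click (x, y) to the analysis cell that contains it."""
    x, y = point
    return (x // cell, y // cell)


def hotspot_concentration(passwords, top_k=3, cell=CELL):
    """Fraction of all click-points that fall in the top_k most popular cells.

    Points spread over the image give a low value; shared hotspots give a high one.
    """
    counts = Counter(cell_of(p, cell) for pw in passwords for p in pw)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in counts.most_common(top_k)) / total


def follows_line(points, tol=LINE_TOL):
    """True if every interior click lies within tol px of the line through the
    first and last click, i.e. the password forms a straight-line pattern."""
    if len(points) < 3:
        return False
    (x0, y0), (x1, y1) = points[0], points[-1]
    dx, dy = x1 - x0, y1 - y0
    length = math.hypot(dx, dy)
    if length == 0:
        return False
    for x, y in points[1:-1]:
        # perpendicular distance from (x, y) to the line through the endpoints
        if abs(dy * (x - x0) - dx * (y - y0)) / length > tol:
            return False
    return True


def pattern_report(passwords, top_k=3):
    """Summarise a set of passwords: hotspot share and share of straight-line passwords."""
    if not passwords:
        return {"hotspot_concentration": 0.0, "straight_line_fraction": 0.0}
    lines = sum(1 for pw in passwords if follows_line(pw))
    return {
        "hotspot_concentration": hotspot_concentration(passwords, top_k),
        "straight_line_fraction": lines / len(passwords),
    }


# Constructed samples (not real user data). CLUSTERED mimics PassPoints-style
# choices: the same few cells and horizontal lines. SPREAD mimics PCCP-style
# choices with every click in a different cell.
CLUSTERED = [
    [(20, 20), (120, 20), (220, 20), (320, 20), (420, 20)],
    [(25, 22), (125, 18), (225, 25), (325, 20), (425, 19)],
    [(30, 30), (130, 30), (230, 30), (330, 30), (430, 30)],
    [(15, 15), (115, 15), (215, 15), (315, 15), (415, 15)],
]
SPREAD = [
    [(10, 300), (460, 40), (200, 170), (330, 420), (90, 90)],
    [(400, 300), (60, 450), (250, 60), (140, 360), (480, 200)],
    [(300, 100), (20, 220), (370, 30), (180, 480), (440, 390)],
    [(110, 140), (260, 330), (490, 480), (30, 10), (350, 250)],
]

if __name__ == "__main__":
    print("clustered:", pattern_report(CLUSTERED))
    print("spread:   ", pattern_report(SPREAD))
```

On the constructed data the clustered set puts 60% of all clicks into three cells and every password is a straight line, while the spread set scores 15% and none; the cell size and line tolerance are the knobs an evaluator would tune to the image resolution in use.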
CHAPTER 3
PROBLEM DEFINITION
3.1 EXISTING SYSTEM
In the existing system, passwords are mostly text based, so they can be broken by intruders through masquerading, brute force attacks, dictionary attacks and so on. Some existing applications use graphical passwords, but their major drawback is the larger memory space they require, and some are prone to shoulder surfing attacks. In Cued Click Points the user has to select a click-point in each of five different images in sequence, where each image depends on the previous click-point. The drawback of this concept is that it is difficult to remember the click-points across different images.
Disadvantages
Although PassPoints is relatively usable, security weaknesses make its passwords easier for attackers to predict. Hotspots are areas of the image that have a higher likelihood of being selected by users as password click-points. Attackers who gain knowledge of these hotspots through harvesting sample passwords can build attack dictionaries and guess PassPoints passwords more successfully. Users also tend to select their click-points in predictable patterns (e.g., straight lines), which can be exploited by attackers even without knowledge of the background image; indeed, purely automated attacks against PassPoints based on image processing techniques and spatial patterns are a threat.
3.2 PROBLEM STATEMENT
Usable security has unique usability challenges because the need for security often means
that standard human-computer-interaction approaches cannot be directly applied. An important
usability goal for authentication systems is to support users in selecting better passwords. Users
often create memorable passwords that are easy for attackers to guess, but strong system-
assigned passwords are difficult for users to remember.
3.3 PROPOSED SYSTEM
In the proposed system we use a click-based graphical password scheme. During password creation a small viewport is randomly positioned on the image, and users must select a click-point within it. If they are unable or unwilling to select a point in the current viewport, they may press the Shuffle button to randomly reposition it. The viewport guides users toward more random click-points, so the system encourages users to select more random passwords that are difficult to guess.
Advantages of proposed system
This systematic examination provides a comprehensive and integrated evaluation of
PCCP covering both usability and security issues, to advance understanding as is prudent before
practical deployment of new security mechanisms. Results show that PCCP is effective at
reducing hotspots (areas of the image where users are more likely to select click-points) and
avoiding patterns formed by click-points within a password, while still maintaining usability.
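The viewport and Shuffle mechanism described above, as an added example in Python (not the report's Java code). The report gives neither the image size nor the viewport size, so a 640x480 image and a 75-pixel square viewport are assumed; the simulated user who keeps shuffling toward a preferred point is also a constructed scenario. The example also includes the server-side check that a registration click actually lies inside the viewport that was shown, which the report does not state but which the persuasion depends on: without it a client could ignore the viewport and click a hotspot anyway.

```python
"""Persuasive viewport for click-point selection during registration.

Added example, not the report's own code. The report gives no image or viewport
size, so a 640x480 image and a 75-pixel square viewport are assumed here.
"""
import random

IMAGE_W, IMAGE_H = 640, 480   # assumed image size in pixels
VIEWPORT = 75                 # assumed viewport side in pixels


def seeded_rng(seed):
    """Deterministic RNG for demos and tests; a deployment should draw the
    viewport position from random.SystemRandom() instead."""
    return random.Random(seed)


def place_viewport(rng, width=IMAGE_W, height=IMAGE_H, size=VIEWPORT):
    """Return (x, y, w, h) of a viewport placed uniformly at random, fully inside the image."""
    x = rng.randrange(0, width - size + 1)
    y = rng.randrange(0, height - size + 1)
    return (x, y, size, size)


def in_viewport(point, viewport):
    """True if the click lies inside the viewport (top/left edges inclusive)."""
    x, y, w, h = viewport
    px, py = point
    return x <= px < x + w and y <= py < y + h


def viewport_fraction(width=IMAGE_W, height=IMAGE_H, size=VIEWPORT):
    """Share of the image that is clickable at any one time."""
    return (size * size) / (width * height)


def register_click(point, viewport):
    """Server-side acceptance: a registration click outside the viewport that was
    shown is rejected, so the viewport cannot be bypassed by a modified client."""
    if not in_viewport(point, viewport):
        raise ValueError("click-point %r is outside the viewport %r" % (point, viewport))
    return point


def choose_click_point(preferred, rng, max_shuffles,
                       width=IMAGE_W, height=IMAGE_H, size=VIEWPORT):
    """Simulate a user who wants to click `preferred` (for example a hotspot).

    The user presses Shuffle until the viewport covers the preferred point or the
    shuffle budget runs out, then clicks the centre of whatever viewport is shown.
    Returns (point, shuffles_used, final_viewport).
    """
    viewport = place_viewport(rng, width, height, size)
    shuffles = 0
    while not in_viewport(preferred, viewport) and shuffles < max_shuffles:
        viewport = place_viewport(rng, width, height, size)   # the Shuffle button
        shuffles += 1
    if in_viewport(preferred, viewport):
        point = preferred
    else:
        x, y, w, h = viewport
        point = (x + w // 2, y + h // 2)
    return register_click(point, viewport), shuffles, viewport


if __name__ == "__main__":
    rng = seeded_rng(2024)   # fixed seed so the demo is reproducible
    print("clickable share per viewport: %.3f" % viewport_fraction())
    for budget in (0, 5, 50):
        point, used, vp = choose_click_point((320, 240), rng, budget)
        print("budget %2d: clicked %s after %d shuffles (viewport %s)" % (budget, point, used, vp))
```

With these sizes only about 1.8% of the image is clickable per viewport, so a user who insists on a particular hotspot has to shuffle many times, which is the effort the scheme relies on to push users toward the random position instead.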
CHAPTER 4
SYSTEM ANALYSIS AND REQUIREMENTS
4.1 SOFTWARE REQUIREMENTS
o Operating System : Windows XP/7/8
o Application Server : NETBEANS
o Front End : JAVA, Swings
o Database : MYSQL
o Database Connectivity : JDBC
4.2 HARDWARE REQUIREMENTS
o Processor - Pentium III, Intel, AMD
o Speed - 1.1 GHz
o RAM - 256 MB (min)
o Hard Disk - 20 GB (min)
4.3 FUNCTIONAL REQUIREMENTS
1. It provides a provision for the user to register.
2. It provides a provision for the user to select an image.
3. It provides a provision for the user to generate a graphical password from the selected image.
4. It provides a provision for the user to compare the graphical password with the input image for login.
5. It provides a provision for the user to log in.
6. It provides a provision for the user to compare the graphical password with the input image in order to make transactions.
7. It provides a provision for the user to make transactions.
8. It provides a provision for the user to deposit.
9. It provides a provision for the user to withdraw.
10. It provides a provision for the user to view transaction reports.
4.4 NON-FUNCTIONAL REQUIREMENTS
Non-Functional requirements describe user-visible aspects of the system that are not
directly related to functionality of the system.
a) User Interface
A menu interface has been provided to the client to be user friendly.
b) Documentation
The client is provided with an introductory help about the client interface and the
user documentation has been developed through help hyperlink.
c) Performance Constraints
Requests should be processed without noticeable delay.
Users must be authenticated before they can access the requested data.
d) Error Handling and Extreme Conditions
In case of a user error, the system should display a meaningful error message so that the user can correct the error.
The high level components of the proposed system should handle the exceptions that occur while connecting to the database server, I/O exceptions, etc.
e) Quality Issues
Quality issues concern how reliable, available and robust the system should be. While developing the proposed system the developer must be able to guarantee the reliability of transactions, so that they are processed completely and accurately. The ability of the system to detect failures and recover from them is its availability. Robustness refers to the capability of the system to provide information when concurrent users request it.
f) Acceptance Criteria
The developer will have to demonstrate to the user that the system works by testing it with suitable test cases so that all conditions are satisfied.
4.5 FEASIBILITY STUDY
Three key considerations involved in the feasibility analysis are
Technical Feasibility
Economical Feasibility
Operational Feasibility
i) Technical Feasibility
The developed system has modest requirements, as only minimal or no changes are required to implement it; all the technical aspects are already available.
ii) Economical Feasibility
The developed system is well within budget, which was achieved because most of the technologies used are freely available; only the customized products had to be purchased.
iii) Social Feasibility
The user's level of confidence must be raised so that he is also able to offer constructive criticism, which is welcomed, as he is the final user of the system.
4.6 Use Case Analysis:
Fig 4.1: Use Case Diagram for Persuasive click point
Use Case Description
In this diagram the user must first register by giving his details and then create the graphical password from an image.
If the user is already registered, he browses the image and gives the x,y values as the password for login.
The image is compared to verify the graphical password.
[Fig 4.1 residue: actor "user"; use cases: register new user, login, browse an image, create graphical password from image, compare image for graphical password, credit, debit, transaction history]
If the user is a valid user then the transaction can be done like credit, debit,
transaction history.
Use Case Description Table

Use case: 1. REGISTRATION
Actor: USER
Steps: 1. Press Registration. 2. Enter the details of the user.
Description: After completing registration, all the details of the user are saved in the database.

Use case: 2. CREATE GRAPHICAL PASSWORD FROM IMAGE
Actor: USER
Steps: 1. Press Create Password. 2. Enter the required X and Y co-ordinates.
Description: After the co-ordinates are entered, the corresponding values are stored in the database.

Use case: 3. BROWSE AN IMAGE
Actor: USER
Steps: 1. Select an image from the image database. 2. Set the co-ordinate values.
Description: After browsing the image, the corresponding co-ordinate values of the image are stored in the database.

Use case: 4. LOGIN
Actor: USER
Steps: 1. Press Login. 2. Enter the username and password.
Description: After the username and password are entered, the admin checks them against the username and password in the database. If they are the same, the login is successful.

Use case: 5. COMPARE IMAGE FOR GRAPHICAL PASSWORD
Actor: ADMIN
Steps: 1. The admin collects all details of the password. 2. The admin compares the user's password with the actual values of the image co-ordinates.
Description: After comparing the graphical password, if the values are the same, the login is successful.

Use case: 6. CREDIT
Actor: USER
Steps: 1. Press the Credit button. 2. Enter the credit details.
Description: After all the credit details are entered, the transaction is completed successfully.

Use case: 7. DEBIT
Actor: USER
Steps: 1. Select Debit. 2. Enter the amount to be withdrawn.
Description: After completing the debit, the amount is withdrawn successfully.

Table 4.1: Use Case Analysis
CHAPTER 5
SYSTEM ARCHITECTURE
5.1 SYSTEM ARCHITECTURE DESCRIPTION
The project concerns user authentication to the system with an implementation of persuasive click points. First, every user has to register; the graphical password is then given as the input to the login process. The two images are compared to authenticate the user to the system. If any error occurs the user must log in again; if there are no errors, the transaction management module displays the transaction details.
Fig 5.1: System Architecture
5.2 MODULES
The system architecture consists of four modules, namely:
i. Registration
ii. Password Creation
iii. User Login
iv. Transaction management
i. Registration
In the Registration module the user enters all his details, such as name, address, mobile number and email address. After the details are entered they are stored in the user database.
These details are used for authentication in the login process, so they are very important for the further steps and are stored securely in the user database.
During registration the user also has to choose his username.
ii. Password Creation
In this module the user creates his own password with the help of any image in the image database. The password is created from the X and Y co-ordinates of the window, i.e. the (X, Y) values are set on the picture.
These co-ordinate values are stored in the admin database. The number of possible passwords depends on the size of the window, that is, on the number of possible co-ordinate values, so guessing by an unauthorized user is very difficult while the password remains easy for the authorized party to remember.
iii. User Login
In this module the user logs in to the system. The admin asks for the username and password, and the user enters the username and the graphical password, i.e. the co-ordinate values.
After the username and password are entered, the admin checks them against the username and password in the database.
If both are the same, the user is logged in to the system successfully; otherwise the user is sent to the Registration process.
iv. Transaction Management
In the Transaction Management module we test whether the system works properly. Here the system is linked with banking transactions.
The user can credit money with the help of our system and also debit money successfully.
CHAPTER 6
SYSTEM DESIGN
6.1 CLASS DIAGRAM
Fig 6.1: Class diagram
Description of Class Diagram
The class diagram mainly consists of User Register, Image Process and Data Check.
In user registration, the login process verifies whether the details are correct; if the details given are invalid the user must re-enter valid details, after which the image is compared and tested.
In Image Process, the pixel values are taken when the password is created, and those pixel values are used to retrieve data from the database.
In Data Check, the data is verified, that is, whether the intensity values at the co-ordinates are equal or not.
6.2 SEQUENCE DIAGRAM
Fig 6.2: Sequence Diagrams for User Registration
[Fig 6.2 residue: lifelines user, user interface, registration, insert image, create password, database, message box; messages 1: user register(), 1.1: enter user details(), 1.1.1: check user registration(), 1.1.1.1: create password(), 1.1.1.1.1: store data(), 1.1.1.1.1.1: return status(), 1.1.1.1.1.1.1: display message]
Description of Sequence Diagram for User Registration
The user needs to enter his details, which are then checked internally.
Then the user creates the password by giving an image as input.
Then the password and the details are stored in the database.
Whenever any details are requested from the database, the status is returned to the user and displayed as a message.
Sequence Diagrams for User Login
Fig. 6.3: Sequence Diagrams for User Login
[Fig 6.3 residue: lifelines user, user interface (ui), login, login management, compare graphical password, check data, message box; messages 1.1: login(), 1.2: enter login details(), 1.3: send data(), 1.4: input image(), 1.5: send user data, check data, return status, 1.7: display message(), 1.8: display message()]
Description of Sequence Diagram for User Login
After registration the user must log in by entering the login details. The data is then sent to login management.
The user gives the image for comparing the graphical password, and the data is sent for verification.
After verification the result message is sent to login management and then to the message box.
The message box shows the message to the user.
6.3 COLLABORATION DIAGRAM
Fig 6.4 Collaboration Diagrams for User Registration
[Fig 6.4 residue: objects user, user interface, Registration, insert mode, create pwd, database, message box; messages 1: user register(), 2: Enter user details, 3: check user registration, 4: create pwd, 5: store data, 6: return status, 7: display message]
Description of Collaboration Diagram for User Registration
The user needs to enter his details, which are then checked internally.
Then the user creates the password by giving an image as input.
Then the password and the details are stored in the database.
Whenever any details are requested from the database, the status is returned to the user and displayed as a message.
Collaboration Diagrams for User Login
Fig 6.5: Collaboration Diagrams for User Login
Description of Collaboration Diagram for User Login:
After registration the user must log in by entering the login details. The data is then sent to login management.
The user gives the image for comparing the graphical password, and the data is sent for verification.
[Fig 6.5 residue: objects user, user interface, login, login management, compare graphical pwd, check data, message box; messages 1: login(), 2: enter login details, 3: send data, 4: input data, 5: send user data, 6: check data, 7: return status, 8: display message, 9: display message]
After verification the result message is sent to login management and then to the message box.
The message box shows the message to the user.
6.4 ACTIVITY DIAGRAM
Fig 6.6: Activity Diagram of Persuasive click points
Description of Activity Diagram
First the user must log in by giving his details.
If the details are invalid the login fails and the user must re-enter the details.
If the details are valid the login succeeds and the user can carry out transactions.
[Fig 6.6 residue: states User Login, Enter User Details, Login Failure (invalid details), Login Successfully (valid details), User Transactions, logout]
6.5 STATE CHART DIAGRAM
State Chart diagram for User Login
Fig 6.7: State Chart diagram for User Login
[Fig 6.7 residue: states user registration, enter user details, create graphical password, login, transactions (deposit, withdraw), logout]
Description of State Chart diagram for User Login
First the user must register by giving his details and then create the graphical password from an image.
If the user is already registered, he browses the image and gives the x,y values as the password for login.
The image is compared to verify the graphical password.
If the user is valid, transactions such as credit, debit and transaction history can be carried out.
State chart diagram for login:
Fig 6.8: State chart diagram for login
[Fig 6.8 residue: states user login, enter user details, login successfully (valid details), login failure (invalid details), user transactions, logout]
Description of State Chart diagram for login
First the user must log in by giving his details.
If the details are invalid the login fails and the user must re-enter the details.
If the details are valid the login succeeds and the user can carry out transactions.
6.6 COMPONENT DIAGRAM
Fig 6.9: Component Diagram of Persuasive click points
Defenses against Large Scale Online Password Guessing Attacks by Persuasive Click Points consists of four components:
User Registration
Graphical Password
Login Management
Transactions Management
[Fig 6.9 residue: component "Defence against online password guessing attacks by using persuasive click points" containing USER REGISTRATION, GRAPHICAL PASSWORD, LOGIN MANAGEMENT and TRANSACTION MANAGEMENT]
6.7 DEPLOYMENT DIAGRAM
Fig 6.10: Deployment Diagram of Persuasive click points
Description of Deployment Diagram:
The deployment diagram consists of the following objects.
User Interface
Defense against large scale online password guessing attack by using Persuasive click points.
o Swings
o JDK1.6
Database
o My Sql
o image
In this system the user initially interacts with the Defense against large scale online password guessing system. Swing and JDK 1.6 are sub-parts of this system, and it is linked with the database, which consists of the MySQL and image databases.
[Fig 6.10 residue: nodes user interface, Defence against large scale online password guessing..., SWINGS, JDK1.6, DATABASE, MYSQL, IMAGE]
6.8 ER DIAGRAM
Fig 6.11: ER Diagram of Persuasive click points
Explanation for ER Diagram
The database is designed keeping in mind all the functional requirements of the system. Every entity in an ER diagram has several attributes. Here New User and Pixel are the entities, and there is a relation between them.
The New User entity has the attributes name, user name, account number, guardian, address, balance and image, and the Pixel entity has attributes such as the name of the image and the password.
[Fig 6.11 residue: entity New User (attributes Name, User Name, Image, Accno, Balance, Address, Guardian); relation "has" with cardinality 1:1; entity Pixel (attributes Name, Password, Image, Path value); entity Image (attributes Name, Path)]
DATA DICTIONARY
The database used for the system consists of five tables. The first is the user details table, in which all the details about the user are stored, and the second is the address table, which holds the address of the user. The upload data table holds the data under categories; the entire operation of the system is based on this table. The login master table handles the details of each login of the user. Finally, the Category Info table holds the type of data stored in the database.
1. New User Table

Field name   Data type   Description
User name    Varchar2    Name of the user in the login
Name         Varchar2    Name of the user
Balance      Number      Balance amount
Address      Varchar2    Address of the user
Image        Jpg         Image password
Guardian     Varchar2    Guardian to the user
Accno        number      Account number of the user

Table 6.1: New User Table

2. Pixel Table

Field name   Data type   Description
Name         Varchar2    Name of the user
Image        Jpg         Image password
Password     number      password of the user

Table 6.2: Pixel Table

3. Path value

Field name   Data type   Description
Name         Varchar2    Name of the user
Image        Jpg         Image password
Path         Varchar2    Path value

Table 6.3: Path value table
CHAPTER 7
SYSTEM IMPLEMENTATION
7.1 ALGORITHMS
Persuasive click points
The implementation of the persuasive click points algorithm is of utmost importance for
exact user authentication to happen. The algorithm for persuasive click points has two
phases: first, the registration of the password, and second, the login process.
Registration process
The user must register with the system before he can use it for secure login.
Step 1: The image which the user wants to use as his password is uploaded.
Step 2: A small viewport area is randomly positioned on the image; the user must
select a click-point within the viewport.
Step 3: If the user cannot, or is unwilling to, he may press the shuffle button to randomly
reposition the viewport.
The click points must be selected in such a way that there is less chance of including
hotspots.
Login process
After registration with the system, the user wants to enter the system to view his
personal data.
Step 1: The user uploads the image which he selected as his password image.
Step 2: The user selects the click points in the same order as during the
registration process.
Step 3: If there is any problem, the user may retry a limited number of times, or
the account is blocked; else the account is opened.
7.2 PSEUDO CODE
The main action performed in the system is to compare the image that is given as an input.
The fragment below is the body of the actionPerformed(ActionEvent ae) handler; it needs
java.io.*, java.sql.*, java.awt.image.BufferedImage, javax.imageio.ImageIO and javax.swing.*.
Image Comparison
    if (ae.getSource() == upload) {
        // Upload: store the user name, the file name and the image bytes in the pixelvalue table
        Connection connection = null;
        PreparedStatement psmnt = null;
        FileInputStream fis = null;
        String filename = filenametext.getText();
        String name = nametext.getText();
        String password = passwordtext.getText();
        try {
            Class.forName("com.mysql.jdbc.Driver");
            // Credentials are hard-coded (root with an empty password); they belong in configuration, not in source
            connection = DriverManager.getConnection("jdbc:mysql://localhost/image", "root", "");
            File image = new File(filename);
            // Parameterised insert, so the user-supplied name and file name cannot alter the SQL
            psmnt = connection.prepareStatement("insert into pixelvalue values(?,?,?)");
            psmnt.setString(1, name);
            psmnt.setString(2, filename);
            fis = new FileInputStream(image);
            psmnt.setBinaryStream(3, (InputStream) fis, (int) image.length());
            int s = psmnt.executeUpdate();   // rows inserted (1 on success)
        } catch (Exception ee) {
            ee.printStackTrace();   // the original swallowed the exception, hiding failed uploads
        } finally {
            // Release the stream, statement and connection whether or not the insert succeeded
            try { if (fis != null) fis.close(); } catch (IOException ignored) { }
            try { if (psmnt != null) psmnt.close(); } catch (SQLException ignored) { }
            try { if (connection != null) connection.close(); } catch (SQLException ignored) { }
        }
    } else if (ae.getSource() == Compare) {
        // Compare: load the image given as input and show it in the picture label
        String filename = filenametext.getText();
        try {
            File file = new File(filename);
            BufferedImage image = ImageIO.read(file);
            ImageIcon icon = new ImageIcon(image);
            picture.setIcon(icon);
        } catch (Exception ee) {
            ee.printStackTrace();
        }
    } else if (ae.getSource() == Browse) {
        // Browse: let the user pick the image file and copy its path into the file name field
        JFileChooser chooser = new JFileChooser();
        try {
            File f = new File(new File("filename.txt").getCanonicalPath());
            chooser.setSelectedFile(f);
        } catch (IOException e1) {
            e1.printStackTrace();
        }
        int retval = chooser.showOpenDialog(Browse);
        if (retval == JFileChooser.APPROVE_OPTION) {
            File field = chooser.getSelectedFile();
            filenametext.setText(field.getAbsolutePath());
        }
    } else if (ae.getSource() == viewport) {
        System.out.println("aa");   // placeholder: viewport handling is not part of this listing
    }
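The upload handler above stores the image bytes in the pixelvalue table and the compare handler only loads an image for display. As an added example that is not the project's code, the following Python keeps the same three columns (the column names name, filename and image are assumed, since the report does not give them) in an SQLite table instead of the report's MySQL one, adds a SHA-256 digest, inserts through parameterised queries, and answers the comparison question directly, returning False for an unknown user instead of raising.

```python
import hashlib
import hmac
import sqlite3

# Assumed schema: the report's pixelvalue table has three columns; the names and the
# extra digest column are constructed for this example.
SCHEMA = """
CREATE TABLE IF NOT EXISTS pixelvalue (
    name     TEXT PRIMARY KEY,
    filename TEXT NOT NULL,
    image    BLOB NOT NULL,
    digest   BLOB NOT NULL
)
"""


def open_db(path=":memory:"):
    """Open (or create) the database; the default keeps it in memory so the example runs offline."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def store_image(conn, name, filename, image_bytes):
    """Upload: parameterised insert of the user name, file name, image bytes and their digest.
    Returns the digest so a caller can log or display it."""
    digest = hashlib.sha256(image_bytes).digest()
    with conn:  # commits on success, rolls back on error
        conn.execute(
            "INSERT OR REPLACE INTO pixelvalue (name, filename, image, digest) VALUES (?, ?, ?, ?)",
            (name, filename, image_bytes, digest),
        )
    return digest


def load_image(conn, name):
    """Return (filename, image_bytes) for display, or None if the user has no stored image."""
    row = conn.execute(
        "SELECT filename, image FROM pixelvalue WHERE name = ?", (name,)
    ).fetchone()
    return None if row is None else (row[0], bytes(row[1]))


def compare_image(conn, name, uploaded_bytes):
    """Compare: True only if the uploaded bytes hash to the stored digest for this user.
    An unknown user yields False rather than an exception; the digest comparison is constant-time."""
    row = conn.execute("SELECT digest FROM pixelvalue WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(bytes(row[0]), hashlib.sha256(uploaded_bytes).digest())
```

Comparing digests rather than raw byte strings keeps the check independent of image size, and the parameterised statements mirror the PreparedStatement used in the Java handler.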
CHAPTER 8
TESTING
8.1 Test Cases
Test case 1
Input: The details of the User
Expected Output: The successful registration
Observed Output: same as expected as shown in the Fig 8.1
Fig 8.1: User registration form
Test case 2
Input: The Image which is to be used as password and click points
Expected Output: The successful creation of password
Observed Output: same as expected as shown in the Fig 8.2
Fig 8.2: Graphical Password Creation of User
Test case 3
Input: The Image used as a password and click points
Expected Output: unsuccessful login
Observed Output: same as expected as shown in the Fig 8.3
Fig.8.3: Graphical password given is wrong
Test case 4
Input: The Image used as a password and click points
Expected Output: successful login
Observed Output: same as expected as shown in the Fig 8.4
Fig 8.4: Authentication of the User using image password
Test Cases Report
Test Case ID | Test Case | Procedure | Expected behavior | Observed behavior | Result
1 | User to register. | User has to select the ‘New User’ option and enter the details of the user. | User has to be registered if the entered details are true, else an error message is returned. | New user is registered. | Pass
2 | User to insert an image. | User has to select the Browse option and select the required image as input. | User has to browse an image. | User selected an image. | Pass
3 | User to create a graphical password. | User has to select the ‘Create Password’ option and browse a graphical image to create the graphical password. | User has to create a graphical password. | User created a graphical password. | Pass
4 | User to compare images. | User has to select an image as input to compare with the graphical password for a match. | User has to insert an image. | User inserted an image. | Pass
5 | User to log in. | User has to select the ‘Registered User’ option and enter the login details. | User has to be logged in if the entered login details are true, else an error message is displayed. | User is logged in. | Pass
6 | User to deposit. | User has to select the ‘Deposit’ option and transact the amount. | The amount has to be deposited. | The amount was deposited. | Pass
7 | User to withdraw. | User has to select the ‘Withdrawal’ option and transact the amount. | The amount has to be withdrawn. | The amount was withdrawn. | Pass
8 | User to view transaction reports. | User has to select ‘Transaction Report’ and enter the password details. | User has to view the transaction reports if the entered details are true, else an error message is returned. | User viewed the transaction reports. | Pass
Table 8.1: Test Case Report
CHAPTER 9
CONCLUSION
A major advantage of the Persuasive Cued Click Point scheme is its large password space
over alphanumeric passwords. There is a growing interest in graphical passwords since they are
better than text-based passwords, although the main argument for graphical passwords is that people
are better at memorizing graphical passwords than text-based passwords. Online password
guessing attacks on password-only systems have been observed for decades. Present-day
attackers targeting such systems are empowered by having control of thousand- to million-node
botnets.
In previous ATT-based login protocols, there exists a security-usability trade-off with
respect to the number of free failed login attempts (i.e., with no ATTs) versus user login
convenience (e.g., fewer ATTs and other requirements). In contrast, PGRP is more restrictive
against brute force and dictionary attacks while safely allowing a large number of free failed
attempts for legitimate users. PGRP is apparently more effective in preventing password
guessing attacks (without answering ATT challenges), and it also offers a more convenient login
experience, e.g., fewer ATT challenges for legitimate users. PGRP appears suitable for
organizations with both small and large numbers of user accounts.
FUTURE ENHANCEMENT
A major advantage of the Persuasive Cued Click Point scheme is its large password
space over alphanumeric passwords. There is a growing interest in graphical passwords
since they are better than text-based passwords, although the main argument for graphical
passwords is that people are better at memorizing graphical passwords than text-based
passwords. Online password guessing attacks on password-only systems have been observed
for decades. Present-day attackers targeting such systems are empowered by having control
of thousand- to million-node botnets. In previous ATT-based login protocols, there exists a
security-usability trade-off with respect to the number of free failed login attempts (i.e., with no
ATTs) versus user login convenience (e.g., fewer ATTs and other requirements). In contrast,
PGRP is more restrictive against brute force and dictionary attacks while safely allowing a large
number of free failed attempts for legitimate users. PGRP is apparently more effective in
preventing password guessing attacks (without answering ATT challenges), and it also offers a
more convenient login experience, e.g., fewer ATT challenges for legitimate users. PGRP
appears suitable for organizations with both small and large numbers of user accounts.
CHAPTER 10
REFERENCES & BIBLIOGRAPHY
REFERENCES
[1] Sonia Chiasson, P.C. van Oorschot, and Robert Biddle, "Graphical Password Authentication
Using Cued Click Points," ESORICS 2007, LNCS 4734, pp. 359-374, Springer-Verlag Berlin
Heidelberg, 2007.
[2] Zhi Li, Qibin Sun, Yong Lian, and D. D. Giusto, "An association-based graphical password
design resistant to shoulder surfing attack," International Conference on Multimedia and Expo
(ICME), IEEE, 2005.
[3] R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in
Proceedings of the 9th USENIX Security Symposium, 2000.
[4] S. Akula and V. Devisetty, "Image Based Registration and Authentication System," in
Proceedings of the Midwest Instruction and Computing Symposium, 2004.
[5] L. Sobrado and J.-C. Birget, "Graphical passwords," The Rutgers Scholar, An Electronic
Bulletin for Undergraduate Research, vol. 4, 2002.
[6] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The Design and Analysis
of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999.
BIBLIOGRAPHY
1. www.javatpoint.com/corejava
2. www.mysql.com
3. www.w3schools.in
4. www.wikepedia.com
5. www.google.com
APPENDIX-A
OUTPUT SCREENS
Fig A.1: User Interface to Apply Graphical Password on Banking Application
Fig A.3: Graphical Password Creation of User
Fig A.4: Authentication of the User using image password.