
SECURITY ANALYSIS AND IMPLEMENTATIONS OF 3-LEVEL SECURITY SYSTEM USING IMAGE BASED AUTHENTICATION
The Project report submitted in partial fulfillment
of the requirements for the award of

BACHELOR OF TECHNOLOGY
IN
INFORMATION TECHNOLOGY
By

K.UDAY KUMAR       09241A12B4
B.RAJASEKHAR       09241A1297
K.SAICHARAN        09241A12A4
D.VENKATA REDDY    09241A12B5

Under the Esteemed Guidance of


V.Padma
(Associate Professor)

DEPARTMENT OF INFORMATION TECHNOLOGY


GOKARAJU RANGARAJU INSTITUTE OF ENGINEERING AND TECHNOLOGY
HYDERABAD

2013

CERTIFICATE
This is to certify that it is a bonafide record of Project work entitled SECURITY ANALYSIS
AND IMPLEMENTATION OF 3-LEVEL SECURITY USING IMAGE BASED AUTHENTICATION done by
K.UDAY KUMAR (09241A12B4), B.RAJASEKHAR (09241A1297), K.SAICHARAN (09241A1A4) and
D.VENKATA REDDY (09241A12B5), students of B.Tech(IT) in the Department of Information
Technology, Gokaraju Rangaraju Institute of Engineering and Technology during the period
2012-2013 in the partial fulfillment of the requirements for the award of degree of B.Tech in
Information Technology. This work is not submitted to any other university for the award of
any Degree/Diploma.

Assoc prof. V.Padma


Project Guide
Department of IT
GRIET, HYDERABAD

Dr. T.V.Rajini Kanth


Head of the Department
Department of IT
GRIET, HYDERABAD

External Examiner

ACKNOWLEDGEMENT

We wish to express our deep gratitude to our guide V.Padma, Associate professor in the
Department of Information Technology, for all the advice, encouragement and constant support
he has given us throughout our project work. This work would not have been possible without
his support and valuable suggestions.

We are grateful to Dr. T.V.Rajini Kanth, Head of the Department of Information


Technology and the Members of Project Review Committee for their valuable suggestions.
We are also grateful to Dr. Jandhyala N.Murty, Principal and Prof P.S.Raju, Director of
GRIET for giving us the necessary facilities to carry out our project work successfully.
We would like to thank all our friends for their help and constructive criticism during our
project work.

K.UDAY KUMAR       09241A12B4
B.RAJASEKHAR       09241A1297
K.SAICHARAN        09241A12A4
D.VENKATA REDDY    09241A12B5

ABSTRACT
Increasing security has always been an issue since the Internet and Web development came into
existence; text-based passwords are not enough to counter such problems, and are by now an
anachronistic approach. Therefore something more secure, yet still user-friendly, is needed. We
have tried to increase security through a 3-level security approach, involving a text-based
password at Level 1, Image Based Authentication (IBA) at Level 2, and an automatically generated
one-time password (received through an automated email to the authentic user) at Level 3. An
assiduous effort has been made to thwart shoulder-surfing attacks, Tempest attacks and client-side
brute-force attacks through the use of a unique image set in the IBA system.

Authentication plays a crucial role in protecting resources against unauthorized and illegal
use. Authentication processes may vary from simple password-based authentication systems to
costly and computation-intensive authentication systems. Passwords are more than just a key.
They serve several purposes. They ensure our privacy, keeping our sensitive information secure.
Passwords authenticate us to a machine to prove our identity: a secret key that only we should
know. They also enforce non-repudiation, preventing us from later rejecting the validity of
transactions authenticated with our passwords. Our username identifies us and the password
validates us. But passwords have some weaknesses: more than one person can possess their
knowledge at one time. Moreover, there is a constant threat of losing your password to someone
else with venomous intent.

Password thefts can and do happen on a daily basis, so we need to defend against them.
Merely using some random letters grouped together with special characters no longer assures
safety. We need something esoteric, something different, yet user-friendly, as our password
to make it secure. This paper is a unique and esoteric study of using images as a password, and
of the implementation of an extremely secure system employing three levels of security (text
password, image password, and one-time automatically generated password). This unique,
user-friendly system, named 3-Level Security, can be employed in any organization for storing
crucial and confidential documents, and ensures security through its three levels: firstly
through a text password, secondly through an image-based password, and thirdly through a
one-time automated password.

CONTENTS

CHAPTER 1: INTRODUCTION
1.1 Security Analysis and Implementation of 3-Level Security
1.2 Existing System
1.3 Proposed System
1.4 Hardware Used
1.5 Software Used

CHAPTER 2: LITERATURE SURVEY
2.1 Sharing the Data Center Network
2.2 Comparison of Three Schedulers of CPU in Xen
2.3 CloudCmp
2.4 Impact of Virtualisation on Computer Network
2.5 Data Flow Diagrams

CHAPTER 3: MODULES
3.1 Registration
3.2 Text Based Authentication
3.3 Image Based Authentication
3.4 Opass Authentication
3.5 Security
3.6 Authentication

CHAPTER 4: JSP
4.1 Introduction
4.2 Architecture of JSP
4.3 Servlets

CHAPTER 5: JAVA BEANS
5.1 Introduction
5.2 Visualisation of Textual Password
5.3 Attacks against Textual Passwords

CHAPTER 6: TESTING
6.1 Functional Testing
6.2 Validation Testing
6.3 System Testing
6.4 Structure Testing
6.5 Output Testing
6.6 User Acceptance
6.7 Feasibility Study
6.8 Technical Study
6.9 Operational Study
6.10 Economical Study

CHAPTER 7: SOURCE CODE

CHAPTER 8: RESULTS AND ANALYSIS

CHAPTER 9: CONCLUSION AND FUTURE WORK

REFERENCES
LIST OF FIGURES

1.1  Architecture Diagram
2.1  DFD Level-0
2.2  DFD Level-1
2.3  DFD Level-2
2.4  UML Diagrams
2.5  Class Diagram
2.6  Sequence Diagram
2.7  Collaboration Diagram
2.8  Activity Diagram
8.1  Home Page
8.2  Registration Page 1
8.3  Registration Page 2
8.4  Registration Grid 1
8.5  Registration Grid 2
8.6  Registration Grid 3
8.7  Success Page
8.8  Login Page
8.9  One Time Password
8.10 Successful Home Page
8.11 Griet Home Page

CHAPTER-1
INTRODUCTION
1.1 Security Analysis and Implementation of 3-Level Security System Using
Image Based Authentication
Objective
The 3-Level Security System is designed purely with security in mind. It is definitely a
time-consuming approach, as the user has to traverse three levels of security, and will need
to refer to his email-id for the automatically generated one-time password.

1.2 Existing System:

• Nowadays many hackers break into our accounts and share all the details or collect the
documents.
• Hackers mostly go after our bank details, office details and personal mail. Many security
measures are in use today, but most of them fail in practice,
• because every one of these applications offers some easy way to break in.
• Our username identifies us and the password validates us. But passwords have some
weaknesses: more than one person can possess their knowledge at one time. Moreover,
there is a constant threat of losing your password to someone else with venomous intent.

Disadvantages:
• Any hacker, in the extreme case, may cross through the two security levels mentioned
above.
• Man-in-the-middle attacks and dictionary attacks are possible.

1.3 Proposed System:

This unique and user-friendly 3-Level Security System involves three levels of security,
where each level must be passed in order to proceed to the next.
• Level 1: security is imposed using a text-based password (with special characters), which
is the usual, and by now anachronistic, approach.
• Level 2: security is imposed using Image Based Authentication (IBA), where the user is
asked to select one of two difficulty levels. Both levels present three unique image grids,
from which the user has to select three images, one from each grid.
• Level 3: after successful clearance of the above two levels, the 3-Level Security System
generates a one-time numeric password that is valid just for that login session. The
authentic user is informed of this one-time password at his registered email-id.
Any hacker who, in the extreme case (although difficult), crosses the above two security
levels will definitely not be able to cross the third security level, unless he has access to
the original user's email-id.

Advantages:

This system is built purely for security, and can be used wherever security is needed.

Hackers cannot break the security easily, because the three levels reinforce one another.

Any hacker who, in the extreme case (although difficult), crosses the above two security
levels will definitely not be able to cross the third security level, unless he has access to
the original user's email-id.

The user will be authenticated as an authentic user, and awarded access to the stored
information, only after crossing the three security levels (Security level 1 - Text
password, Security level 2 - Image Based password, and Security level 3 - One-Time
Automated password).

1.4 Hardware Used

• Main Processor : Above 2 GHz
• RAM            : 512 MB
• Hard Disk      : 80 GB
• Platform       : Windows 8

1.5 Software Used

• Language : JAVA, Swing
• Database : MySQL

Architecture Diagram:

FIG 1.1 Architecture diagram (image not reproduced; components: User, Text based
authentication, Image based authentication, Email authentication, Login to system)

CHAPTER-2
LITERATURE SURVEY

2.1 SHARING THE DATA CENTER NETWORK

While today's data centers are multiplexed across many non-cooperating applications, they
lack effective means to share their network. Relying on TCP's congestion control, as we show
from experiments in production data centers, opens up the network to denial of service attacks
and performance interference. We present Seawall, a network bandwidth allocation scheme that
divides network capacity based on an administrator-specified policy. Seawall computes and
enforces allocations by tunneling traffic through congestion-controlled, point-to-multipoint,
edge-to-edge tunnels.

2.2 COMPARISON OF THE THREE CPU SCHEDULERS IN XEN

The primary motivation for enterprises to adopt virtualization technologies is to create a
more agile and dynamic IT infrastructure with server consolidation, high resource utilization,
the ability to quickly add and adjust capacity on demand while lowering total cost of
ownership and responding more effectively to changing business conditions. However, effective
management of virtualized IT environments introduces new and unique requirements, such as
dynamically resizing and migrating virtual machines (VMs) in response to changing application
demands. Such capacity management methods should work in conjunction with the underlying
resource management mechanisms. However, it is not clear whether a straightforward port of
process schedulers to VM schedulers would perform just as well. We use the open source Xen
virtual machine monitor to perform a comparative evaluation of three different CPU schedulers
for virtual machines. We analyze the impact of the choice of scheduler and its parameters on
application performance, and discuss challenges in estimating the application resource
requirements in virtualized environments.

2.3 CLOUDCMP: COMPARING PUBLIC CLOUD PROVIDERS


While many public cloud providers offer pay-as-you-go computing, their varying
approaches to infrastructure, virtualization, and software services lead to a problem of plenty. To
help customers pick a cloud that fits their needs, we develop CloudCmp, a systematic comparator
of the performance and cost of cloud providers. CloudCmp measures the elastic computing,
persistent storage, and networking services offered by a cloud along metrics that directly reflect
their impact on the performance of customer applications. CloudCmp strives to ensure fairness,
representativeness, and compliance of these measurements while limiting measurement cost.
Applying CloudCmp to four cloud providers that together account for most of the cloud
customers today, we find that their offered services vary widely in performance and costs,
underscoring the need for thoughtful provider selection. From case studies on three
representative cloud applications, we show that CloudCmp can guide customers in selecting the
best-performing provider for their applications.

2.4 THE IMPACT OF VIRTUALIZATION ON NETWORK PERFORMANCE

Cloud computing services allow users to lease computing resources from large scale data
centers operated by service providers. Using cloud services, users can deploy a wide variety of
applications dynamically and on-demand. Most cloud service providers use machine
virtualization to provide flexible and cost-effective resource sharing. However, few studies have
investigated the impact of machine virtualization in the cloud on networking performance. In this
paper, we present a measurement study to characterize the impact of virtualization on the
networking performance of the Amazon Elastic Cloud Computing (EC2) data center. We
measure the processor sharing, packet delay, TCP/UDP throughput and packet loss among
Amazon EC2 virtual machines. Our results show that even though the data center network is
lightly utilized, virtualization can still cause significant throughput instability and abnormal delay
variations. We discuss the implications of our findings on several classes of applications.

2.5 Diagrams
2.5.1 Dataflow Diagrams
LEVEL 0:

FIG 2.1 LEVEL 0 (image not reproduced): User -> Open application -> Username, Text
password -> Password Authentication

LEVEL 1:

FIG 2.2 LEVEL 1 (image not reproduced): Password Authentication -> Click Correct Image ->
Image authentication

LEVEL 2:

FIG 2.3 LEVEL 2 (image not reproduced): Email pwd -> Fetch password -> Pwd

2.5.2 UML Diagrams:

Usecase Diagram:

FIG 2.4 Usecase diagram (image not reproduced): actors user and Server; use cases open
application, username & text pwd, Image authentication, email password

2.5.3 Class Diagram:

FIG 2.5 Class diagram (image not reproduced): class user (attributes request, response;
operations open application(), fetch pwd()); class Application (attributes pwd, request,
response; operations open application(), authentication())

2.5.4 Sequence Diagram:

FIG 2.6 Sequence diagram (image not reproduced): lifelines user, application,
authentication, server; messages in order:
1. request
2. application request
3. application response
4. username and text pwd
5. pwd authentication
6. Image selection
7. Image authentication
8. email pwd to user
9. pwd authentication
10. success
11. open application

2.5.5 Collaboration Diagram:

FIG 2.7 Collaboration diagram (image not reproduced): the same eleven messages exchanged
among user, application, authentication and server

2.5.6 Activity Diagram:

FIG 2.8 Activity diagram (image not reproduced): user -> open application -> username &
pwd -> Image authentication -> email password -> fetch pwd in application -> success

CHAPTER-3
MODULES

3.1 Registration Module


Registration is one of the primary modules in any data management system. A user
record management starts with registering a user with the system. Registration being a
customizable and scalable solution to user record management also requires a customizable
user registration system. Since every implementation of registration may be different on the
type of information that it may require, it is extremely important to keep the registration
module generalized in a way where it can be configured to take registration information
about a user according to the needs of the implementer.

3.2 Text Based Authentication


Security at this level is imposed using a text-based password (with special characters),
which is the usual, and by now anachronistic, approach. Security at Level 1 is ensured on
the client side by the text password, which must be entered with special characters included.
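The Level 1 check described above, written out as an added example (not code from the report): the registration side enforces the special-character rule and stores only a salted PBKDF2 hash, and the login side recomputes and compares that hash in constant time. The minimum length, the iteration count and the function names are assumptions; the report only states that special characters are required.

```python
import hashlib
import hmac
import os
import string

PBKDF2_ITERATIONS = 200_000   # assumed work factor; raise as hardware allows
SPECIAL = set(string.punctuation)


def meets_policy(password):
    """Level 1 rule from the report: the text password must contain a special
    character. The 8-character minimum is an added assumption."""
    return len(password) >= 8 and any(ch in SPECIAL for ch in password)


def enroll(password):
    """Registration: return (salt, digest) to store in the user record.
    The password itself is never stored, so a leaked table does not leak
    Level 1 secrets directly."""
    if not meets_policy(password):
        raise ValueError("password must be at least 8 characters and contain a special character")
    salt = os.urandom(16)                       # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Level 1 login check: recompute with the stored salt and compare in
    constant time so response timing does not reveal matching prefixes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enroll("Griet#2013")          # constructed sample password
    print("login ok:", verify("Griet#2013", salt, digest))
```

Because each user gets a fresh salt, two users who pick the same text password end up with different stored digests, and an attacker who obtains the table cannot attack all users with one precomputed dictionary.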

3.3 Image Based Authentication


At this level security is imposed using Image Based Authentication (IBA), where the user
is asked to select one of two difficulty levels. Both levels present three unique image grids,
from which the user has to select three images, one from each grid. The IBA security level
is thus divided into two difficulty levels.
The images to be selected from an image set:

1) should not be easily describable,

2) should be easy to remember.

The security of the system can be compromised if we do not select proper images for the
image set. We also have to keep in mind that a user should be able to remember his image
password easily. Another important aspect of the image set is how the images are arranged
when presented to a user.

We use a random display of images within an image set, i.e. within an image set the images
are arranged randomly, and their positions are in no way related to the previous image set
generated at an earlier point in time, i.e. during the previous signup or login process. By doing
this, the system protects itself from many security attacks (discussed later on), especially
from an eavesdropper looking over the user's shoulder. Keystroke logging is one of the key
attacks attempted by a hacker against password authentication systems; it is most common when
text-based passwords are used to authenticate users. The attacker observes the keystrokes of
a user and can later gain access to the system.
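The random arrangement described above, as an added example that is not the report's own code: each login gets a freshly shuffled layout from a CSPRNG, the user's clicks are mapped back to image identities through that session's layout, and verification compares identities, never cell positions, so positions memorised by an onlooker during one login do not carry over to the next. The image ids and grid sizes are constructed placeholders.

```python
import hmac
import secrets

# Constructed sample image set: three grids of nine image ids each. In the
# real system these would be the unique images of the chosen difficulty level.
GRIDS = [[f"g{g}_img{i}" for i in range(9)] for g in range(3)]


def render_grids(grids):
    """Return a fresh random arrangement of every grid for one session.

    secrets.SystemRandom draws from the OS CSPRNG, so a layout seen during an
    earlier login gives no information about where an image lands next time.
    """
    rng = secrets.SystemRandom()
    layout = []
    for grid in grids:
        shuffled = list(grid)
        rng.shuffle(shuffled)
        layout.append(shuffled)
    return layout


def positions_of(layout, chosen_ids):
    """Where the user's images sit in a given layout, as (grid, cell) pairs.
    Only the user sees this mapping; the server never stores positions."""
    return [(g, layout[g].index(img)) for g, img in enumerate(chosen_ids)]


def verify_selection(layout, clicks, enrolled_ids):
    """Translate clicked cells back to image ids via this session's layout and
    compare with the ids enrolled at registration."""
    if len(clicks) != len(enrolled_ids):
        return False
    clicked_ids = []
    for g, cell in clicks:
        if not (0 <= g < len(layout) and 0 <= cell < len(layout[g])):
            return False                      # malformed click: reject, do not crash
        clicked_ids.append(layout[g][cell])
    # Constant-time comparison of the joined ids, so timing does not reveal how
    # many of the three images were right.
    return hmac.compare_digest("|".join(clicked_ids), "|".join(enrolled_ids))


if __name__ == "__main__":
    enrolled = ["g0_img4", "g1_img7", "g2_img0"]   # constructed image password
    layout = render_grids(GRIDS)
    print("login ok:", verify_selection(layout, positions_of(layout, enrolled), enrolled))
```

A replay of the (grid, cell) positions from a previous layout only succeeds if the shuffle happens to put the same images in the same cells again, which is what makes the random display useful against shoulder surfing.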

3.4 Opass Authentication


The 3-Level Security System then generates a one-time numeric password that is valid just
for that login session. The authentic user is informed of this one-time password at his
registered email-id. Any hacker who, in the extreme case (although difficult), crosses the
above two security levels will definitely not be able to cross the third security level,
unless he has access to the original user's email-id. The user will be authenticated as an
authentic user, and awarded access to the stored information, only after crossing the three
security levels (Security level 1 - Text password, Security level 2 - Image Based password,
and Security level 3 - One-Time Automated password).
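The Level 3 code as an added example, not the report's own implementation: the one-time numeric password is generated from a CSPRNG, bound to the login session that already passed Levels 1 and 2, expires after a fixed time, is accepted once only, and is locked after a handful of wrong guesses so a six-digit code cannot simply be enumerated. The lifetime, the attempt cap, the in-memory store and the function names are assumptions; the report states only that the code is numeric, per-session and sent by e-mail.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed lifetime of a code; the report does not specify one
MAX_ATTEMPTS = 5        # assumed cap on wrong guesses per issued code

# Server-side store keyed by the login session that has passed Levels 1 and 2.
# A dict stands in for whatever persistent store the real system uses.
_pending = {}


def issue_otp(session_id, now=None):
    """Create a fresh numeric one-time code for this session and return it so
    the caller can send it to the user's registered e-mail address."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    _pending[session_id] = {
        "code": code,
        "expires": now + OTP_TTL_SECONDS,
        "used": False,
        "attempts": 0,
    }
    return code


def check_otp(session_id, submitted, now=None):
    """Accept a code only if it belongs to this session, is unexpired and
    unused, and the session has not exhausted its guesses."""
    now = time.time() if now is None else now
    entry = _pending.get(session_id)
    if entry is None or entry["used"] or entry["attempts"] >= MAX_ATTEMPTS:
        return False
    if now > entry["expires"]:
        del _pending[session_id]      # stale code: drop it so it can never be replayed
        return False
    # Constant-time comparison: the guess space of a short numeric code is
    # small, so an early-exit compare must not leak how many digits matched.
    if hmac.compare_digest(entry["code"], str(submitted)):
        entry["used"] = True          # single use: a replayed code is rejected
        return True
    entry["attempts"] += 1
    return False


if __name__ == "__main__":
    code = issue_otp("session-demo")          # would be e-mailed, not printed, in practice
    print("accepted:", check_otp("session-demo", code))
    print("replay accepted:", check_otp("session-demo", code))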

3.5 Security:
Security is the degree of protection to safeguard a nation, union of nations, persons or
person against danger, damage, loss, and crime. Security as a form of protection is structures and
processes that provide or improve security as a condition. The Institute for Security and Open
Methodologies (ISECOM) in the OSSTMM 3 defines security as "a form of protection where a
separation is created between the assets and the threat". This includes but is not limited to the
elimination of either the asset or the threat. Security as a national condition was defined in a
United Nations study (1986) so that countries can develop and progress safely.
Security has to be compared to related concepts: safety, continuity, reliability. The key
difference between security and reliability is that security must take into account the actions of
people attempting to cause destruction.

3.5.1 Different scenarios also give rise to the context in which security is maintained:

With respect to classified matter, the condition that prevents unauthorized persons from
having access to official information that is safeguarded in the interests of national
security.

Measures taken by a military unit, an activity or installation to protect itself against all
acts designed to, or which may, impair its effectiveness.

3.5.2 Security concepts:

Certain concepts recur throughout different fields of security

Assurance - assurance is the level of guarantee that a security system will behave as
expected

Countermeasure - a countermeasure is a way to stop a threat from triggering a risk event

Defense in depth - never rely on one single security measure alone

Exploit - a vulnerability that has been triggered by a threat - a risk of 1.0 (100%)

Risk - a risk is a possible event which could cause a loss

Threat - a threat is a method of triggering a risk event that is dangerous

Vulnerability - a weakness in a target that can potentially be exploited by a security threat

3.5.3 Security management in organizations:


In the corporate world, various aspects of security were historically addressed separately,
notably by distinct and often non-communicating departments for IT security, physical security,
and fraud prevention. Today there is a greater recognition of the interconnected nature of
security requirements, an approach variously known as holistic security, "all hazards"
management, and other terms.

Inciting factors in the convergence of security disciplines include the development of digital
video surveillance technologies (see Professional video over IP) and the digitization and
networking of physical control systems (see SCADA). Greater interdisciplinary cooperation is
further evidenced by the February 2005 creation of the Alliance for Enterprise Security Risk
Management, a joint venture including leading associations in security (ASIS), information
security (ISSA, the Information Systems Security Association), and IT audit (ISACA, the
Information Systems Audit and Control Association).

In 2007 the International Organisation for Standardization (ISO) released ISO 28000 - Security
Management Systems for the supply chain. Although the title mentions the supply chain, this
Standard specifies the requirements for a security management system, including those aspects
critical to security assurance for any organisation or enterprise wishing to manage the security
of the organisation and its activities. ISO 28000 is the foremost risk-based security system and
is suitable for managing both public and private regulatory security, customs and industry-based
security schemes and requirements.

3.6 Authentication:
Authentication is the act of confirming the truth of an attribute of a datum or entity. This
might involve confirming the identity of a person or software program, tracing the origins of an
artifact, or ensuring that a product is what its packaging and labeling claims to be.

3.6.1 Authentication methods:
In art, antiques, and anthropology, a common problem is verifying that a person has the said
identity, or a given artifact was produced by a certain person or was produced in a certain place
or period of history.

3.6.2 There are three types of techniques for doing this.

The first type of authentication is accepting proof of identity given by a credible person who
has evidence on the said identity, or on the originator and the object under assessment as the
originator's artifact respectively.

The second type of authentication is comparing the attributes of the object itself to what is
known about objects of that origin. For example, an art expert might look for similarities in the
style of painting, check the location and form of a signature, or compare the object to an old
photograph. An archaeologist might use carbon dating to verify the age of an artifact, do a
chemical analysis of the materials used, or compare the style of construction or decoration to
other artifacts of similar origin. The physics of sound and light, and comparison with a known
physical environment, can be used to examine the authenticity of audio recordings, photographs,
or videos.

Attribute comparison may be vulnerable to forgery. In general, it relies on the facts that
creating a forgery indistinguishable from a genuine artifact requires expert knowledge, that
mistakes are easily made, and that the amount of effort required to do so is considerably greater
than the amount of profit that can be gained from the forgery.

In art and antiques, certificates are of great importance for authenticating an object of
interest and value. Certificates can, however, also be forged, and the authentication of these
poses a problem. For instance, the son of Han van Meegeren, the well-known art-forger, forged
the work of his father and provided a certificate for its provenance as well; see the article Jacques
van Meegeren. Criminal and civil penalties for fraud, forgery, and counterfeiting can reduce the
incentive for falsification, depending on the risk of getting caught.

The third type of authentication relies on documentation or other external affirmations. For
example, the rules of evidence in criminal courts often require establishing the chain of custody
of evidence presented. This can be accomplished through a written evidence log, or by testimony
from the police detectives and forensics staff that handled it. Some antiques are accompanied by
certificates attesting to their authenticity. External records have their own problems of forgery
and perjury, and are also vulnerable to being separated from the artifact and lost.

Currency and other financial instruments commonly use the first type of authentication
method. Bills, coins, and cheques incorporate hard-to-duplicate physical features, such as fine
printing or engraving, distinctive feel, watermarks, and holographic imagery, which are easy for
receivers to verify.

Consumer goods such as pharmaceuticals, perfume and fashion clothing can use either type of
authentication method to prevent counterfeit goods from taking advantage of a popular brand's
reputation (damaging the brand owner's sales and reputation). A trademark is a legally protected
marking or other identifying feature which aids consumers in the identification of genuine
brand-name goods.

CHAPTER-4
JSP
4.1 Introduction
Java Server Pages (JSP) is a Java technology that allows software developers to dynamically
generate HTML, XML or other types of documents in response to a Web client request. The
technology allows Java code and certain pre-defined actions to be embedded into static content.

The JSP syntax adds additional XML-like tags, called JSP actions, to be used to invoke
built-in functionality. Additionally, the technology allows for the creation of JSP tag libraries
that act as extensions to the standard HTML or XML tags. Tag libraries provide a platform
independent way of extending the capabilities of a Web server.

JSPs are compiled into Java Servlets by a JSP compiler. A JSP compiler may generate a
servlet in Java code that is then compiled by the Java compiler, or it may generate byte code for
the servlet directly. JSPs can also be interpreted on-the-fly reducing the time taken to reload
changes

Java Server Pages (JSP) technology provides a simplified, fast way to create dynamic web
content. JSP technology enables rapid development of web-based applications that are server-
and platform-independent.

4.2 Architecture of JSP:

FIG 4.1: Architecture of JSP (image not reproduced)

4.2.1 The Advantages of JSP:

Active Server Pages (ASP). ASP is a similar technology from Microsoft. The advantages
of JSP are twofold. First, the dynamic part is written in Java, not Visual Basic or other
MS-specific language, so it is more powerful and easier to use. Second, it is portable to
other operating systems and non-Microsoft Web servers.

Pure Servlets. JSP doesn't give you anything that you couldn't in principle do with a
servlet. But it is more convenient to write (and to modify!) regular HTML than to have a
zillion println statements that generate the HTML. Plus, by separating the look from the
content you can put different people on different tasks: your Web page design experts can
build the HTML, leaving places for your servlet programmers to insert the dynamic
content.

Server-Side Includes (SSI). SSI is a widely-supported technology for including
externally-defined pieces into a static Web page. JSP is better because it lets you use
servlets instead of a separate program to generate that dynamic part. Besides, SSI is really
only intended for simple inclusions, not for "real" programs that use form data, make
database connections, and the like.

JavaScript. JavaScript can generate HTML dynamically on the client. This is a useful
capability, but only handles situations where the dynamic information is based on the
client's environment. With the exception of cookies, HTTP and form submission data is
not available to JavaScript. And, since it runs on the client, JavaScript can't access
server-side resources like databases, catalogs, pricing information, and the like.

Static HTML. Regular HTML, of course, cannot contain dynamic information. JSP is so
easy and convenient that it is quite feasible to augment HTML pages that only benefit
marginally by the insertion of small amounts of dynamic data. Previously, the cost of
using dynamic data would preclude its use in all but the most valuable instances.

4.3 Servlets
Java Servlet technology provides Web developers with a simple, consistent mechanism for
extending the functionality of a Web server and for accessing existing business systems. Servlets
are server-side Java EE components that generate responses (typically HTML pages) to requests
(typically HTTP requests) from clients. A servlet can almost be thought of as an applet that runs
on the server side without a face.

// Hello.java
import java.io.*;
import javax.servlet.*;

public class Hello extends GenericServlet {
    // Called by the container for every request routed to this servlet.
    public void service(ServletRequest request, ServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        final PrintWriter pw = response.getWriter();
        pw.println("Hello, world!");
        pw.close();
    }
}

The import statements direct the Java compiler to include all of the public classes and interfaces
from the java.io and javax.servlet packages in the compilation.

The Hello class extends the GenericServlet class; the GenericServlet class provides the
interface for the server to forward requests to the servlet and control the servlet's lifecycle.

The Hello class overrides the service(ServletRequest, ServletResponse) method defined
by the Servlet interface to provide the code for the service request handler. The service() method
is passed a ServletRequest object that contains the request from the client and a
ServletResponse object used to create the response returned to the client. The service() method
declares that it throws the exceptions ServletException and IOException if a problem prevents it
from responding to the request.
The setContentType(String) method in the response object is called to set the MIME
content type of the returned data to "text/html". The getWriter() method in the response returns
a PrintWriter object that is used to write the data that is sent to the client. The println(String)
method is called to write the "Hello, world!" string to the response and then the close() method
is called to close the print writer, which causes the data that has been written to the stream to be
returned to the client.

CHAPTER-5
JAVA BEANS

5.1 Introduction
JavaBeans are reusable software components for Java that can be manipulated visually in a
builder tool. Practically, they are classes written in the Java programming language conforming
to a particular convention. They are used to encapsulate many objects into a single object (the
bean), so that they can be passed around as a single bean object instead of as multiple individual
objects. A JavaBean is a Java Object that is serializable, has a nullary constructor, and allows
access to properties using getter and setter methods.

The required conventions are:

The class must have a public default constructor. This allows easy instantiation within editing
and activation frameworks.

The class properties must be accessible using get, set, and other methods (so-called accessor
methods and mutator methods), following a standard naming convention. This allows easy
automated inspection and updating of bean state within frameworks, many of which include
custom editors for various types of properties.

The class should be serializable. This allows applications and frameworks to reliably save,
store, and restore the bean's state in a fashion that is independent of the VM and platform.

Because these requirements are largely expressed as conventions rather than by
implementing interfaces, some developers view JavaBeans as Plain Old Java Objects that follow
specific naming conventions.

5.2 Visualization of Textual Passwords

Passwords are now everywhere. The main form of password is based on characters you can
type on your keyboard, normally called textual passwords. One major security problem with
textual passwords is their vulnerability to dictionary attack, namely a brute-force attack based on a
dictionary that is much smaller than the whole password space. In this project an interactive
program is developed to visualize the security of a textual password with respect to one or more
given dictionaries, and to help the user select a more secure textual password while he or she is
typing it.

The second part of the system is called a proactive password checker (PPC). All existing
PPCs we could find on the Internet have very limited visualization, cannot clearly show
why a password is weak or strong, and give no clue how the user should react. The
goal of the project is to have the first fully visualized PPC.

5.3 ATTACKS AGAINST TEXTUAL PASSWORDS


Attackers generally compromise passwords in one of four ways:
1. By gathering enough information about users to guess their passwords;
2. By social engineering, e.g., tricking users into revealing their usernames and/or passwords;
3. By capturing users' passwords, e.g., via shoulder surfing or spyware;
4. By cracking passwords using a software program, such as John the Ripper.

5.3.1 Human Selection of Mnemonic Phrase-based Passwords


Textual passwords are often the only mechanism used to authenticate users of a networked
system. Unfortunately, many passwords are easily guessed or cracked. In an attempt to
strengthen passwords, some systems instruct users to create mnemonic phrase-based passwords.
A mnemonic password is one where a user chooses a memorable phrase and uses a character
(often the first letter) to represent each word in the phrase. The hypothesis examined here is that
users will select mnemonic phrases that are commonly available on the Internet, and that it is
therefore possible to build a dictionary to crack mnemonic phrase-based passwords.

A survey was conducted to gather user-generated passwords. The majority of survey
respondents based their mnemonic passwords on phrases that can be found on the Internet, and
a mnemonic password dictionary was generated as a proof of concept. The 400,000-entry
dictionary cracked 4% of mnemonic passwords; in comparison, a standard dictionary with 1.2
million entries cracked 11% of control passwords. The user-generated mnemonic passwords
were also slightly more resistant to brute-force attacks than control passwords. These results
suggest that mnemonic passwords may be appropriate for some uses today. However, mnemonic
passwords could become more vulnerable in the future and should not be treated as a panacea.

5.3.2 Picture Password: A Visual Login Technique for Mobile Devices

Adequate user authentication is a persistent problem, particularly with handheld devices such
as Personal Digital Assistants (PDAs), which tend to be highly personal and at the fringes of an
organization's influence. Yet these devices are increasingly used in corporate settings, where they
pose a security risk not only by containing sensitive information but also by providing the means
to access such information over wireless network interfaces. User authentication is the first line of
defense for a lost or stolen PDA. However, motivating users to enable simple PIN or password
mechanisms and to periodically update their authentication information is a constant struggle.
This section describes a general-purpose mechanism for authenticating a user to a PDA using a
visual login technique called Picture Password.

The underlying rationale is that image recall is an easy and natural way for users to
authenticate, removing a serious barrier to compliance with organizational policy. Features of
Picture Password include style-dependent image selection, password reuse, and embedded
salting, which overcome a number of problems with knowledge-based authentication for
handheld devices. Though designed specifically for handheld devices, Picture Password is also
suitable for notebooks, workstations, and other computational devices.

Passwords are normally used for:

(a) Authentication (establishing that users are who they say they are),
(b) Authorization (deciding whether an authenticated user is allowed to access specific
information or functions), and
(c) Access control (restricting access; this includes both authentication and authorization).

Here a graphical password system with a supporting sound signature, added to improve recall
of the password, is discussed.

5.3.4 Java (programming language)


Java is a programming language originally developed by James Gosling at Sun
Microsystems (now a subsidiary of Oracle Corporation) and released in 1995 as a core
component of Sun Microsystems' Java platform. The language derives much of its syntax from C
and C++ but has a simpler object model and fewer low-level facilities. Java applications are
typically compiled to bytecode (class files) that can run on any Java Virtual Machine (JVM)
regardless of computer architecture. Java is general-purpose, concurrent, class-based, and
object-oriented, and is specifically designed to have as few implementation dependencies as
possible. It is intended to let application developers "write once, run anywhere". Java is
considered by many as one of the most influential programming languages of the 20th century,
and is widely used from application software to web applications.

The original and reference implementation Java compilers, virtual machines, and class
libraries were developed by Sun from 1995. As of May 2007, in compliance with the
specifications of the Java Community Process, Sun relicensed most of its Java technologies
under the GNU General Public License. Others have also developed alternative implementations
of these Sun technologies, such as the GNU Compiler for Java and GNU Classpath.

5.3.5 J2EE application


A J2EE application, or Java 2 Platform Enterprise Edition application, is any
deployable unit of J2EE functionality. This can be a single J2EE module or a group of modules
packaged into an EAR file along with a J2EE application deployment descriptor. J2EE
applications are typically engineered to be distributed across multiple computing tiers.

Enterprise applications can consist of the following:

• EJB modules (packaged in JAR files);
• Web modules (packaged in WAR files);
• connector modules or resource adapters (packaged in RAR files);
• Session Initiation Protocol (SIP) modules (packaged in SAR files);
• application client modules;
• additional JAR files containing dependent classes or other components required by the
application;
• any combination of the above.

CHAPTER-6
TESTING
The various levels of testing are:
1. White Box Testing
2. Black Box Testing
3. Unit Testing
4. Functional Testing
5. Performance Testing
6. Integration Testing
7. Validation Testing
8. System Testing
9. Structure Testing
10. Output Testing
11. User Acceptance Testing

White Box Testing

• Exercises the internal logic of the program, aiming to execute every path in the program.

Black Box Testing

• Tests the program through its external interface only. Exhaustive input testing would be
required to find all errors this way, so representative and boundary inputs are selected.

Unit Testing

• Unit testing, also known as module testing, focuses verification efforts on the module. The
module is tested separately, and this is carried out at the programming stage itself.
• A unit test comprises the set of tests performed by an individual programmer before
integration of the unit into the system.
• Unit testing focuses on the smallest unit of software design: the software component or
module.
• Using the component-level design, important control paths are tested to uncover errors
within the boundary of the module.
• Unit testing is white-box oriented, and the step can be conducted in parallel for multiple
components.

6.1 Functional Testing:

• Functional test cases exercise the code with normal input values for which the expected
results are known, as well as with boundary values.

6.1.2 Objective:
• The objective is to take unit-tested modules and build a program structure that has been
dictated by the design.

Performance Testing:

• Performance testing determines the amount of execution time spent in various parts of the
unit, the program's throughput, response time and device utilization. It occurs throughout all
steps of the testing process.

Integration Testing:
• It is a systematic technique for constructing the program structure while at the same time
conducting tests to uncover errors associated with the interfaces between modules.
• It takes the unit-tested modules and builds a program structure.
• All the modules are combined and tested as a whole.
• All components are integrated to form the entire system and an overall test is executed.

6.2 Validation Testing:

• A validation test succeeds when the software functions in a manner that can reasonably be
expected by the client.
• Software validation is achieved through a series of black-box tests that confirm conformance
to the requirements.
• Black-box testing is conducted at the software interface.
• The tests are designed to uncover interface errors, and are also used to demonstrate that
software functions are operational, input is properly accepted, outputs are produced and the
integrity of external information is maintained.
6.3 System Testing:

Tests to find discrepancies between the system and its original objectives, current
specifications and system documentation.

6.4 Structure Testing:

• It is concerned with exercising the internal logic of a program and traversing particular
execution paths.

6.5 Output Testing:

• The output of each test case is compared with the expected result created during the design
of the test cases.
• The output generated or displayed by the system under consideration is tested by asking the
users about the format they require.
• Here the output format is considered in two ways: on screen and in printed form.
• The output on the screen is found to be correct, as the format was designed in the system
design phase according to user needs.
• The printed output matches the requirements specified for the users' hard copy.
6.6 User Acceptance Testing:
• This is the final stage before handing over to the customer, and is usually carried out by the
customer, with the test cases executed on actual data.
• The system under consideration is tested for user acceptance while keeping in constant touch
with the prospective system users during development and making changes whenever required.
• It involves planning and execution of various types of test in order to demonstrate that the
implemented software system satisfies the requirements stated in the requirements document.

Two sets of acceptance tests are run:

1. Those developed by the quality assurance group.
2. Those developed by the customer.

6.7 Feasibility Study

A feasibility study is the test of a system proposal according to its workability, impact on the
organization, ability to meet user needs, and effective use of resources. It focuses on the
evaluation of the existing system and procedures, analysis of alternative candidate systems, and
cost estimates. Feasibility analysis was done to determine whether the system would be feasible.

The development of a computer-based system or product is likely to be constrained by
scarce resources and delivery dates. A feasibility study helps the analyst decide whether to
proceed with, amend, postpone or cancel the project, which is particularly important when the
project is large, complex and costly. Once the analysis of the user requirements is complete, the
system has to be checked for the compatibility and feasibility of the software package that is
aimed at. An important outcome of the preliminary investigation is the determination that the
requested system is feasible.

6.8 Technical Feasibility:

• The technology used can be developed with the current equipment and has the technical
capacity to hold the data required by the new system.
• The technology follows current trends.
• Easily accessible, more secure technologies are used.

Technical feasibility also considers the existing system and to what extent it can support the
proposed addition. New modules can be added easily without affecting the core program. Most
parts run on the server, using the concept of stored procedures.

6.9 Operational Feasibility:

The proposed system can be easily implemented, as it is based on JSP (Java) and HTML. The
database is created in MySQL, which is secure and easy to handle. The resources required to
implement and install it are available, and the personnel of the organization already have enough
exposure to computers. So the project is operationally feasible.

6.10 Economic Feasibility:

Economic analysis is the most frequently used method for evaluating the effectiveness of a
new system. More commonly known as cost/benefit analysis, the procedure is to determine the
benefits and savings that are expected from a candidate system and compare them with its costs.
If the benefits outweigh the costs, the decision is made to design and implement the system. An
entrepreneur must accurately weigh cost against benefit before taking action. This system needs
no additional hardware or licensed software beyond what is already available, so it is
economically feasible.

CHAPTER-7
SOURCE CODE
//Employee login
import java.io.*;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class emplogin extends HttpServlet {
    // One servlet instance serves all requests concurrently, so per-request
    // values are kept in local variables rather than in instance fields.
    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        String eid = req.getParameter("eid");
        String password = req.getParameter("password");
        String Limageset = req.getParameter("Limageset");
        HttpSession sn = req.getSession(true);
        sn.setAttribute("eid", eid);
        // The password is not copied into the session: levels 2 and 3 only
        // need the user id and the e-mail address on file.
        try {
            Class.forName("com.mysql.jdbc.Driver");
            // Lab setup only: a hard-coded root login should be replaced by a
            // least-privilege account whose credentials come from configuration.
            Connection con = DriverManager.getConnection(
                    "jdbc:mysql://localhost:3306/captcha", "root", "password");
            try {
                // Bound parameters instead of string concatenation: a value such as
                //   x' OR '1'='1
                // is compared as a literal and can no longer rewrite the WHERE clause.
                // (The table still holds clear-text passwords; storing salted hashes
                // and comparing hashes here is the next fix.)
                PreparedStatement ps = con.prepareStatement(
                        "select email from profile where username=? and password=?");
                ps.setString(1, eid);
                ps.setString(2, password);
                ResultSet rs = ps.executeQuery();
                String destination = "/Multilevelsecurity/failure.jsp";
                if (rs.next()) {
                    String email = rs.getString("email");   // was rs.getString(11) on select *
                    sn.setAttribute("email", email);
                    if ("set1".equals(Limageset)) {
                        destination = "/Multilevelsecurity/Loginset1.jsp";
                    } else if ("set2".equals(Limageset)) {
                        destination = "/Multilevelsecurity/Loginset4.jsp";
                    }
                    // Any other or missing image set falls through to failure.jsp.
                }
                res.sendRedirect(res.encodeRedirectURL(destination));
            } finally {
                con.close();
            }
        } catch (Exception e2) {
            // Log on the server. The original echoed the exception text to the
            // browser, which discloses driver and schema details to an attacker.
            log("emplogin failed", e2);
            if (!res.isCommitted()) {
                res.sendRedirect(res.encodeRedirectURL("/Multilevelsecurity/failure.jsp"));
            }
        }
    }
}
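The login query in the original emplogin servlet was built by splicing the request parameters
into the SQL text. The following added example (not code from the project) reproduces that
query against an in-memory SQLite table standing in for the MySQL `profile` table, drives it
with a classic injection payload, and shows the same request against a bound-parameter query.
The table contents are constructed for the demonstration, and MySQL's `&&` operator is written
as `and`, which SQLite accepts and which behaves identically here.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the report's MySQL `profile` table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table profile(username text, password text, email text)")
    con.executemany("insert into profile values (?, ?, ?)",
                    [("alice", "s3cret", "alice@example.com"),
                     ("bob", "hunter2", "bob@example.com")])
    return con


def login_concat(con, eid, password):
    """Mirrors the original servlet: parameters are concatenated into the SQL.
    Returns the e-mail of the matched profile, or None."""
    sql = ("select email from profile where username='" + eid +
           "' and password='" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_param(con, eid, password):
    """Hardened form: the driver binds the values, so quotes inside them are
    data, not SQL, exactly as a JDBC PreparedStatement does."""
    row = con.execute("select email from profile where username=? and password=?",
                      (eid, password)).fetchone()
    return row[0] if row else None


# Supplied as both the username and the password. In the concatenated query the
# WHERE clause becomes
#   username='x' OR '1'='1' and password='x' OR '1'='1'
# which is true for every row, so the first account is "logged in".
PAYLOAD = "x' OR '1'='1"


def demo():
    con = make_db()
    return {
        "legit_concat": login_concat(con, "alice", "s3cret"),
        "attack_concat": login_concat(con, PAYLOAD, PAYLOAD),
        "legit_param": login_param(con, "alice", "s3cret"),
        "attack_param": login_param(con, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, email in demo().items():
        print("%-14s -> %s" % (name, email))
```

Note that parameterisation stops the query from being rewritten; it does nothing about the
clear-text passwords in the table, which an attacker who obtains the database (or an `inject`
that reads other columns) gets for free. Storing salted password hashes is a separate fix.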

//Create user account
import java.io.*;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class createuseraccount extends HttpServlet {
    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        HttpSession sn = req.getSession(true);
        // The registration fields are copied into the session for the
        // image-password pages that follow. They are read as locals: a servlet
        // instance is shared by concurrent requests, so instance fields would
        // mix one user's data into another's request.
        String[] fields = {"username", "password", "firstname", "lastname",
                           "address1", "address2", "city", "state",
                           "zipcode", "telephone"};
        for (String f : fields) {
            sn.setAttribute(f, req.getParameter(f));
        }
        sn.setAttribute("emailid", req.getParameter("email"));
        String imageset = req.getParameter("Imageset");
        // The original printed every field, password included, to stdout;
        // that debugging line is removed so credentials never reach the logs.
        // The profile row is not inserted here (the original left that
        // statement commented out and opened a database connection it never
        // used). When the insert is made it must use a PreparedStatement with
        // bound parameters, and the password should be stored as a salted
        // hash rather than in clear text.
        if ("set1".equals(imageset)) {
            res.sendRedirect(res.encodeRedirectURL("/Multilevelsecurity/set1.jsp"));
        } else if ("set2".equals(imageset)) {
            res.sendRedirect(res.encodeRedirectURL("/Multilevelsecurity/set4.jsp"));
        } else {
            // No or unknown image set: fail closed. The original built this
            // dispatcher but never forwarded to it.
            RequestDispatcher rd = req.getRequestDispatcher("failure.jsp");
            rd.forward(req, res);
        }
    }
}
//User login
import java.io.*;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class userlogin extends HttpServlet {
    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        String username = req.getParameter("username");
        HttpSession sn = req.getSession(true);
        sn.setAttribute("eid", username);
        RequestDispatcher rd;
        try {
            Class.forName("com.mysql.jdbc.Driver");
            Connection con = DriverManager.getConnection(
                    "jdbc:mysql://localhost:3306/captcha", "root", "password");
            try {
                // The original query had no predicate ("where username") and
                // read column 11 of a one-column result; both are fixed here,
                // and the value is bound rather than concatenated.
                PreparedStatement ps = con.prepareStatement(
                        "select email from profile where username=?");
                ps.setString(1, username);
                ResultSet rs = ps.executeQuery();
                if (rs.next()) {
                    // The one-time password goes to the address on file. The
                    // "email" request parameter is deliberately ignored: honouring
                    // it would let anyone who passed the earlier levels redirect
                    // the level-3 code to an address they control.
                    sn.setAttribute("email", rs.getString("email"));
                    rd = req.getRequestDispatcher("mailAPI.jsp");
                } else {
                    rd = req.getRequestDispatcher("failure.jsp");
                }
            } finally {
                con.close();
            }
        } catch (Exception e2) {
            log("userlogin failed", e2);
            rd = req.getRequestDispatcher("failure.jsp");
        }
        rd.forward(req, res);
    }
}
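The userlogin servlet above hands off to mailAPI.jsp, which e-mails the level-3 one-time
password; the report does not show how that password is generated or checked. The following
added example (not the project's code) shows the server-side handling a practitioner would want
around that step: an unpredictable code from the `secrets` module, only a salted hash of it kept
server-side, a five-minute lifetime, a small number of attempts before a fresh code is required,
single use, and a constant-time comparison. `send_mail` and `clock` are assumptions introduced
for the example so that delivery and expiry can be exercised offline; the JSP mail page would
take the place of `send_mail`.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 3        # wrong guesses allowed before a new code is required


class OtpStore:
    """Issues and verifies one-time passwords for the third login level.

    send_mail(address, body) delivers the code (any callable; the report uses a
    JSP mail page) and clock() returns the current time, injectable so that
    expiry can be tested without waiting."""

    def __init__(self, send_mail, clock=time.time):
        self.send_mail = send_mail
        self.clock = clock
        self._pending = {}  # eid -> (salt, digest, expires_at, attempts_left)

    def issue(self, eid, email_on_file):
        # secrets, not random: the code must be unpredictable to an attacker.
        code = "%0*d" % (OTP_DIGITS, secrets.randbelow(10 ** OTP_DIGITS))
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        # Only a salted hash is kept; a leaked table does not leak live codes.
        self._pending[eid] = (salt, digest, self.clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        # The address comes from the stored profile, never from the request,
        # otherwise an attacker could have the code sent to themselves.
        self.send_mail(email_on_file, "Your one-time password is %s" % code)

    def verify(self, eid, submitted):
        entry = self._pending.get(eid)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._pending[eid]       # expired or locked: a fresh code is needed
            return False
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        ok = hmac.compare_digest(candidate, digest)   # constant-time comparison
        if ok:
            del self._pending[eid]       # single use
        else:
            self._pending[eid] = (salt, digest, expires_at, attempts_left - 1)
        return ok


if __name__ == "__main__":
    outbox = []
    store = OtpStore(lambda to, body: outbox.append((to, body)))
    store.issue("alice", "alice@example.com")   # constructed sample user
    print("mail to", outbox[-1][0], ":", outbox[-1][1])
    code = outbox[-1][1].split()[-1]
    print("first try  :", store.verify("alice", code))
    print("replay     :", store.verify("alice", code))
```

The attempt limit matters as much as the lifetime: a six-digit code has only a million
possibilities, and without a limit an attacker who reaches the OTP page can simply try them all
within the five-minute window.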

CHAPTER-8
RESULTS AND ANALYSIS
Home page:

FIG 8.1 Home Page

This is the home page of the application; it links to the registration and login pages.

Registration form:

FIG 8.2 Registration Page

This is the registration page. It collects the user's details: username, address, e-mail id, etc.

Registration page

FIG 8.3 Registration Page

Registration Grid 1

FIG 8.4 Registration Grid 1

This is the image-password registration page at level 2, grid 1. The user selects one image as
part of the password.

Registration Grid 2

FIG 8.5 Registration Grid 2

This is the image-password registration page at level 2, grid 2. The user selects one image as
part of the password.

Registration Grid 3

FIG 8.6 Registration Grid 3

This is the image-password registration page at level 2, grid 3. The user selects one image as
part of the password.

Success page:

FIG 8.7 Success Page

Successful completion of registration leads to this page.

Login page:

FIG 8.8 Login Page

This is the login page. The user logs in here after completing registration.

One time password:

FIG 8.9 One Time Password

This is the level-3 validation page. The user enters the one-time password received by e-mail.

User Verification Success:

FIG 8.10 User Verification Success Page

This is the successful-login page; it means the user has completed all three levels.

Redirected Griet Home Page

FIG 8.11 Griet Home Page

After successful completion of the three levels of login the user is redirected to
http://griet.ac.in

CHAPTER-9
CONCLUSION AND FUTURE WORK
The three-level security approach applied to the above system makes it considerably more
secure while remaining user friendly. The system helps thwart shoulder-surfing, Tempest and
brute-force attacks at the client side. The 3-Level Security system is a time-consuming approach,
as the user has to traverse three levels of security and must refer to his e-mail account for the
automatically generated one-time password. Therefore this system is not a suitable solution for
general security purposes, where login time is an issue, but it will be valuable where high
security is the main concern and login time is secondary; an example is a firm where the system
is accessible only to a few people in senior positions who need to store and maintain crucial and
confidential data. In the near future we will not only add more features but also make our
system customizable.
