You are on page 1of 77

CHAPTER 1

INTRODUCTION
INFORMATION SECURITY
A principle which is a core requirement of information security for the safe utilization, flow, and
storage of information is the CIA triad. CIA stands for confidentiality, integrity, and availability
and these are the three main objectives of information security.
Below is an illustration of the CIA triad along with the four layers of information security. These
four layers represent the way systems communicate and how information flows among systems.
Тhe concept of layers illustrates that data communications and computer network protocols are
designated to function in a layered manner, transferring the data from one layer to the next.

Fig 1: Four layers of information security

 The Application Access Layer describes the notion that access to end-user applications
have to be constrained to business ought-to-know

1
 The Infrastructure Access Layer describes the notion that access to infrastructure
components has to be constrained to business ought-to-know. For instance, access to
servers.

 The Physical Access Layer describes the notion that the physical access to any system,
server, computer, data center, or another physical object storing confidential information.

 The Data In Motion Layer describes the notion that data ought to be secured while in
motion.

This little icon in the middle of the illustration shows the center of information security and
the reason for the emergence of the CIA principles; the icon represents information and
represents the need to protect sensitive information. we proposed a novel authentication
system Pass Matrix, based on graphical passwords to resist shoulder surfing attacks. With a
one-time valid login indicator and circulative horizontal and vertical bars covering the entire
scope of pass-images, Pass Matrix offers no hint for attackers to figure out or narrow down
the password even they conduct multiple camera-based attacks.Various graphical password
authentication schemes were developed to address the problems and weaknesses associated
with textual passwords.

1.1 OBJECTIVE
Textual passwords have been the most widely used authentication method for decades.
Comprised of numbers and upper- case and lower-case letters, textual passwords are considered
strong enough to resist against brute force attacks. However, a strong textual password is hard to
memorize and recollect[1]. Therefore, users tend to choose passwords that are either short or
from the dictionary, rather than random alphanumeric strings. Various graphical password
authentication schemes[4],[5],[6],[7] were developed to address the problems and weaknesses
associated with textual passwords. Based on some studies such as those in[8],[9], humans have a
better ability to memorize images with long-term memory(LTM) than verbal representations.
Image-based passwords were proved to be easier to recollect in several user studies[10],[11],[12]
As a result, users can set up a complex authentication password and are capable of recollecting it

2
after a long time even if the memory is not activated periodically. Even worse it is not a rare
case that users may use only one username and password for multiple accounts . According to an
article in Computer world, a security team at a large company ran a network password cracker
and surprisingly cracked approximately 80% of the employees’ passwords within 30 seconds.
Textual passwords are often insecure due to the difficulty of maintaining strong ones. This type
of attack either uses direct observation, such as watching over someone’s shoulder or
applies video capturing techniques to get passwords, PINs, or other sensitive personal
information[13],[14],[15] .

The human actions such as choosing bad passwords for new accounts and inputting passwords in
an insecure way for later logins are regarded as the weakest link in the authentication chain[16] .
Therefore, an authentication scheme should be designed to overcome these vulnerabilities. In this
paper, we present a secure graphical authentication system named Pass Matrix that protects users
from becoming victims of shoulder surfing attacks when inputting passwords in public through
the usage of one-time login indicators. A login indicator is randomly generated for each pass-
image and will be useless after the session terminates. The login indicator provides better
security against shoulder surfing attacks, since users use a dynamic pointer to point out the
position of their passwords rather than clicking on the password object directly.

1.2 MOTIVATION

As the mobile marketing statistics compilation by Danyl, the mobile shipments had overtaken PC
shipments in 2011, and the number of mobile users also overtaken desktop users at 2014, which
closed to 2 billion [17]. However, shoulder surfing attacks have posed a great threat to users’
privacy and confidentiality as mobile devices are becoming indis-pensable in modern life. People
may log into web services and apps in public to access their personal accounts with their smart
phones, tablets or public devices, like bank ATM. Shoulder-surfing attackers can observe how
the passwords were entered with the help of reflecting glass windows, or let alone monitors
hanging everywhere in public places. Passwords are exposed to risky environments, even if the
passwords themselves are complex and secure. A secure authentication system should be able to
defend against shoulder surfing attacks and should be applicable to all kinds of devices.
Authentication schemes in the literature such as those in [6], [18], [19], [20], [21], [22], [23],

3
[24], [25] are resistant to shoulder-surfing, but they have either usability limitations or small
password space. Some of them are not suitable to be applied in mobile devices and most of them
can be easily compromised to shoulder surfing attacks if attackers use video capturing techniques
like Google Glass [15], [26]. The limitations of usability include issues such as taking more time
to log in, passwords being too difficult to recall after a period of time, and the authentication
method being too complicated for users without proper education and practice.

1.3 PROBLEM STATEMENT


Textual passwords have been the most widely used authentication method for decades.
Comprised of numbers and upper- and lower-case letters, textual passwords are considered
strong enough to resist against brute force attacks. Textual passwords are often insecure due to
the difficulty of maintaining strong ones. Various graphical password authentication schemes
were developed to address the problem and weakness associated with the textual passwords such
as image based passwords.

Image based passwords were proved to be easier to recollect in several user studies. As a result
users can set up a complex authentication password and are capable of recollecting it after a long
time .However most of these image based passwords are vulnerable to shoulder surfing attacks.
we proposed a novel authentication system Pass Matrix, based on graphical passwords to resist
shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and
vertical bars covering the entire scope of pass-images, Pass Matrix offers no hint for attackers to
figure out or narrow down the password even they conduct multiple camera-based
attacks.Various graphical password authentication schemes were developed to address the
problems and weaknesses associated with textual passwords.

4
CHAPTER 2
LITERATURE SURVEY
According to Steichen [1], there are several principles of information security. We know to use
confidentiality, integrity and availability which known as the CIA Triad for over twenty years, as
the core principles of information security.

2.1 Confidentiality
The aim of confidentiality is to ensure that information is hidden from people unauthorized to
access it. The confidentiality principle dictates that information should solely be viewed by
people with appropriate and correct privileges. The science (and art) used to ensure data
confidentiality is cryptography, which involves encryption and decryption methods.
To continue, confidentiality can be easily breached so each employee in an organization or
company should be aware of his responsibilities in maintaining confidentiality of the information
delegated to him for the exercise of his duties. For instance, if an employee allows someone to
take a glimpse of his computer screen while he is, at that moment, displaying confidential
information on the computer screen may have already constituted a breach of confidentiality.
Furthermore, confidentiality and privacy are often used interchangeably.

Below, we discuss cryptography, effective manners of protecting confidentiality.

2.1.1 Cryptography
Cryptography’s beginning can be traced thousands of years ago. However, the contemporary
cryptography differs substantially from the classic one, which used pen and paper for encryption
and which was far less complex. The establishment of the Enigma rotor machine and the
subsequent emergence of electronics and computing enabled the usage of much more elaborate
schemes and allowed confidentiality to be protected much more effectively.

Encryption is an accepted and effective way of protecting data in transit but is increasingly being
used for protecting data at rest as well. The Computer Security Institute published the results of a
survey in 2007, which showed that 71% of the businesses used encryption for various data in
transit while 53% used encryption for selections of data at rest. Furthermore, there are different

5
techniques for preserving confidentiality depending on whether the data is in motion, at rest or a
physical object. Naturally, access controls are also a necessity for maintaining confidentiality.
Access controls can consist of passwords, biometrics, or a mixture of both. As regards to
physical data, its means of protection are somewhat similar access to the area where the
information is kept may be granted only with the proper badge or any different form of
authorization,it can be physically locked in a safe or a file cabinet, there could be access
controls,cameras.

Encryption consists of changing the data located in files into unreadable bits of characters unless
a key to decode the file is provided.In manual encryption, the user utilizes software and initiates
the encryption. In transparent encryption, the encryption happens automatically without any
intervention on the side of the user.Symmetric encryption occurs by utilizing character
substitution with a key that will be the only means of decrypting the bits of information.
Conversely, asymmetric encryption is used when there are two keys, a public key, and a private
key. Any person may encrypt the information with the public key but it can only be decrypted by
the private key.
1. Encryption: if you encrypt your data, it will be unreadable for any third-party which may get
hold of it. You can encrypt your hard drive using Microsoft’s BitLocker software if you are
using the Ultimate or Enterprise version of Windows 7 or Vista or Enterprise/Pro version of
Windows 8. To do so, you only have to enable BitLocker in Control Panel > System and
Security > BitLocker Drive. Alternatively, you can use TrueCrypt or DiskCryptor (free of
charge).
2. Two-factor authentication: Requiring two-factor authentication increases the safety of the
confidential data and decreases the probability of data leakage. Two-factor authentication
enables you to access the information only if you have both a physical object (like a card) and an
immaterial* one (like a security code). Thus, two-factor authentication means that there must be
a thing that you know* and a thing that you possess in order to gain access.

*It is presumed that you know the code as most companies require you to memorize the security
code as if you keep it written down it may be stolen. To add, the security code or password
should be a mixture of lowercase and uppercase letters, numbers, and symbols and be at least 10

6
characters.

3. Encrypt your interactions: you would not want your communications being intercepted and
confidential data in motion being leaked to third parties. Firstly, you should configure your IM,
and whenever it is possible – any communication software, to use SSL or TSL. Secondly, you
should disable logging of past conversations and remove any logs that leak confidential
information. Thirdly, you should encrypt your internet traffic as it can be intercepted. When
using an unsecured Wi-Fi network, encrypt it by creating a secure tunnel to a trusted third-party
server (VPN). So, do not send confidential information without proper encryption.

4. Safeguard your keys: remember that sometimes access to the keys equals access to the
information. One should keep a second set of keys in a safe place because the information can be
lost or taken advantage of if he cannot access it or if he cannot access it on time in case of loss or
theft of the first set of the keys to provide security to the safeguard our keys

5. Backup your information: and make sure the backup is safe and protected: the information
should be accessible but encrypted and stored in a secure place.

Note that the average overall cost per business that reported a data breach in 2011 was 5.5
million dollars. Thus, not only confidentiality has a central role in avoiding data breaches but it
can also save your company millions of dollars.

Business contracts often have confidential information clause(s), which is (are) inserted to
protect information they deem proprietary and sensitive from disclosure to unauthorized third
parties. These clauses usually state what is deemed as confidential information and what is not
deemed as such. Typically, the confidentiality provisions that enumerate what the parties
consider confidential are highly variable depending on the parties’ type of business whereas
there is, to some extent, a common stand on what is defined as non-confidential information.

A standard clause extracted from a non-disclosure agreement of Microsoft goes like this:
“‘Confidential Information’ means nonpublic information that Microsoft designates as being

7
confidential or which, under the circumstances surrounding disclosure ought to be treated as
confidential by Recipient”. It is worth mentioning that it is much more desirable to enlist the
types of information that are to be considered confidential and, in this way, create a narrow and
unambiguous clause. Mary Hanson, a California business lawyer, asserts that “Trying to cover
too much information by defining the confidential information as ‘all business information’ may
backfire. It is important to try to identify particular information, without giving out valuable
information.” Accordingly, the confidential information involved in the agreement must be
defined to the extent which makes it enforceable in court without any particular sensitive
information being disclosed in it.

The definition of confidential information can be narrowed down to (1) marked information, (2)
written information, (3) information disclosed during a particular period of time and (4)
particular categories of information.

However, a breach of confidentiality can occur even without a signed confidentiality provision or
agreement. In the US, employees or other parties to a business contract are required to keep
confidential any secret information disclosed to them by the other party and breaches of
confidentiality may be sanctioned in courts. The courts will ask the following questions, which if
answered affirmatively will result into a reimbursement of the injured party:

 Whether the information was confidential by its nature

 Whether the information was disclosed in circumstances which show that it was
confidential

 Whether the party who received the information misuse it

It has to be noted that although the law implies a duty of confidentiality – its scope, nature, and
obligations are indeterminate and subject to judicial determination.

8
1. Statistics and discussion as regards to data breaches (failures to attain the objectives of
information security and complying with the CIA principles).

Frequent manners of leakage of confidential data are enumerated below to understand what
problems may occur when handling such information:

1. Theft (of laptop, computer, paper, etc. – physical security)


2. Improper disposal (it is a must to use a shredder)
3. Unauthorized access/disclosure (access controls, authentication, lack of understanding of
confidentiality agreements, negligence, etc.)
4. Loss (negligence, etc.)
5. Hacking/ IT incident, etc. ( most often Internet security )
 The ways of leakage are enumerated in a random sequence.

In 2011, negligence was the cause of 39% of all reported data breaches while malicious attacks
(defined as a mixture of hacking and insider theft) accounted for 37% of the data breaches
whereas the cause was hacking in more than one-quarter of these malicious attacks. On a global
scale, 232.4 million identities were exposed and endangered in 2011. Deliberate breaches were
chiefly aimed at gathering client-related information as this information can be utilized for
various fraud schemes. Businesses and companies in the computer software, IT, and healthcare
sectors accounted for 93% of the overall number of stolen identities in 2011. Loss or theft was
the most recurrent cause in all sectors and it accounted for 34.3% of exposed identities. The
attacks were mostly undertaken because the criminals saw the crime easy to perform. Hence,
79% of the victims were chosen because of opportunity while 96% of the attacks did not appear
to be very difficult.
Concerning insider intellectual property thefts, statistics show that it is usually done by men who
serve in various positions such as scientists, managers, programmers within a month of leaving
the company from which they steal. Often they have created their own business or have started
working for another, only 20% steal the information as a consequence of recruitment by an
outsider that wants the information. 75% of the perpetrators stole material to which they were
granted access in the course of employment and trade secrets were unlawfully taken in 52% of

9
the thefts. Furthermore, most insider thieves of intellectual property were caught by non-
technical.

It can be concluded that data breaches are a frequently occurring phenomena, and that not only
CISOs’ and other personnel in charge of information security ought to undertake measures to
attain the objectives of InfoSec but also that non-technical staff in companies shall be aware of
the risks and educated in maintaining the CIA principles in the course of their employment. This
is so as most criminals or cyber-criminals perform their attack because they see an easy prey in
their targets as their security is loose. Staff from all levels of the organization’s hierarchy shall
take measures to prevent theft, loss and take reasonable measures to protect the confidential
information they have been granted access to for the fulfillment of their duties.

2.1.2 Top five methods for abiding by the CIA principles.

Below is an illustration of the top five layers that information security offers in terms of attaining
the goals laid out in the CIA triad. It is presented in order to reveal the most commonly used
manners of safeguarding the CIA principles and defending any system from a potential data
breach.
 The core of the chart is represented by the CIA principles
 Firewalls can be hardware-based and software-based. Firewalls are a piece of equipment
or software that are designed to block unsolicited connections, protocols, unwanted
network activity and block spam and other malicious requests while you are connected a
third-party network (usually the Internet). The hardware firewall utilizes packet filtering
to examine the header of a packet and decide if the packet should be forwarded or
dropped. Firewalls serve as an intermediary between your computer and the Internet
connection. Thus, firewalls can block connections that their user did not wish to make,
filter out bad data and prevent outside endeavors to gain control or access to your
machine. They have a set of predefined rules that enable them to allow, deny or drop
connections and as such their function is of a filtering gateway.

10
 A server, through hardware such as proxy server can regulate what the external world
sees of the network, this could be a type of protection by providing a “smoke screen” on
the network. It can disguise the real network and display a minimal connection to the
Internet

 Routers, another piece of hardware, can regulate access to the network, just like firewalls,
it may have access lists that allow or deny acess into the network. Nonetheless, they route
IP packets to the other networks, a thing which is neither performed by firewalls, nor by
any other appliance on the network or the Internet.

 Network controls are implemented at local level, they involve authentication like logins
and passwords.

 Software controls are software that prevent malware from penetrating the machines.
Should a malware infest the system, software controls are in charge of removing the
infection and returning the system to the pre-infestation state. Unlike firewalls, software
controls can remove existent malware, malware that has already affected the machine,
whereas firewalls cannot deal with malware that has already been loaded on your
computer.
 Encryption has already been discussed above (Cryptography)

2.2 Integrity

In information security, integrity means that data cannot be modified without authorization. This
is not the same thing as referential integrity in databases. Integrity is violated when an employee
accidentally or with malicious intent deletes important data files, when a computer virus infects a
computer, when an employee is able to modify his own salary in a payroll database, when an
unauthorized user vandalizes a web site, when someone is able to cast a very large number of
votes in an online poll, and so on.

11
2.3 Availability

For any information system to serve its purpose, the information must be available when it is
needed. This means that the computing systems used to store and process the information, the
security controls used to protect it, and the communication channels used to access it must be
functioning correctly. High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades. Ensuring
availability also involves preventing denial -of- service attacks. Later Parker [2] proposed “the
Parkerian hexad” which adds three additional attributes to the three classic security attributes of
the CIA triad. It is a set of six elements of information security model. These attributes of
information are not broken down into further constituents, also all of them are non-overlapping
[3].

2.4 RELATED WORK

As the mobile marketing statistics compilation by Danyl, the mobile shipments had overtaken PC
shipments in 2011, and the number of mobile users also overtaken desktop users at 2014, which
closed to 2 billion[17]. However, shoulder surfing attacks have posed a great threat to users’
privacy and confidentiality as mobile devices are becoming indis-pensable in modern life. People
may log into web services and apps in public to access their personal accounts with their smart
phones, tablets or public devices, like bank ATM. Shoulder-surfing attackers can observe how
the passwords were entered with the help of reflecting glass windows, or let alone monitors
hanging everywhere in public places. Passwords are exposed to risky environments, even if the
passwords themselves are complex and secure. A secure authentication system should be able to
defend against shoulder surfing attacks and should be applicable to all kinds of devices.
Authentication schemes in the literature such as those in,[6],[18],[19],[20],[21],[22],[23],[24]
resistant to shoulder-surfing, but they have either usability are limitations or small password
space. Some of them are not suitable to be applied in mobile devices and most of them can be
easily compromised to shoulder surfing attacks if attackers use video capturing techniques like
Google Glass[15],[26]. The limitations of usability include issues such as taking more time to log
in, passwords being too difficult to recall after a period of time, and the authentication method
being too complicated for users without proper education and practice.

12
In 2006, Wiedenbeck et al. proposed PassPoints[7] in which the user picks up several points (3
to 5) in an image during the password creation phase and re-enters each of these pre-selected
click-points in a correct order within its tolerant square during the login phase. Com-paring to
traditional PIN and textual passwords, the Pass-Points scheme substantially increases the
password space and enhances password memorability. Unfortunately, this graphical
authentication scheme is vulnerable to shoulder surfing attacks. Hence, based on the
PassPoints, we add the idea of using one-time session passwords and distractors to develop our
PassMatrix authentication system that is resistant to shoulder surfing attacks.also extended the
DAS[6] based on finger-drawn doodles and pseudosignatures in recent mobile device. This
authentication system is based on features which are extracted from the dynamics of the gesture
drawing process (e.g., speed or acceleration). These features contain behavioral biometric
characteristic. In other words, the attacker would have to imitate not only what the user draws,
but also how the user draws it. However, these three authentication schemes are still all
vulnerable to shoulder surfing attacks as they may reveal the graphical passwords directly to
some unknown observers in public.

Fig.2.1. (a) Pixel squares selected by users as authentication passwords in PassPoints [7]. (b)
Authentication password drew by users and the raw bits recorded by the system database [6].

In addition to graphical authentication schemes, there was some research on the extension of
conventional personal identification number (PIN) entry authentication sys-tems. In 2004, Roth
et al. [34] presented an approach for PIN entry against shoulder surfing attacks by increasing the
noise to observers. In their approach, the PIN digits are displayed in either black or white
randomly in each round. The user must respond to the system by identifying the color for each
password digit. After the user has made a series of binary choices (black or white), the system

13
can figure out the PIN number the user intended to enter by intersecting the user’s choices. This
approach could confuse the observers if they just watch the screen without any help of video
capturing devices. However, if observers are able to capture the whole authentication process,
the passwords can be cracked easily

14
CHAPTER 3
SYSTEM ANALYSIS

3.1 EXISTING SYSTEM:


Textual passwords have been the most widely used authentication method for decades.
Comprised of numbers and upper- and lower-case letters, textual passwords are considered
strong enough to resist against brute force attacks. Textual passwords are often insecure due
to the difficulty of maintaining strong ones. Various graphical password authentication
schemes were developed to address the problem and weakness associated with the textual
passwords such as image based passwords.

Image based passwords were proved to be easier to recollect in several user studies. As a
result users can set up a complex authentication password and are capable of recollecting it
after a long time .However most of these image based passwords are vulnerable to shoulder
surfing attacks.

Wiedenbeck et al. proposed PassPoints in which the user picks up several points (3 to 5) in
an image during the password creation phase and re-enters each of these pre-selected click-
points in a correct order within its tolerant square during the login phase. Comparing to
traditional PIN and textual passwords, the Pass-Points scheme substantially increases the
password space and enhances password memorability.
David Kim et al. proposed a visual authentication scheme for tabletop interfaces called
”Color Rings”, where the user is assigned i authentication (key) icons, which are collectively
assigned one of the four color-rings: red, green, blue, or pink.

3.1.1 DISADVANTAGES OF EXISTING SYSTEM:

 Textual passwords are vulnerable to eves dropping, dictionary attacks.


 Graphical passwords are introduced as alternative techniques to textual passwords. Most
of the graphical schemes are vulnerable to shoulder surfing.

15
 Because of this the passwords are undergoing many attacks and the sensitive information
is leaked.
 Most of the existing system image-based passwords are vulnerable to shoulder surfing
attacks (SSAs). This type of attack either uses direct observation, such as watching over
someone’s shoulder or applies video capturing techniques to get passwords, PINs, or
other sensitive personal information
 Some of them are not suitable to be applied in mobile devices and most of them can be
easily compromised to shoulder surfing attacks if attackers use video capturing
techniques like Google Glass.
 The limitations of usability include issues such as taking more time to log in, passwords
being too difficult to recall after a period of time, and the authentication method being too
complicated for users without proper education and practice.
 If observers are able to capture the whole authentication process, the passwords can be
cracked easily.
 A large number of objects will crowd the display and may make objects
indistinguishable.
 These kinds of passwords can be cracked by intersecting the user’s selections in each
login because the color of the assigned ring is fixed and a ring can include at most seven
icons. Thus, the attacker only requires a limited number of trials to guess the user’s
password.

Attack Models
 Shoulder Surfing Attacks
Based on previous research [20], [21], [25], [34], [35], users’ actions such as typing from their keyboard,
or clicking on the pass-images or pass-points in public may reveal their passwords to people with bad
intention. In this paper, based on the means the attackers use, we categorize shoulder-surfing attacks into
three types as below:

1) Type-I: Naked eyes.


2) Type-II: Video captures the entire authentication process only once.
3) Type-III: Video captures the entire authentication process more than once.

16
The latter types of attacks require more effort and techniques from attackers. Thus, if an authentication
scheme is able to resist against these attacks, it is also secure against previous types of attacks. Some of
the proposed authentication schemes [4], [5], [6], [7], [25], [38], including traditional text-password and
PIN, are vulnerable to shoulder surfing Type-I attacks and thus are also subject to Type-II and Type-III
attacks. These schemes reveal passwords to attackers as soon as users enter their passwords by directly
pressing or clicking on specific items on the screen. Other schemes such as those in [19], [34] can resist
against Type-I but are vulnerable to Type-II and Type-III attacks since the attackers can crack passwords
by intersecting their video captures from multiple steps of the entire authentication process.
 Smudge Attacks
According to previous study [39] authentication schemes that require users to touch that require
users to touch or fling on computer monitors or display screens during the login phase are
vulnerable to smudge attacks. The attacker can obtain the user’s password easily by observing
the smudge left on the touch screen.

3.2 PROPOSED SYSTEM:


This evolution brings great convenience but also increases the probability of exposing passwords
to shoulder surfing attacks. Attackers can observe directly or use external recording devices to
collect users’ credentials. To overcome this problem, we proposed a novel authentication system
Pass Matrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time
valid login indicator and circulative horizontal and vertical bars covering the entire scope of
pass-images, Pass Matrix offers no hint for attackers to figure out or narrow down the password
even they conduct multiple camera-based attacks.Various graphical password authentication
schemes were developed to address the problems and weaknesses associated with textual
passwords. Based on some studies such as those in , humans have a better ability to memorize
images with long-term memory(LTM) than verbal representations. Image-based passwords were
proved to be easier to recollect in several user studies As a result, users can set up a complex
authentication password and are capable of recollecting it after a long time even if the memory is
not activated periodically.

The human actions such as choosing bad passwords for new accounts and inputting passwords
in an insecure way for later logins are regarded as the weakest link in the authentication chain .
Therefore, an authentication scheme should be designed to overcome these vulnerabilities.In this
17
paper, we present a secure graphical authentication system named Pass Matrix that protects users
from becoming victims of shoulder surfing attacks when inputting passwords in public through
the usage of one-time login indicators. A login indicator is randomly generated for each pass-
image and will be useless after the session terminates. The login indicator provides better
security against shoulder surfing attacks, since users use a dynamic pointer to point out the
position of their passwords rather than clicking on the password object directly. And we provide
the most secure way so that their pixel range of their passwords will not be visible to anyone.

To defeat this issue, we proposed a shoulder-surfing safe authentication system based on


graphical passwords, named PassMatrix. Utilizing a one-time login marker per picture, clients
can call attention to the area of their pass-square without straightforwardly clicking or contacting
it ,and furthermore we give the stature and width pixel go in most secure way so it can't be
obvious to the unapproved clients so which is an activity powerless against bear surfing assaults.

3.2.1 ADVANTAGES OF PROPOSED SYSTEM:

 Multi layered approach offers more security for the system


 Techniques are proposed to generate session passwords using text and colours which
are resistant to shoulder surfing.
 The habitual movements and the preference of users that the attacker may take
advantage of to figure out the potential passwords.
 Any communication between the client device and the server is protected by SSL so
that packets or information will not be eavesdropped or intercepted by attackers
during transmission.
 The server and the client devices in our authentication system are trustworthy.

 The passwords of our PassMatrix are easy to memorize.


 Users can log into the system with only 1:64 (Median=1) authentication requests on
average, and the Total Accuracy of all login trials is 93:33% even after two weeks.
 Passwords are not exposed to risky environments.
 The proposed system acts as a secure authentication system and will be able to defend
against shoulder surfing attacks and will be applicable to all kinds of devices.

18
3.3 PRELIMINARY INVESTIGATION

The first and foremost strategy for development of a project starts from the thought of designing
a mail enabled platform for a small firm in which it is easy and convenient of sending and
receiving messages, there is a search engine ,address book and also including some entertaining
games. When it is approved by the organization and our project guide the first activity, ie.
preliminary investigation begins. The activity has three parts:

 Request Clarification

 Feasibility Study

 Request Approval

3.3.1 REQUEST CLARIFICATION

After the approval of the request to the organization and project guide, with an investigation
being considered, the project request must be examined to determine precisely what the system
requires.

Here our project is basically meant for users within the company whose systems can be
interconnected by the Local Area Network(LAN). In today’s busy schedule man need everything
should be provided in a readymade manner. So taking into consideration of the vastly use of the
net in day to day life, the corresponding development of the portal came into existence.

3.3.2 FEASIBILITY ANALYSIS

An important outcome of preliminary investigation is the determination that the system request is
feasible. This is possible only if it is feasible within limited resource and time. The different
feasibilities that have to be analyzed are

 Operational Feasibility
 Economic Feasibility
 Technical Feasibility

19
Operational Feasibility
Operational Feasibility deals with the study of prospects of the system to be developed.
This system operationally eliminates all the tensions of the Admin and helps him in effectively
tracking the project progress. This kind of automation will surely reduce the time and energy,
which previously consumed in manual work. Based on the study, the system is proved to be
operationally feasible.

Economic Feasibility

Economic Feasibility or Cost-benefit is an assessment of the economic justification for a


computer based project. As hardware was installed from the beginning & for lots of purposes
thus the cost on project of hardware is low. Since the system is a network based, any number of
employees connected to the LAN within that organization can use this tool from at anytime. The
Virtual Private Network is to be developed using the existing resources of the organization. So
the project is economically feasible.

Technical Feasibility
According to Roger S. Pressman, Technical Feasibility is the assessment of the technical
resources of the organization. The organization needs IBM compatible machines with a graphical
web browser connected to the Internet and Intranet. The system is developed for platform
Independent environment. Java Server Pages, JavaScript, HTML, SQL server and Web Logic
Server are used to develop the system. The technical feasibility has been carried out. The system
is technically feasible for development and can be developed with the existing facility.

3.3.3 REQUEST APPROVAL

Not all request projects are desirable or feasible. Some organization receives so many project
requests from client users that only few of them are pursued. However, those projects that are
both feasible and desirable should be put into schedule. After a project request is approved, it
cost, priority, completion time and personnel requirement is estimated and used to determine
where to add it to any project list. Truly speaking, the approval of those above factors,
development works can be launched.

20
3.3.4 MODULES

1. Multi Layer Image Authentication


2. Grid Image Authentication
3. Random Guess Attack
4. Login / Register
5. Upload Image
6. View Status
7. View Requests
8. Approve / Cancel

1.Multi Layer Image Authentication

To overcome the security weakness of the traditional PIN method, the easiness of obtaining
passwords by observers in public, and the compatibility issues to devices, we introduced a
graphical authentication system called Pass Matrix. In Pass Matrix, a password consists of only
one pass-square per pass-image for a sequence of n images. The number of images (i.e., n) is
user-defined. Bellow figure demonstrates the proposed scheme, in which the first pass-square is
located at in the first image, the second pass-square is on the top of the smoke in the second
image at , and the last pass-square is at in the third image. In Pass Matrix, users choose one
square per image for a sequence of n images rather than n squares in one image as that in the
Pass Points scheme. Based on the user study of Cued Click Points . CCP method does a good job
in helping users recollect and remember their passwords. If the user clicks on an incorrect region
within the image the login will be failed

21
2. Grid Image Authentication

In this type of authentication multiple images can be provided to the user, the user has the select
the image that he can to log in, this will the provide more security.

2. Random Guess Attack

Random Guessing attack is also known as Brute Force attack It is a common threat faced by
CAPTCHA developers. A brute-force attack is an attempt to discover a Captcha break by
systematically trying every possible combination of letters, numbers, and symbols until the
machine discover the one correct combination that works. Generally image based Captcha are
prone to this attack because in image based Captcha the database of images are limited, and it is
not too much tedious task for a machine to generate different solution for a problem in a limited
time frame.

To perform a random guess attack, the attacker randomly tries each square as a possible pass-
square for each pass image until a successful login occurs. The key security determinants of the
system are the number of pass-images and the degree of discretization of each image. To
quantify the security of Pass Matrix against random guess attacks, we define the entropy of a
password space as in equation 3. Table 7 defines the notations used in the equation. If the
entropy of a password space is k bits, there will be 2kpossible passwords in that space.

Entropy = log2((Dx _ Dy)i)n

22
4. Login / Register

The application will provide a secure user-id/password based secured login mechanism to access
its services.

5. Upload Image

This is the main module in this application. The Main Process in the Mex application will be
worked here. The bill picture is already stored in the mobile gallery, the user will select the
picture from the gallery and upload in to the server. And also upload the details like employee
name, employee id and Bill details. All the details uploaded here is stored in to the wamp server

6. View Status

After uploading the details the user can check the status of the request using the same
application. The status will be shown as pending until the higher authority accept or cancel the
Request

7. View Request

The User Requested data can be view by the Higher authority. Admin is the authority to accept
or reject the request. This module is done by using PHP. The Admin will use System to view the
request
8. Approve / Cancel

After viewing the Request the admin can have the permission to accept or reject the request. The
user can check the status

3.4 SOFTWARE REQUIREMENT SPECIFICATION

3.4.1 FUNCTIONAL REQUIREMENTS

Functional Requirement defines a function of a software system and how the system must
behave when presented with specific inputs or conditions. These may include calculations, data
manipulation and processing and other specific functionality.

 Admin: In this admin has to login with valid username and password. After login
successful he can do some operations such as view all user, their details and authorize
23
them, View all users graphical authentication points, view all blocked users ,View
unblock requests and unblock them, upload documents with image and view all uploaded
documents with rank and comments of it, View users results chart based on number of
users active and blocked, View the documents results based on rank.

 User: In this there are n numbers of users are present. User should register before doing
some operations and also set graphical authentication points while registration. After
registration successful he can login by using valid user name and password and also
graphical authentication points . Login successful he will do some operations like view
profile details, Chang graphical authentication points, search documents and
download/View and comment on it/recommend to others , View all recommended
documents.

3.4.2 NON FUNCTIONAL REQUIREMENTS


Non – Functional requirements, as the name suggests, are those requirements that are not directly
concerned with the specific functions delivered by the system. They may relate to emergent
system properties such as reliability response time and store occupancy. Alternatively, they may
define constraints on the system such as the capability of the Input Output devices and the data
representations used in system interfaces. Many non-functional requirements relate to the system
as whole rather than to individual system features. This means they are often critical than the
individual functional requirements. The following non-functional requirements are worthy of
attention.

THE KEY NON-FUNCTIONAL REQUIREMENTS:

SECURITY: The system should allow a secured communication between Cs and

Data Owner, User and File Owner

ENERGY EFFICIENCY: The Energy consumed by the Users to receive the File information
from the cloud server and sensor router.

RELIABILITY: The system should be reliable and must not degrade the performance of the
existing system and should not lead to the hanging of the system.

24
3.4.3 SYSTEM REQUIREMENTS

This Chapter describes about the requirements. It specifies the hardware and software
requirements that are required in order to run the application properly. The Software
Requirement Specification (SRS) is explained in detail, which includes overview of this
dissertation as well as the functional and non-functional requirement of this dissertation

SOFTWARE REQUIREMENTS

 Operating System : Windows


 Technology : Java and JEE
 Web Technologies : Html, JavaScript, CSS
 IDE : Eclipse
 Web Server : Apache Tomcat
 Database : My SQL

HARDWARE REQUIREMENTS

 Processor : I3 processor
 RAM : 1GB minimum
 Hard Disk : 20 GB min

25
CHAPTER 4
SYSTEM DESIGN

4.1 INPUT AND OUTPUT DESIGN


INPUT DESIGN:

Input Design plays a vital role in the life cycle of software development, it requires very careful
attention of developers. The input design is to feed data to the application as accurate as possible.
So inputs are supposed to be designed effectively so that the errors occurring while feeding are
minimized. According to Software Engineering Concepts, the input forms or screens are
designed to provide to have a validation control over the input limit, range and other related
validations. This system has input screens in almost all the modules. Error messages are
developed to alert the user whenever he commits some mistakes and guides him in the right way
so that invalid entries are not made. Let us see deeply about this under module design.

Input design is the process of converting the user created input into a computer-based format.
The goal of the input design is to make the data entry logical and free from errors. The error is in
the input are controlled by the input design. The application has been developed in user-friendly
manner. The forms have been designed in such a way during the processing the cursor is placed
in the position where must be entered. The user is also provided within an option to select an
appropriate input from various alternatives related to the field in certain cases.

Validations are required for each data entered. Whenever a user enters an erroneous data, error
message is displayed and the user can move on to the subsequent pages after completing all the
entries in the current page.

OUTPUT DESIGN

The Output from the computer is required to mainly create an efficient method of
communication within the company primarily among the project leader and his team members,
in other words, the administrator and the clients. The output of VPN is the system which allows
the project leader to manage his clients in terms of creating new clients and assigning new
projects to them, maintaining a record of the project validity and providing folder level access to

26
each client on the user side depending on the projects allotted to him. After completion of a
project, a new project may be assigned to the client. User authentication procedures are
maintained at the initial stages itself. A new user may be created by the administrator himself or
a user can himself register as a new user but the task of assigning projects and validating a new
user rests with the administrator only.

The application starts running when it is executed for the first time. The server has to be started
and then the internet explorer in used as the browser. The project will run on the local area
network so the server machine will serve as the administrator while the other connected systems
can act as the clients. The developed system is highly user friendly and can be easily understood
by anyone using it even for the first time.

4.2 UML DIAGRAMS

UML (Unified Modeling Language) is a standard language for specifying, visualizing,


constructing, and documenting the artifacts of software systems. UML was created by the Object
Management Group (OMG) and UML 1.0 specification draft was proposed to the OMG in
January 1997. It was initially started to capture the behavior of complex software and non-
software system and now it has become an OMG standard. This tutorial gives a complete
understanding on UML.

UML is a standard language for specifying, visualizing, constructing, and documenting the
artifacts of software systems.

There are several types of UML diagrams and each one of them serves a different purpose
regardless of whether it is being designed before the implementation or after (as part of
documentation).

The two most broad categories that encompass all other types are Behavioral UML diagram
and Structural UML diagram. As the name suggests, some UML diagrams try to analyze and
depict the structure of a system or process, whereas other describe the behavior of the system, its
actors, and its building components.

27
4.2.1 CLASS DIAGRAM:

Class diagram is a static diagram. It represents the static view of an application. Class diagram
is not only used for visualizing, describing, and documenting different aspects of a system but
also for constructing executable code of the software application.

Class diagram describes the attributes and operations of a class and also the constraints imposed
on the system.

Fig 4.2.1: Class Diagram

28
4.2.2 USECASE DIAGRAM:

Use case diagrams are usually referred to as behavior diagrams used to describe a set of actions
(use cases) that some system or systems (subject) should or can perform in collaboration with
one or more external users of the system (actors). Each use case should provide some
observable and valuable result to the actors or other stakeholders of the system.

Fig 4.2.2: Usecase Diagram

29
4.2.3 SEQUENCE DIAGRAM

A sequence diagram simply depicts interaction between objects in a sequential order i.e. the
order in which these interactions take place. We can also use the terms event diagrams or event
scenarios to refer to a sequence diagram. Sequence diagrams describe how and in what order the
objects in a system function. These diagrams are widely used by businessmen and software
developers to document and understand requirements for new and existing systems.

Fig 4.2.3: Sequence Diagram

30
4.3 DATA FLOW DIAGRAMS

Data flow diagram is graphical representation of flow of data in an information system. It is


capable of depicting incoming data flow, outgoing data flow and stored data. The DFD does not
mention anything about how data flows through the system.

There is a prominent difference between DFD and Flowchart. The flowchart depicts flow of
control in program modules. DFDs depict flow of data in the system at various levels. DFD
does not contain any control or branch elements.

Level -0

UserName

Register the

Admin Users
Server Password

Validation
validate the user

Login with
all the
Registered
User

Fig 4.3.1 :level0 dataflow diagram

31
Level -1
Gets Views All the implement Images
Pass Matrix
Registered

T
Checks
Checks the for any
validity Inferenc
User e Attack
F

Checks if the User Retweets the Data

Fig 4.3.2 :level1 dataflow diagram

Level -2

End User Sends the Pass Matrix Data


Tweet Data
Messages

Checks the User for Msgs

Verifies the
tweet
messages

Displays the Pass


Chart DB Res Matrix Messages
Fig 4.3.3 :level2 dataflow diagram

32
5.2 FLOW CHART
Start
Admin:

Admin registration

Yes No
Login

View all users,View Admin name and


all Graphical password wrong
Authentication
Points

View all blocked users


and unblock based on
authentication

Logout
Upload documents with
Doc image,View all doc
recommendations with
ranks and comments

View chart results of


blocked and un blocked
users,View all docs rank
results in chart

33
User:
user registration

Yes No

Login

Enter user name and User name and


password and all other password wrong
details with profile
image

Display 3 images
and select a
portion from each
and every image
to register and go Logout
to main
Enter your page and
username
password,Display three
images and select portion
from 3 images each then
go to main page

Search documents
and download,
recommend to
others with
comments

View other
recommended
documents with
comments
34
4.4 SYSTEM ARCHITECTURE

Fig4.4 : System Architecture

4.5 METHODOLOGY

4.5.1 PASS MATRIX

To maintain a strategic distance from the distinctive sorts of attacks which is happens in user
account. To overcomes security weakness, the easiness of obtaining password by observers in
public. We will utilize graphical validation system called PassMatrix. In PassMatrix, a password
comprises of just selecting pass-squares per pass-image send for authentication form a sequence
of n images. The image will be send by server. In the event that the If the user select incorrect
pass-squares within the pass-image then user does not login into system. Be that as it may,
primary motivation to oppose shoulder surfing attacks and maintain user privacy as well as
authentication.

PassMatrix is used to overcome the security weakness of the traditional PIN method

35
and easiness of obtaining passwords by observers in public and also the compatibility
issues to the devices.

PassMatrix is composed of the following components (see below figure):

 Image Discretization Module

 Login Indicator generator Module

 Horizontal and Vertical Axis Control Module

 Communication Module

 Password Verification Module

 Database

Fig.4.5.1: Overview of the PassMatrix system.

Image Discretization Module. This module divides each image into squares internally, from
which users would hoose one as the pass-square. An image is divided into a 7 11 grid. The
smaller the image is discretized, the larger the password space is. However, the overly
concentrated division may result in recognition problem of specific objects and increase the
difficulty of user interface operations on palm-sized mobile devices. Hence, in our
implementation, a division was set at 60-pixel intervals in both horizontal and vertical directions,
since 60 pixels2 is the best size to accurately select specific objects on touch screens.

Login Indicator Generator Module. This module generates a login indicator consisting of
several distinguishable characters (such as alphabets and numbers) or visual materials (such as

36
colors and icons) for users during the authentication phase. In our implementation, we used
characters A to G and 1 to 11 for a 7 11 grid. Both letters and numbers are generated randomly
and therefore a different login indicator will be provided each time the module is called. The
generated login indicator can be given to users visually or acoustically.

For the former case, the indicator could be shown on the display (see Figure 3(a)) directly or
through another predefined image. If using a predefined image, for instance, if the user chooses
the square (5, 9) in the image as in Figure

3(b), then the login indicator will be (E, 11). For the acoustical delivery, the indicator can be
received by an audio signal through the ear buds or Bluetooth. One principle is to keep the
indicators secret from people other than the user, since the password (the sequence of pass-
squares) can be reconstructed easily if the indicators are known.

Fig:(a) Obtain the login indicator(E, 11) directly 3(b)Obtain the login indicator
through predefined image

Horizontal and Vertical Axis Control Module. There are two scroll bars: a horizontal bar with
a sequence of letters and a vertical bar with a sequence of numbers. This control module
provides drag and fling functions for users to control both bars. Users can fling either bar using
their finger to shift one alphanumeric at a time. They can also shift several checks at a time by
dragging the bar for a distance. Both bars are circulative, i.e., if the user shifts the horizontal bar

37
.The bars are used to implicitly point out (or in other words, align the login indicator to) the
location of the user’s pass-square.

Communication Module. This module is in charge of all the information transmitted between
the client devices and the authentication server. Any communication is protected by SSL (Secure
Socket Layer) protocol and thus, is safe from being eavesdropped and intercepted.

Password Verification Module. This module verifies the user password during the
authentication phase. A pass-square acts similar to a password digit in the text-based password
system. The user is authenticated only if each pass-square in each pass-image is correctly aligned
with the login indicator. The details of how to align a login indicator to a pass-square will be
described in the next section

Database. The database server contains several tables that store user accounts, passwords (ID
numbers of pass-images and the positions of pass-squares), and the time duration each user spent
on both registration phase and login phase.

The PassMatrix based shoulder surfing resistance graphical authentication system used two
factor authentication processes to signup user and login user as follow-

A) Two Factor Signup Process

In Two Factor Signup process user fill the personal detail in normal the signup form and
submit details. If details are valid then user is sign up into two factor form. In two factor signup
form random pass-image which uploaded by admin save on server side local storage as shown in
fig.5 or user select their own image and upload new image as shown in fig.3. Pass-image splits
into the grid and display user. Users are select pass-squares sequential of pass-image and submit.
In this way user register and user data send to the server and stored into a database for
authentication.

B) Two Factor Login Process

In two factor login process, the user fills normal detail such as username and password which is
used as Signup process. If login is valid then for two factor authentication QR code display to
the user as shown in fig.4. In QR code encoded image URL user scan the image from Android
application and download image. The image split into the grid and user has select pass-image

38
sequence same as used in signup process. For remember we give short notify for a second
display on user screen, the server verify authorized user or not as shown in fig.4. If selected
pass-image is correct then user login into website and Android logout timer start after session
end user logout and return into login page.

4.5.2 PHASES OF PASSMATRIX

PassMatrix’s authentication consists of a registration phase and an authentication phase as


described below:

Registration phase

Figure 4.5.1 is the flowchart of the registration phase. At this stage, the user creates an account
which contains a user-name and a password. The password consists of only one pass-square per
image for a sequence of n images. The number of images (i.e., n) is decided by the user after
considering the trade-off between security and usability of the system .

The only purpose of the username is to give the user an imagination of having a personal
account. The username can be omitted if PassMatrix is applied to authentication systems like
screen lock. The user can either choose images from a provided list or upload images from their
device as pass-images. Then the user will pick a pass-square for each selected pass-image from
the grid, which was divided by the image discretization module. The user repeats this step until
the password is set.

Authentication phase

Figure 4.5.2 is the flowchart of the authentication phase. At this stage, the user uses his/her
username, password and login indicators to log into PassMatrix. The following describes all the
steps in detail:

1) The user inputs his/her username which was created in the registration phase.

2) A new indicator comprised of a letter and a number is created by the login indicator generator
module. The indicator will be shown when the user uses his/her hand to form a circle and then
touch the screen. In this case, the indicator is conveyed to the user by visual feedback. The
39
indicator can also be delivered through a predefined image or by audio feedback that we have
mentioned in the previous section.

Fig.4.5.2.1.The flowchart of registration phase in Fig.4.5.2.2.The flowchart of authentication


PassMatrix phase in PassMatrix

3) Next, the first pass-image will be shown on the display, with a horizontal bar and a vertical
bar on its top and left respectively. To respond to the challenge, the user flings or drags the bars
to align the pre-selected pass-square of the image with the login indicator. For example, if the
indicator is (E, 11) and the pass-square is at (5, 7) in the grid of the image, the user shifts the
character ”E” to the 5th column on the horizontal bar and ”11” to the 7th row on the vertical bar.

4) Repeat step 2 and step 3 for each pre-selected pass-image.

5) The communication module gets user account information from the server through
HttpRequest POST method.

40
6) Finally, for each image, the password verification module verifies the alignment between the
pass-square and the login indicator. Only if all the align-ments are correct in all images, the user
is allowed to log into PassMatrix.

41
CHAPTER 5
SYSTEM IMPLEMENTATION
5.1 MODULES
 User Registration
In this module user has to register by giving his information such as user id, user name,
password valid email id etc, and after giving this information, randomly three images will be
assigned to the user, in those images he has to select the coordinate squares of the images as the
graphical password. The details of coordinates of all images will be stored in the database with
respect to the specific user.

 Hash code generation


After successful setting of the coordinates of the images those details will be stored in the
database, concatenating all the three images coordinates and generate hash code for that and
store in the database with respect to the user.

 User Login Process


Registered user will be login to the application by using his user id and password, if the user id
and password is valid One Time Password(OTP) will be sent to the user’s e-mail, whereas OTP
contains the random pair of vertical and horizontal slider coordinate points of all the three
images. After successful login three assigned images will be displayed to the user with horizontal
and vertical sliders user has to set the horizontal and vertical sliders for all the three images
where the OTP coordinate value should be equal to the coordinates chosen by the user at the time
of password setting. The hash code will be generated for all OTP coordinates by concatenating if
the hash code is matched with the existing hash code user can successful enter in to the home
page else, process ends and login page will display.

 Admin

In this module, admin has to login with valid username and password. After login successful he
can do some operations such as view all user, their details and authorize them , View all users
graphical authentication points, view all blocked users (who tried wrong graphical authentication

42
points 3 time) ,View unblock requests and unblock them, upload documents with image and
view all uploaded documents with rank and comments of it, View users results chart based on
number of users active and blocked, View the documents results based on rank.

5.3 TECHNOLOGIES USED


5.3.1 JAVA
Java technology is both a programming language and a platform. The Java programming
language is a high-level language that can be characterized by all of the following buzzwords:

o Simple
o Architecture neutral
o Object oriented
o Portable
o Distributed
o High performance
o Interpreted
o Multithreaded
o Robust
o Dynamic
o Secure

With most programming languages, you either compile or interpret a program so that you can
run it on your computer. The Java programming language is unusual in that a program is both
compiled and interpreted. With the compiler, first you translate a program into an intermediate
language called Java byte codes —the platform-independent codes interpreted by the interpreter
on the Java platform. The interpreter parses and runs each Java byte code instruction on the
computer. Compilation happens just once; interpretation occurs each time the program is
executed. The following figure illustrates how this works.

43
Fig 5.3.1:Java Overview

You can think of Java byte codes as the machine code instructions for the Java Virtual
Machine (Java VM). Every Java interpreter, whether it’s a development tool or a Web browser
that can run applets, is an implementation of the Java VM. Java byte codes help make “write
once, run anywhere” possible. You can compile your program into byte codes on any platform
that has a Java compiler. The byte codes can then be run on any implementation of the Java VM.
That means that as long as a computer has a Java VM, the same program written in the Java
programming language can run on Windows 2000, a Solaris workstation, or on an iMac.

Fig 5.3.2:Java Compiler

What can java technology do ? :

The most common types of programs written in the Java programming language are
applets and applications. If you’ve surfed the Web, you’re probably already familiar with

44
applets. An applet is a program that adheres to certain conventions that allow it to run within a
Java-enabled browser.

However, the Java programming language is not just for writing cute, entertaining applets for the
Web. The general-purpose, high-level Java programming language is also a powerful software
platform. Using the generous API, you can write many types of programs.

How does the API support all these kinds of programs? It does so with packages of software
components that provides a wide range of functionality. Every full implementation of the Java
platform gives you the following features:

The essentials: Objects, strings, threads, numbers, input and output, data structures, system
properties, date and time, and so on.

Applets: The set of conventions used by applets.

Networking: URLs, TCP (Transmission Control Protocol), UDP (User Data gram Protocol)
sockets, and IP (Internet Protocol) addresses.

Internationalization: Help for writing programs that can be localized for users worldwide.
Programs can automatically adapt to specific locales and be displayed in the appropriate
language.

Security: Both low level and high level, including electronic signatures, public and private key
management, access control, and certificates.

Software components: Known as JavaBeans, can plug into existing component architectures.

Object serialization: Allows lightweight persistence and communication via Remote Method
Invocation (RMI).

Java Database Connectivity (JDBCTM)

Provides uniform access to a wide range of relational databases. The Java platform also has
APIs for 2D and 3D graphics, accessibility, servers, collaboration, telephony, speech, animation,
and more. The following figure depicts what is included in the Java 2 SDK.

45
Fig5.3.3:Java IDE

Get started quickly: Although the Java programming language is a powerful object-oriented
language, it’s easy to learn, especially for programmers already familiar with C or C++.

Write less code: Comparisons of program metrics (class counts, method counts, and so on)
suggest that a program written in the Java programming language can be four times smaller than
the same program in C++.

Write better code: The Java programming language encourages good coding practices, and its
garbage collection helps you avoid memory leaks. Its object orientation, its JavaBeans
component architecture, and its wide-ranging, easily extendible API let you reuse other people’s
tested code and introduce fewer bugs.

Develop programs more quickly: Your development time may be as much as twice as fast
versus writing the same program in C++. Why? You write fewer lines of code and it is a simpler
programming language than C++.

Avoid platform dependencies with 100% Pure Java: You can keep your program portable by
avoiding the use of libraries written in other languages. The 100% Pure JavaTMProduct
Certification Program has a repository of historical process manuals, white papers, brochures,
and similar materials online.

Write once, run anywhere: Because 100% Pure Java programs are compiled into machine-
independent byte codes, they run consistently on any Java platform.

46
Distribute software more easily: You can upgrade applets easily from a central server. Applets
take advantage of the feature of allowing new classes to be loaded “on the fly,” without
recompiling the entire program.

5.3.2 OBJECT DATABASE CONNECTIVY (ODBC):

Microsoft Open Database Connectivity (ODBC) is a standard programming interface for


application developers and database systems providers. Before ODBC became a de facto
standard for Windows programs to interface with database systems, programmers had to use
proprietary languages for each database they wanted to connect to. Now, ODBC has made the
choice of the database system almost irrelevant from a coding perspective, which is as it should
be. Application developers have much more important things to worry about than the syntax that
is needed to port their program from one database to another when business needs suddenly
change.

Through the ODBC Administrator in Control Panel, you can specify the particular database that
is associated with a data source that an ODBC application program is written to use. Think of an
ODBC data source as a door with a name on it. Each door will lead you to a particular database.
For example, the data source named Sales Figures might be a SQL Server database, whereas the
Accounts Payable data source could refer to an Access database. The physical database referred
to by a data source can reside anywhere on the LAN.

The ODBC system files are not installed on your system by Windows 95. Rather, they are
installed when you setup a separate database application, such as SQL Server Client or Visual
Basic 4.0. When the ODBC icon is installed in Control Panel, it uses a file called
ODBCINST.DLL. It is also possible to administer your ODBC data sources through a stand-
alone program called ODBCADM.EXE. There is a 16-bit and a 32-bit version of this program
and each maintains a separate list of ODBC data sources.
From a programming perspective, the beauty of ODBC is that the application can be written to
use the same set of function calls to interface with any data source, regardless of the database
vendor. The source code of the application doesn’t change whether it talks to Oracle or SQL
Server. We only mention these two as an example. There are ODBC drivers available for several
dozen popular database systems. Even Excel spreadsheets and plain text files can be turned into

47
data sources. The operating system uses the Registry information written by ODBC
Administrator to determine which low-level ODBC drivers are needed to talk to the data source
(such as the interface to Oracle or SQL Server). The loading of the ODBC drivers is transparent
to the ODBC application program. In a client/server environment, the ODBC API even handles
many of the network issues for the application programmer.

The advantages of this scheme are so numerous that you are probably thinking there must
be some catch. The only disadvantage of ODBC is that it isn’t as efficient as talking directly to
the native database interface. ODBC has had many detractors make the charge that it is too slow.
Microsoft has always claimed that the critical factor in performance is the quality of the driver
software that is used. In our humble opinion, this is true. The availability of good ODBC drivers
has improved a great deal recently. And anyway, the criticism about performance is somewhat
analogous to those who said that compilers would never match the speed of pure assembly
language. Maybe not, but the compiler (or ODBC) gives you the opportunity to write cleaner
programs, which means you finish sooner. Meanwhile, computers get faster every year.

5.3.3 JAVA DATABASE CONNECTIVITY (JDBC):

In an effort to set an independent database standard API for Java; Sun Microsystems
developed Java Database Connectivity, or JDBC. JDBC offers a generic SQL database access
mechanism that provides a consistent interface to a variety of RDBMSs. This consistent interface
is achieved through the use of “plug-in” database connectivity modules, or drivers. If a database
vendor wishes to have JDBC support, he or she must provide the driver for each platform that the
database and Java run on.

To gain a wider acceptance of JDBC, Sun based JDBC’s framework on ODBC. As you
discovered earlier in this chapter, ODBC has widespread support on a variety of platforms.
Basing JDBC on ODBC will allow vendors to bring JDBC drivers to market much faster than
developing a completely new connectivity solution.

JDBC was announced in March of 1996. It was released for a 90 day public review that ended
June 8, 1996. Because of user input, the final JDBC v1.0 specification was released soon after.
The remainder of this section will cover enough information about JDBC for you to know what it

48
is about and how to use it effectively. This is by no means a complete overview of JDBC. That
would fill an entire book.

5.3.4 SQL

The designers felt that their main goal was to define a SQL interface for Java. Although not the
lowest database interface level possible, it is at a low enough level for higher-level tools and
APIs to be created. Conversely, it is at a high enough level for application programmers to use it
confidently. Attaining this goal allows for future tool vendors to “generate” JDBC code and to
hide many of JDBC’s complexities from the end user.

SQL CONFORMANCE:

SQL syntax varies as you move from database vendor to database vendor. In an effort to
support a wide variety of vendors, JDBC will allow any query statement to be passed through it
to the underlying database driver. This allows the connectivity module to handle non-standard
functionality in a manner that is suitable for its users.

JDBC must be implemental on top of common database interfaces:


The JDBC SQL API must “sit” on top of other common SQL level APIs. This goal
allows JDBC to use existing ODBC level drivers by the use of a software interface. This
interface would translate JDBC calls to ODBC and vice versa.

Provide a java interface that is consistent with the rest of the java system:

Because of Java’s acceptance in the user community thus far, the designers feel that they
should not stray from the current design of the core Java system.

Keep it simple:

This goal probably appears in all software design goal listings. JDBC is no exception.
Sun felt that the design of JDBC should be very simple, allowing for only one method of
completing a task per mechanism. Allowing duplicate functionality only serves to confuse the
users of the API.

Use strong, static typing wherever possible:


49
Strong typing allows for more error checking to be done at compile time; also, less error appear
at runtime.

Keep the common cases simple:

Because more often than not, the usual SQL calls used by the programmer are simple
SELECT’s, INSERT’s, DELETE’s and UPDATE’s, these queries should be simple to perform
with JDBC. However, more complex SQL statements should also be possible.

Finally we decided to proceed the implementation using Java Networking and for
dynamically updating the cache table we go for MS Access database.Java is also unusual in that
each Java program is both compiled and interpreted. With a compile you translate a Java
program into an intermediate language called Java byte codes the platform-independent code
instruction is passed and run on the computer.Compilation happens just once; interpretation
occurs each time the program is executed.

5.3.5 JAVASCRIPT
JavaScript is a script-based programming language that was developed by Netscape
Communication Corporation. JavaScript was originally called Live Script and renamed as
JavaScript to indicate its relationship with Java. JavaScript supports the development of both
client and server components of Web-based applications. On the client side, it can be used to
write programs that are executed by a Web browser within the context of a Web page. On the
server side, it can be used to write Web server programs that can process information submitted
by a Web browser and then updates the browser’s display accordingly

Even though JavaScript supports both client and server Web programming, we prefer JavaScript
at Client side programming since most of the browsers supports it. JavaScript is almost as easy to
learn as HTML, and JavaScript statements can be included in HTML documents by enclosing
the statements between a pair of scripting tags

<SCRIPTS>..</SCRIPT>.

<SCRIPT LANGUAGE = “JavaScript”>

JavaScript statements

50
</SCRIPT>

Here are a few things we can do with JavaScript :

 Validate the contents of a form and make calculations.


 Add scrolling or changing messages to the Browser’s status line.
 Animate images or rotate images that change when we move the mouse over
them.
 Detect the browser in use and display different content for different browsers.
 Detect installed plug-ins and notify the user if a plug-in is required.
We can do much more with JavaScript, including creating entire application.

5.3.6 Hyper Text Markup Language

Hypertext Markup Language (HTML), the languages of the World Wide Web (WWW), allows
users to produces Web pages that include text, graphics and pointer to other Web pages
(Hyperlinks).

HTML is not a programming language but it is an application of ISO Standard 8879, SGML
(Standard Generalized Markup Language), but specialized to hypertext and adapted to the Web.
The idea behind Hypertext is that instead of reading text in rigid linear structure, we can easily
jump from one point to another point. We can navigate through the information based on our
interest and preference. A markup language is simply a series of elements, each delimited with
special characters that define how text or other items enclosed within the elements should be
displayed. Hyperlinks are underlined or emphasized works that load to other documents or some
portions of the same document.

HTML can be used to display any type of document on the host computer, which can be
geographically at a different location. It is a versatile language and can be used on any platform
or desktop.

HTML provides tags (special codes) to make the document look attractive. HTML tags are not
case-sensitive. Using graphics, fonts, different sizes, color, etc., can enhance the presentation of
the document. Anything that is not a tag is part of the document itself

51
CHAPTER 6
SYSTEM TESTING

52
6.1 INTRODUCTION
The purpose of testing is to discover errors. Testing is the process of trying to discover every
conceivable fault or weakness in a work product. It provides a way to check the functionality of
components, sub assemblies, assemblies and/or a finished product It is the process of exercising
software with the intent of ensuring that the

Software system meets its requirements and user expectations and does not fail in an
unacceptable manner. There are various types of test. Each test type addresses a specific testing
requirement.

6.2 TYPES OF TESTING TECHNIQUES


Unit testing
Unit testing involves the design of test cases that validate that the internal program logic is
functioning properly, and that program inputs produce valid outputs. All decision branches and
internal code flow should be validated. It is the testing of individual software units of the
application .it is done after the completion of an individual unit before integration. This is a
structural testing, that relies on knowledge of its construction and is invasive. Unit tests perform
basic tests at component level and test a specific business process, application, and/or system
configuration. Unit tests ensure that each unique path of a business process performs accurately
to the documented specifications and contains clearly defined inputs and expected results.

Integration testing
Integration tests are designed to test integrated software components to determine if they
actually run as one program. Testing is event driven and is more concerned with the basic
outcome of screens or fields. Integration tests demonstrate that although the components were
individually satisfaction, as shown by successfully unit testing, the combination of components is
correct and consistent. Integration testing is specifically aimed at exposing the problems that
arise from the combination of components.

Functional test
Functional tests provide systematic demonstrations that functions tested are available as
specified by the business and technical requirements, system documentation, and user manuals.
53
Functional testing is centered on the following items:

Valid Input : identified classes of valid input must be accepted.

Invalid Input : identified classes of invalid input must be rejected.

Functions : identified functions must be exercised.

Output : identified classes of application outputs must be exercised.

Systems/Procedures: interfacing systems or procedures must be invoked.

Organization and preparation of functional tests is focused on requirements, key functions, or


special test cases. In addition, systematic coverage pertaining to identify Business process flows;
data fields, predefined processes, and successive processes must be considered for testing.
Before functional testing is complete, additional tests are identified and the effective value of
current tests is determined.

System Test
System testing ensures that the entire integrated software system meets requirements. It tests a
configuration to ensure known and predictable results. An example of system testing is the
configuration oriented system integration test. System testing is based on process descriptions
and flows, emphasizing pre-driven process links and integration points.

White Box Testing


White Box Testing is a testing in which in which the software tester has knowledge of the inner
workings, structure and language of the software, or at least its purpose. It is purpose. It is used
to test areas that cannot be reached from a black box level.

Black Box Testing


Black Box Testing is testing the software without any knowledge of the inner workings, structure
or language of the module being tested. Black box tests, as most other kinds of tests, must be
written from a definitive source document, such as specification or requirements document, such
as specification or requirements document. It is a testing in which the software under test is
treated, as a black box .you cannot “see” into it. The test provides inputs and responds to outputs
without considering how the software works.

54
6.2.1 Unit Testing:

Unit testing is usually conducted as part of a combined code and unit test phase of the software
lifecycle, although it is not uncommon for coding and unit testing to be conducted as two distinct
phases.

Test strategy and approach


Field testing will be performed manually and functional tests will be written in detail.
Test objectives
 All field entries must work properly.
 Pages must be activated from the identified link.
 The entry screen, messages and responses must not be delayed.
Features to be tested
 Verify that the entries are of the correct format
 No duplicate entries should be allowed
 All links should take the user to the correct page.

6.2.2 Integration Testing


Software integration testing is the incremental integration testing of two or more integrated
software components on a single platform to produce failures caused by interface defects.

The task of the integration test is to check that components or software applications, e.g.
components in a software system or – one step up – software applications at the company level –
interact without error.

Test Results: All the test cases mentioned above passed successfully. No defects encountered.

6.2.3 Acceptance Testing


User Acceptance Testing is a critical phase of any project and requires significant participation
by the end user. It also ensures that the system meets the functional requirements.

Test Results: All the test cases mentioned above passed successfully. No defects encountered.
55
6.3 TESTING METHODOLOGIES
The following are the Testing Methodologies:

o Unit Testing.
o Integration Testing.
o User Acceptance Testing.
o Output Testing.
o Validation Testing.

Unit Testing

Unit testing focuses verification effort on the smallest unit of Software design that is the module.
Unit testing exercises specific paths in a module’s control structure to ensure complete coverage
and maximum error detection. This test focuses on each module individually, ensuring that it
functions properly as a unit. Hence, the naming is Unit Testing.

During this testing, each module is tested individually and the module interfaces are verified for
the consistency with design specification. All important processing path are tested for the
expected results. All error handling paths are also tested.

Integration Testing

Integration testing addresses the issues associated with the dual problems of verification and
program construction. After the software has been integrated a set of high order tests are
conducted. The main objective in this testing process is to take unit tested modules and builds a
program structure that has been dictated by design.

The following are the types of Integration Testing:

1)Top Down Integration

This method is an incremental approach to the construction of program structure. Modules are
integrated by moving downward through the control hierarchy, beginning with the main program

56
module. The module subordinates to the main program module are incorporated into the
structure in either a depth first or breadth first manner.
In this method, the software is tested from main module and individual stubs are replaced when
the test proceeds downwards.

2. Bottom-up Integration

This method begins the construction and testing with the modules at the lowest level in the
program structure. Since the modules are integrated from the bottom up, processing required for
modules subordinate to a given level is always available and the need for stubs is eliminated. The
bottom up integration strategy may be implemented with the following steps:

 The low-level modules are combined into clusters into clusters that
perform a specific Software sub-function.
 A driver (i.e.) the control program for testing is written to coordinate test case
Input and output.
 The cluster is tested.
 Drivers are removed and clusters are combined moving upward in the
program structure
The bottom up approaches tests each module individually and then each module is module is
integrated with a main module and tested for functionality.

User Acceptance Testing

User Acceptance of a system is the key factor for the success of any system. The system under
consideration is tested for user acceptance by constantly keeping in touch with the prospective
system users at the time of developing and making changes wherever required. The system
developed provides a friendly user interface that can easily be understood even by a person who
is new to the system.

Output Testing

57
After performing the validation testing, the next step is output testing of the proposed system,
since no system could be useful if it does not produce the required output in the specified format.
Asking the users about the format required by them tests the outputs generated or displayed by
the system under consideration. Hence the output format is considered in 2 ways – one is on
screen and another in printed format.

Validation Testing:

Validation checks are performed on the following fields.

Text Field:

The text field can contain only the number of characters lesser than or equal to its size. The text
fields are alphanumeric in some tables and alphabetic in other tables. Incorrect entry always
flashes and error message.
Numeric Field:

The numeric field can contain only numbers from 0 to 9. An entry of any character flashes an
error messages. The individual modules are checked for accuracy and what it has to perform.
Each module is subjected to test run along with sample data. The individually tested modules
are integrated into a single system. Testing involves executing the real data information is used
in the program the existence of any program defect is inferred from the output. The testing
should be planned so that all the requirements are individually tested.
A successful test is one that gives out the defects for the inappropriate data and produces and
output revealing the errors in the system.

Preparation of Test Data

Taking various kinds of test data does the above testing. Preparation of test data plays a vital role
in the system testing. After preparing the test data the system under study is tested using that test
data. While testing the system by using test data errors are again uncovered and corrected by
using above testing steps and corrections are also noted for future use.

Using Live Test Data:

58
Live test data are those that are actually extracted from organization files. After a system is
partially constructed, programmers or analysts often ask users to key in a set of data from their
normal activities. Then, the systems person uses this data as a way to partially test the system. In
other instances, programmers or analysts extract a set of live data from the files and have them
entered themselves.

It is difficult to obtain live data in sufficient amounts to conduct extensive testing. And, although
it is realistic data that will show how the system will perform for the typical processing
requirement, assuming that the live data entered are in fact typical, such data generally will not
test all combinations or formats that can enter the system. This bias toward typical values then
does not provide a true systems test and in fact ignores the cases most likely to cause system
failure.

Using Artificial Test Data:

Artificial test data are created solely for test purposes, since they can be generated to test all
combinations of formats and values. In other words, the artificial data, which can quickly be
prepared by a data generating utility program in the information systems department, make
possible the testing of all login and control paths through the program.

The most effective test programs use artificial test data generated by persons other than those
who wrote the programs. Often, an independent team of testers formulates a testing plan, using
the systems specifications.

The package “Virtual Private Network” has satisfied all the requirements specified as per
software requirement specification and was accepted.

User Training:

Whenever a new system is developed, user training is required to educate them about the
working of the system so that it can be put to efficient use by those for whom the system has
been primarily designed. For this purpose the normal working of the project was demonstrated to

59
the prospective users. Its working is easily understandable and since the expected users are
people who have good knowledge of computers, the use of this system is very easy.

MAINTAINENCE

This covers a wide range of activities including correcting code and design errors. To reduce the
need for maintenance in the long run, we have more accurately defined the user’s requirements
during the process of system development. Depending on the requirements, this system has been
developed to satisfy the needs to the largest possible extent. With development in technology, it
may be possible to add many more features based on the requirements in future. The coding and
designing is simple and easy to understand which will make maintenance easier.

TESTING STRATEGY :

A strategy for system testing integrates system test cases and design techniques into a well
planned series of steps that results in the successful construction of software. The testing strategy
must co-operate test planning, test case design, test execution, and the resultant data collection
and evaluation .A strategy for software testing must accommodate low-level tests that are
necessary to verify that a small source code segment has been correctly implemented as well
as high level tests that validate major system functions against user requirements.

Software testing is a critical element of software quality assurance and represents the ultimate
review of specification design and coding. Testing represents an interesting anomaly for the
software. Thus, a series of testing are performed for the proposed system before the system is
ready for user acceptance testing.

SYSTEM TESTING:

Software once validated must be combined with other system elements (e.g. Hardware, people,
database). System testing verifies that all the elements are proper and that overall system
function performance is achieved. It also tests to find discrepancies between the system and its
original objective, current specifications and system documentation.

UNIT TESTING:

60
In unit testing different are modules are tested against the specifications produced during the
design for the modules. Unit testing is essential for verification of the code produced during the
coding phase, and hence the goals to test the internal logic of the modules. Using the detailed
design description as a guide, important Conrail paths are tested to uncover errors within the
boundary of the modules. This testing is carried out during the programming stage itself. In this
type of testing step, each module was found to be working satisfactorily as regards to the
expected output from the module.

In Due Course, latest technology advancements will be taken into consideration. As part of
technical build-up many components of the networking system will be generic in nature so that
future projects can either use or interact with this. The future holds a lot to offer to the
development and refinement of this project.

6.4 TESTCASES

Project Name: Pass Matrix

Test Case

Test Case ID: T003 Test Designed by: Swetha

Test Priority (Low/Medium/High): Med Test Designed date: 19-04-18

Module Name: Pass Matrix Test Executed by: Swetha

Test Title: Pass Matrix Test Execution Login Module

Description: Pass Matrix

Pre-conditions: User has valid username and password with cued clicks

Dependencies: Text Box,Password Box, Button widgets etc.

Table 1: Test Cases

Step Test Steps Test Data Expected Result Actual Result Status Notes

61
(Pass/Fail)

Request For user User should be User is navigated to Pass


1 Name User= username displayed

Request for Friend Friends Name dashboard with Pass


2 Navigation Navigate the details successful

Gets the details user Name Login Pass


3 User Navigation after navigation

Proposal for Finally generate the User Name


4 Navigation response

These selection points Coordinates are PAss


must give the registered
Clicks on the image to Three selection coordinates of the
navigate points are selected system

Post-conditions:

User is validated with database and successfully login to account. The account session details are logged
in database.

CHAPTER 7
EXPERIMENTAL RESULTS

62
7.1 EXECUTION SCREEN SHOTS

Fig7.1:Home Page

Fig 7.2:User Login page

63
Fig 7.3:User Registration page

Fig 7.4:Admin page

64
Fig 7.5:Admin Main page

Fig 7.6:All Users page

65
Fig 7.7:Add Document page

Fig 7.8: Document Result page

66
Fig 7.9: Unblock Request page

Fig 7.10: Click Points page

67
Fig 7.11: User Main page

Fig 7.12: User Details page

68
CHAPTER 8
CONCLUSION AND FUTURE SCOPE
A subject's sensitive information can be considered as leaked if an adversary can infer its real
value with a high confidence.[2] This is an example of breached information security. An
Inference attack occurs when a user is able to infer from trivial information more robust
information about a database without directly accessing it. The object of Inference attacks is to
piece together information at one security level to determine a fact that should be protected at a
higher security level.

With the increasing trend of web services and apps, users are able to access these applications
anytime and anywhere with various devices. In order to protect users’ digital property,
authentication is required every time they try to access their personal account and data. However,
conducting the authentication process in public might result in potential shoulder surfing attacks.
Even a complicated password can be cracked easily through shoulder surfing. Using traditional
textual passwords or PIN method, users need totype their passwords to authenticate themselves
and thus these passwords can be revealed easily if someone peeks over shoulder or uses video
recording devices such as cell phones.

To overcome this problem, we proposed a shoulder surfing resistant authentication system based
on graphical passwords, named Pass Matrix. Using a one-time login indicator per image, users
can point out the location of their pass-square without directly clicking or touching it,
which is an action vulnerable to shoulder surfing attacks. Because of the design of the horizontal
and vertical bars that cover the entire pass-image, it offers no clue for attackers to narrow down
the password space even if they have more than one login records of that account. Furthermore,
we implemented a Pass Matrix prototype on Android and carried out user experiments to
evaluate the memorability and usability. The experimental result showed that users can log into
the system with an average of 1:64 tries (Median=1), and the Total Accuracy of all login trials is
93:33% even two weeks after registration. The total time consumed to log into Pass Matrix with
an average of 3:2 pass-images is between 31:31 and 37:11 seconds and is considered acceptable
by 83:33% of participants in our user study.

69
Based on the experimental results and survey data, Pass Matrix is a novel and easy-to-use
graphical password authentication system, which can effectively alleviate shoulder-surfing
attacks. In addition, Pass Matrix can be applied To any authentication scenario and device with
simple input and output capabilities. The survey data in the user study also showed that Pass
Matrix is practical in the real world. The Application is one of the useful application in the
current situation. This is the easy way to communicate with the admin. Employee expense claim
workflow became an early candidate for enablement as it could eliminate handling of supporting
expense bills and instead use the camera of Smartphone to capture the bill. As a future enhance
we can delete the documents which are not needed and not in used for a long period so that we
can free up the storeage space .

70
REFERENCES

[1] S. Sood, A. Sarje, and K. Singh, “Cryptanalysis of password authentication schemes: Current
status and key issues,” in Methods and Models in Computer Science, 2009. ICM2CS 2009.
Proceeding of International Conference on, Dec 2009, pp. 1–7.

[2] S. Gurav, L. Gawade, P. Rane, and N. Khochare, “Graphical password authentication: Cloud
securing scheme,” in Electronic Systems, Signal Processing and Computing Technologies
(ICESC), 2014 International Conference on, Jan 2014, pp. 479–483.

[3] K. Gilhooly, “Biometrics: Getting back to business,” Computerworld, May, vol. 9, 2005.

[4] R. Dhamija and A. Perrig, “Deja vu: A user study using images for authentication,” in
Proceedings of the 9th conference on USENIX Security Symposium-Volume 9. USENIX
Association, 2000, pp. 4–4.

[5] “Realuser,” http://www.realuser.com/.

[6] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, “The design and analysis of
graphical passwords,” in Proceedings of the 8th conference on USENIX Security Symposium-
Volume 8. USENIX Association, 1999, pp. 1–1.

[7] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, “Passpoints: Design and
longitudinal evaluation of a graphical password system,” International Journal of Human-
Computer Studies, vol. 63, no. 1-2, pp. 102–127, 2005.

[8] A. Paivio, T. Rogers, and P. Smythe, “Why are pictures easier to recall than words?”
Psychonomic Science, 1968.

[9] D. Nelson, U. Reed, and J. Walling, “Picture superiority effect,” Journal of Experimental
Psychology: Human Learning and Memory, vol. 3, pp. 485–497, 1977.

71
[10] S. Brostoff and M. Sasse, “Are passfaces more usable than passwords? a field trial
investigation,” PEOPLE AND COMPUTERS, pp. 405–424, 2000.

[11] A. De Angeli, M. Coutts, L. Coventry, G. Johnson, D. Cameron, and M. Fischer, “Vip: a


visual approach to user authentication,” in Proceedings of the Working Conference on Advanced
Visual Interfaces. ACM, 2002, pp. 316–323.

[12] B. Ives, K. Walsh, and H. Schneider, “The domino effect of password reuse,”
Communications of the ACM, vol. 47, no. 4, pp. 75–78, 2004.

[13] J. Long and K. Mitnick, No Tech Hacking: A Guide to Social Engineering, Dumpster
Diving, and Shoulder Surfing. Elsevier Science, 2011.

[14] T. Kwon, S. Shin, and S. Na, “Covert attentional shoulder surfing: Human adversaries are
more powerful than expected,” IEEE Transactions on Systems, Man, and Cybernetics: Systems,
vol. 44, no. 6, pp. 716–727, June 2014.

[15] “Google glass snoopers can steal your passcode with a glance,”
http://www.wired.com/2014/06/google-glass-snoopers-cansteal- your-passcode-with-a-glance/.

[16] M. Sasse, S. Brostoff, and D. Weirich, “Transforming the weakest linka human/computer
interaction approach to usable and effective security,” BT technology journal, vol. 19, no. 3, pp.
122–131, 2001.

[17] “Mobile marketing statistics compilation,” http://www.smartinsights.com/mobile-


marketing/mobilemarketing- analytics/mobile-marketing-statistics/.

[18] D. Hong, S. Man, B. Hawes, and M. Mathews, “A password scheme strongly resistant to
spyware,” in Proceedings of International conference on security and management, 2004.

72
[19] D. Tan, P. Keyani, and M. Czerwinski, “Spy-resistant keyboard: Towards more secure
password entry on publicly observable touch screens,” in Proceedings of OZCHI-Computer-
Human Interaction Special Interest Group (CHISIG) of Australia. Canberra, Australia: ACM
Press. Citeseer, 2005.

[20] M. Kumar, T. Garfinkel, D. Boneh, and T. Winograd, “Reducing shoulder-surfing by using


gaze-based password entry,” in Proceedings of the 3rd symposium on Usable privacy and
security. ACM, 2007, pp. 13–19.

[21]H. Zhao and X. Li, “S3pas: A scalable shoulder-surfing resis-tant textual-graphical password
authentication scheme,” in Ad-vanced Information Networking and Applications Workshops,
2007, AINAW’07. 21st International Conference on, vol. 2. IEEE, 2007, pp 476-452

[22] X. Bai, W. Gu, S. Chellappan, X. Wang, D. Xuan, and B. Ma, “Pas: predicate-based
authentication services against powerful passive adversaries,” in 2008 Annual Computer
Security Applications Conference. IEEE, 2008, pp. 433–442.

[23] Z. Zheng, X. Liu, L. Yin, and Z. Liu, “A stroke-based textual password authentication
scheme,” in Education Technology and Computer Science, 2009. ETCS’09. First International
Workshop on, vol. 3. IEEE, 2009, pp. 90–95.

[24] L. Wang, X. Chang, Z. Ren, H. Gao, X. Liu, and U. Aickelin, “Against spyware using
captcha in graphical password scheme,” in 2010 24th IEEE International Conference on
Advanced Information Networking and Applications. IEEE, 2010, pp. 760–767.

[25] D. Kim, P. Dunphy, P. Briggs, J. Hook, J. Nicholson, J. Nichol-son, and P. Olivier, “Multi-
touch authentication on tabletops,” in
Proceedings of the 28th international conference on Human factors in computing systems.
ACM, 2010, pp. 1093–1102.

73
[26] “Black hat: Google glass can steal your passcodes,”
https://www.technologyreview.com/s/529896/black-hat-google-glass-can-steal-your-passcodes/.

[27] S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget, “Design and evaluation of a
shoulder-surfing resistant graphical password scheme,” in Proceedings of the working
conference on Advanced visual interfaces, ser. AVI ’06. New York, NY, USA: ACM, 2006, pp.
177– 184.

[28] E. von Zezschwitz, A. De Luca, and H. Hussmann, “Honey, i shrunk the keys: Influences of
mobile devices on password composition and authentication performance,” in Proceedings of
the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational, ser.
NordiCHI ’14. New York, NY, USA: ACM, 2014,pp. 461–470.

[29] A. Bianchi, I. Oakley, V. Kostakos, and D. S. Kwon, “The phone lock: Audio and haptic
shoulder-surfing resistant pin entry meth-ods for mobile devices,” in Proceedings of the Fifth
International Conference on Tangible, Embedded, and Embodied Interaction, ser. TEI ’11. New
York, NY, USA: ACM, 2011, pp. 197–200.

[30] A. Bianchi, I. Oakley, and D. S. Kwon, “The secure haptic keypad: A tactile password
system,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems,
ser. CHI ’10. New York, NY, USA: ACM, 2010, pp. 1089–1092.

[31] M. Martinez-Diaz, J. Fierrez, and J. Galbally, “The doodb graphical password database:
Data analysis and benchmark results,” Access, IEEE, vol. 1, pp. 596–605, 2013.

[32] S. Chiasson, P. van Oorschot, and R. Biddle, “Graphical pass-word authentication using
cued click points,” Computer Security– ESORICS 2007, pp. 359–374, 2007

[33] A. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. Smith, “Smudge attacks on smartphone
touch screens,” in USENIX 4th Workshop on Offensive Technologies, 2010

[34] X. Suo, Y. Zhu, and G. Owen, “Analysis and design of graphical password techniques,”
Advances in Visual Computing, pp. 741–749, 2006.

74
[35] J. Thorpe and P. van Oorschot, “Human-seeded attacks and exploiting hot-spots in graphical
passwords,” in Proceedings of 16th USENIX Security Symposium on USENIX Security
Symposium. USENIX Association, 2007, p. 8.

[36] S. Chiasson, P. van Oorschot, and R. Biddle, “Graphical pass-word authentication using
cued click points,” Computer Security– ESORICS 2007, pp. 359–374, 2007.

[37] “Secure socket layer ssl,” http://en.wikipedia.org/wiki/ Transportn Layern Security.

[38] L. Cranor and S. Garfinkel, Security and Usability. O’Reilly Media, Inc., 2005.

[39] “Google play,” https://play.google.com/store/.

[40] “Android developer,” http://developer.android.com/index.html.

[41] “Android version of distribution,” http://developer.android.


com/resources/dashboard/platform-versions.html.

75
76
77