A Hack Free Authentication and Authorization System Using 3
Layered Security
Aishani Priyal Singh1, Antaja Dey2, Dhanya Maria D3 and Srividhya Ganesan4
Computer Science & Engineering, AMC Engineering College, Bengaluru
Abstract-The overall objective is to
develop an application that primarily aims
at creating a definite solution to tackle
shoulder surfing attacks as well as third
party system hackers to make it an
impenetrable system to secure
confidential data. The first module is
basically a Graphical Authentication
System which involves a one-time login
indicator as well as circulating horizontal
and vertical bars covering the entire scope
of the pass images and functions using
the pass matrix mechanism. The second
level of authentication is a passkey
module and a honey-pot database scheme.
Authorised users are given access to the
original database when they enter the
pass key while other unauthorised users
are given access to the fake database
which consists of irrelevant data. The
security scheme is believed to be
impossible to break through by hackers
and also would provide adequate security
for confidential and important data like
finance transactions, project reports,
passcode etc. With the combination of
these three layers, the hacker would not
be able to crack through the software for
the confidential files of the user.
Keywords-PassMatrix,
AES,Honeypot,Authentication
I. INTRODUCTION
Passwords are largely used in
application authentication for computer
security and privacy. However, with the
vulnerability involved with human actions
that could compromise the security of
systems, such as choosing a bad password
and inputting passwords in an insecure way
are regarded as ”the weakest link” in the
authentication chain. Rather than choosing
arbitrary alphanumeric strings, users tend
to choose passwords that are either short or
meaningful for the sake of easy
memorization and convenience. With the
augment of web applications and mobile
apps revolving around every domain that
an enterprise or an individual is connected
to, there has been a huge rise in demand for
an impenetrable authentication system that
can match up to the vulnerabilities the
hackers of today pose to confidential data.
These applications can be accessed only by
authentic users only. Different graphical
secret word verification plans were created
to address the issues and shortcomings
related with printed passwords. Various
graphical watchword validation plans were
produced to address the issues and
shortcomings related with literary
passwords. In light of a few reviews, for
example, those in people have a superior
capacity to remember pictures with long
haul memory (LTM) than verbal portrayals.
Picture based passwords were turned out to
be less demanding to remember in a few
client thinks about. Therefore, clients can
set up an intricate verification secret word
and are fit for recalling it after quite a while
regardless of the possibility that the
memory is not enacted occasionally. Be
that as it may, the greater part of these
picture based passwords are powerless
against shoulder surfing assaults (SSAs).
This kind of assault either utilizes
coordinate perception, for example,
viewing behind someone or applies video
catching systems to get passwords, PINs, or
other touchy individual data
A. Pass Matrix
Aggressors can watch straight-forwardly or
utilize outer recording gadgets to gather
clients' accreditations. To defeat this issue,
we proposed a novel validation framework
Pass Matrix, in light of graphical
passwords to oppose bear surfing assaults.
We utilize a one-time legitimate login
pointer and circulating flat and vertical bars
which would cover the whole extent of the
pass-pictures being utilized. With Pass
Matrix alone holding the security for the
system, the chances for a system to be
hacked is reduced unless and until the
hacker doesn’t get access to it.
B. AES Encryption and Decryption
Nothing is so certain in the field of
security. Hackers can crack anything
nowadays and so the Pass Matrix by some
attempts. So, we came up with the next
layer in our security system, where the next
level in data access requires the user to
enter the passkey in order to perform any
functions on the file such as read, write etc.
The second level solely controls the
authentication based on the passkey. This
passkey is a registered key which is given
to the user at the time of account creation
and would only be known by him.
C. Honeypot Database Model
To make sure that the hacker never
fans access to the database which consists
of important data, we use Honeypot
database model, where the unauthorised
users trying to access the files would be
given access to a false database and at the
same time, the system tries to retrieve the
details of the person using IP address,
Location etc. With this 3 layered security
architecture, we can achieve a hack free
system with complete security.
II. METHODOLOGY
With the increase in shoulder surfing
attacks as well as camera based attacks to
login passwords we propose a pass matrix
system based on graphical passwords to
overcome this problem. Shoulder-Surfing
is a recognized hazard where an attacker
can capture a password by means of direct
observation or by way of recording the
authentication. There were some graphical
schemes resistant to SSAs; however they
have got substantial usability drawbacks,
generally in the time and effort to login. In
this paper, we suggest and compare a brand
new shoulder-browsing resistant scheme
which has a proper usability for PDAs. The
new scheme requires users to attract
throughout their password picks orderly in
preference to click directly on them. We
have used this in the initial login process.
Pass Matrix was developed by Hung-Min
Sun, Shiuan Tung Chen, Jyh-Haw Yeh,
Chia-Yun Cheng and the paper can be
found at [1].

Figure 1: Image for Pass
Matrix
A. MD5 Algorithm
To generate the OTP for the pass
matrix we have used MD5 Algorithm
(Message-Digest Algorithm).There will be
three otp generated each for different
image, toproide high security. The MD5
message-process calculation is a generally
utilized cryptographic hash function
creating a 128-bit (16-byte) hash value,
normally communicated in content
organization as a 32 digit hexadecimal
number. MD5 were concocted by Ron
Rivest as an enhanced variant of MD4.
MD5 has been used in a wide assortment of
cryptographic applications, and is
additionally ordinarily used to check
information trustworthiness. It is intended
where a substantial document must be
"packed" in a protected way before being
scrambled with a private key under an open
key crypto-framework, for example, PGP.
MD5 can be utilized to store one-route
hash of a secret key, regularly with key
extending.
At the same time, keeping in mind
the possibility of the system still being
vulnerable to Hackers we propose a Honey
pot to enable the hacker to access a fake
database while at the same time track down
his location. Another layer of encryption is
added to each file in the real database to
prevent unauthorized users from being
granted access to confidential files. This
would help in a preventing shoulder surfing
attacks and provide adequate security to the
users. These files can be financial files,
project code, ideologies for future and
many more.
B. AES Algorithm
The all the more outstanding and
by and large got symmetric encryption
figuring prone to be encountered nowadays
is the Advanced Encryption Standard
(AES). It is found to be under six times
snappier than triple DES.
An exchange for DES was
required as its key size was close to
nothing. With increasing figuring power, it
was seen as exposed against complete key
pursuit attack. Triple DES was expected to
vanquish this drawback anyway it was
discovered direct. The components of AES
are according to the accompanying –
· Symmetric key symmetric piece
figure
· 128-bit data, 128/192/256-piece keys
· Stronger and snappier than Triple-
DES
· Provide full assurance and setup
purposes of intrigue.
· Software implementable in C and Java
AES Operation:
AES is an iterative instead of
Feistel figure. It relies upon substitution–
permutation arrange. It incorporates a
movement of associated operations, some
of which include supplanting commitments
by specific yields (substitutions) and others
incorporate rearranging bits around
(stages).
Unusually, AES plays out each
one of its estimations on bytes rather than
bits. In this manner, AES treats the 128 bits
of a plaintext deter as 16 bytes. These 16
bytes are composed in four fragments and
four sections for taking care of as a system.
Not at all like DES, the amount of
rounds in AES is variable and depends on
upon the length of the key. AES uses 10
rounds for 128-piece keys, 12 rounds for
192-piece keys and 14 rounds for 256-piece
keys. Each of these rounds utilizes an
alternate 128-bit round key, which is
figured from the first AES key.
Figure 2: Schematic AES Structure
Encryption Process:
● Byte Substitution:
The 16 input bytes are
substituted by investigating a
settled table (S-box) given in
outline. The result is in a grid of
four lines and four fragments.
● Shift rows:
Each of the four lines of the
system is moved to the other side. Any
entries that 'tumble off are re-implanted on
the right half of segment. Move is finished
as takes after:
· First line is not moved.
· Second section is moved one (byte)
position to the other side.
· Third section is moved two positions to
the other side.
· Fourth section is moved three positions
to the other side.
· The outcome is another matrix including
a comparable 16 bytes yet moved with
respect to each other.
● Mix Columns:
Each segment of four bytes is right
now changed using an exceptional
numerical capacity. This limit takes as data
the four bytes of one segment and yields
four absolutely new bytes, which supplant
the main area. The result is another new
lattice including 16 new bytes. It should be
seen that this movement is not performed
in the last round.
● Include Round-key:
The 16 bytes of the cross section
are presently considered as 128 bits and are
XORed to the 128 bits of the round key. In
case this is the last round then the yield is
the cipher-text. Something else, the ensuing
128 bits are deciphered as 16 bytes and we
start another practically identical round.
● Decoding Process:
The procedure of
decoding of an AES cipher-text
is like the encryption process
in the switch arrange. Each
round comprises of the four
procedures conducted in the
turnaround request −
• Add round key
• Mix sections
• Shift lines
• Byte substitution
AES Analysis:
In present day cryptography, AES
is comprehensively gotten and reinforced in
both equipment and programming. Till
date, no logical cryptanalytic ambush
against AES has been found. Likewise,
AES has worked in flexibility of key
length, which allows a level of 'future-
fixing' against progress in the ability to
perform exhaustive key searches. However,
comparably concerning DES, the AES
security is guaranteed just in case it is
precisely executed and incredible key
organization is utilized.
Figure 3: AES Encryption
We have used driveHQ (i.e cloud)
to store the encrypted user’s data and also
created a honeypot database to direct the
fake users to the wrong database which
consists of similar but irrelevant data. A
file can be opened, closed or even edited.
Below is the data flow diagram and
flow chart of the,
Figure 4: Flow Chart
Figure 5: Data-Flow Diagram
III. RESULT ANALYSIS
We have developed the project to provide
authentication security in the form of
OTP which carries the co-ordinates of the
pass matrix.We have written code to split
image into chunks and get them back into
one during the login phase.
The user would get the
coordinates in the from of an OTP and he
needs to align the sliders in order to
login.
The files can only be
downloaded but not viewed without
entering the decryption key which was
generated when the files were being
uploaded into user’s storage.
The administrator has the
provision to check the user details and
has all rights to block an unauthorized
user or say hacker who has tried to login
with wrong credentials. He would be able
to see the IP address of the hacker and
also would alert the legit user that his
storage details are under risk.
The project would be completed
when we successfully get the sample
results of some test cases for user and
hacker modules. We need to create
sample datasets and store them on cloud [2] Ashwini M. Deshpande, Mangesh S.
storage and make sure the retrieval Deshpande, Devendra N. Kayatanavar, ‘
process works exactly as we have FPGA ‘ Implementation of AES
expected. Encryption and Decryption’, August 2009,
Control, Automation, Communication and
IV. CONCLUSION Energy Conservation.

Many projects are rendered less effective [3] S.K. Gupta, Anand Gupta, Renu
because the change management Damor, Vikram Goyal, Sangeetha
imperative is often overlooked and/or Sabarwal, ‘Context Honeypot: A
underestimated and is therefore not framework for anticipatory privacy
managed as an integral part of the planning violation’ July 2008, Emerging Trends in
and execution of the project concerned. Engineering& Technology.
The literature survey done at the start
of this study confirmed the importance of [4] S. Sood, A. Sarje, and K. Singh,
proper change management and revealed “Cryptanalysis of password authentication
that the absence of such management can schemes: Current status and key issues,” in
have a negative impact on a project’s Methods and Models in Computer Science,
outcome. 2009. ICM2CS 2009.
In the traditional network security
system passwords where either short
alphanumeric strings or meaningful for the
sake of easy memorization and
convenience. We wish to change that into
graphical passwords using Pass Matrix
concepts.
Hackers can crack anything nowadays
and so the Pass Matrix by some attempts.
The second level will solely controls the
authentication based on the passkey, where
we wish to generate a pass key for each
subsequent encryption and decryption of
files stored in the database.
To make sure that the hacker never
fans access to the database which consists
of important data, we wish to use Honeypot
database model, where the unauthorised
users trying to access the files would be
given access to a false database.

REFERENCES
[1] Hung-Min Sun, Shiuan Tung Chen,
Jyh-Haw Yeh , Chia-Yun Cheng , ‘A
Shoulder Surfing Resistant Graphical
Authentication System’, March 2016, IEEE
Transactions on Dependable and Secure
Computing, Volume 99.