A SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEM

A SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEM

ABSTRACT

Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as”the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

CHAPTER 1

INTRODUCTION

1.1 OVERVIEW

Dependability is first introduced as a global concept that subsumes the usual attributes of reliability, availability, safety, integrity, maintainability, etc. The consideration of security brings in concerns for confidentiality, in addition to availability and integrity. Computing and communication systems are characterized by fundamental properties: functionality, performance, dependability and security, and cost.

1.2 DEPENDABILITY, SECURITY, AND THEIR ATTRIBUTES

Dependability is the ability to deliver service that can justifiably be trusted. This definition stresses the need for justification of trust. The alternate definition that provides the criterion for deciding if the service is dependable is the dependability of a system is the ability to avoid service failures that are more frequent and more severe than is acceptable.

It is usual to say that the dependability of a system should suffice for the dependence being placed on that system. The dependence of system A on system B, thus, represents the extent to which system A’s dependability is (or would be) affected by that of System B. The concept of dependence leads to that of trust, which can very conveniently be defined as accepted dependence.

As developed over the past three decades, dependability is an integrating concept that encompasses the following attributes:

1.      Availability: readiness for correct service.

2.      Reliability: continuity of correct service.

3.      Safety: absence of catastrophic consequences on the user(s) and the environment.

4.      Integrity: absence of improper system alterations.

5.      Maintainability: ability to undergo modifications and repairs.

When addressing security, an additional attribute has great prominence, confidentiality, i.e., the absence of unauthorized disclosure of information. Security is a composite of the attributes of confidentiality, integrity, and availability, requiring the concurrent existence of 1) availability for authorized actions only, 2) confidentiality, and 3) integrity with “improper” meaning “unauthorized.”

Fig. 1 summarizes the relationship between dependability and security in terms of their principal attributes. The picture should not be interpreted as indicating that, for example, security developers have no interest in maintainability, or that there has been no research at all in the dependability field related to confidentiality—rather it

Fig. 1. Dependability and security attributes

indicates where the main balance of interest and activity lies in each case. The dependability and security specification of a system must include the requirements for the attributes in terms of the acceptable frequency and severity of service failures for specified classes of faults and a given use environment. One or more attributes may not be required at all for a given system.

1.3 THE MEANS TO ATTAIN DEPENDABILITY AND SECURITY

Over the course of the past 50 years many means have been developed to attain the various attributes of dependability and security. Those means can be grouped into four major categories:

·        Fault prevention means to prevent the occurrence or introduction of faults.

·        Fault tolerance means to avoid service failures in the presence of faults.

·        Fault removal means to reduce the number and severity of faults.

·        Fault forecasting means to estimate the present number, the future incidence, and the likely consequences of faults.

Fault prevention and fault tolerance aim to provide the ability to deliver a service that can be trusted, while fault removal and fault forecasting aim to reach confidence in that ability by justifying that the functional and the dependability and security specifications are adequate and that the system is likely to meet them.

Fig.2: The dependability and security tree.

CHAPTER 2

LITERATURE SURVEY

2.1 OVERVIEW:

A literature review is an account of what has been published on a topic by accredited scholars and researchers. Occasionally you will be asked to write one as a separate assignment, but more often it is part of the introduction to an essay, research report, or thesis. In writing the literature review, your purpose is to convey to your reader what knowledge and ideas have been established on a topic, and what their strengths and weaknesses are. As a piece of writing, the literature review must be defined by a guiding concept (e.g., your research objective, the problem or issue you are discussing or your argumentative thesis). It is not just a descriptive list of the material available, or a set of summaries. Besides enlarging your knowledge about the topic, writing a literature review lets you gain and demonstrate skills in two areas

1.      INFORMATION SEEKING: the ability to scan the literature efficiently, using manual or computerized methods, to identify a set of useful articles and books

2.      CRITICAL APPRAISAL: the ability to apply principles of analysis to identify unbiased and valid studies.

PAPER 1: T. Kwon, S. Shin, and S. Na, “Covert attentional shoulder surfing: Human adversaries are more powerful than expected,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 44, no. 6, pp. 716–727, June 2014.

ABSTRACT:

When a user interacts with a computing system to enter a secret password, shoulder surfing attacks are of great concern. To cope with this problem, previous methods presumed limited cognitive capabilities of a human adversary as a deterrent, but there was a pitfall with the assumption. In this paper, we show that human adversaries, even without a recording device, can be more effective at eavesdropping than expected, in particular by employing cognitive strategies and by training themselves. Our novel approach called covert attentional shoulder surfing indeed can break the well known PIN entry method previously evaluated to be secure against shoulder surfing. Another contribution in this paper is the formal modeling approach by adapting the predictive human performance modeling tool for security analysis and improvement. We also devise a defense technique in the modeling paradigm to deteriorate severely the perceptual performance of the adversaries while preserving that of the user. To the best of our knowledge, this is the first work to model and defend the new form of attack through human performance modeling. Real attack experiments and user studies are also conducted.

PAPER 2: I. Oakley and A. Bianchi, “Multi-touch passwords for mobile device access,” in Proceedings of the 2012 ACM Conference on Ubiquitous Computing, ser. UbiComp ’12. New York, NY, USA: ACM, 2012, pp. 611–612.

ABSTRACT:

Draw-a-Secret password schemes, like the Google Android Pattern Lock, entail stroking out a shape on a touch screen. This paper explores techniques for expanding the richness of this input modality (multitouch input, off-target interaction) in order to increase password entropy and resistance to observation. A formative user study highlights user perceptions and usability issues relating to this design space and suggests directions for future development of this concept.

PAPER 3: M. Martinez-Diaz, J. Fierrez, and J. Galbally, “The doodb graphical password database: Data analysis and benchmark results,” Access, IEEE, vol. 1, pp. 596–605, 2013.

ABSTRACT:

We present DooDB, a doodle database containing data from 100 users captured with a touch screen-enabled mobile device under realistic conditions following a systematic protocol. The database contains two corpora: 1) doodles and 2) pseudo-signatures, which are simplified finger-drawn versions of the handwritten signature. The dataset includes genuine samples and forgeries, produced under worst-case conditions, where attackers have visual access to the drawing process. Statistical and qualitative analyzes of the data are presented, comparing doodles and pseudo-signatures to handwritten signatures. Time variability, learning curves, and discriminative power of different features are also studied. Verification performance against forgeries is analyzed using state-of-the-art algorithms and benchmark results are provided.

PAPER 4: M. Martinez-Diaz, J. Fierrez, and J. Galbally, “Graphical passwordbased user authentication with free-form doodles,” IEEE Transactions on Human-Machine Systems, vol. PP, no. 99, pp. 1–8, 2015.

ABSTRACT:

User authentication using simple gestures is now common in portable devices. In this work, authentication with free-form sketches is studied. Verification systems using dynamic time warping and Gaussian mixture models are proposed, based on dynamic signature verification approaches. The most discriminant features are studied using the sequential forward floating selection algorithm. The effects of the time lapse between capture sessions and the impact of the training set size are also studied. Development and validation experiments are performed using the DooDB database, which contains passwords from 100 users captured on a smartphone touchscreen. Equal error rates between 3% and 8% are obtained against random forgeries and between 21% and 22% against skilled forgeries. High variability between capture sessions increases the error rates.

PAPER 5: A. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. Smith, “Smudge attacks on smartphone touch screens,” in USENIX 4th Workshop on Offensive Technologies, 2010.

ABSTRACT

Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software definable user interface. Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred. In this paper we examine the feasibility of such smudge attacks on touch screens for smartphones, and focus our analysis on the Android password pattern. We first investigate the conditions (e.g., lighting and camera orientation) under which smudges are easily extracted. In the vast majority of settings, partial or complete patterns are easily retrieved. We also emulate usage situations that interfere with pattern identification, and show that pattern smudges continue to be recognizable. Finally, we provide a preliminary analysis of applying the information learned in a smudge attack to guessing an Android password pattern.

PAPER 6: E. von Zezschwitz, A. De Luca, and H. Hussmann, “Honey, i shrunk the keys: Influences of mobile devices on password composition and authentication performance,” in Proceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational, ser. NordiCHI ’14. New York, NY, USA: ACM, 2014, pp. 461–470.

ABSTRACT

In this paper, we present the results of two studies on the influence of mobile devices on authentication performance and password composition. A pre-study in the lab (n = 24) showed a lower performance for password-entry on mobile devices, in particular on smartphones. The main study (n = 450) showed a trend that alphanumeric passwords are increasingly created on smartphones and tablets. Moreover, a negative effect on password security could be observed as users fall back to using passwords that are easier to enter on the respective devices.

This work contributes to the understanding of mobile password-entry and its effects on security in the following ways: (a) we tested different types of commonly used passwords (b) on all relevant devices, and (c) we present analytic and empirical evidence for the differences that (d) are likely to influence overall security or reduce secure behavior with respect to password-entry on mobile devices.

CHAPTER 3

SYSTEM ANALYSIS

3.1 EXISTING SYSTEM

Textual passwords have been the most widely used authentication method for decades. Comprised of numbers and upper- and lower-case letters, textual passwords are considered strong enough to resist against brute force attacks. However, a strong textual password is hard to memorize and recollect. Therefore, users tend to choose passwords that are either short or from the dictionary, rather than random alphanumeric strings. Even worse, it is not a rare case that users may use only one username and password for multiple accounts. According to an article in Computer world, a security team at a large company ran a network password cracker and surprisingly cracked approximately 80% of the employees’ passwords within 30 seconds. Textual passwords are often insecure due to the difficulty of maintaining strong ones.

3.2 PROBLEM DEFINITION:

·        Image-based passwords are vulnerable to shoulder surfing attacks

·        Choosing bad passwords is insecure way for later logins

·        Attackers can observe directly or use external recording devices to collect users’ credentials

3.3 PROPOSED SYSTEM

In proposed system, we present a secure graphical authentication system named PassMatrix that protects users from becoming victims of shoulder surfing attacks when inputting passwords in public through the usage of one-time login indicators. A login indicator is randomly generated for each pass-image and will be useless after the session terminates. The login indicator provides better security against shoulder surfing attacks, since users use a dynamic pointer to point out the position of their passwords rather than clicking on the password object directly.

3.4 ADVANTAGES

·        PassMatrix offers no hint for Attackers

·        Our proposed scheme achieves better resistance to shoulder surfing attacks

·        Provides better security

CHAPTER 4

SYSTEM DESIGN

4.1 SYSTEM ARCHITECTURE:           

System architecture is a conceptual model that defines the structure, behavior, and more views of a system. An architecture description is a formal description and representation of a system, organized in a way that supports reasoning about the structures and behaviours of the system

4.2 UML DIAGRAMS

UML stands for Unified Modeling Language. UML is a standardized general-purpose modeling language in the field of object-oriented software engineering. The standard is managed, and was created by, the Object Management Group.

The goal is for UML to become a common language for creating models of object oriented computer software. In its current form UML is comprised of two major components: a Meta-model and a notation. In the future, some form of method or process may also be added to; or associated with, UML.

          The Unified Modeling Language is a standard language for specifying, Visualization, Constructing and documenting the artifacts of software system, as well as for business modeling and other non-software systems.

The UML represents a collection of best engineering practices that have proven successful in the modeling of large and complex systems.

 The UML is a very important part of developing objects oriented software and the software development process. The UML uses mostly graphical notations to express the design of software projects.

4.2.1 GOALS:

          The Primary goals in the design of the UML are as follows:

1.     Provide users a ready-to-use, expressive visual modeling Language so that they can develop and exchange meaningful models.

2.     Provide extendibility and specialization mechanisms to extend the core concepts.

3.     Be independent of particular programming languages and development process.

4.     Provide a formal basis for understanding the modeling language.

5.     Encourage the growth of OO tools market.

6.     Support higher level development concepts such as collaborations, frameworks, patterns and components.

7.     Integrate best practices.

4.2.2 USECASE DIAGRAM:

A use case diagram in the Unified Modeling Language (UML) is a type of behavioral diagram defined by and created from a Use-case analysis. Its purpose is to present a graphical overview of the functionality provided by a system in terms of actors, their goals (represented as use cases), and any dependencies between those use cases. The main purpose of a use case diagram is to show what system functions are performed for which actor. Roles of the actors in the system can be depicted.

4.2.3 CLASS DIAGRAM:

In software engineering, a class diagram in the Unified Modeling Language (UML) is a type of static structure diagram that describes the structure of a system by showing the system's classes, their attributes, operations (or methods), and the relationships among the classes. It explains which class contains information.

4.2.4 SEQUENCE DIAGRAM:

A sequence diagram in Unified Modeling Language (UML) is a kind of interaction diagram that shows how processes operate with one another and in what order. It is a construct of a Message Sequence Chart. Sequence diagrams are sometimes called event diagrams, event scenarios, and timing diagrams.

COLLABRATION DIAGRAM:

Collabration diagram shows the object organization as shown below. Here in collaboration diagram the method call sequence is indicated by some numbering technique as shown below. The number indicates how the methods are called one after another. We have taken the same order management system to describe the collaboration diagram.

The method calls are similar to that of a sequence diagram. But the difference is that the sequence diagram does not describe the object organization where as the collaboration diagram shows the object organization.

Now to choose between these two diagrams the main emphasis is given on the type of requirement. If the time sequence is important then sequence diagram is used and if organization is required then collaboration diagram is used.

ACTIVITY DIAGRAM:

Activity diagrams are graphical representations of workflows of stepwise activities and actions with support for choice, iteration and concurrency. In the Unified Modeling Language, activity diagrams can be used to describe the business and operational step-by-step workflows of components in a system. An activity diagram shows the overall flow of control.

CHAPTER 5

IMLEMENTATION

Implementation is the stage of the project when the theoretical design is turned out into a working system. Thus it can be considered to be the most critical stage in achieving a successful new system and in giving the user, confidence that the new system will work and be effective.

The implementation stage involves careful planning, investigation of the existing system and it’s constraints on implementation, designing of methods to achieve changeover and evaluation of changeover methods.

6.1 MODULES

A module is a part of a program. Programs are composed of one or more independently developed modules that are not combined until the program is linked. A single module can contain one or several routines.

·        Image discretization module

·        Login indicator generator module

·        Horizontal and vertical axis control module

·        Communication module

·        Password verification module

·        Database

6.1.1 IMAGE DISCRETIZATION MODULE

This module divides each image into squares, from which users would choose one as the pass-square. An image is divided into a 7 _ 11 grid. The smaller the image is discretized, the larger the password space is. However, the overly concentrated division may result in recognition problem of specific objects and increase the difficulty of user interface operations on palm-sized mobile devices. Hence, in our implementation, a division was set at 60-pixel intervals in both horizontal and vertical directions, since 60 pixels2 is the best size to accurately select specific objects on touch screens.

6.1.2 LOGIN INDICATOR GENERATOR MODULE

This module generates a login indicator consisting of several distinguishable characters (such as alphabets and numbers) or visual materials (such as colors and icons) for users during the authentication phase. In our implementation, we used characters A to G and 1 to 11 for a 7 _ 11 grid. Both letters and numbers are generated randomly and therefore a different login indicator will be provided each time the module is called. The generated login indicator can be given to users visually or acoustically. If using a predefined image, for instance, if the user chooses the square (5, 9) in the image, then the login indicator will be (E,11). For the acoustical delivery, the indicator can be received by an audio signal through the ear buds or Bluetooth. One principle is to keep the indicators secret from people other than the user, since the password (the sequence of passsquares) can be reconstructed easily if the indicators are known.

6.1.3 HORIZONTAL AND VERTICAL AXIS CONTROL MODULE

There are two scroll bars: a horizontal bar with a sequence of letters and a vertical bar with a sequence of numbers. This control module provides drag and fling functions for users to control both bars. Users can fling either bar using their finger to shift one alphanumeric at a time. They can also shift several checks at a time by dragging the bar for a distance. Both bars are circulative. The bars are used to implicitly point out (or in other words, align the login indicator to) the location of the user’s pass-square.

6.1.4 COMMUNICATION MODULE

This module is in charge of all the information transmitted between the client devices and the authentication server. Any communication is protected by SSL (Secure Socket Layer) protocol and thus, is safe from being eavesdropped and intercepted.

6.1.5 PASSWORD VERIFICATION MODULE

This module verifies the user password during the authentication phase. A pass- square acts similar to a password digit in the text-based password system. The user is authenticated only if each pass-square in each pass-image is correctly aligned with the login indicator. The details of how to align a login indicator to a pass-square will be described in the next section.

6.1.6 DATABASE

The database server contains several tables that store user accounts, passwords (ID numbers of passimages and the positions of pass-squares), and the time duration each user spent on both registration phase and login phase. PassMatrix has all the required privileges to perform operations like insert, modify, delete and search.

CHAPTER 6

SYSTEM SPECIFICATION

The purpose of system requirement specification is to produce the specification analysis of the task and also to establish complete information about the requirement, behavior and other constraints such as functional performance and so on. The goal of system requirement specification is to completely specify the technical requirements for the product in a concise and unambiguous manner.

6.1 HARDWARE REQUIREMENTS:

     Processor       - Pentium –III

     Speed                         - 1.1 Ghz

     RAM               - 256 MB(min)

     Hard Disk      - 20 GB

     Floppy Drive - 1.44 MB

     Key Board     - Standard Windows Keyboard

     Mouse                        - Two or Three Button Mouse

     Monitor          - SVGA

6.2 SOFTWARE REQUIREMENTS:

     Operating System     - Windows 7/8

     Application Server  -  Tomcat 5.0

     Front - End                - Java

     Back – End                - MySQL

CHAPTER 7

SOFTWARE ENVIRONMENT

7.1 JAVA:

Java is a high-level programming language originally developed by Sun Microsystems and released in 1995. Java runs on a variety of platforms, such as Windows, Mac OS, and the various versions of UNIX. 

One design goal of Java is portability, which means that programs written for the Java platform must run similarly on any combination of hardware and operating system with adequate runtime support. This is achieved by compiling the Java language code to an intermediate representation called Java bytecode, instead of directly to architecture-specific machine code. 

Java is −

·        Object Oriented − In Java, everything is an Object. Java can be easily extended since it is based on the Object model.

·        Platform Independent − Unlike many other programming languages including C and C++, when Java is compiled, it is not compiled into platform specific machine, rather into platform independent byte code. This byte code is distributed over the web and interpreted by the Virtual Machine (JVM) on whichever platform it is being run on.

·        Simple − Java is designed to be easy to learn. If you understand the basic concept of OOP Java, it would be easy to master.

·        Secure − With Java's secure feature it enables to develop virus-free, tamper-free systems. Authentication techniques are based on public-key encryption.

·        Architecture-neutral − Java compiler generates an architecture-neutral object file format, which makes the compiled code executable on many processors, with the presence of Java runtime system.

·        Portable − Being architecture-neutral and having no implementation dependent aspects of the specification makes Java portable. Compiler in Java is written in ANSI C with a clean portability boundary, which is a POSIX subset.

·        Robust − Java makes an effort to eliminate error prone situations by emphasizing mainly on compile time error checking and runtime checking.

·        Multithreaded − With Java's multithreaded feature it is possible to write programs that can perform many tasks simultaneously. This design feature allows the developers to construct interactive applications that can run smoothly.

·        Interpreted − Java byte code is translated on the fly to native machine instructions and is not stored anywhere. The development process is more rapid and analytical since the linking is an incremental and light-weight process.

·        High Performance − With the use of Just-In-Time compilers, Java enables high performance.

·        Distributed − Java is designed for the distributed environment of the internet.

·        Dynamic − Java is considered to be more dynamic than C or C++ since it is designed to adapt to an evolving environment. Java programs can carry extensive amount of run-time information that can be used to verify and resolve accesses to objects on run-time.

7.2 INTEGRATED DEVELOPMENT ENVIRONMENT (IDE)

NetBeans is a Java-based integrated development environment (IDE). The term also refers to the IDE’s underlying application platform framework. The IDE is designed to limit coding errors and facilitate error correction with tools such as the NetBeans Find Bugs to locate and fix common Java coding problems and Debugger to manage complex code with field watches, breakpoints and execution monitoring. Although the NetBeans IDE is designed specifically for Java developers, it also supports C/C++, PHP, Groovy, and HTML5 in addition to Java, JavaScript and JavaFX.

Tools and capabilities of the NetBeans IDE include a feature-rich text editor with refactoring tools and code templates, high level and granular views of applications, a drag and drop GUI design, and versioning using out-of-the-box integration with tools such as Git. The NetBeans IDE can run on any operating system that supports a compatible JVM including Linux, Windows and OS X. The underlying NetBeans platform supports creation of new applications and further development of existing applications using modular software components.

As an application running on the NetBeans Platform, the NetBeans IDE itself is extensible and can be extended to support new languages. The IDE and Platform were converted to open source by Sun Microsystems in 2000. Oracle continues to sponsor the NetBeans project since acquiring Sun in 2010

           

            Features of NetBeans can be mentioned as follows

·        Fast & Smart Code Editing

·        Easy & Efficient Project Management

·        Rapid User Interface Development

·        Write Bug Free Code

·        Support for Multiple Languages

·        Cross Platform Support

·        Rich Set of Community Provided Plugins

7.3 APACHE TOMCAT

Apache Tomcat, often referred to as Tomcat, is an open-source Java Servlet Container developed by the Apache Software Foundation (ASF). Tomcat implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run.

Tomcat is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation, released under the Apache License 2.0 license, and is open-source software.

I. COMPONENTS

Tomcat 4.x was released with Catalina (a servlet container), Coyote (an HTTP connector) and Jasper (a JSP engine).

Catalina: Catalina is Tomcat's servlet container. Catalina implements Sun Microsystems's specifications for servlet and JavaServer Pages (JSP). In Tomcat, a Realm element represents a "database" of usernames, passwords, and roles assigned to those users. Different implementations of Realm allow Catalina to be integrated into environments where such authentication information is already being created and maintained, and then use that information to implement Container Managed Security as described in the Servlet Specification.

Coyote: Coyote is a Connector component for Tomcat that supports the HTTP 1.1 protocol as a web server. This allows Catalina, nominally a Java Servlet or JSP container, to also act as a plain web server that serves local files as HTTP documents.

Jasper: Jasper is Tomcat's JSP Engine. Jasper parses JSP files to compile them into Java code as servlets. At runtime, Jasper detects changes to JSP files and recompiles them. Three new components were added with the release of Tomcat 7:

Cluster: This component has been added to manage large applications. It is used for load balancing that can be achieved through many techniques. Clustering support currently requires the JDK version 1.5 or later.

High availability: A high-availability feature has been added to facilitate the scheduling of system upgrades without affecting the live environment. This is done by dispatching live traffic requests to a temporary server on a different port while the main server is upgraded on the main port. It is very useful in handling user requests on high-traffic web applications.

Web application: It has also added user- as well as system-based web applications enhancement to add support for deployment across the variety of environments. It also tries to manage sessions as well as applications across the network.

II. FEATURES

Tomcat 7.x implements the Servlet 3.0 and JSP 2.2 specifications. It requires Java version 1.6, although previous versions have run on Java 1.1 through 1.5. Versions 5 through 6 saw improvements in garbage collection, JSP parsing, performance and scalability. Native wrappers, known as "Tomcat Native", are available for Microsoft Windows and Unix for platform integration.

Tomcat 8.x implements the Servlet 3.1 and JSP 2.4 Specifications. Apache Tomcat 8.5.x is intended to replace 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged.

7.4 MYSQL

MySQL is a fast, easy-to-use RDBMS being used for many small and big businesses. MySQL is developed, marketed, and supported by MySQL AB, which is a Swedish company. MySQL is becoming so popular because of many good reasons:

ü  MySQL is released under an open-source license. So you have nothing to pay to use it.

ü  MySQL is a very powerful program in its own right. It handles a large subset of the functionality of the most expensive and powerful database packages.

ü  MySQL uses a standard form of the well-known SQL data language.

ü  MySQL works on many operating systems and with many languages including PHP, PERL, C, C++, JAVA, etc.

ü  MySQL works very quickly and works well even with large data sets.

ü  MySQL is very friendly to PHP, the most appreciated language for web development.

ü  MySQL supports large databases, up to 50 million rows or more in a table. The default file size limit for a table is 4GB, but you can increase this (if your operating system can handle it) to a theoretical limit of 8 million terabytes (TB).

ü  MySQL is customizable. The open-source GPL license allows programmers to modify the MySQL software to fit their own specific environments.

CHAPTER 8

INPUT DESIGN AND OUTPUT DESIGN

8.1 INPUT DESIGN

The input design is the link between the information system and the user. It comprises the developing specification and procedures for data preparation and those steps are necessary to put transaction data in to a usable form for processing can be achieved by inspecting the computer to read data from a written or printed document or it can occur by having people keying the data directly into the system. The design of input focuses on controlling the amount of input required, controlling the errors, avoiding delay, avoiding extra steps and keeping the process simple. The input is designed in such a way so that it provides security and ease of use with retaining the privacy. Input Design considered the following things:’

·        What data should be given as input?

·        How the data should be arranged or coded?

·        The dialog to guide the operating personnel in providing input.

·        Methods for preparing input validations and steps to follow when error occur.

8.1.1 OBJECTIVES

1. Input Design is the process of converting a user-oriented description of the input into a computer-based system. This design is important to avoid errors in the data input process and show the correct direction to the management for getting correct information from the computerized system.

2. It is achieved by creating user-friendly screens for the data entry to handle large volume of data. The goal of designing input is to make data entry easier and to be free from errors. The data entry screen is designed in such a way that all the data manipulates can be performed. It also provides record viewing facilities.

3.When the data is entered it will check for its validity. Data can be entered with the help of screens. Appropriate messages are provided as when needed so that the user

 will not be in maize of instant. Thus the objective of input design is to create an input layout that is easy to follow

8.2 OUTPUT DESIGN

A quality output is one, which meets the requirements of the end user and presents the information clearly. In any system results of processing are communicated to the users and to other system through outputs. In output design it is determined how the information is to be displaced for immediate need and also the hard copy output. It is the most important and direct source information to the user. Efficient and intelligent output design improves the system’s relationship to help user decision-making.

1. Designing computer output should proceed in an organized, well thought out manner; the right output must be developed while ensuring that each output element is designed so that people will find the system can use easily and effectively. When analysis design computer output, they should Identify the specific output that is needed to meet the requirements.

2.Select methods for presenting information.

3.Create document, report, or other formats that contain information produced by the system.

The output form of an information system should accomplish one or more of the following objectives.

·        Convey information about past activities, current status or projections of the

·        Future.

·        Signal important events, opportunities, problems, or warnings.

·        Trigger an action.

·         Confirm an action.

CHAPTER 9

SYSTEM STUDY

FEASIBILITY STUDY:

 The feasibility of the project is analyzed in this phase and business proposal is put forth with a very general plan for the project and some cost estimates. During system analysis the feasibility study of the proposed system is to be carried out. This is to ensure that the proposed system is not a burden to the company.  For feasibility analysis, some understanding of the major requirements for the system is essential.

Three key considerations involved in the feasibility analysis are

·Economical feasibility

·Technical feasibility

·Social feasibility

ECONOMICAL FEASIBILITY:                 

This study is carried out to check the economic impact that the system will have on the organization. The amount of fund that the company can pour into the research and development of the system is limited. The expenditures must be justified. Thus the developed system as well within the budget and this was achieved because most of the technologies used are freely available. Only the customized products had to be purchased.

TECHNICAL FEASIBILITY:            

This study is carried out to check the technical feasibility, that is, the technical requirements of the system. Any system developed must not have a high demand on the available technical resources. This will lead to high demands on the available technical resources. This will lead to high demands being placed on the client. The developed system must have a modest requirement, as only minimal or null changes are required for implementing this system.  

SOCIAL FEASIBILITY:      

           The aspect of study is to check the level of acceptance of the system by the user. This includes the process of training the user to use the system efficiently. The user must not feel threatened by the system, instead must accept it as a necessity. The level of acceptance by the users solely depends on the methods that are employed to educate the user about the system and to make him familiar with it. His level of confidence must be raised so that he is also able to make some constructive criticism, which is welcomed, as he is the final user of the system.

CHAPTER 10

SYSTEM TESTING

            The purpose of testing is to discover errors. Testing is the process of trying to discover every conceivable fault or weakness in a work product. It provides a way to check the functionality of components, sub assemblies, assemblies and/or a finished product It is the process of exercising software with the intent of ensuring that the Software system meets its requirements and user expectations and does not fail in an unacceptable manner. There are various types of test. Each test type addresses a specific testing requirement.

TYPES OF TESTS:

            Testing is the process of trying to discover every conceivable fault or weakness in a work product.  The different type of testing are given below:

UNIT TESTING:

          Unit testing involves the design of test cases that validate that the internal program logic is functioning properly, and that program inputs produce valid outputs. All decision branches and internal code flow should be validated. It is the testing of individual software units of the application .it is done after the completion of an individual unit before integration.

This is a structural testing, that relies on knowledge of its construction and is invasive. Unit tests perform basic tests at component level and test a specific business process, application, and/or system configuration. Unit tests ensure that each unique path of a business process performs accurately to the documented specifications and contains clearly defined inputs and expected results.

INTEGRATION TESTING:

             Integration tests are designed to test integrated software components to determine if they actually run as one program.  Testing is event driven and is more concerned with the basic outcome of screens or fields. Integration tests demonstrate that although the components were individually satisfaction, as shown by successfully unit testing, the combination of components is correct and consistent. Integration testing is specifically aimed at   exposing the problems that arise from the combination of components.

FUNCTIONAL TEST:

        Functional tests provide systematic demonstrations that functions tested are available as specified by the business and technical requirements, system documentation, and user manuals.

Functional testing is centered on the following items:

Valid Input      :  identified classes of valid input must be accepted.

Invalid Input   :  identified classes of invalid input must be rejected.

Functions         :  identified functions must be exercised.

Output               : identified classes of application outputs must be                              exercised.

Systems/ Procedures:  interfacing systems or procedures must be invoked.

     Organization and preparation of functional tests is focused on requirements, key functions, or special test cases. In addition, systematic coverage pertaining to identify Business process flows; data fields, predefined processes, and successive processes must be considered for testing. Before functional testing is complete, additional tests are identified and the effective value of current tests is determined.

SYSTEM TEST:

     System testing ensures that the entire integrated software system meets requirements. It tests a configuration to ensure known and predictable results. An example of system testing is the configuration oriented system integration test. System testing is based on process descriptions and flows, emphasizing pre-driven process links and integration point.

WHITE BOX TESTING:

        White Box Testing is a testing in which in which the software tester has knowledge of the inner workings, structure and language of the software, or at least its purpose. It is purpose. It is used to test areas that cannot be reached from a black box level.

BLACK BOX TESTING:

        Black Box Testing is testing the software without any knowledge of the inner workings, structure or language of the module being tested. Black box tests, as most other kinds of tests, must be written from a definitive source document, such as specification or requirements document, such as specification or requirements document. It is a testing in which the software under test is treated, as a black box .you cannot “see” into it. The test provides inputs and responds to outputs without considering how the software works.

UNIT TESTING:

            Unit testing is usually conducted as part of a combined code and unit test phase of the software lifecycle, although it is not uncommon for coding and unit testing to be conducted as two distinct phases.

Test strategy and approach

            Field testing will be performed manually and functional tests will be written in detail.

Test objectives

·        All field entries must work properly.

·        Pages must be activated from the identified link.

·        The entry screen, messages and responses must not be delayed.

Features to be tested

·        Verify that the entries are of the correct format

·        No duplicate entries should be allowed

·        All links should take the user to the correct page.

INTEGRATION TESTING:

            Software integration testing is the incremental integration testing of two or more integrated software components on a single platform to produce failures caused by interface defects.

            The task of the integration test is to check that components or software applications, e.g. components in a software system or – one step up – software applications at the company level – interact without error.

Test Results: All the test cases mentioned above passed successfully. No defects encountered.

ACCEPTANCE TESTING:

            User Acceptance Testing is a critical phase of any project and requires significant participation by the end user. It also ensures that the system meets the functional requirements.

Test Results: All the test cases mentioned above passed successfully. No defects encountered.

APPENDIX 1

SCREEN SHOT

HOME PAGE:

REGISTER:

COLOR VERIFICATION:

PATTERN VERIFICATION

ADMIN:

ADMIN HOME:

USER INFO:

VIEW FULL INFO:

FILE INFO:

APPENDIX II

SOURCE CODE

UPLOAD ACTION:

<%@page import="com.oreilly.servlet.*,java.sql.*,java.lang.*,databaseconnection.*,java.text.SimpleDateFormat,java.util.*,java.io.*,javax.servlet.*, javax.servlet.http.*"  errorPage="Error.jsp"%>

<%@page import="javax.crypto.*"%>

<%@ page import="java.net.InetAddress"%>

<%@page import="java.io.File"%>

<%@page import=" java.security.MessageDigest"%>

<%@ page import="java.sql.*,databaseconnection.*"%>

<%@page import="java.io.IOException.*"%>

<%@page import="java.io.InputStreamReader.*"%>

<html>

<body>

<%

        ArrayList list = new ArrayList();

                        ServletContext context = getServletContext();

                        String dirName =context.getRealPath("\\Gallery");

               

                        String paramname=null;

                        String name = (String) session.getAttribute("name");

                System.out.println(name);

                        //int appid=(Integer)(session.getAttribute( "appid" ));

                        String filename=null,keyword=null,document=null,filetype=null,cloud=null,domain=null;

                       

                  java.util.Date now = new java.util.Date();

                     String DATE_FORMAT1 = "dd/MM/yyyy hh:mm:ss a";

                     SimpleDateFormat sdf1 = new SimpleDateFormat(DATE_FORMAT1);

                 String  date= sdf1.format(now);

            

           Random r = new Random();

           

            int ii = r.nextInt(100000-50000)+50000;

            String k = Integer.toString(ii);

            String key="D0SKzyt?="+ii;

           // String k1 = ii+"";

            System.out.println("DATAOWNER KEY: "+key);

                        File file1 = null;

              

                        try {

                                   

                                    MultipartRequest multi = new MultipartRequest(request, dirName,  10 * 1024 * 1024); // 10MB

                   

                                    Enumeration params = multi.getParameterNames();

                                    while (params.hasMoreElements())

                                    {

                                                paramname = (String) params.nextElement();

                                               

                                                if(paramname.equalsIgnoreCase("file"))

                                                {

                                                            document=multi.getParameter(paramname);

                                                }

                               if(paramname.equalsIgnoreCase("username"))

                                                {

                                                            name=multi.getParameter(paramname);

                                                }

                                               

                                                if(paramname.equalsIgnoreCase("keyword"))

                                                {

                                                            filename=multi.getParameter(paramname);

                                                }

                                      

                               

                                if(paramname.equalsIgnoreCase("key"))

                                                {

                                                            key=multi.getParameter(paramname);

                                                }

                              

                               

                              if(paramname.equalsIgnoreCase("date"))

                                                {

                                                            date=multi.getParameter(paramname);

                                                }

                                        

                                                            }

                           

                                                           

                                    int f = 0;

            Enumeration files = multi.getFileNames();         

            while (files.hasMoreElements())

            {

                        paramname = (String) files.nextElement();

                        if(paramname.equals("d1"))

                        {

                                    paramname = null;

                        }

                       

                        if(paramname != null)

                        {

                                    f = 1;

                                document= multi.getFilesystemName(paramname);

                                    String fPath = context.getRealPath("\\Gallery\\"+document);

                                    file1 = new File(fPath);

                                    FileInputStream fs = new FileInputStream(file1);

                                    list.add(fs);

                        }                     

             

            }

                   FileInputStream fs1 = null;

         

                                    int count= 0;

                                   

                                    Class.forName("com.mysql.jdbc.Driver");         

                                    Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/shoulder_surf","root","root");

                       

                        PreparedStatement ps=con.prepareStatement("INSERT INTO upload VALUES(?,?,?,?,?,?)");

                                    //PreparedStatement ps=con.prepareStatement("insert into upload(document,username,filename,secretkey,keyword,date,count) values ('"+username+"','"+filename+"','"+ky+"','"+strDateNew1+"')");

                                               

                                               

                                ps.setString(1,document);

                            

                                                ps.setString(2,name);

                                ps.setString(3,filename);

                                ps.setString(4,key);

                              

                                ps.setInt(5,count);

                                ps.setString(6,date);

                              

                                //ps.setInt(9,result);

       if(f == 0)

                                    ps.setObject(1,null);

                        else if(f == 1)

                        {

                                    fs1 = (FileInputStream)list.get(0);

                                    ps.setBinaryStream(1,fs1,fs1.available());

                        }         

                                    int x=ps.executeUpdate();

                       

                                    if(x!=0)

                                    {

                                                response.sendRedirect("Upload.jsp?msg=success");

                                    }

                                    else

                                    {

                                                response.sendRedirect("Upload.jsp?msg=fails");

                                    }

                                               

                        }

                        catch (Exception e)

                        {

                                    out.println(e.getMessage());

            }

 %>

</body>

</html>

REGISTRATION PROCESS:: COLOR

<%@page import="java.sql.ResultSet"%>

<%@page import="java.util.Random"%>

<%@page import="java.sql.Statement"%>

<%@page import="java.sql.DriverManager"%>

<%@page import="java.net.InetAddress"%>

<%@page import="java.sql.Connection"%>

<%@page import="java.sql.*" import="databaseconnection.*"%>

<%@page contentType="text/html" pageEncoding="UTF-8"%>

<!DOCTYPE html>

<html>

<head>

            <title>Show form data</title>

</head>

<body>

<%

 Connection con = null;

Statement st = null;

ResultSet rs1 = null;

   String name=(String)session.getAttribute("name");

System.out.println(name);       

String color=null, color1=null, color2=null, color3=null, color4=null, color5=null;

color=request.getParameter("color1");

color1=request.getParameter("color2");

color2=request.getParameter("color3");

color3=request.getParameter("color4");

color4=request.getParameter("color5");

color5=request.getParameter("color6");

try{               

String query1 = "SELECT * FROM reg WHERE name='"+ name + "' ";

                                               

con = databasecon.getconnection();

Statement st1 = con.createStatement();

ResultSet rs2 = st1.executeQuery(query1);

if (rs2.next()) {

Statement st2=con.createStatement();

st2.executeUpdate("UPDATE reg SET color1='"+color+"', color2='"+color1+"',color3='"+color2+"',color4='"+color3+"',color5='"+color4+"',color6='"+color5+"' WHERE name='"+name+"'");

response.sendRedirect("RegPattern.jsp?Message=success");

}

else

       {

out.print("Error");

}

}

catch(Exception ex)

{

            out.println(ex);

}

%>

</body>

</html>

REGISTER PATTERN

<%@page import="java.sql.ResultSet"%>

<%@page import="java.util.Random"%>

<%@page import="java.sql.Statement"%>

<%@page import="java.sql.DriverManager"%>

<%@page import="java.net.InetAddress"%>

<%@page import="java.sql.Connection"%>

<%@page import="java.sql.*" import="databaseconnection.*"%>

<%@page contentType="text/html" pageEncoding="UTF-8"%>

<!DOCTYPE html>

<html>

<head>

            <title>Show form data</title>

</head>

<body>

<%

Connection con = null;

Statement st = null;

ResultSet rs1 = null;

 String name=(String)session.getAttribute("name");

String color=null, color1=null, color2=null;

color=request.getParameter("password");

try{               

String query1 = "SELECT * FROM reg WHERE name='"+ name + "' ";

                                               

con = databasecon.getconnection();

Statement st1 = con.createStatement();

ResultSet rs2 = st1.executeQuery(query1);

if (rs2.next()) {

Statement st2=con.createStatement();

st2.executeUpdate("UPDATE reg SET pattern='"+color+"' WHERE name='"+name+"'");

response.sendRedirect("RegSuccess.jsp?Message=success");

}

else

       {

out.print("Error");

}

}

catch(Exception ex)

{

            out.println(ex);

}

%>

</body>

</html>

USER LOGIN ACTION:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"

            pageEncoding="ISO-8859-1"%>

<%@page import="java.util.*"%>

<%@ include file="connect.jsp"%>

<%

            String name = request.getParameter("username");

            String pass = request.getParameter("pswd");

        String user=null;

            try {

                       

                        String sql = "SELECT * FROM reg where name='" + name+ "' and pass='" + pass + "'";

                        Statement stmt = connection.createStatement();

                        ResultSet rs = stmt.executeQuery(sql);

                       

                        if (rs.next()) {

                                    String id=rs.getString(1);

                                    name=rs.getString(2);

                                    application.setAttribute("name", name);

                                    application.setAttribute("id", id);

                                    session.setAttribute("name",name);

                        session.setAttribute("id",id);

                       

                                    response.sendRedirect("LoginColor.jsp");

                        }

                    else {

                        response.sendRedirect("wrong.html");

                    }

                       

                  

            } catch (Exception e) {

                        out.print(e);

                        e.printStackTrace();

            }

%>

DOWNLOAD ACTION:

<%@page import="java.sql.ResultSet"%>

<%@page import="java.sql.Statement"%>

<%@page import="java.sql.Connection"%>

<%@ page import="java.sql.*,java.io.*"  %>

<%@page import="com.oreilly.servlet.*,java.sql.*,java.lang.*,databaseconnection.*,java.text.SimpleDateFormat,java.util.*" %>

<%@ page import = "java.util.Date,java.text.SimpleDateFormat,java.text.ParseException"%>

<%@page import="java.io.OutputStream"%>

<%

   

 String fname = (String) session.getAttribute("filename");

 System.out.println(fname);

 

Blob b=null;

 

     String getFile = request.getQueryString();

     Connection con = databasecon.getconnection();

     Statement st = con.createStatement();

     ResultSet rs = st.executeQuery("select * from upload where filename = '" + fname + "'");

     if (rs.next())

             {

                        b = rs.getBlob(1);

                        String document= null;

                                document+=".doc";

                                    byte[] ba = b.getBytes(1, (int)b.length());

                                    response.setContentType("application/txt");

                                    response.setHeader("Content-Disposition", "attachment; filename="+rs.getString(3));

                        OutputStream os = response.getOutputStream();

                                    os.write(ba);

                                    os.close();

                                    ba = null;

 fname=rs.getString("filename");

        try{

                        Class.forName("com.mysql.jdbc.Driver");         

                                    st=con.createStatement();

                                    String sql1="select * from upload where filename='"+fname+"'";

                       

                       

                                    rs=st.executeQuery(sql1);

                                    while(rs.next())

                       {

                                                int count=0;

                                   

                                                try{

                                                Class.forName("com.mysql.jdbc.Driver");         

                                                Connection con2 = DriverManager.getConnection("jdbc:mysql://localhost:3306/shoulder_surf","root","root");

                                                PreparedStatement ps=con.prepareStatement("Update upload set count=count+1 where filename='"+fname+"' ");

                                                //ps.setInt(1,hit);

                          

                                                int x=ps.executeUpdate();

                                               

                                                }

                                                catch (Exception ex)

                                                {

                                                            out.println(ex.getMessage());

                                                }

                                    }         

                         

       

        }

            catch (Exception e)

                        {

                        out.println(e.getMessage());

                        }

               }

        

%>

APPENDIX III

TABLE DESIGN

REGISTER TABLE:

UPLOAD TABLE:

ADMIN TABLE:

REFERENCES

[1] E. von Zezschwitz, A. De Luca, and H. Hussmann, “Honey, i shrunk the keys: Influences of mobile devices on password composition and authentication performance,” in Proceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational, ser. NordiCHI ’14. New York, NY, USA: ACM, 2014,pp. 461–470.

[2] A. Bianchi, I. Oakley, V. Kostakos, and D. S. Kwon, “The phone lock: Audio and haptic shoulder-surfing resistant pin entry methods for mobile devices,” in Proceedings of the Fifth International Conference on Tangible, Embedded, and Embodied Interaction, ser. TEI ’11. New York, NY, USA: ACM, 2011, pp. 197–200.

[3] A. Bianchi, I. Oakley, and D. S. Kwon, “The secure haptic keypad: A tactile password system,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ser. CHI ’10. New York, NY, USA: ACM, 2010, pp. 1089–1092.

[4] I. Oakley and A. Bianchi, “Multi-touch passwords for mobile device access,” in Proceedings of the 2012 ACM Conference on Ubiquitous Computing, ser. UbiComp ’12. New York, NY, USA: ACM, 2012, pp. 611–612.

[5] M. Martinez-Diaz, J. Fierrez, and J. Galbally, “The doodb graphical password database: Data analysis and benchmark results,” Access, IEEE, vol. 1, pp. 596–605, 2013.

[6] M. Martinez-Diaz, J. Fierrez, and J. Galbally, “Graphical password based user authentication with free-form doodles,” IEEE Transactions on Human-Machine Systems, vol. PP, no. 99, pp. 1–8, 2015.

[7] V. Roth, K. Richter, and R. Freidinger, “A pin-entry method resilient against shoulder surfing,” in Proceedings of the 11th ACM conference on Computer and communications security, ser. CCS ’04. New York, NY, USA: ACM, 2004, pp. 236–245.

[8] T. Takada, “fakepointer: An authentication scheme for improving security against peeping attacks using video cameras,” in Mobile Ubiquitous Computing, Systems, Services and Technologies, 2008. UBICOMM’ 08. The Second International Conference on. IEEE, 2008, pp.395–400.

[9] S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget, “Design and evaluation of a shoulder-surfing resistant graphical password scheme,” in Proceedings of the working conference on Advanced visual interfaces, ser. AVI ’06. New York, NY, USA: ACM, 2006, pp. 177– 184.

[10] B. Laxton, K. Wang, and S. Savage, “Reconsidering physical key secrecy: Teleduplication via optical decoding,” in Proceedings of the 15th ACM conference on Computer and communications security. ACM, 2008, pp. 469–478.

[11] X. Suo, Y. Zhu, and G. Owen, “Analysis and design of graphical password techniques,” Advances in Visual Computing, pp. 741–749, 2006.

[12] A. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. Smith, “Smudge attacks on smartphone touch screens,” in USENIX 4th Workshop on Offensive Technologies, 2010.

[13] J. Long and K. Mitnick, No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Elsevier Science, 2011.

[14] T. Kwon, S. Shin, and S. Na, “Covert attentional shoulder surfing: Human adversaries are more powerful than expected,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 44, no. 6, pp. 716–727, June 2014.

[15] “Google glass snoopers can steal your passcode with a glance,” http://www.wired.com/2014/06/google-glass-snoopers-cansteal-your-passcode-with-a-glance/.

[16] M. Sasse, S. Brostoff, and D. Weirich, “Transforming the weakest linka human/computer interaction approach to usable and effective security,” BT technology journal, vol. 19, no. 3, pp. 122–131,2001.

[17] “Mobile marketing statistics compilation,” http://www.smartinsights.com/mobile-marketing/mobilemarketing- analytics/mobile-marketing-statistics/.