SECURE LOGIN SCHEME BY STEGANOGRAPHIC CODING OF A VIRTUALLY TRANSLATED PASSWORD ON A UNIQUE SIGN IN SEAL IMAGE A PROJECT REPORT SUBMITTED BY RAMANAN.R-11407106073 RAMESH KRISHNAN.G-11407106074 SATHYA NARAYANA.KN-11407106083 in partial fulfillment for the award of the degree of BACHELOR OF ENGINEERING IN ELECTRONICS AND COMMUNICATION ENGINEERING S.A.ENGINEERING COLLEGE, CHENNAI-77


Page 1: Secure Login Scheme

SECURE LOGIN SCHEME BY STEGANOGRAPHIC

CODING OF A VIRTUALLY TRANSLATED

PASSWORD ON A UNIQUE SIGN IN SEAL IMAGE

A PROJECT REPORT

SUBMITTED BY

RAMANAN.R-11407106073

RAMESH KRISHNAN.G-11407106074

SATHYA NARAYANA.KN-11407106083

in partial fulfillment for the award of the degree

of

BACHELOR OF ENGINEERING

IN

ELECTRONICS AND COMMUNICATION ENGINEERING

S.A.ENGINEERING COLLEGE, CHENNAI-77

ANNA UNIVERSITY: CHENNAI 600 025

APRIL 2011


ANNA UNIVERSITY: CHENNAI 600 025

BONAFIDE CERTIFICATE

Certified that this project report “SECURE LOGIN SCHEME BY

STEGANOGRAPHIC CODING OF A VIRTUALLY TRANSLATED

PASSWORD ON A UNIQUE SIGN IN SEAL IMAGE” is the bonafide

work of

RAMANAN. R [11407106073]

RAMESH KRISHNAN. G [11407106074]

SATHYA NARAYANA. KN [11407106083]

who carried out the project work under my supervision.

SIGNATURE

Mr.B.R.Tapas Bapu M.E, (Ph.D).,

HEAD OF THE DEPARTMENT

Asst.Professor, Department of ECE, S.A.Engineering College, Chennai-600077.

SIGNATURE

Mrs.S.Sathiya priya M.E,(Ph.D).,

SUPERVISOR

Asst.Professor, Department of ECE, S.A.Engineering College, Chennai-600077.

Submitted for the Viva-Voce held on __________________

INTERNAL EXAMINER EXTERNAL EXAMINER


ACKNOWLEDGEMENT

A project of this magnitude and nature requires kind co-operation and support from many for successful completion. We wish to express our sincere thanks to all those who were involved in the completion of this project.

It is our immense pleasure to express our deep sense of gratitude to our Chairman Thiru D. DURAISWAMY, our Correspondent Thiru S. AMARNAATH M.Com., and our Director Thiru P. VENKATESH RAJA, B.E, M.S., for the facilities and support given by them in college.

We are extremely thankful to our dynamic Principal Dr. S. SUYAMBAZHAHAN, M.E, Ph.D (IITM)., for having given us an opportunity to serve the purpose of education.

We are indebted to Mr. B. R. TAPAS BAPU, M.E, (PhD)., Head of the Department of Electronics and Communication Engineering, for his valuable guidance and useful suggestions during the course of the project.

We are obliged to our project coordinators Mr. C. ARUNACHALA PERUMAL M.E, (Ph.D)., Asst Professor, and Mrs. C. SUBASHINI, M.E., Asst Professor, and to our internal guide, Mrs. S. SATHIYA PRIYA, M.E, (PhD)., Asst Professor in the Department of Electronics and Communication Engineering, S.A. Engineering College, for her valuable guidance and immense support given to us throughout the project.

We are thankful to Mr. B. RAJAGOPALAN, Software Engineer, Polaris Software Labs Ltd, for providing us valuable guidelines in shaping the project to what it is now.

We are forever in gratitude and in debt to the Divine power and our Parents, without whose austere presence and support none of our efforts would have borne fruit.


TABLE OF CONTENTS

CHAPTER NO  TITLE  PAGE NO

ABSTRACT  i
LIST OF FIGURES  ii
LIST OF SYMBOLS  iii
LIST OF ABBREVIATIONS  iv
1  INTRODUCTION  1
1.1  OVERVIEW  1
1.2  EXISTING METHOD  3
1.2.1  PHISHING PREVENTION  3
1.2.2  KEYLOGGING PREVENTION  5
1.2.3  BRUTEFORCE ATTACK  5
1.3  LITERATURE SURVEY  6
1.4  PROPOSED METHOD  12
1.4.1  PHISHING PREVENTION  12
1.4.2  KEYLOGGING PREVENTION  12
1.4.3  BRUTE FORCE PREVENTION  12
1.5  REPORT ORGANISATION  12
2  MODULES  13
2.1  WEB APPLICATION DEVELOPMENT AND DEPLOYMENT  13
2.1.1  WEB APPLICATION DEVELOPMENT  13
2.1.2  WEB APPLICATION DEPLOYMENT  23
2.2  DATABASE MANAGEMENT  26
2.2.1  JAVA DATABASE CONNECTIVITY  26
2.2.2  MICROSOFT SQL SERVER  27
2.3  STEGANOGRAPHY  29
3  IMPLEMENTATION  33
3.1  DESIGN  33
3.1.1  ALGORITHM  33
3.1.2  FLOWCHART  34
3.2  SYSTEM REQUIREMENTS  37
3.2.1  SOFTWARE REQUIREMENTS  37
3.2.2  HARDWARE REQUIREMENTS  37
4  RESULTS  38
5  CONCLUSION & FUTURE WORKS  49
REFERENCES  50
LIST OF BOOKS & JOURNALS  50
LIST OF WEBSITES  50

ABSTRACT


Of the diverse hacking techniques on the Internet, the three most widely known are phishing, key-logging and network attacks. In our project we attempt to prevent all three with our proposed method. To prevent phishing, our method places the unique image pre-assigned by the user during sign-up on the page every time he wishes to sign in, so that the user can be confident that the page is indeed the original one. To prevent key-logging, we propose a preventive method in which the server randomly sends a key-translation scheme to the client, with the keys jumbled: the user types the original password, but it is translated into a session password, travels through the PC terminal and the network as that translated password, and is reverted to the original password at the server end. To prevent brute force attacks, we propose a scheme in which the translated password is encoded onto the existing unique sign-in seal image.

LIST OF FIGURES


FIGURE NO TITLE PAGE NO

2.2 The Java Platform 16

3.1.2 Flow Chart 36

4.1 Home Page 38

4.2 Signup page with validation 39

4.3 Sign in seal upload page 40

4.4 Registration complete page 41

4.5 Username entry page 42

4.6 Display page 43

4.7 Verify the seal page 44

4.8 Password entry page 45

4.9 Login success page 46

4.10 The image stored in the SQL server 47

4.11 Translated password 1 48

4.12 Translated password 2 48

LIST OF SYMBOLS


SYMBOLS DESCRIPTION

Terminal Point

Start/Stop

Process

Flow line

Decision Box

Process (db)

LIST OF ABBREVIATIONS


IDE Integrated Development Environment

JVM Java Virtual Machine

JRE Java Runtime Environment

SQL Structured Query Language

HTTP Hypertext Transfer Protocol

URL Uniform Resource Locator

CGI Common Gateway Interface

WAR Web Archive

PDU Protocol Data Unit

JDBC Java Database Connectivity

ODBC Open Database Connectivity

UI User Interface

WLAN Wireless Local Area Network

SP Service Provider

SSL Secure Socket Layer

PKI Public Key Infrastructure

MSB Most Significant Bit

LSB Least Significant Bit

J2EE Java 2 Enterprise Edition

DD Deployment Descriptor


XML Extensible Markup Language

JSF JavaServer Faces

API Application Programming Interface

JSTL Java Server Pages Standard Tag Library

TCP Transmission Control Protocol


CHAPTER 1

INTRODUCTION

1.1 OVERVIEW

With the recent development of the Internet, life has literally been transferred to the cyber world. Every business has extended itself to an 'online' version in which users create a profile for themselves on the organization's website. These profiles hold sensitive information such as the username and password of the user. This method of having profiles over the Internet has been used successfully in businesses such as banking and money transactions.

When an evolution orients itself towards betterment, negative things come in the package. These online transactions take place over the common network known as the World Wide Web, an arena in which hackers spawn all around to snatch away sensitive information, either for money-oriented goals or just for the thrill of it. They use numerous methods to tactically 'hack' this information. Of the diverse hacking techniques, the three most widely known are phishing, key-logging and brute force attacks.

A brief description of these methods is given below.

1.1.1 PHISHING

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to fool users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

1.1.2 KEY LOGGING

Keystroke logging (often called key logging) is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous key logging methods, ranging from hardware- and software-based approaches to electromagnetic and acoustic analysis.

1.1.3 BRUTE FORCE ATTACK

In cryptography, a brute force attack or exhaustive key search is a strategy that can in theory be used against any encrypted data by an attacker who is unable to take advantage of any weakness in the encryption system that would otherwise make the task easier. It involves systematically checking all possible keys until the correct key is found. In the worst case this means traversing the entire search space.

The key length used in the encryption determines the practical feasibility of a brute force attack, with longer keys exponentially more difficult to crack than shorter ones. Brute force attacks can be made less effective by obfuscating the data to be encoded, which makes it more difficult for an attacker to recognize when the code has been cracked. One measure of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute force attack against it.

Brute-force attacks are an application of brute-force search, the general problem-solving technique of enumerating all candidates and checking each one.

1.2 EXISTING METHODS

A few of the methods that exist today to prevent these hacking techniques are listed below.

1.2.1 PHISHING PREVENTION

Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures. The following are some of the main approaches to the problem.

1.2.1.1 HELPING TO IDENTIFY LEGITIMATE WEBSITES

Most websites targeted for phishing are secure websites, meaning that SSL with strong PKI cryptography is used for server authentication, where the website's URL is used as the identifier. In theory it should be possible for the SSL authentication to be used to confirm the site to the user, and this was SSL v2's design requirement and the meta of secure browsing. But in practice this is easy to trick.

The superficial flaw is that the browser's security user interface (UI) is insufficient to deal with today's strong threats. There are three parts to secure authentication using TLS and certificates: indicating that the connection is in authenticated mode, indicating which site the user is connected to, and indicating which authority says it is this site. All three are necessary for authentication, and need to be confirmed by/to the user.


1.2.1.2 SECURE CONNECTION

The standard display for secure browsing from the mid-1990s to the mid-2000s was the padlock. In 2005, Mozilla fielded a yellow URL bar as a better indication of the secure connection. This innovation was later reversed due to EV certificates, which replaced certain certificates providing a high level of organization identity verification with a green display, and other certificates with an extended blue favicon box to the left of the URL bar (in addition to the switch from "http" to "https" in the URL itself).

1.2.1.3 WHICH SITE

The user is expected to confirm that the domain name in the browser's URL bar is in fact where they intended to go. URLs can be too complex to be easily parsed. Users often do not know or recognize the URL of the legitimate sites they intend to connect to, so the authentication becomes meaningless. A condition for meaningful server authentication is to have a server identifier that is meaningful to the user; many e-commerce sites change the domain names within their overall set of websites, adding to the opportunity for confusion. Simply displaying the domain name of the visited website, as some anti-phishing toolbars do, is not sufficient.

Some newer browsers, such as Internet Explorer 8, display the entire URL in grey with just the domain name itself in black, as a means of assisting users in identifying fraudulent URLs.

An alternate approach is the pet name extension for Firefox, which lets users type in their own labels for websites so they can later recognize when they have returned to the site. If the site is not recognized, the software may either warn the user or block the site outright. This represents user-centric identity management of server identities. Some suggest that a graphical image selected by the user is better than a pet name.

With the advent of EV certificates, browsers now typically display the organization's name in green, which is much more visible and is hopefully more consistent with the user's expectations. Unfortunately, browser vendors have chosen to limit this prominent display to EV certificates only, leaving the user to fend for himself with all other certificates.

1.2.2 KEY LOGGING PREVENTION

ON-SCREEN KEYBOARD

Most on-screen keyboards (such as the one that comes with Microsoft Windows XP) send normal keyboard event messages to the external target program to type text. Every software key logger can log these typed characters sent from one program to another. Additionally, key logging software can take screenshots of what is displayed on the screen (periodically, and/or upon each mouse click).

1.2.3 BRUTE FORCE ATTACK

In the case of an offline attack, where the attacker has access to the encrypted material, he can try key combinations at his leisure without the risk of discovery or interference. However, database and directory administrators can take countermeasures against online attacks, for example by limiting the number of times a password can be tried, by introducing time delays between successive attempts, and by locking accounts out after unsuccessful logon attempts. Website administrators may prevent a particular IP address from trying more than a predetermined number of password attempts against any account on the site.
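The countermeasures listed above (a cap on attempts per account, a growing delay between successive attempts, account lockout, and a per-IP cap across all accounts) can be combined in one small policy object that a login handler consults before and after verifying a password. The following Python is an added example written for this page, not code from the report or its J2EE implementation; the thresholds (5 failures per account, 20 per source IP, a 15-minute lockout, a 1-second base delay), the sample user and IP values, and the FakeClock helper are assumptions chosen for illustration.

```python
import time


class LoginAttemptLimiter:
    """Per-account and per-IP failure tracking with a doubling delay between
    successive failed attempts and a timed lockout once a threshold is hit.
    The default thresholds are assumed values for illustration, not figures
    from the report."""

    def __init__(self, max_account_failures=5, max_ip_failures=20,
                 lockout_seconds=900, base_delay=1.0, clock=time.monotonic):
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.clock = clock
        self._account = {}  # username -> [failure_count, last_failure_time]
        self._ip = {}       # source ip -> [failure_count, last_failure_time]

    @staticmethod
    def _state(table, key):
        return table.setdefault(key, [0, 0.0])

    def _locked(self, state, limit):
        """True while the failure count has reached the limit and the lockout
        window has not yet elapsed; an expired lockout resets the counter."""
        failures, last = state
        if failures < limit:
            return False
        if self.clock() - last >= self.lockout_seconds:
            state[0], state[1] = 0, 0.0
            return False
        return True

    def check(self, username, ip):
        """Call before verifying the password.  Returns (allowed, wait):
        allowed is False when the account or the source IP is locked out
        (wait is then the lockout length); otherwise wait is the delay in
        seconds the caller must impose before answering this attempt."""
        acct = self._state(self._account, username)
        src = self._state(self._ip, ip)
        if (self._locked(acct, self.max_account_failures)
                or self._locked(src, self.max_ip_failures)):
            return False, self.lockout_seconds
        # The delay doubles with each consecutive failure recorded on the account.
        wait = self.base_delay * (2 ** acct[0]) if acct[0] else 0.0
        return True, wait

    def record(self, username, ip, success):
        """Call after password verification.  A success clears the account's
        failure count; the per-IP count is left alone, so an address that
        cycles through many accounts still accumulates failures."""
        now = self.clock()
        if success:
            self._account[username] = [0, now]
            return
        for state in (self._state(self._account, username),
                      self._state(self._ip, ip)):
            state[0] += 1
            state[1] = now


class FakeClock:
    """Deterministic clock for the walk-through below (production code keeps
    the time.monotonic default)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walk_through():
    """Four wrong passwords one second apart against a 3-failure limit, then a
    retry after the 60 s lockout has expired.  Returns the list of decisions."""
    clock = FakeClock()
    limiter = LoginAttemptLimiter(max_account_failures=3, lockout_seconds=60,
                                  clock=clock)
    user, ip = "alice", "198.51.100.7"  # constructed sample values
    decisions = []
    for _ in range(4):
        allowed, wait = limiter.check(user, ip)
        decisions.append((allowed, wait))
        if allowed:
            limiter.record(user, ip, success=False)
        clock.advance(1)
    clock.advance(60)
    decisions.append(limiter.check(user, ip))
    return decisions


if __name__ == "__main__":
    for step, (allowed, wait) in enumerate(walk_through(), 1):
        print("attempt %d: allowed=%s wait=%ss" % (step, allowed, wait))
```

The walk-through yields waits of 0, 2 and 4 seconds for the first three attempts, a refusal on the fourth, and a clean slate once the lockout has expired. The per-IP counter is deliberately not reset by a successful login, which is what makes the "any account on the site" cap from the paragraph above effective against an address that spreads its guesses over many usernames.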

1.3 LITERATURE SURVEY

[1] Overview of Phishing

While fraud has been part of human society for as long as we know, the automated type of fraud known as phishing is a relatively recent phenomenon. It is becoming clear to society that phishing is a problem of quite catastrophic dimensions. Phishing is a multifaceted techno-social problem for which there is no known single silver bullet. As a result of these insights, an increasing number of researchers and practitioners are attempting to quantify risks and degrees of vulnerability in order to understand where to focus protective measures. When academic researchers plan phishing studies, they are faced with the reality that such studies must not only be conducted in an ethical manner, but must also be reviewed and approved by their Institutional Review Board (IRB). This article provides an overview of the review process used by IRBs and an outline of the section of the federal regulations, 45 CFR 46, 116(d)(14), that provides the circumstances under which aspects of the informed consent process can be waived. Moreover, it contains a discussion of the controversial ethical issues inherent in phishing studies that request a waiver of aspects of the informed consent requirement. Finally, this paper outlines the process of designing and analyzing phishing experiments in an ethical manner and in accordance with the principles and regulations guiding IRBs.

[2] Scott Bishop, California State University, Hayward, August 18, 2004, CS 6520 Cryptography & Data Security, Ping Wah Wang: Steganographic Techniques Using Digital Images.

During the construction of the application several iterations of replacement strategies were used. The following images show the difference between a Most Significant Bit (MSB) replacement scheme and a Least Significant Bit (LSB) replacement scheme. As can be seen from image 1 and image 2, there are noticeable differences to the cover under most significant bit replacement. Images 3 and 4 show a similar pattern. Image 4 also shows the result after embedding the text phrase (Flowers).

[3] Juan Chen, Chuanxiong Guo, Inst. of Commun. Eng., Nanjing. Communications and Networking in China, 2006, ChinaCom '06: Online Detection and Prevention of Phishing Attacks.

Phishing is a new type of network attack where the attacker creates a replica of an existing Web page to fool users (e.g., by using specially designed e-mails or instant messages) into submitting personal, financial, or password data to what they think is their service provider's Web site. In this paper, we propose a new end-host based anti-phishing algorithm, which we call LinkGuard, by utilizing the generic characteristics of the hyperlinks in phishing attacks. These characteristics are derived by analyzing the phishing data archive provided by the Anti-Phishing Working Group (APWG). Because it is based on the generic characteristics of phishing attacks, LinkGuard can detect not only known but also unknown phishing attacks. We have implemented LinkGuard in Windows XP. Our experiments verified that LinkGuard is effective in detecting and preventing both known and unknown phishing attacks with minimal false negatives. LinkGuard successfully detects 195 out of the 203 phishing attacks. Our experiments also showed that LinkGuard is lightweight and can detect and prevent phishing attacks in real time.

[4] W. D. Yu, S. Nargundkar, N. Tiruthani, San Jose. 10.1109/ISCC.2008.4625681: A Phishing Vulnerability Analysis of Web Based Systems.

Phishing, the criminal act of collecting personal, bank and credit card information by sending out forged e-mails with fake websites, has become the most popular practice among the criminals of the Web. Phishing attacks are becoming more and more sophisticated and are constantly on the rise. The impact of phishing is quite drastic since it involves the threat of identity theft and financial losses. A lot of groups and organizations are trying to study this act and also inform and update the public on the latest tactics being used in the phishing sector. According to industry estimates, phishing attacks are on the rise every year and the existing anti-phishing solutions fall short in detecting phishing. Moreover, phishers come up with innovative methods of phishing every day, making it even more difficult to detect and prevent phishing. This paper explains in detail the various methods used in phishing. We perform a root-cause analysis of the methods used in phishing and the motivation for phishing, and in the process come up with a fishbone diagram outlining the causes and methodologies used in phishing. This analysis is aimed at helping developers design and develop better anti-phishing solutions.

[5] Ying Liu, Fushan Wei, Chuangui Ma, Zhengzhou Inf. Sci. & Technol. Inst., Zhengzhou, China. Multimedia Information Networking and Security (MINES), 2010 International Conference: Formal Analysis and Improvement of Two-Factor Authenticated Key Exchange Protocol.

Many two-factor authenticated key exchange protocols have been proposed, and the common ones are based on a secure device and a user's password. But most of them do not use the one-time password system. In one-time password systems, users have many passwords and use each password only once. This paper presents a new two-factor authenticated key exchange protocol using one-time passwords and a secure device, which achieves mutual authentication, session key agreement, and resistance to phishing attacks. This paper also gives a formal proof of the security of the protocol.

[6] Ming Lei, Yang Xiao, S. V. Vrbsky, Chung-Chih Li, Li Liu, Dept. of Computer Sci., Univ. of Alabama, Tuscaloosa, AL. Communications, 2008, ICC '08, IEEE International Conference: A Virtual Password Scheme to Protect Passwords.

In this paper, we discuss how to prevent users' passwords from being stolen by adversaries. We propose a virtual password concept involving a small amount of human computing to secure users' passwords in on-line environments. We adopt user-determined randomized linear generation functions to secure users' passwords, based on the fact that a server has more information than any adversary does. We analyze how the proposed scheme defends against phishing, key logger, and shoulder-surfing attacks.

[7] Shujun Li, Syed Ali Khayam, Ahmad-Reza Sadeghi and Roland Schmitz; Department of Computer and Information Science, University of Konstanz, Germany; School of Electrical Engineering and Computer Science (SEECS), NUST, Islamabad, Pakistan; System Security Group, Ruhr-University of Bochum, Germany; Department of Computer Science and Media, Stuttgart Media University, Germany: Breaking Randomized Linear Generation Functions based Virtual Password System.

In ICC2008 and subsequent work, Lei et al. proposed a user authentication system (virtual password system), which is claimed to be secure against identity theft attacks, including phishing, keylogging and shoulder surfing. Their authentication system is a challenge-response protocol based on a randomized linear generation function, which uses a random integer in the responses of each login session to offer security against assorted attacks. In this paper we show that their virtual password system is insecure and vulnerable to multiple attacks. We show that with high probability an attacker can recover an equivalent password with only two (or a few more) observed login sessions. We also give a brief survey of the related work and discuss the main challenges in designing user authentication methods secure against identity theft.

[8] M. M. Baig, W. Mahmood, Univ. of Eng. & Technol., Lahore. Digital EcoSystems and Technologies Conference, 2007, DEST '07, Inaugural IEEE-IES: A Robust Technique of Anti Key-Logging using Key-Logging Mechanism.

System security and privacy always have to face new confronts. Continuous updates in operating systems and anti-virus applications strive to amplify the system security level. In recent years 'key-loggers' have proved to be one of the prevalent intimidations to security and privacy. A key-logger is a surreptitious surveillance application, which is used to keep a record of the user's activities on the computer in various ways such as keyboard logging, screen logging, mouse logging and voice logging, completely in imperceptible mode. Although key-loggers can also be used for prolific purposes, due to the tremendous increase in Internet usage the caustic use of key-loggers simply surmounts its advantages. Key-loggers have gained so much supremacy in their execution that they have become a serious intimidation to the privacy and security of a computer. The fact which makes key-loggers more perilous is their undetectable nature against anti-virus and spyware applications. This paper discusses some existing techniques of fortification against key-loggers and also exemplifies a new technique along with its proved advantages.

[9] D. Artz, Los Alamos Nat. Lab., NM, Internet Computing, IEEE: Digital Steganography: Hiding Data within Data.

Digital steganography is the art of inconspicuously hiding data within data. Steganography's goal in general is to hide data well enough that unintended recipients do not suspect the steganographic medium of containing hidden data. The software and links mentioned in this article are just a sample of the steganography tools currently available. As privacy concerns continue to develop along with the digital communication domain, steganography will undoubtedly play a growing role in society. For this reason, it is important that we are aware of digital steganography technology and its implications. Equally important are the ethical concerns of using steganography and steganalysis. Steganography enhances rather than replaces encryption. Messages are not secure simply by virtue of being hidden. Likewise, steganography is not about keeping your message from being known; it is about keeping its existence from being known.

[10] Tao Zhang, Wenxiang Li, Yan Zhang, Xijian Ping, Zhengzhou Inf. Sci. & Technol. Inst., Zhengzhou, China. Image Analysis and Signal Processing (IASP), 2010 International Conference: Detection of LSB Matching Steganography Based on Distribution of Pixel Differences in Natural Images.

In this paper, a new steganalytic method based on the statistical distribution of pixel differences is proposed, which is designed to detect the presence of spatial LSB matching steganography in high-resolution natural images. This paper establishes a statistical model for the distribution of pixel differences in natural images based on the Laplacian distribution and estimates the number of zero pixel difference values from the number of non-zero pixel difference values, according to the characteristics of LSB matching steganography. The estimation error is used as the distinguishing feature for steganography classification. Experimental results show that the proposed method exhibits excellent performance for the detection of LSB matching steganography in high-resolution images. Moreover, it has low computational complexity and fast computational speed.

1.4 PROPOSED METHODS

1.4.1 PHISHING PREVENTION

To prevent phishing, the user selects a unique sign-in seal image at sign-up and it is saved on the server. The server produces it to the user in the web browser every time he wishes to log in to the website, thereby authenticating the identity of the website.

1.4.2 KEY LOGGING PREVENTION

For every individual session, a unique set of randomly jumbled keys is made available at the client side, so that the original password is translated into a session-dependent password that varies from session to session.

1.4.3 BRUTE FORCE ATTACK PREVENTION

This translated password is then encoded, using steganography, onto the available sign-in seal and sent to the server over the network. The decoding is carried out at the server side and the user thus enters the website in a secure way.
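The steps of 1.4.2 and 1.4.3 (a per-session key permutation issued by the server, translation of the typed password on the client, LSB embedding of the translated password in the seal, and extraction plus reversal on the server) can be walked through end to end in a few functions; the same block also illustrates the MSB-versus-LSB observation of survey entry [2], since it measures how far each sample of the cover moves. The following Python is an added example written for this page, not code from the report or from its J2EE implementation. It assumes an ASCII letter-and-digit key set, a 16-bit length prefix in front of the hidden payload, and a constructed 512-sample byte gradient standing in for the pixel bytes of the seal image.

```python
import secrets
import string

# Key set that the session translation permutes.  Assumption: the report does
# not list the exact keys, so ASCII letters and digits are used here.
ALPHABET = string.ascii_letters + string.digits

# Constructed stand-in for the sign-in seal: 512 8-bit samples of a synthetic
# gradient, in place of the pixel bytes of a real image.
SAMPLE_SEAL = bytes((i * 37) % 256 for i in range(512))


def make_session_translation():
    """Server side: draw a fresh random permutation of ALPHABET for one login
    session.  Returns (forward, reverse) lookup tables."""
    shuffled = list(ALPHABET)
    secrets.SystemRandom().shuffle(shuffled)  # CSPRNG-backed shuffle
    forward = dict(zip(ALPHABET, shuffled))
    reverse = {image: key for key, image in forward.items()}
    return forward, reverse


def translate(text, table):
    """Apply a translation table character by character; characters outside
    the table (punctuation, etc.) pass through unchanged."""
    return "".join(table.get(ch, ch) for ch in text)


def embed_lsb(cover, payload):
    """Write payload into the least significant bit of successive cover
    samples, preceded by a 16-bit big-endian length so the receiver knows how
    many bits to read back."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length prefix")
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: %d samples for %d bits"
                         % (len(cover), len(bits)))
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego):
    """Read the length prefix, then that many payload bytes, from the LSBs."""
    def read(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)


def max_sample_change(cover, stego):
    """Largest change to any sample.  LSB replacement moves each sample by at
    most 1, which is why it leaves no visible trace where MSB replacement
    (a change of up to 128 per sample) does."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def login_round_trip(password, seal=SAMPLE_SEAL):
    """One session end to end: the server issues the permutation, the client
    translates the typed password and hides the result in the seal, and the
    server extracts and reverts it.  Returns (translated, recovered, delta)."""
    forward, reverse = make_session_translation()
    translated = translate(password, forward)                 # what terminal and network carry
    stego_seal = embed_lsb(seal, translated.encode("ascii"))  # the uploaded seal
    recovered = translate(extract_lsb(stego_seal).decode("ascii"), reverse)
    return translated, recovered, max_sample_change(seal, stego_seal)


if __name__ == "__main__":
    sent, got, delta = login_round_trip("S3cret!")
    print("on the wire:", sent, "| recovered:", got, "| max sample change:", delta)
```

Two design points follow from the report's own text. The permutation travels to the client in the clear, so the translation defeats only a logger that records keystrokes without also capturing the screen; section 1.2.2 notes that key logging software can take screenshots, and survey entry [7] shows how a related virtual-password scheme was broken from a few observed sessions, so each permutation must be used for exactly one session and never repeated. And, as survey entry [9] puts it, hiding the translated password in the seal is not encryption; the upload should still travel over TLS.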

1.5 REPORT ORGANISATION

Chapter 1 gives an introduction to our project, the existing methods, the literature survey and the proposed methods. Chapter 2 is about the modules of the project and the technology used for the front end and back end. Chapter 3 deals with the design, implementation and system requirements. Chapter 4 shows the results of the project. Chapter 5 gives the conclusion and future work.

CHAPTER 2

MODULES

The various modules of this project can be broadly categorized as: web application development and deployment, database management and steganography. A brief study of the modules is given below.

2.1 WEB APPLICATION DEVELOPMENT AND DEPLOYMENT

2.1.1 WEB APPLICATION DEVELOPMENT

The programming language used to develop the web application for log-in is J2EE (Java 2 Enterprise Edition), an edition of the Java programming language aimed specifically at web application development.

2.1.1.1 JAVA

Java is a programming language originally developed by James Gosling at Sun Microsystems (now a subsidiary of Oracle Corporation) and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities. Java applications are typically compiled to bytecode (class files) that can run on any Java Virtual Machine (JVM) regardless of computer architecture. Java is a general-purpose, concurrent, class-based, object-oriented language that is specifically designed to have as few implementation dependencies as possible. It is intended to let application developers "write once, run anywhere". Java is currently one of the most popular programming languages in use, and is widely used from application software to web applications.


There were five primary goals in the creation of the Java language:

1. It should be "simple, object oriented and familiar".

2. It should be "robust and secure".

3. It should be "architecture neutral and portable".

4. It should execute with "high performance".

5. It should be "interpreted, threaded, and dynamic".

2.1.1.2 JAVA PLATFORM

One characteristic of Java is portability, which means that computer programs written in the Java language must run similarly on any supported hardware/operating-system platform. This is achieved by compiling the Java language code to an intermediate representation called Java bytecode, instead of directly to platform-specific machine code. Java bytecode instructions are analogous to machine code, but are intended to be interpreted by a virtual machine (VM) written specifically for the host hardware. End-users commonly use a Java Runtime Environment (JRE) installed on their own machine for standalone Java applications, or in a Web browser for Java applets.

Standardized libraries provide a generic way to access host-specific features such as graphics, threading, and networking.

A major benefit of using bytecode is porting. However, the overhead of interpretation means that interpreted programs almost always run more slowly than programs compiled to native executables would. Just-in-Time compilers, which compile bytecode to machine code at runtime, were introduced from an early stage. Platform-independent Java is essential to the Java EE strategy, and an even more rigorous validation is required to certify an implementation. This environment enables portable server-side applications, such as Web services, Java Servlets, and Enterprise JavaBeans, as well as embedded systems based on OSGi, using Embedded Java environments. Through the new GlassFish project, Sun is working to create a fully functional, unified open source implementation of the Java EE technologies.

Programs written in Java have a reputation for being slower and requiring more memory than those written in C. However, Java programs' execution speed improved significantly with the introduction of Just-in-Time compilation in 1997/1998 for Java 1.1, the addition of language features supporting better code analysis (such as inner classes, the StringBuffer class, optional assertions, etc.), and optimizations in the Java Virtual Machine itself, such as HotSpot becoming the default for Sun's JVM in 2000. Currently, Java code has approximately half the performance of C code.

2.1.1.3 AUTOMATIC MEMORY MANAGEMENT

Java uses an automatic garbage collector to manage memory in the object lifecycle. The programmer determines when objects are created, and the Java runtime is responsible for recovering the memory once objects are no longer in use. Once no references to an object remain, the unreachable memory becomes eligible to be freed automatically by the garbage collector. Something similar to a memory leak may still occur if a programmer's code holds a reference to an object that is no longer needed, typically when objects that are no longer needed are stored in containers that are still in use. If a method is called on a null reference, a "null pointer exception" is thrown.

Figure 2.1: The Java Platform

2.1.1.4 JAVA VIRTUAL ENVIRONMENT

A Java Virtual Machine (JVM) enables a set of computer software

programs and data structures to use a virtual machine model for the

execution of other computer programs and scripts. The model used by a

JVM accepts a form of computer intermediate language commonly referred

to as Java bytecode. This language conceptually represents the instruction set

of a stack-oriented, capability architecture. Sun Microsystems states there

are over 4.5 billion JVM-enabled devices.

2.1.1.5 J2EE

Java Platform, Enterprise Edition or Java EE is a widely used platform

for server programming in the Java programming language. The Java

platform (Enterprise Edition) differs from the Java Standard Edition

Platform (Java SE) in that it adds libraries which provide functionality to

deploy fault-tolerant, distributed, multi-tier Java software, based largely on

modular components running on an application server.

The J2EE basically runs with the help of Servlets and JavaServer

Pages which are studied below.

2.1.1.6 JAVA SERVLET

A Servlet is a Java class in Java EE that conforms to the Java Servlet

API, a protocol by which a Java class may respond to HTTP requests. They

are not tied to a specific client-server protocol, but are most often used with

this protocol. The word "Servlet" is often used in the meaning of "HTTP

Servlet". Thus, a software developer may use a servlet to add dynamic

content to a Web server using the Java platform. The generated content is

commonly HTML, but may be other data such as XML. Servlets are the Java

counterpart to non-Java dynamic Web content technologies such as CGI and

ASP.NET. Servlets can maintain state in session variables across many

server transactions by using HTTP cookies, or URL rewriting.

The servlet API, contained in the Java package hierarchy

javax.servlet, defines the expected interactions of a Web container and a

servlet. A Web container is essentially the component of a Web server that

interacts with the servlets. The Web container is responsible for managing

the lifecycle of servlets, mapping a URL to a particular servlet and ensuring

that the URL requester has the correct access rights.

A Servlet is an object that receives a request and generates a response

based on that request. The basic servlet package defines Java objects to

represent servlet requests and responses, as well as objects to reflect the

servlet's configuration parameters and execution environment. The package

javax.servlet.http defines HTTP-specific subclasses of the generic servlet

elements, including session management objects that track multiple requests

and responses between the Web server and a client. Servlets may be

packaged in a WAR file as a Web application.

Servlets can be generated automatically from JavaServer Pages (JSP)

by the JavaServer Pages compiler. The difference between Servlets and JSP

is that Servlets typically embed HTML inside Java code, while JSPs embed

Java code in HTML. While the direct usage of Servlets to generate HTML

(as shown in the example below) is relatively rare nowadays, the higher level

MVC web framework in Java EE (JSF) still explicitly uses the Servlet

technology for the low level request/response handling via the FacesServlet.

A somewhat older usage is to use servlets in conjunction with JSPs in a

pattern called "Model 2", which is a flavour of the model-view-controller

pattern.

ADVANTAGE OVER CGI

The advantages of using servlets are their fast performance and ease of

use combined with more power over traditional CGI (Common Gateway

Interface). Traditional CGI scripts written in Java have a number of

disadvantages when it comes to performance:

* When an HTTP request is made, a new process is created for each call of

the CGI script. This overhead of process creation can be very system-

intensive, especially when the script does relatively fast operations. Thus,

process creation will take more time than CGI script execution. Java servlets

solve this, as a servlet is not a separate process. Each request to be handled

by a servlet is handled by a separate Java thread within the Web server

process, omitting separate process forking by the HTTP daemon.

* Simultaneous CGI requests cause the CGI script to be copied and loaded

into memory as many times as there are requests. However, with servlets,

there is the same amount of threads as requests, but there will only be one

copy of the servlet class created in memory that stays there also between

requests.

* Only a single instance answers all requests concurrently. This reduces

memory usage and makes the management of persistent data easy.

* A servlet can be run by a servlet engine in a restrictive environment,

called a sandbox. This is similar to an applet that runs in the sandbox of the

Web browser. This makes a restrictive use of potentially harmful servlets

possible.

LIFE CYCLE OF A SERVLET

1. The container calls the no-arg constructor.

2. The Web container calls the init() method. This method initializes the

servlet and must be called before the servlet can service any requests. In the

entire life of a servlet, the init() method is called only once.

3. After initialization, the servlet can service client requests. Each request

is serviced in its own separate thread. The Web container calls the service()

method of the servlet for every request. The service() method determines the

kind of request being made and dispatches it to an appropriate method to

handle the request. The developer of the servlet must provide an

implementation for these methods. If a request for a method that is not

implemented by the servlet is made, the method of the parent class is called,

typically resulting in an error being returned to the requester.

4. Finally, the Web container calls the destroy() method that takes the

servlet out of service. The destroy() method, like init(), is called only once in

the lifecycle of a servlet.

USAGE

Servlets are most often used to

* Process or store data that was submitted from an HTML form

* Provide dynamic content such as the results of a database query

* Manage state information that does not exist in the stateless HTTP

protocol, such as filling the articles into the shopping cart of the appropriate

customer

2.1.1.7 JSP

Java Server Pages (JSP) is a Java technology that helps software

developers serve dynamically generated web pages based on HTML, XML,

or other document types. Released in 1999 as Sun's answer to ASP and PHP,

JSP was designed to address the perception that the Java programming

environment didn't provide developers with enough support for the Web.

Architecturally, JSP may be viewed as a high-level abstraction of Java

servlets. JSP pages are loaded on the server and run from a specially

installed, structured Java server package called a Java EE Web Application,

often packaged as a .war or .ear file archive.

JSP allows Java code and certain pre-defined actions to be interleaved

with static web markup content, with the resulting page being compiled and

executed on the server to deliver an HTML or XML document. The

compiled pages and any dependent Java libraries use Java byte code rather

than a native software format and must therefore be executed within a Java

virtual machine (JVM) that integrates with the host operating system to

provide an abstract platform-neutral environment.

JSP syntax is a fluid mix of two basic content forms: scriptlet

elements and markup. Markup is typically standard HTML or XML, while

scriptlet elements are delimited blocks of Java code which may be

intermixed with the markup. When the page is requested the Java code is

executed and its output is added, in situ, with the surrounding markup to

create the final page. JSP pages must be compiled to Java bytecode classes

before they can be executed, but such compilation is needed only when a

change to the source JSP file has occurred.

Java code is not required to be complete (self contained) within its

scriptlet element block, but can straddle markup content providing the page

as a whole is syntactically correct (for example, any Java if/for/while blocks

opened in one scriptlet element must be correctly closed in a later element

for the page to successfully compile). This system of split inline coding

sections is called step over scripting because it can wrap around the static

markup by stepping over it. Markup which falls inside a split block of code

is subject to that code, so markup inside an if block will only appear in the

output when the if condition evaluates to true; likewise markup inside a loop

construct may appear multiple times in the output depending upon how

many times the loop body runs.

The JSP syntax adds additional XML-like tags, called JSP actions, to

invoke built-in functionality. Additionally, the technology allows for the

creation of JSP tag libraries that act as extensions to the standard HTML or

XML tags.

JVM operated tag libraries provide a platform independent way of

extending the capabilities of a web server. Note that not all commercial Java

servers are Java EE specification compliant.

Starting with version 1.2 of the JSP specification, JavaServer Pages

have been developed under the Java Community Process. JSR 53 defines

both the JSP 1.2 and Servlet 2.3 specifications and JSR 152 defines the JSP

2.0 specification. As of May 2006 the JSP 2.1 specification has been

released under JSR 245 as part of Java EE 5. As of Dec 10, 2009 the JSP 2.2

specification has been released as a maintenance release of JSR 245.

2.1.1.7.1 JSP 2.0

The new version of the JSP specification includes new features meant to

improve programmer productivity. Namely:

* An Expression Language (EL) which allows developers to create

Velocity-style templates (among other things).

* A faster/easier way to display parameter values.

* A clear way to navigate nested beans.

The Java EE 5 Platform has focused on easing development by

making use of Java language annotations that were introduced by J2SE 5.0.

JSP 2.1 supports this goal by defining annotations for dependency injection

on JSP tag handlers and context listeners.

Another key concern of the Java EE 5 specification has been the

alignment of its web tier technologies, namely JavaServer Pages (JSP),

JavaServer Faces (JSF), and the JavaServer Pages Standard Tag Library

(JSTL).

The outcome of this effort has been the Unified Expression Language

(EL), which integrates the expression languages defined by JSP 2.0 and JSF

1.1.

The main key additions to the Unified EL that came out of the

alignment work have been: A pluggable API for resolving variable

references into Java objects and for resolving the properties applied to these

Java objects, support for deferred expressions, which may be evaluated by a

tag handler when needed, unlike their regular expression counterparts, which

get evaluated immediately when a page is executed and rendered, and

support for l-value expression, which appear on the left hand side of an

assignment operation. When used as an l-value, an EL expression represents

a reference to a data structure, for example: a JavaBeans property, that is

assigned some user input. The new Unified EL is defined in its own

specification document, which is delivered along with the JSP 2.1

specification.

JSTL tags, such as the JSTL iteration tags, can now be used with JSF

components in an intuitive way.

JSP 2.0 introduced a problem in the tag library section on how the JSP

version information was represented. The specification itself is inconsistent,

sometimes referring to a jsp-version element, and at other times a version

attribute on the root element. JSF specifications have gone with the latter

interpretation; however some JSP implementations still expect the jsp-

version element.

JSP 2.1 leverages the Servlet 2.5 specification for its web semantics.

2.1.2 WEB APPLICATION DEPLOYMENT

2.1.2.1 DEPLOYMENT DESCRIPTOR

A deployment descriptor (DD) refers to a configuration file for an

artifact that is deployed to some container/engine.

In the Java Platform, Enterprise Edition, a deployment descriptor

describes how a component, module or application (such as a web

application or enterprise application) should be deployed. It directs a

deployment tool to deploy a module or application with specific container

options, security settings and describes specific configuration requirements.

XML is used for the syntax of these deployment descriptor files.

For web applications, the deployment descriptor must be called

web.xml and must reside in the WEB-INF directory in the web application

root. For Java EE applications, the deployment descriptor must be named

application.xml and must be placed directly in the META-INF directory at

the top level of the application .ear file.

2.1.2.1.1 TYPES OF DEPLOYMENT DESCRIPTOR

In Java EE, there are two types of deployment descriptor: Java EE

deployment descriptors, and runtime deployment descriptors. The Java EE

deployment descriptors are defined by the language specification, whereas

the runtime descriptors are defined by the vendor of each container

implementation.

For example, the web.xml file is a standard Java EE deployment

descriptor, specified in the Java Servlet specification, but the sun-web.xml

file contains configuration data specific to the Sun GlassFish Enterprise

Server implementation. In addition to that there are other types of descriptors

as we move forward to the other sections of this study.

2.1.2.2 WEB CONTAINER

In Java Platform, Enterprise Edition, a web container, also known as a

Servlet container "implements the web component contract of the Java EE

architecture". This contract specifies a runtime environment for web

components that includes security, concurrency, lifecycle management,

transaction, deployment, and other services. A web container provides the

same services as a JSP container as well as a federated view of the Java EE

(formerly J2EE) platform APIs.

Examples of web containers are:

• Tomcat

• Jetty

• Sun Java System Application Server (is an Application Server, but

includes a web container)

• Sun Java System Web Server

2.1.2.3 APACHE TOMCAT

Apache Tomcat (or Jakarta Tomcat or simply Tomcat) is an open

source servlet container developed by the Apache Software Foundation

(ASF). Tomcat implements the Java Servlet and the JavaServer Pages (JSP)

specifications from Sun Microsystems, and provides a "pure Java" HTTP

web server environment for Java code to run.

Tomcat should not be confused with the Apache web server, which is

a C implementation of an HTTP web server; these two web servers are not

bundled together. Apache Tomcat includes tools for configuration and

management, but can also be configured by editing XML configuration files.

2.1.2.4 COMPONENTS

2.1.2.4.1 CATALINA

Catalina is Tomcat's servlet container. Catalina implements Sun

Microsystems' specifications for servlet and JavaServer Pages (JSP). In

Tomcat, a Realm element represents a "database" of usernames, passwords,

and roles (similar to Unix groups) assigned to those users.

Different implementations of Realm allow Catalina to be integrated

into environments where such authentication information is already being

created and maintained, and then utilize that information to implement

Container Managed Security as described in the Servlet Specification.

2.1.2.4.2 COYOTE

Coyote is Tomcat's HTTP Connector component that supports the HTTP 1.1

protocol for the web server or application container. Coyote listens for

incoming connections on a specific TCP port on the server and forwards the

request to the Tomcat Engine to process the request and send back a

response to the requesting client.

2.1.2.4.3 JASPER

Jasper is Tomcat's JSP Engine. Tomcat 5.x uses Jasper 2, which is an

implementation of the Sun Microsystems JavaServer Pages 2.0

specification. Jasper parses JSP files to compile them into Java code as

servlets (that can be handled by Catalina). At runtime, Jasper detects changes

to JSP files and recompiles them.

2.2 DATABASE MANAGEMENT

2.2.1 JAVA DATABASE CONNECTIVITY

Java DataBase Connectivity, commonly referred to as JDBC, is an

API for the Java programming language that defines how a client may access

a database. It provides methods for querying and updating data in a database.

JDBC is oriented towards relational databases. A JDBC-to-ODBC bridge

enables connections to any ODBC-accessible data source in the JVM host

environment.

JDBC connections support creating and executing statements. These

may be update statements such as SQL's CREATE, INSERT, UPDATE and

DELETE, or they may be query statements such as SELECT. Additionally,

stored procedures may be invoked through a JDBC connection. JDBC

represents statements using one of the following classes:

* Statement – the statement is sent to the database server each and every

time.

* PreparedStatement – the statement is cached and then the execution path

is pre determined on the database server allowing it to be executed multiple

times in an efficient manner.

* CallableStatement – used for executing stored procedures on the

database.
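The list above gives the performance difference between Statement and PreparedStatement; the difference a security practitioner cares about is that a prepared statement keeps the SQL text fixed and binds the username as data. The following added example (ours, not the project's code) shows this with Python's sqlite3 standing in for JDBC and MS SQL Server; the users table, usernames and seal bytes are constructed for the example.

```python
import sqlite3
from typing import Dict, Optional


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the project's users table (MS SQL Server in the
    report; an in-memory sqlite3 database here so the example runs offline).
    The seal blobs are made-up bytes, not real images."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, seal BLOB NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("ramanan", b"\x89PNG-seal-1"), ("o'neil", b"\x89PNG-seal-2")],
    )
    conn.commit()
    return conn


def seal_by_concatenation(conn: sqlite3.Connection, username: str) -> Optional[bytes]:
    """Statement-style lookup: the SQL text is assembled from the username, so
    the database parses whatever the username contains as part of the query."""
    sql = "SELECT seal FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def seal_by_parameter(conn: sqlite3.Connection, username: str) -> Optional[bytes]:
    """PreparedStatement-style lookup: the SQL text is fixed and the username is
    bound as a parameter, so a quote inside it is data, never syntax."""
    row = conn.execute("SELECT seal FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def compare_lookups(username: str) -> Dict[str, object]:
    """Run both lookups for one username on a fresh database and report what
    each returned; a parse failure of the concatenated query is reported as a
    string starting with 'error'."""
    conn = make_db()
    result: Dict[str, object] = {"parameter": seal_by_parameter(conn, username)}
    try:
        result["concatenation"] = seal_by_concatenation(conn, username)
    except sqlite3.Error as exc:
        result["concatenation"] = "error: " + str(exc)
    conn.close()
    return result
```

For a plain username both lookups agree; for a username that legitimately contains a quote only the bound parameter still finds the row, which is the same property that keeps user input from being interpreted as SQL.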

Update statements such as INSERT, UPDATE and DELETE return an

update count that indicates how many rows were affected in the database.

These statements do not return any other information.

Query statements return a JDBC row result set. The row result set is

used to walk over the result set. Individual columns in a row are retrieved

either by name or by column number. There may be any number of rows in

the result set. The row result set has metadata that describes the names of the

columns and their types.

There is an extension to the basic JDBC API in the javax.sql package.

JDBC connections are often managed via a connection pool rather

than obtained directly from the driver. Examples of connection pools include

BoneCP, C3P0 and DBCP.

2.2.2 MICROSOFT SQL SERVER

Microsoft SQL Server is a relational model database server produced

by Microsoft. Its primary query languages are T-SQL and ANSI SQL.

2.2.2.1 SQL SERVER 2005

SQL Server 2005 (codenamed Yukon), released in October 2005, is

the successor to SQL Server 2000. It included native support for managing

XML data, in addition to relational data. For this purpose, it defined an xml

data type that could be used either as a data type in database columns or as

literals in queries. XML columns can be associated with XSD schemas;

XML data being stored is verified against the schema. XML is converted to

an internal binary data type before being stored in the database. Specialized

indexing methods were made available for XML data. XML data is queried

using XQuery; Common Language Runtime (CLR) integration was a main

feature of this edition, enabling one to write SQL code as Managed Code

by the CLR. SQL Server 2005 added some extensions to the T-SQL

language to allow embedding XQuery queries in T-SQL. In addition, it also

defines a new extension to XQuery, called XML DML that allows query-

based modifications to XML data. SQL Server 2005 also allows a database

server to be exposed over web services using TDS packets encapsulated

within SOAP (protocol) requests. When the data is accessed over web

services, results are returned as XML.

For relational data, T-SQL has been augmented with error handling

features (try/catch) and support for recursive queries with CTEs (Common

Table Expressions). SQL Server 2005 has also been enhanced with new

indexing algorithms, syntax and better error recovery systems. Data pages

are checksummed for better error resiliency, and optimistic concurrency

support has been added for better performance. Permissions and access

control have been made more granular and the query processor handles

concurrent execution of queries in a more efficient way. Partitions on tables

and indexes are supported natively, so scaling out a database onto a cluster is

easier. SQL CLR was introduced with SQL Server 2005 to let it integrate

with the .NET Framework.

SQL Server 2005 introduced "MARS" (Multiple Active Results Sets),

a method of allowing usage of database connections for multiple purposes.

SQL Server 2005 introduced DMVs (Dynamic Management Views),

which are specialized views and functions that return server state

information that can be used to monitor the health of a server instance,

diagnose problems, and tune performance.

SQL Server 2005 introduced Database Mirroring, but it was not fully

supported until the first Service Pack release (SP1). In the initial release

(RTM) of SQL Server 2005, database mirroring was available, but

unsupported. In order to implement database mirroring in the RTM version,

you had to apply trace flag 1400 at startup. Database mirroring is a high

availability option that provides redundancy and failover capabilities at the

database level. Failover can be performed manually or can be configured for

automatic failover. Automatic failover requires a witness partner and an

operating mode of synchronous (also known as high-safety or full safety).

2.3 STEGANOGRAPHY

Steganography is the art and science of writing hidden messages in

such a way that no one, apart from the sender and intended recipient,

suspects the existence of the message, a form of security through obscurity.

The word steganography is of Greek origin and means "concealed writing"

from the Greek words steganos (στεγανός) meaning "covered or protected",

and graphein (γράφειν) meaning "to write". The first recorded use of the

term was in 1499 by Johannes Trithemius in his Steganographia, a treatise

on cryptography and steganography disguised as a book on magic.

Generally, messages will appear to be something else: images, articles,

shopping lists, or some other covertext and, classically, the hidden message

may be in invisible ink between the visible lines of a private letter.

The advantage of steganography, over cryptography alone, is that

messages do not attract attention to themselves. Plainly visible encrypted

messages (no matter how unbreakable) will arouse suspicion, and may in

themselves be incriminating in countries where encryption is illegal.

Therefore, whereas cryptography protects the contents of a message,

steganography can be said to protect both messages and communicating

parties.

Steganography includes the concealment of information within

computer files. In digital steganography, electronic communications may

include steganographic coding inside of a transport layer, such as a

document file, image file, program or protocol. Media files are ideal for

steganographic transmission because of their large size. As a simple

example, a sender might start with an innocuous image file and adjust the

color of every 100th pixel to correspond to a letter in the alphabet, a change

so subtle that someone not specifically looking for it is unlikely to notice it.

2.3.1 DIGITAL STEGANOGRAPHY

Modern steganography entered the world in 1985 with the advent of

the personal computer being applied to classical steganography problems.

Development following that was slow, but has since taken off, going by the

number of "stego" programs available: Over 800 digital steganography

applications have been identified by the Steganography Analysis and

Research Center. Digital steganography techniques include:

• Concealing messages within the lowest bits of noisy images or sound

files.

• Concealing data within encrypted data or within random data. The

data to be concealed is first encrypted before being used to overwrite part of

a much larger block of encrypted data or a block of random data (an

unbreakable cipher like the one-time pad generates ciphertexts that look

perfectly random if you don't have the private key).

• Chaffing and winnowing.

• Mimic functions convert one file to have the statistical profile of

another. This can thwart statistical methods that help brute-force attacks

identify the right solution in a ciphertext-only attack.

• Concealed messages in tampered executable files, exploiting

redundancy in the targeted instruction set.

• Pictures embedded in video material (optionally played at slower or

faster speed).

• Injecting imperceptible delays to packets sent over the network from

the keyboard. Delays in keypresses in some applications (telnet or remote

desktop software) can mean a delay in packets, and the delays in the packets

can be used to encode data.

• Changing the order of elements in a set.

• Content-Aware Steganography hides information in the semantics a

human user assigns to a datagram. These systems offer security against a

non-human adversary/warden.

• Blog-Steganography. Messages are fractionalized and the (encrypted)

pieces are added as comments of orphaned web-logs (or pin boards on social

network platforms). In this case the selection of blogs is the symmetric key

that sender and recipient are using; the carrier of the hidden message is the

whole blogosphere.

• Modifying the echo of a sound file (Echo Steganography).

• Secure Steganography for Audio Signals.

2.3.2 NETWORK STEGANOGRAPHY

All information hiding techniques that may be used to exchange

steganograms in telecommunication networks can be classified under the

general term of network steganography. This nomenclature was originally

introduced by Krzysztof Szczypiorski in 2003. Contrary to the typical

steganographic methods which utilize digital media (images, audio and video

files) as a cover for hidden data, network steganography utilizes

communication protocols' control elements and their basic intrinsic

functionality. As a result, such methods are harder to detect and eliminate.

Typical network steganography methods involve modification of the

properties of a single network protocol. Such modification can be applied to

the PDU (Protocol Data Unit), to the time relations between the exchanged

PDUs, or both (hybrid methods).

Moreover, it is feasible to utilize the relation between two or more

different network protocols to enable secret communication. These

applications fall under the term inter-protocol steganography.

Network steganography covers a broad spectrum of techniques, which

include, among others:

• Steganophony - the concealment of messages in Voice-over-IP

conversations, e.g. the employment of delayed or corrupted packets that

would normally be ignored by the receiver (this method is called LACK -

Lost Audio Packets Steganography), or, alternatively, hiding information in

unused header fields.

• WLAN Steganography – the utilization of methods that may be

exercised to transmit steganograms in Wireless Local Area Networks. A

practical example of WLAN Steganography is the HICCUPS system

(Hidden Communication System for Corrupted Networks).

CHAPTER 3

IMPLEMENTATION

3.1 DESIGN

Here we give the stepwise algorithm for the design and

implementation of the project. For easier understanding we have also

provided a flowchart.

3.1.1 ALGORITHM

Step 1: Enter the URL of the site on the browser

Step 2: Submit the details of the user who is to register an account in the

site

Step 3: Click the submit button to submit the data to the database

Step 4: Upload the unique seal to the database for the user registered

Step 5: The registration process is now over. Click on the Login link to

login to the service.

Step 6: Enter the username and press the display seal button.

Step 7: After the seal image is displayed, click the Submit username

button.

Step 8: A verification window is shown. Click the "Yes this is my seal" to

proceed with entering the password if the displayed seal is correct or "No

this is not my seal" if the displayed seal is incorrect. This will lead to a

password entry page or an error page respectively.

Step 9: On the password entry box, enter your password and click submit.

Step 10: The password translation and steganography is carried out on the

client side.

Step 11: The reverse of password translation and steganography is done at

the server side and the entered password is checked with the password

stored in the database.

Step 12: If both the passwords are same, a Success message is displayed

and the user is allowed to enter the service.

Step 13: If the passwords are not same, the user is redirected to login page.
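As an added example (ours, not the report's own code), the following Python model puts Steps 6 to 13 together with the "every 100th pixel" hiding described in section 2.3: the client translates the password, hides it in the seal image, and the server reverses both steps before comparing. Assumptions of ours: the seal is a flat grayscale pixel list, the "virtual translation" is modelled as XOR with a per-login mask issued by the server, and all names (SealServer, embed, extract, translate, client_login, make_seal) are ours.

```python
import hmac
import os
from typing import Dict, List, Optional, Tuple

STRIDE = 100  # the report's illustration: adjust every 100th pixel


def embed(cover: List[int], payload: bytes, stride: int = STRIDE) -> List[int]:
    """Hide payload in the least significant bit of every stride-th pixel of a
    grayscale image (flat list of 0-255 values). A 16-bit length prefix tells
    extract() where the payload ends."""
    bits: List[int] = []
    for byte in len(payload).to_bytes(2, "big") + payload:
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    if (len(bits) - 1) * stride >= len(cover):
        raise ValueError("cover image too small for this payload")
    stego = list(cover)
    for k, bit in enumerate(bits):
        stego[k * stride] = (stego[k * stride] & ~1) | bit
    return stego


def extract(stego: List[int], stride: int = STRIDE) -> bytes:
    """Reverse of embed(). Returns b"" when the image cannot hold the length it
    announces (for example an image that never carried a payload)."""
    def bit(k: int) -> int:
        return stego[k * stride] & 1

    if 15 * stride >= len(stego):
        return b""
    length = 0
    for k in range(16):
        length = (length << 1) | bit(k)
    if (16 + 8 * length - 1) * stride >= len(stego):
        return b""
    out = bytearray()
    for b in range(length):
        value = 0
        for i in range(8):
            value = (value << 1) | bit(16 + 8 * b + i)
        out.append(value)
    return bytes(out)


def translate(data: bytes, mask: bytes) -> bytes:
    """Stand-in for the report's 'virtual translation' (our assumption: XOR with
    a per-login mask issued by the server). Applying it twice restores the input."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


class SealServer:
    """Server side of Steps 4 to 13. Hiding the password in the image does not
    protect it on the wire by itself, so in a deployment TLS is still required."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, List[int]]] = {}
        self.pending: Dict[str, bytes] = {}  # mask issued for the current attempt

    def register(self, username: str, password: str, seal: List[int]) -> None:
        # The report stores the password itself; a salted hash is the hardened choice.
        self.users[username] = (password.encode(), list(seal))

    def display_seal(self, username: str) -> Optional[Tuple[List[int], bytes]]:
        """Steps 6/7: return the user's seal plus a fresh mask for this attempt."""
        record = self.users.get(username)
        if record is None:
            return None
        mask = os.urandom(16)
        self.pending[username] = mask
        return record[1], mask

    def verify(self, username: str, stego_seal: List[int]) -> bool:
        """Steps 11 to 13: recover the hidden bytes, undo the translation with the
        mask issued for this attempt (one use only), compare in constant time."""
        mask = self.pending.pop(username, None)
        record = self.users.get(username)
        if mask is None or record is None:
            return False
        candidate = translate(extract(stego_seal), mask)
        return hmac.compare_digest(candidate, record[0])


def client_login(server: SealServer, username: str, password: str,
                 expected_seal: List[int]) -> bool:
    """Client side of Steps 6 to 10. expected_seal models the user recognising
    (or rejecting, Step 8) the seal the site shows before typing a password."""
    shown = server.display_seal(username)
    if shown is None or shown[0] != expected_seal:
        return False  # "No this is not my seal": stop, no password is sent
    seal, mask = shown
    stego = embed(seal, translate(password.encode(), mask))  # Step 10, client side
    return server.verify(username, stego)


def make_seal(width: int = 120, height: int = 100) -> List[int]:
    """Constructed grayscale gradient standing in for an uploaded seal image."""
    return [(x + y) % 256 for y in range(height) for x in range(width)]
```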

3.1.2 FLOWCHART

[Flowchart boxes recovered from the extracted figure, listed in flow order]

START

ENTER THE URL OF THE SITE

ENTER THE DETAILS OF THE USER IN THE REGISTRATION FORM

CLICK THE SUBMIT BUTTON

DATA IS SUBMITTED TO THE DATABASE

UPLOAD THE UNIQUE SEAL IMAGE FOR THIS USER ACCOUNT

REGISTRATION PROCESS COMPLETE. ENTER THE LOGIN PROCESS

(A) ENTER THE USERNAME AND PRESS DISPLAY SEAL BUTTON

THE SEAL IMAGE IS DISPLAYED

IS THE IMAGE CORRECT?

YES: PRESS “YES THIS IS MY SEAL” -> PROCEED TO ENTER THE PASSWORD -> ENTER THE PASSWORD IN THE TEXT FIELD AND CLICK SUBMIT -> (B)

NO: PRESS “NO THIS IS NOT MY SEAL” -> (C)

(B) IS THE ENTERED PASSWORD CORRECT?

YES: DISPLAY THE SUCCESS PAGE. -> END

NO: (C)

(C) AN ERROR PAGE IS DISPLAYED -> END

Fig 3.1.2 FLOWCHART

3.2 SYSTEM REQUIREMENTS

The software and hardware requirements of the project are listed below.

3.2.1 SOFTWARE REQUIREMENTS

PROGRAMMING LANGUAGE – JAVA

OPERATING SYSTEM – WINDOWS 7

TEXT EDITOR – NOTEPAD ++

FRONT-END TOOL – ECLIPSE IDE (HELIOS)

BACK-END TOOL – MS SQL SERVER 2005

DEPLOYMENT TOOL – APACHE TOMCAT 6.0

WEB BROWSER – MOZILLA FIREFOX

3.2.2 HARDWARE REQUIREMENTS:

STANDARD DESKTOP COMPUTER

PROCESSOR – PENTIUM IV (3.00GHz)

MOTHERBOARD – D945GCCR

RAM – 1GB DDR2

HARD DISK – 160 GB SATA

ETHERNET CARD WITH WORKING INTERNET CONNECTION

CHAPTER 4

RESULTS

The modules were executed in the built-in browser of Eclipse with Tomcat as

the deployment tool, and the screenshots of the same are displayed

below.

SCREENSHOTS

Fig. 4.1 Home page.

This is the page where the user will be able to choose whether to create a

new account or login using an existing account.

Fig. 4.2 Sign up page with Validation.

This is the page where the user is asked to enter his details during

registration. The validation of data such as the email id, the length of the

username and the matching of the passwords is done using JavaScript.

Fig. 4.3 Signin seal upload page

This is the page where the user is asked to upload his unique signin seal to

complete his registration. The user may upload any image from his local

disk.

Fig. 4.4 Registration complete page

This page indicates to the user that the registration process is complete. It carries a hyperlink to the login process.

Fig. 4.5 Username entry page

On this page, the user enters his username. The Submit Username button is not enabled until the Display Seal button has been pressed; displaying the seal first is what lets the user verify the identity of this page before going on.

Fig. 4.6 Display seal page

After the user has pressed the Display Seal button, the image he stored in the database against his username is displayed.

Fig. 4.7 Verify the seal page

After the seal is displayed, the user is asked to verify that it is his seal. If the user clicks Yes, he is redirected to the password entry page. If the user clicks No, an error page is displayed.

Fig. 4.8 Password entry page

On this page the user is asked to enter his password, after the verification of his seal.

Fig. 4.9 Login success page

This page is displayed when the entered password matches the one stored in the database against the entered username. If the password is incorrect, an error page is displayed. In a commercial web application this page would be replaced by the actual transaction or web service page.
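The login flow of Figs. 4.5 to 4.9 (and of the flowchart in Fig 3.1.2), written out as an added example that is not part of the report's Java implementation. The report disables the Submit Username button in the browser until Display Seal is pressed; this sketch enforces the same ordering on the server side, so a password submitted without the seal having been displayed and confirmed in the same session is rejected whatever the client does. The class and method names, the USERS store and the sample seal bytes are constructed for the example.

```python
import hmac
from dataclasses import dataclass

# Constructed sample store: username -> (password, seal image bytes). The report
# keeps the seal as binary data in an SQL Server 'image' column and compares the
# submitted password with the stored one; a deployed system would store a hash.
USERS = {"alice": ("correct horse", b"\x89PNG\r\n\x1a\n" + b"alice-seal")}


@dataclass
class Session:
    username: str = ""
    seal_shown: bool = False
    seal_confirmed: bool = False


class SealLogin:
    """One instance per browser session; each method is one page of the flow."""

    def __init__(self, users=USERS):
        self.users = users
        self.s = Session()

    def display_seal(self, username):
        """Fig. 4.5/4.6: look the seal up by username; None if unknown."""
        rec = self.users.get(username)
        if rec is None:
            self.s = Session()
            return None
        self.s = Session(username=username, seal_shown=True)
        return rec[1]

    def confirm_seal(self, is_mine):
        """Fig. 4.7: 'Yes this is my seal' / 'No this is not my seal'."""
        if not self.s.seal_shown:
            return "error_order"  # nothing was displayed in this session
        if not is_mine:
            self.s = Session()  # the report shows an error page here
            return "error"
        self.s.seal_confirmed = True
        return "password_page"

    def submit_password(self, password):
        """Fig. 4.8/4.9: accepted only after the seal has been confirmed."""
        if not self.s.seal_confirmed:
            return "error_order"  # seal step skipped: reject regardless of client
        stored = self.users[self.s.username][0]
        if not hmac.compare_digest(stored.encode(), password.encode()):
            self.s = Session()  # error page; the flow restarts from username entry
            return "error"
        return "success"
```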

Fig. 4.10 The image stored in the SQL Server.

This is a sample display of the image stored in the database against the username. It is stored as binary data using the 'image' datatype of MS SQL SERVER 2005.

Fig. 4.11 Translated password 1

Fig. 4.12 Translated password 2

Figs. 4.11 and 4.12 show the virtually translated password after the user enters his original password on the website.

CHAPTER 5

CONCLUSION

CONCLUSION

With the methods proposed above, we can prevent the popular hacking techniques of phishing, key logging and brute force attack. Though we have implemented this as a prototype on the localhost of an ordinary desktop computer using the Apache Tomcat server, a real-world implementation of the project is not too far off. We expect the method to be a simple, effective and efficient means of preventing the hacking of a user's password.

FUTURE WORKS

In the near future, we plan to implement the same method in a commercial web service and test it under real-time scenarios.
