LIST OF FIGURES

Figure No. Page No.

3.1 Matches of Cryptographic Hash Functions and Symmetric-Key

Algorithms 12
4.1 The generation procedure of the EENP 17
4.2 Negative Database Generation 18
4.3 The verification procedure of the EENP 19
4.4 Block diagram of AES Algorithm 22
4.5 AddRound Key generation 23
4.6 SubByte generation 23
4.7 8 Bit Lookup Table 24
4.8 ShiftRows generation 24
4.9 MixColumn generation 25
5.1 Block Diagram for Registration phase 28
5.2 Flow diagram for ENP-As -A-Service 29
5.3 Flow Diagram of ENP 29
5.4 Use Case Diagram for ENP 30
5.5 Sequence Diagram 1 31
7.1 Anaconda Navigator Interface 42
9.1 User Registration in Web App 47
9.2 User Information Stored in SQLite Database 48
9.3 User Authentication Successful 48
 LIST OF TABLES

Table No. Page No.

5.1 Mode of User Operation 28

7.2 Software Requirements 40
7.2 Hardware Requirements 40
8.1 Presents A Set of Malfunctions 45
 CHAPTER 1

INTRODUCTION
---------------------------------------------------------------------------------------------------------------
1.1 Introduction
Due to the development of the Internet, a vast number of online services
have emerged, in which password authentication is the most widely used
authentication technique, for it is available at a low cost and easy to deploy.
Hence, password security always attracts great interest from academia and
industry. Despite great research achievements on password security, passwords
are still cracked since users’ careless behaviours. For instance, many users often
select weak passwords; they tend to reuse same passwords in different systems;
they usually set their passwords using familiar vocabulary for its convenience to
remember. In addition, system problems may cause password compromises. It is
very difficult to obtain passwords from high security systems. On the one hand,
stealing authentication data tables (containing usernames and passwords) in high
security systems is difficult. On the other hand, when carrying out an online
guessing attack, there is usually a limit to the number of login attempts. However,
passwords may be leaked from weak systems. Vulnerabilities are constantly
being discovered, and not all systems could be timely patched to resist attacks,
which gives adversaries an opportunity to illegally access weak systems. In fact,
some old systems are more vulnerable due to their lack of maintenance. Finally,
since passwords are often reused, adversaries may log into high security systems
through cracked passwords from systems of low security.
After obtaining authentication data tables from weak systems, adversaries
can carry out offline attacks. Passwords in the authentication data table are
usually in the form of hashed passwords. However, because processor resources
and storage resources are becoming more and more abundant, hashed passwords
cannot resist precomputation attacks, such as rainbow table attack and lookup
table attack. Note that there is a trend of generalization of adversaries, because
anyone could obtain access to information on vulnerabilities from vulnerability
databases, such as the Open-Source Vulnerability Database (OSVDB), National
Vulnerability Database (NVD), and the Common Vulnerabilities and Exposures
1
 (CVE), and then make use of these information to crack systems. Moreover, they
could download and use attack tools without the need for very professional security
knowledge. Some powerful attack tools, such as hash cat, Rainbow Crack and John
the Ripper, provide a variety of functions, such as multiple hash algorithms,
multiple attack models, multiple operating systems, and multiple platforms,
which raises a higher demand for secure password storage. In these situations,
attacks are usually carried out as follows. First, adversaries pre-compute a lookup
table, where the keys are the hash values of elements in a password list
containing frequently-used passwords, and the records are the corresponding plain
passwords in the password list. Next, they obtain an authentication data table
from low security systems. Then, they search for the plain passwords in the
lookup table by matching hashed passwords in the authentication data table and
the keys in the lookup table. Finally, the adversaries log into higher security
systems through cracked usernames and passwords, so that they could steal
more sensitive information of users and obtain some other benefits. A
considerable number of attacks are carried out in this way, so that adversaries
could obtain passwords at a low cost, which is advantageous to their goals. One of
the main reasons for the success of the above lookup table attack is that the
corresponding hashed password is determined for a given plain password.
Therefore, the lookup table could be quickly constructed, and the size of the
lookup
table could be sufficiently large, which results in a high success rate of cracking
hashed passwords.

1.2 Typical Password Protection Schemes

 Hashed Password:
The simplest scheme to store passwords is to directly store plain
passwords. However, this scheme presents a problem that once adversaries
obtain the authentication data table, all passwords are immediately
compromised. To safely store passwords, a common scheme is to hash passwords
using a cryptographic hash function, because it is infeasible to directly recover
plain passwords from hashed passwords. The cryptographic hash function
quickly maps data of arbitrary size to a fixed-size sequence of bits. In the
2
 authentication system using the hashed password scheme, only hashed
passwords are stored. However, hashed passwords

3
 cannot resist lookup table attack. Furthermore, rainbow table attack is more
practical for its space-time trade-off. Processor resources and storage resources are
becoming richer, which makes the precomputed tables used in the above two
attacks sufficiently large, so that adversaries could obtain a higher success rate of
cracking hashed passwords.

 Salted Password:
To resist precomputation attacks, the most common scheme is salted
password. In this scheme, the concatenation of a plain password and a random
data (called salt) is hashed through a cryptographic hash function. The salt is
usually generated at random, which ensures that the hash values of the same
plain passwords are almost always different. The greater the size of the salt is, the
higher the password security is. However, under dictionary attack, salted
passwords are still weak. Note that compared with salted password, the ENP
proposed in this paper guarantees the diversity of passwords without the need
for extra elements (e.g., salt).

 Key Stretching:
To resist dictionary attack, key stretching, which converts weak passwords
to enhanced passwords, was proposed. Key stretching could increase the time
cost required to every password attempt, so that the power of defending against
dictionary attack is increased. In the ENP proposed in this paper, like key
stretching, multi-iteration encryption is used to further improve password
security under dictionary attack, and compared with key stretching, the ENP does
not introduce extra elements (e.g., salt).

1.3 Negative Database

In the NDB, the compression of the complement of a positive database
(denoted as DB) is stored. U = f0; 1gn denotes the universal set of n-bit
sequences; x2 U denotes an n-bit sequence; DB = fx1; x2; · · ·; xmg denotes a
positive database that contains m entries; then NDB stores the compression
(implemented using the wildcard ‘*’) of (U − DB). Some concepts of NDB are given
below. Every entry in an NDB contains three symbols: ‘0’, ‘1’, and ‘*’. The symbol
4
 ‘0’ only match the bit 0,

5
 and the symbol ‘1’ only match the bit 1; The symbol ‘*’ can match either the bit 0
or 1. Every entry in an NDB consists of two kinds of positions: specified positions
and unspecified positions. Positions where the symbols are ‘0’ or ‘1’ are called
specified positions, while positions where the symbols are ‘*’ are called
unspecified positions. Accordingly, both ‘0’ and ‘1’ are specified symbols, and the
‘*’ is the unspecified symbol. A sequence of bits is covered by one entry in an NDB;
that is to say, the bits of the sequence are matched by the symbols of the entry at
the specified positions. If a sequence of bits is covered by one entry in an NDB, we
say that the sequence is covered by the NDB. If an NDB covers every entry in the
(U- DB), we say that the NDB is complete; otherwise, it is incomplete. The NDB
converted from a DB with only one entry is called the single NDB; otherwise, it is
called the multiple NDB.
There are two types of NDB generation algorithms, one for single NDBs and
one for multiple NDBs. In the first type, clause distribution control algorithm, 1-
hidden algorithm, 2-hidden algorithm, q-hidden algorithm, hybrid algorithm, p-
hidden algorithm, and K-hidden algorithm were proposed successively. In the
second type, the prefix algorithm, Randomize_NDB (abbreviated as RNDB),
multiple-solution algorithm was proposed successively; certainly, these
algorithms could also be used to generate single NDBs. Among NDBs generated by
these generation algorithms, under certain conditions, some are hard-to-reverse,
and others are easy-to-reverse. In our work, we employ two easy-to-reverse
complete single NDB generation algorithms to generate negative passwords.

1.4 Objective of The Project

 To implement a computationally light weight efficient password protection
scheme called Encrypted Negative Password (abbreviated as ENP)
 To implement the solution in such a way that it should be easier to integrate
this with existing systems
 To prove that the proposed scheme provides a strong security against various
kinds of attacks.

6
 1.5 Problem Statement
In our framework, first, the received plain password from a client is hashed
through a cryptographic hash function (e.g., SHA-256). Then, the hashed
password is converted into a negative password. Finally, the negative password is
encrypted into an Encrypted Negative Password (abbreviated as ENP) using a
symmetric-key algorithm (e.g., AES), and multi-iteration encryption could be
employed to further improve security.
The cryptographic hash function and symmetric encryption make it difficult
to crack passwords from ENPs. Moreover, there are lots of corresponding ENPs
for a given plain password, which makes pre-computation attacks (e.g., lookup
table attack and rainbow table attack) infeasible. The algorithm complexity
analyses and comparisons show that the ENP could resist lookup table attack and
provide stronger password protection under dictionary attack. It is worth
mentioning that the ENP does not introduce extra elements (e.g., salt); besides
this, the ENP could still resist pre-computation attacks. Most importantly, the ENP
is the first password protection scheme that combines the cryptographic hash
function, the negative password and the symmetric-key algorithm, without the
need for additional information except the plain password.

7
 CHAPTER 2

LITERATURE SURVEY
-------------------------------------------------------------------------------------------------------------------------
2.1 Introduction
A literature survey is a body of textual content that pursues assessing the
critical factors of current understanding and or methodological approaches on a
specific topic. Its final intention is to carry the reader up to date with current
literature on a subject. And the groundwork for any other goal, such as future
research, may also be wanted in the area. A literature survey is a proof essay of
sorts. It is a study and review of relevant literature materials concerning a topic
given.

2.2 Related Work

[1] Passwords and the evolution of imperfect authentication.

Authors: Joseph Bonneau, et al.

They proposed the theory on passwords has lagged behind the practice,
where large providers use back-end smarts to survive with imperfect technology.
Simplistic models of the user and attacker behaviors have led the research
community to emphasize the wrong threats. Authentication is a classification
problem amenable to machine learning, with many signals in addition to the
password available to large Web services. Passwords will continue as a useful signal
for the foreseeable future, where the goal is not impregnable security but
reducing harm at an acceptable cost.

[2] Securing passwords from dictionary attack with character-tree.

Authors: Jacob Jose, et al.

They propose a novel method for ensuring security for passwords against
such dictionary attacks. Most websites use passwords for authenticating user
identity and for allowing access to website resources that may contain sensitive
information. A large number of people use dictionary words for creating passwords.
These user passwords are subjected to one-way hash functions and are stored
8
 inside the database as corresponding hash values instead of plaintext. A potential
hacker can use precomputation attacks (brute-force, rainbow table or dictionary
attacks.,) to get the input password from the hash values and the most reported
real-life hacks were done by cracking password hashes using dictionary attack.
Currently, users are allowed to register on websites only with passwords that
obey the security policies. It is noted that, even though passwords with certain
patterns are accepted as strong by the existing policies, they are vulnerable for a
dictionary attack based on those patterns. This method checks the strength of the
user passwords using a dictionary which is stored as a character tree. This system
helps to create strong password hashes that are resistant to dictionary attacks.
This approach thus offers advanced and superior protection for passwords from
cracking attempts.

[3] Argon2: New generation of memory-hard functions for password hashing

and other applications.

Authors: Alex Biryukov, et al.

They proposed a new hash function Argon2(Hashing Algorithm), which is

oriented at the protection of low-entropy secrets without secret keys. It requires
a certain (adaptive) amount of memory, imposes prohibitive time-memory and
computation-memory tradeoffs on memory-saving users, and is exceptionally fast

on regular PC. Overall, it can provide ASIC (Application-specific integrated

circuit)- and botnet-resistance by filling the memory in 0.6 cycles per byte in a
non- compressible way.

[4] Password Hashing Competition.

Authors: George Hatzivasilis1, et al.

They conducted PHC. Password hashing is the common approach for

maintaining users’ password-related information that is later used for
authentication. A hash for each password is calculated and maintained at the
service provider end. When a user login the service, the hash of the given password
9
 is computed and contrasted with the stored hash. If the two hashes match, the
authentication is successful. However, in many cases, the passwords are just
hashed by a cryptographic hash function or even stored in clear. These poor
password protection practices have led to efficient attacks that expose the users’
passwords. PBKDF2 is the only standardized construction for password hashing.
Other widely used primitives are bcrypt and scrypt. The low variety of methods
derive the international cryptographic community to conduct the Password
Hashing Competition (PHC). The competition aims to identify new password
hashing schemes suitable for widespread adoption. It started in 2013 with 22 active
submissions. Nine finalists are announced during 2014. In 2015, a small portfolio
of schemes will be proposed. This paper provides the first survey and benchmark
analysis of the 22 proposals. All proposals are evaluated on the same platform over
a common benchmark suite. We measure the complexities (execution time, code
size and memory consumption) of PBKDF2, bcrypt, scrypt, and the 22 PHC
schemes. The first-round results are summarized along with a benchmark analysis
that is focused on the nine finalists and contributes to the final selection of the
winners.

[5] Dynamic salt generation and placement for secure password storing.

Authors: Sirapat Boonkrong, et al.

They used Cryptographic hash functions such as MD5 and SHA-1 are the
most popular functions used for storing passwords. The main problem is that
they were not designed to serve such a purpose. Therefore, using them for storing
passwords has generated a vulnerability. An attack using a rainbow table is
possible. In order to counter this type of attack, a salt value has been introduced.
However, attaching a salt value to a password is still found not to be enough. This
research, therefore, proposes a method that helps generate and place a salt value
into a password dynamically. After the implementation and mathematical
analysis, the results show that if our method is applied, passwords will become more
tolerant of the attack, which makes it more difficult to compromise.

10
 [6] Online negative databases.

Authors: Fernando Esponda, et al.

They propose a theory based on the novel technique of Artificial Immune

Systems (AIS). The benefits of negative detection for obscuring information are
explored in the context of AIS. AIS based on string matching has the potential for
an extra security feature in which the “normal” profile of a system is hidden from
its possible hijackers. Even if the model of normal behavior falls into the wrong
hands, reconstructing the set of valid or “normal” strings is an NP-hard problem.
The data-hiding aspects of negative detection are explored in the context of an
application to negative databases. Previous work is reviewed describing possible
representations and reversibility properties for privacy-enhancing negative
databases. New algorithms are presented which allow on-line creation, updates,
and clean-up of negative databases, some experimental results illustrate the
impact of these operations on the size of the negative database.

[7] Authentication by Encrypted Negative Password

Authors: Wenjian Luo, et al.

They proposed that the plain password which is received from the client is
hashed to Cryptographic hash function like SHA-256. Then, the hashed password
is converted into a negative password. Finally, the negative password is
encrypted into an encrypted negative password (ENP) using a symmetric-key
algorithm like AES, and multi-iteration encryption could be utilized to further
improve security. The Cryptographic hash function and symmetric encryption,
make it difficult to crack passwords from ENPs. Moreover, there are lots of
corresponding ENPs for a given plain password which makes pre-computation
attacks (e.g., lookup table attack, and rainbow table attack) infeasible. The algorithm
complexity analyses and comparisons show that the ENP could resist lookup table
attacks and provide stronger password protection under the dictionary attack. It
is worth mentioning that the ENP does not introduce extra elements (e.g., salt);
besides this, the ENP could still resist pre-computation attacks. Most importantly,
the ENP is the first password protection scheme that combines the
11
 Cryptographic hash function, the

12
 negative password, and the symmetric-key algorithm, without the need for
additional information except the plain password.

[8] Enhancing privacy through negative representations of data.

Authors: Fernando Esponda, et al.

They discussed, in a negative representation, a set of elements (the positive

representation) is depicted by its complement set. That is, the elements in the
positive representation are not explicitly stored, and those in the negative
representation are. The concept, feasibility, and properties of negative
representations are explored in the paper; in particular, its potential to address
privacy concerns. It is shown that a positive representation consisting of null-bit
strings can be represented negatively using only O(ln)strings, through the use of
an additional symbol. It is also shown that membership queries for the positive
representation can be processed against the negative representation in time no
worse than linear in its size while reconstructing the original positive set from its
negative representation is an NP-hard problem. The paper introduces algorithms
for constructing negative representations as well as operations for updating and
maintaining them.

[9] A future-adaptive password scheme.

Authors: N. Provos, et al.

[10] The scrypt Password-Based Key Derivation Function.

Authors: RFC 7914, https://tools.ietf.org/html/rfc7914;

[11] Argon2: New generation of memory hard functions for password hashing
and other applications.

Authors: A. Biryukov, et al.

The above Key Stretching schemes [9], [10], and [11] are used to defend
against dictionary attack.

13
 Drawbacks:

Although key stretching schemes provide stronger password protection

than salted password under dictionary attack, they impose an extra burden on
programmers for configuring more parameters.

[12] Security analysis of MD5 algorithm in password storage.

Authors: M. C. Ah Kioon, et al.

In the above paper, a scheme based on MD5 was proposed. It is a variant of

salted password, where the salt is two random strings.

Drawbacks:

Although it could resist lookup table attack and make dictionary attack
difficult, it introduces many parameters, which makes it complicated and
inconvenient to use.

[13] Dynamic salt generation and placement for secure password storing.

Authors: S. Boonkrong, et al.

Here, the dynamic salt generation and placement are used to improve
password security. Essentially, this scheme is also a variant of salted password,
where the salt is a random string that is dependent on the original password.

Drawbacks:

It could resist lookup table attack; however, it could not defend against
dictionary attack and also introduces an extra element (i.e., salt).

14
 CHAPTER 3

SYSTEM ANALYSIS
-----------------------------------------------------------------------------------------------------------------------------------

3.1 Introduction
The Analysis Phase is where the project lifecycle begins. The Analysis Phase
is where you break down the deliverables in the high-level Project Charter into
the more detailed business requirements. The Analysis Phase is also the part of
the project where you identify the overall direction that the project will take
through the creation of the project strategy documents.

3.2 Existing System

This framework includes two phases: the registration phase and
authentication phase. When adopting our framework to protect passwords in an
authentication data table, the system designer must first select a cryptographic
hash function and a symmetric-key algorithm, where the condition that must be
satisfied is that the size of the hash value of the selected cryptographic hash
function is equal to the key size of the selected symmetric-key algorithm. For
convenience, some matches of cryptographic hash functions and symmetric-key
algorithms. In addition, cryptographic hash functions and symmetric-key
algorithms that are not listed here could also be used in the ENP, which
adequately indicates the flexibility of our framework.

Figure 3.1 Matches of Cryptographic Hash Functions and Symmetric-Key Algorithms

15
 A. Registration Phase
The registration phase is divided into six steps.
(1) On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a
secure channel;
(2) If the received username exists in the authentication data table, “The
username already exists!” is returned, which means that the server has
rejected the registration request, and the registration phase is terminated;
otherwise, go to step (3);
(3) The received password is hashed using the selected cryptographic hash
function;
(4) The hashed password is converted into a negative password using an NDB
generation algorithm (i.e., Algorithm A.1 or Algorithm A.2 in the Appendix);
(5) The negative password is encrypted to an ENP using the selected
symmetric- key algorithm, where the key is the hash value of the plain
password. Here, as an additional option, multi-iteration encryption could
be used to further enhance passwords;
(6) The username and the resulting ENP are stored in the authentication data
table and “Registration success” is returned, which means that the server
has accepted the registration request.

B. Authentication Phase
The authentication phase is divided into five steps.
(1) On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a
secure channel.
(2) If the received username does not exist in the authentication data table,
then “Incorrect username or password!” is returned, which means that the
server has rejected the authentication request, and the authentication
phase is terminated; otherwise, go to Step (3);
(3) Search the authentication data table for the ENP corresponding to the
received username;

16
 (4) The ENP is decrypted (one or more times according to the encryption setting
in the registration phase) using the selected symmetric-key algorithm, where
the key is the hash value of the plain password; thus, the negative password
is obtained;
(5) If the hash value of the received password is not the solution of the
negative password (verified by Algorithm 1 or Algorithm 2), then “Incorrect
username or password!” is returned, which means that the server has
rejected the authentication request, and the authentication phase is
terminated; otherwise, “Authentication success” is returned, which means
that the server has accepted the authentication request.

C. Encrypted Negative Password

ENPs could be obtained through the following steps. The received plain
password (i.e., a sequence of characters) from a client is first hashed using a
cryptographic hash function. Next, the hashed password is converted into a
negative password using an NDB generation algorithm (i.e., Algorithm A.1 or
Algorithm A.2 in the Appendix). Then, the negative password is encrypted using a
symmetric-key algorithm. Thus, the ENP is obtained. The solution of the negative
password is the hash value of the received plain password. In the above processing,
each component (i.e., the cryptographic hash function, the symmetric-key
algorithm, and the NDB generation algorithm) is indispensable. The cryptographic
hash function converts plain passwords to hashed passwords; the fixed length
property of resulting hashed passwords offers convenience for the subsequent
encryption, since the length requirement for the secret key in the symmetric key
algorithm; and other properties (such as avalanche effect and collision resistance)
are also crucial factors of employing the cryptographic hash function. The reasons
for employing the symmetric-key algorithm are given below. The conversion from a
hashed password to a negative password is not irreversible; therefore, if no
encryption, when an adversary obtains a negative password, the adversary
immediately obtains the corresponding hashed password, which makes the
strength of the ENP equivalent to that of the hashed password essentially. However,
when adopting encryption, the adversary does not know the key (i.e., the hashed
password converted from the original plain password), so the adversary could not
17
 decrypt the ENP to get the negative password. The NDB generation algorithm is
selected for converting a hashed password to the corresponding negative password;
there are several reasons listed below. The NDB generation algorithm is a one-to-
many mapping; simultaneously, it is reversible; additionally, while keeping the one-
to-many relationship, it does not introduce extra elements (such as salt).
Specifically, given a hashed password, there are lots of corresponding negative
passwords; a negative password has one and only one corresponding hashed
password; this conversion is done by the NDB generation algorithm itself, and not
dependent on extra elements. The value space of negative passwords for a hashed
password is big enough for resisting pre-computation attacks. The NDB
generation algorithms are simple and efficient. The pseudo-code of the NDB
generation algorithms are easy to implement and analyze; thus, it helps achieve
confidence on the use of the ENP; based on random permutation and inverse
permutation, randomness is introduced to implement reversible one-to-many
mapping, which is straightforward and efficient.
Before encryption, every entry in a negative password is encoded as the
concatenation of two-bit pairs. The two-bit pairs have four forms: 00, 01, 10, and
11, where 00 denotes the symbol ‘0’, 01 denotes the symbol ‘1’, and both 10 and
11 denote the symbol ‘*’. For example, the sequence of bits 00101101 denotes the
entry “0**1”. Note that the symbol ‘*’ is denoted by either 10 or 11 randomly instead
of just 10 or 11, which ensures that any sequence of bits can be a legal negative
password. As a result, under dictionary attack, adversaries cannot exclude any
password in the password list based on the form of the negative password (i.e.,
not including 10 or 11). Moreover, multi-iteration encryption could be introduced
to further improve ENPs strength, which is an implementation of the key
stretching technique. The greater the number of encryptions is, the more secure
the ENPs are; however, the authentication speed decreases. The system designer
must balance the speed of authentication against password security, and then
selects a proper number of encryptions.

18
 3.3 Proposed System
In this project, the proposed framework is based on the Encrypted Negative
Password (ENP) and the Negative Database (abbreviated as NDB). Which is based
on cryptographic hash function, symmetric encryption, and a password
authentication framework. The NDB is a new security technique that is inspired
by biological immune systems and has a wide range of applications. In the ENP,
the secret key is the hash value of the password of each user, so it is almost
always different and does not need to be specially generated and stored.
Consequently, the ENP enables symmetric encryption to be used for password
protection
 To enhance the security to the existing system,
 Multiple Iterations will be done to the ENP as additional strength by using
the encryption technique or the symmetric key algorithm.
 Considering the key as the same hash value which is produced at the time
of hashing.
 Compared with the salted password scheme and key stretching, the ENP
guarantees the diversity of passwords by itself without introducing extra
elements.
 Stronger security algorithm which provides resistance to various kind of
attacks including dictionary attacks and look-up table attack
 No extra burden on programmers for configuring more parameters
 Simple and convenient to use

19
 CHAPTER 4

METHODOLOGY
---------------------------------------------------------------------------------------------------------------
4.1 Introduction
Systems design is the process of defining the architecture, components,
modules, interfaces, and data for a system to satisfy specified requirements.
Systems design could see it as the application of systems theory to product
development. There is some overlap with the disciplines of systems analysis,
systems architecture and systems engineering.

4.2 System Architecture

User

Plain Password

Hash

Hashed Password

Generate Negative
Password

Negative Password (Data) and Hashed Password (Key)

Encrypt

EENP

Authentication Data Table

Figure 4.1. The generation procedure of the EENP

20
 4.2.1 Verification of ENP

User

Plain Password

Authentication Data Table Hash

ENP (Data) Hashed Password (Key)

Decrypt

Negative Password and Hashed Password

Is solution?

Accept or Reject Request

User

Figure 4.3. The verification procedure of the EENP

4.3 Methodology
The proposed framework includes two phases: the registration phase and
authentication phase. When adopting our framework to protect passwords in an
authentication data table, the system designer must first select a cryptographic
hash function and a symmetric-key algorithm, where the condition that must be
satisfied is that the size of the hash value of the selected cryptographic hash
function is equal to the key size of the selected symmetric-key algorithm.

21
 a) Registration phase

On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a secure
channel; If the received username exists in the authentication data table, “The
username already exists!” is returned, which means that the server has rejected
the registration request, and the registration phase is terminated; otherwise, go
to Step (3); The received password is hashed using the selected cryptographic
hash function; The hashed password is converted into a negative password using
an NDB generation algorithm. The negative password is encrypted to an ENP
using the selected symmetric-key algorithm, where the key is the hash value of
the plain password. Here, as an additional option, multi-iteration encryption
could be used to further enhance passwords; The username and the resulting ENP
are stored in the authentication data table and “Registration success” is returned,
which means that the server has accepted the registration request.

b) Authentication phase

On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a secure
channel; If the received username does not exist in the authentication data table,
then “Incorrect username or password!” is returned, which means that the server
has rejected the authentication request, and the authentication phase is
terminated; otherwise, go to Step (3), Search the authentication data table for the
ENP corresponding to the received username. The ENP is decrypted (one or more
times according to the encryption setting in the registration phase) using the
selected symmetric-key algorithm, where the key is the hash value of the plain
password; thus, the negative password is obtained; If the hash value of the
received password is not the solution of the negative password then “Incorrect
username or password!” is returned, which means that the server has
rejected the authentication request, and the authentication phase is terminated;
otherwise, “Authentication success” is returned, which means that the server has
accepted the authentication request.

22
 4.4 Modules

Generation of Verification of
the ENP the ENP

4.5 AES Algorithm

AES has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits.
AES operates on a 4 × 4 column-major order matrix of bytes.

For instance, if there are 16 bytes, b0, b1, b2, b15 these bytes are represented as

this matrix:

The key size used for an AES cipher specifies the number of repetitions of
transformation rounds that convert the input, called the plaintext, into the final
output, called the cipher text. The number of cycles of repetition are as follows:

 10 cycles of repetition for 128-bit keys.

 12 cycles of repetition for 192-bit keys.
 14 cycles of repetition for 256-bit keys.

23
 Figure 4.4. Block diagram of AES Algorithm

Step 1: KeyExpansions

Round keys are derived from the cipher key using Rijndael's key schedule. AES
requires a separate 128-bit round key block for each round plus one more.

Step 2: InitialRound

 AddRoundKey: Each byte of the state is combined with a block of the round
key using bitwise xor.

Step 3: Rounds

 SubBytes: a non-linear substitution step where each byte is replaced with

another according to a lookup table.
 ShiftRows: a transposition step where the last three rows of the state are
shifted cyclically a certain number of steps.
 MixColumns: a mixing operation which operates on the columns of the
state, combining the four bytes in each column.
 AddRoundKey
24
 Step 4: Final Round (no MixColumns)

Figure 4.5. AddRound Key generation

In the AddRoundKey step, each byte of the state is combined with a byte of the
round subkey using the XOR operation (⊕).

The SubBytes step

Figure 4.6. SubByte generation

In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-
bit lookup table, S; bij = S(aij).

25
 Figure 4.7. 8 Bit Lookup Table

The ShiftRows step

Figure 4.8. ShiftRows generation

In the ShiftRows step, bytes in each row of the state are shifted cyclically to the
left. The number of places each byte is shifted differs for each row. Row {n} is shifted
left circular by {n-1} bytes
26
 The MixColumn step

Figure 4.9. MixColumn generation

In the MixColumns step, each column of the state is multiplied with a fixed
polynomial

C(x).

27
 Chapter 5

SYSTEM DESIGN
---------------------------------------------------------------------------------------------------------------

5.1 Introduction
Analysis specifies what a new or modified system does. The design specifies
how to accomplish the same. Design is essentially a bridge between requirement
specification and the final solution satisfying the requirements. The design
process focuses on depending on which modules are needed for the system, the
specification of these modules, and how the modules should be interconnected.

5.2 Mode of Operation of System:

5.2.1 Registration Phase

On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a secure
channel; If the received username exists in the authentication data table, “The
username already exists!” is returned, which means that the server has rejected
the registration request, and the registration phase is terminated; otherwise, go
to Step (3); The received password is hashed using the selected cryptographic
hash function; The hashed password is converted into a negative password using
an NDB generation algorithm the negative password is encrypted to an ENP using
the selected symmetric-key algorithm, where the key is the hash value of the plain
password. Here, as an additional option, multi-iteration encryption could be used
to further enhance passwords; The username and the resulting ENP are stored in
the authentication data table and “Registration success” is returned, which means
that the server has accepted the registration request.

5.2.2 Authentication Phase

On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a secure
channel; If the received username does not exist in the authentication data table,
then “Incorrect username or password!” is returned, which means that the server
28
 has rejected the authentication request, and the authentication phase is
terminated; otherwise, go to Step (3); Search the authentication data table for the
ENP corresponding to the received username; The ENP is decrypted (one or more
times according to the encryption setting in the registration phase) using the
selected symmetric-key algorithm, where the key is the hash value of the plain
password; thus, the negative password is obtained; If the hash value of the
received password is not the solution of the negative password then “Incorrect
username or password!” is returned, which means that the server has
rejected the authentication request, and the authentication phase is terminated;
otherwise, “Authentication success” is returned, which means that the server has
accepted the authentication request.

5.2.3 ENP – As – Service

This portal enables the owner of the product to share the solution we have
proposed to the external applications. The user just has to add a new client by
entering the client’s email ID. The portal will then generate the Client Identifier
and the unique PIN and sends it across an email to the client. The client will also
get the API details which has to be invoked to consume the web services we are
exposing. The client identifier and the client PIN are mandatory to be included in
each client request. Basically, two APIs are been exposed to the external clients

• Registration Service

• Verification Service

These APIs are exposed as a RESTful web services. REST stands for
Representational State Transfer. REST is web standards-based architecture and
uses HTTP Protocol. It revolves around resource where every component is a
resource and a resource is accessed by a common interface using HTTP standard
methods. REST was first introduced by Roy Fielding in 2000. In REST architecture, a
REST Server simply provides access to resources and REST client accesses and
modifies the resources. Here each resource is identified by URIs/ global IDs. REST
uses various representation to represent a resource like text, JSON, XML. JSON is the
most popular one.
29
 5.3 Mode of User Operation:
Registration Phase Here the users can create a new
account by providing their email ID and
password
Authentication Phase Here the users can verify if the entered
credentials are valid or not.
ENP – As – Service Here the users can verify if the entered
credentials are valid or not
Table 5.1. Mode of User Operation

5.4 Data Flow Diagram

5.4.1 Registration Phase

Registration.py web.xml

datatable.py aes.py enp.py

Figure 5.1. Block Diagram for Registration phase

30
 5.4.2 ENP As A Service

Figure 5.2: Flow diagram for ENP-As -A-Service

Figure 5.3. Flow Diagram of ENP

31
 5.5 UML Diagrams
Unified Modeling Language is one of the most existing tools in the world of
system development today Because UML enables system builders to create
blueprints that capture their visions in a standard, easy to understand way and
communicate them to others. The UML is a language for Visualizing, Specifying,
Constructing, and Documenting.

5.5.1 Use Case Diagram

Figure 5.4. Use Case Diagram For ENP

32
 5.5.2 Sequence Diagram

Figure 5.5. Sequence Diagram 1

33
 Figure 5.6. Sequence Diagram 2

34
 Figure 5.7. Sequence Diagram 3

Figure 5.8. Sequence Diagram 4

35
 CHAPTER 6

SYSTEM IMPLEMENTATIONS
---------------------------------------------------------------------------------------------------------------
6.1 Introduction
Implementation is the realization of an application, or execution of a plan,
idea, model, design, specification, standard, algorithm, or policy. In other words,
an implementation is a realization of a technical specification or algorithm as a
program, software component, or other computer system through programming
and deployment.
Implementation is one of the most important phases of the Software
Development Life Cycle (SDLC). It encompasses all the processes involved in getting
new software or hardware operating properly in its environment, including
installation, conFigureuration, running, testing, and making necessary changes.
Specifically, it involves coding the system using a particular programming
language and transferring the design into an actual working system. This
phase of the system is conducted with the idea that whatever is designed
should be implemented; keeping in mind that it fulfills user requirements, objective
and scope of the system. The implementation phase produces the solution to the
user problem.

6.2 Overview of System Implementation

This project is implemented considering the following aspects:
1. Generation procedure of the ENP
2. Verification of the ENP

36
 6.3Implemtation

6.3 inverse permutation

37
 6.4 Negitive password

38
 6.5output:

CHAPTER 7

SYSTEM ENVIRONMENTS
---------------------------------------------------------------------------------------------------------------
7.1 Introduction
It is a process of planning the new or modified system. Analysis specifies
what a new modified system does. The design specifies how to accomplish the
same. Design is essentially a bridge between requirement specification and the final
solution satisfying the requirements. The design of a system is essentially a
blueprint or a solution for the system.

7.2 Software Requirements

39
 Operating System Windows 7, 8.1,10

Programming language Python.

Development environment IDLE Python

Table 7.1. Software Requirements

7.3 Hardware Requirements

Processor Intel Core i3 with clock speed of 2.4 GHz or above

RAM 4GB or above
Hard disk 40 GB or above
Table 7.2. Hardware Requirements

7.4 Reason for Using Python Language

Python programming language is stable, flexible, and has tools available,
which is why I use Python to implement the data collection, processing, etc., From
development to deployment and maintenance, Python helps developers be
productive and confident about they’re building. Benefits that make Python the
best fit for machine learning and AI-based projects include simplicity and

40
 consistency, access to great libraries, and frameworks for AI and machine
learning (ML), flexibility, platform independence.

Simple and consistent:

 Python offers a brief and readable code. While complex algorithms and
versatile workflows stand behind machine learning, Python’s simplicity
allows developers to write reliable systems. Python code is understandable
by humans, which makes it easier to build models for machine learning.

An extensive selection of libraries and frameworks:

 Implementing AI and ML algorithms can be tricky and require a lot of time.
To reduce development time, programmers turn to several Python
frameworks and libraries.
 A software library is a pre-written code that developers use to solve common
programming tasks. Python, with its rich technology stack, has an extensive
set of libraries for artificial intelligence and machine learning. Here are some
of them:
o Pandas for general-purpose data analysis.
o Cryptography for Cryptography is a python package that is helpful in
Encrypting and Decrypting the data in python.
o Simple-Crypt for converts the plaintext to ciphertext and ciphertext
to plain text and very fast.
o Hashlib for an open-source python library used for encoding and it
contains most of the popular hashing algorithms i.e., MD5 & SHA256,
512(Most secured).

Platform independence:
 Platform independence refers to a programming language or framework
allowing developers to implement things on one machine and use them on
another machine without any changes. Python is supported by many
platforms including Linux, Windows, and macOS.

41
 CHAPTER 8

SYSTEM TESTING
-----------------------------------------------------------------------------------------------
8.1 Introduction
Testing is the process of evaluating a system or its components with the
intent to find whether it satisfies the specified requirements or not. Testing is
executing a system to identify any gaps, errors, or missing requirements contrary
to the actual desire or requirements. This chapter assistances the testing
methodologies that were applied during development, under the test-driven
development recommendations. As such, unit testing was exhaustively used for
each component module of the engine. Also, end to end testing was performed on
the two major parts of the system: the real-time component and the long-term
component.

8.2 Testing Strategies

To make sure that the system does not have any errors, the different levels
of testing strategies that are applied at different phases of software development
are

8.2.1 Unit Testing

The goal of unit testing is to isolate each part of the program and show that
individual parts are correct in terms of requirements and functionality. For the
engine, unit testing was done systematically, each module being tested during or
immediately after it was developed. The expected behavior is defined and tested
against the input. Consequently, all the modules developed were tested using the
same format. This approach was useful in discovering errors that affected the
system. Also, Table 8.1 presents a set of malfunctions that were found for the
modules tested. The ordering in the table was done based on the error disposed to
each module. As such, the stream module and the pre-processing module required
a significant amount of time for debugging compared to the other modules.

42
 No Module Source Error-Behaviour Fixed
1 Generation Multi Permutation rounds are very high that Yes
of ENP Iteration leads to hang the system.
2 Verification Comparing ENP can’t verify the password Yes
of ENP Values
Table 8.1. Presents A Set of Malfunctions

8.2.2 System Testing

While most of the inaccurate behavior was discovered and solved using
unit testing, end to end system testing was necessary to establish the reliability
and the performance of the system as a whole, so that interaction between
modules is as expected. Besides, end to end testing was required to ensure that
the tests employed to cover a significant amount of the code produced.

8.2.3 Acceptance Testing

The main purpose of this Testing is to find whether the application meets the
intended specifications and satisfies the client’s requirements. We will follow two
different methods in this testing.
a) Alpha Testing
This test is the first stage of testing and will be performed amongst the teams.
Unit testing, integration testing and system testing when combined are known as
alpha testing. During this phase, the following will be tested in the application:
 Spelling Mistakes.
 Broken Links.
 The Application will be tested on machines with the lowest specification to
test loading times and any latency problems.
b) Beta Testing
In beta testing, a sample of the intended audience tests the application and send
their feedback to the project team. By getting the feedback, the project team can
fix the problems before releasing the software to the actual users.

43
 8.2.4 Integration Testing
The testing of combined parts of an application to determine if they function
correctly together is Integration testing. This testing can be done by using two
different methods.
a) Top-Down Integration Testing
In Top-Down integration testing, the highest-level modules are tested first and then
progressively lower-level modules are tested.
b) Bottom-Up Integration Testing
Testing can be performed starting from the smallest and lowest level modules and
proceeding one at a time. When bottom level modules are tested attention turns to
those on the next level that use the lower-level ones they are tested individually
and then linked with the previously examined lower-level modules. In a
comprehensive software development environment, bottom-up testing is usually
done first, followed by top-down testing.

8.3 Testing Methods

a) White Box Testing
White box testing is a detailed investigation of the internal logic and structure of
the Code. To perform white box testing on an application, the tester needs to
possess knowledge of the internal working of the code. The tester needs to have a
look inside the source code and find out which unit/chunk of the code is behaving
inappropriately.
b) Black Box Testing
The technique of testing without having any knowledge of the interior workings
of the application is Black Box testing. The tester is oblivious to the system
architecture and does not have access to the source code. Typically, when
performing a black-box test, a tester will interact with the system’s user interface
by providing inputs and examining outputs without knowing how and where the
inputs are worked upon.
8.4 Validation
All the levels in the testing (unit, integration, system) and methods (black
box, white box) are implemented on our application successfully and the results
obtained as expected.
44
 CHAPTER 9

RESULTS
CHAPTER 10

CONCLUSION & FUTURE WORK

-----------------------------------------------------------------------------------------------

In this project, I proposed a password protection scheme called EENP, and

presented a password authentication framework based on the EENP. In this
framework, the entries in the authentication data table are EENPs. It is worth
mentioning that the EENP does not need extra elements (e.g., salt) while resisting
pre-computational attacks.
To enhance the password protection, I added multi-iterations for already-
analyzed and compared the attack complexity of hashed password, salted
password, key stretching and the ENP for which the results show that the ENP
could resist lookup table attack and provide stronger password protection under
dictionary attack

Future work
In the future, other NDB generation algorithms will be studied and
introduced to the ENP to further improve password security. Furthermore, other
techniques, such as multi–factor authentication and challenge–response
authentication, will be introduced into our password authentication framework.

45
 CHAPTER 11

REFERENCES
-----------------------------------------------------------------------------------------------

[1] J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, “Passwords and

the evolution of imperfect authentication,” Communications of the ACM, vol. 58,
no. 7, pp. 78–87, Jun. 2015.

[2] J. Jose, T. T. Tomy, V. Karunakaran, A. K. V, A. Varkey, and N. C. A., “Securing

passwords from dictionary attack with character-tree,” in Proceedings of 2016
International Conference on Wireless Communications, Signal Processing and
Networking, Mar. 2016, pp. 2301–2307.

[3] A. Biryukov, D. Dinu, and D. Khovratovich, “Argon2: New generation of

memory- hard functions for password hashing and other applications,” in
Proceedings of 2016 IEEE European Symposium on Security and Privacy, Mar.
2016, pp. 292– 302.

[4] “Password Hashing Competition,” https://password-hashing.net/.

[5] S. Boonkrong and C. Somboonpattanakit, “Dynamic salt generation and

placement for secure password storing,” IAENG International Journal of
Computer Science, vol. 43, no. 1, pp. 27–36, 2016.

[6] F. Esponda, E. S. Ackley, S. Forrest, and P. Helman, “Online negative

databases,” in Proceedings of Artificial Immune Systems. Springer Berlin
Heidelberg, 2004, pp. 175–188.

[7] Wenjian Luo, Senior Member, IEEE, Yamin Hu, Hao Jiang, and Junteng Wang,”
Authentication by Encrypted Negative Password”, 2018, pp. 1556-6013.

46
 [8] F. Esponda, S. Forrest, and P. Helman, “Enhancing privacy through negative
representations of data,” Department of Computer Science, University of New
Mexico, Tech. Rep., 2004

[9] N. Provos and D. Mazi`eres, “A future-adaptive password scheme,” in

Proceedings of the Annual Conference on USENIX Annual Technical Conference.
USENIX Association, 1999, pp. 32–32.

[10] “RFC 7914: The scrypt Password-Based Key Derivation Function,”

https://tools.ietf.org/html/rfc7914

[11] A. Biryukov, D. Dinu, and D. Khovratovich, “Argon2: New generation of

memoryhard functions for password hashing and other applications,” in
Proceedings of 2016 IEEE European Symposium on Security and Privacy, Mar.
2016, pp. 292–302.

[12] M. C. Ah Kioon, Z. S. Wang, and S. Deb Das, “Security analysis of MD5

algorithm in password storage,” in Proceedings of Instruments, Measurement,
Electronics and Information Engineering. Trans Tech Publications, Oct. 2013, pp.
2706–2711.

[13] S. Boonkrong and C. Somboonpattanakit, “Dynamic salt generation and

placement for secure password storing,” IAENG International Journal of
Computer Science, vol. 43, no. 1, pp. 27–36, 2016.

[14] E. H. Spafford, “Opus: Preventing weak password choices,” Computers &

Security, vol. 11, no. 3, pp. 273–278, 1992.

[15] M. C. Ah Kioon, Z. S. Wang, and S. Deb Das, “Security analysis of MD5

algorithm in password storage,” in Proceedings of Instruments, Measurement,
Electronics and Information Engineering. Trans Tech Publications, Oct. 2013, pp.
2706–2711.

47
48