Professional Documents
Culture Documents
Figure No. Page No.: List of Figures
Figure No. Page No.: List of Figures
INTRODUCTION
---------------------------------------------------------------------------------------------------------------
1.1 Introduction
Due to the development of the Internet, a vast number of online services
have emerged, in which password authentication is the most widely used
authentication technique, for it is available at a low cost and easy to deploy.
Hence, password security always attracts great interest from academia and
industry. Despite great research achievements on password security, passwords
are still cracked since users’ careless behaviours. For instance, many users often
select weak passwords; they tend to reuse same passwords in different systems;
they usually set their passwords using familiar vocabulary for its convenience to
remember. In addition, system problems may cause password compromises. It is
very difficult to obtain passwords from high security systems. On the one hand,
stealing authentication data tables (containing usernames and passwords) in high
security systems is difficult. On the other hand, when carrying out an online
guessing attack, there is usually a limit to the number of login attempts. However,
passwords may be leaked from weak systems. Vulnerabilities are constantly
being discovered, and not all systems could be timely patched to resist attacks,
which gives adversaries an opportunity to illegally access weak systems. In fact,
some old systems are more vulnerable due to their lack of maintenance. Finally,
since passwords are often reused, adversaries may log into high security systems
through cracked passwords from systems of low security.
After obtaining authentication data tables from weak systems, adversaries
can carry out offline attacks. Passwords in the authentication data table are
usually in the form of hashed passwords. However, because processor resources
and storage resources are becoming more and more abundant, hashed passwords
cannot resist precomputation attacks, such as rainbow table attack and lookup
table attack. Note that there is a trend of generalization of adversaries, because
anyone could obtain access to information on vulnerabilities from vulnerability
databases, such as the Open-Source Vulnerability Database (OSVDB), National
Vulnerability Database (NVD), and the Common Vulnerabilities and Exposures
1
(CVE), and then make use of these information to crack systems. Moreover, they
could download and use attack tools without the need for very professional security
knowledge. Some powerful attack tools, such as hash cat, Rainbow Crack and John
the Ripper, provide a variety of functions, such as multiple hash algorithms,
multiple attack models, multiple operating systems, and multiple platforms,
which raises a higher demand for secure password storage. In these situations,
attacks are usually carried out as follows. First, adversaries pre-compute a lookup
table, where the keys are the hash values of elements in a password list
containing frequently-used passwords, and the records are the corresponding plain
passwords in the password list. Next, they obtain an authentication data table
from low security systems. Then, they search for the plain passwords in the
lookup table by matching hashed passwords in the authentication data table and
the keys in the lookup table. Finally, the adversaries log into higher security
systems through cracked usernames and passwords, so that they could steal
more sensitive information of users and obtain some other benefits. A
considerable number of attacks are carried out in this way, so that adversaries
could obtain passwords at a low cost, which is advantageous to their goals. One of
the main reasons for the success of the above lookup table attack is that the
corresponding hashed password is determined for a given plain password.
Therefore, the lookup table could be quickly constructed, and the size of the
lookup
table could be sufficiently large, which results in a high success rate of cracking
hashed passwords.
3
cannot resist lookup table attack. Furthermore, rainbow table attack is more
practical for its space-time trade-off. Processor resources and storage resources are
becoming richer, which makes the precomputed tables used in the above two
attacks sufficiently large, so that adversaries could obtain a higher success rate of
cracking hashed passwords.
Salted Password:
To resist precomputation attacks, the most common scheme is salted
password. In this scheme, the concatenation of a plain password and a random
data (called salt) is hashed through a cryptographic hash function. The salt is
usually generated at random, which ensures that the hash values of the same
plain passwords are almost always different. The greater the size of the salt is, the
higher the password security is. However, under dictionary attack, salted
passwords are still weak. Note that compared with salted password, the ENP
proposed in this paper guarantees the diversity of passwords without the need
for extra elements (e.g., salt).
Key Stretching:
To resist dictionary attack, key stretching, which converts weak passwords
to enhanced passwords, was proposed. Key stretching could increase the time
cost required to every password attempt, so that the power of defending against
dictionary attack is increased. In the ENP proposed in this paper, like key
stretching, multi-iteration encryption is used to further improve password
security under dictionary attack, and compared with key stretching, the ENP does
not introduce extra elements (e.g., salt).
5
and the symbol ‘1’ only match the bit 1; The symbol ‘*’ can match either the bit 0
or 1. Every entry in an NDB consists of two kinds of positions: specified positions
and unspecified positions. Positions where the symbols are ‘0’ or ‘1’ are called
specified positions, while positions where the symbols are ‘*’ are called
unspecified positions. Accordingly, both ‘0’ and ‘1’ are specified symbols, and the
‘*’ is the unspecified symbol. A sequence of bits is covered by one entry in an NDB;
that is to say, the bits of the sequence are matched by the symbols of the entry at
the specified positions. If a sequence of bits is covered by one entry in an NDB, we
say that the sequence is covered by the NDB. If an NDB covers every entry in the
(U- DB), we say that the NDB is complete; otherwise, it is incomplete. The NDB
converted from a DB with only one entry is called the single NDB; otherwise, it is
called the multiple NDB.
There are two types of NDB generation algorithms, one for single NDBs and
one for multiple NDBs. In the first type, clause distribution control algorithm, 1-
hidden algorithm, 2-hidden algorithm, q-hidden algorithm, hybrid algorithm, p-
hidden algorithm, and K-hidden algorithm were proposed successively. In the
second type, the prefix algorithm, Randomize_NDB (abbreviated as RNDB),
multiple-solution algorithm was proposed successively; certainly, these
algorithms could also be used to generate single NDBs. Among NDBs generated by
these generation algorithms, under certain conditions, some are hard-to-reverse,
and others are easy-to-reverse. In our work, we employ two easy-to-reverse
complete single NDB generation algorithms to generate negative passwords.
6
1.5 Problem Statement
In our framework, first, the received plain password from a client is hashed
through a cryptographic hash function (e.g., SHA-256). Then, the hashed
password is converted into a negative password. Finally, the negative password is
encrypted into an Encrypted Negative Password (abbreviated as ENP) using a
symmetric-key algorithm (e.g., AES), and multi-iteration encryption could be
employed to further improve security.
The cryptographic hash function and symmetric encryption make it difficult
to crack passwords from ENPs. Moreover, there are lots of corresponding ENPs
for a given plain password, which makes pre-computation attacks (e.g., lookup
table attack and rainbow table attack) infeasible. The algorithm complexity
analyses and comparisons show that the ENP could resist lookup table attack and
provide stronger password protection under dictionary attack. It is worth
mentioning that the ENP does not introduce extra elements (e.g., salt); besides
this, the ENP could still resist pre-computation attacks. Most importantly, the ENP
is the first password protection scheme that combines the cryptographic hash
function, the negative password and the symmetric-key algorithm, without the
need for additional information except the plain password.
7
CHAPTER 2
LITERATURE SURVEY
-------------------------------------------------------------------------------------------------------------------------
2.1 Introduction
A literature survey is a body of textual content that pursues assessing the
critical factors of current understanding and or methodological approaches on a
specific topic. Its final intention is to carry the reader up to date with current
literature on a subject. And the groundwork for any other goal, such as future
research, may also be wanted in the area. A literature survey is a proof essay of
sorts. It is a study and review of relevant literature materials concerning a topic
given.
They proposed the theory on passwords has lagged behind the practice,
where large providers use back-end smarts to survive with imperfect technology.
Simplistic models of the user and attacker behaviors have led the research
community to emphasize the wrong threats. Authentication is a classification
problem amenable to machine learning, with many signals in addition to the
password available to large Web services. Passwords will continue as a useful signal
for the foreseeable future, where the goal is not impregnable security but
reducing harm at an acceptable cost.
They propose a novel method for ensuring security for passwords against
such dictionary attacks. Most websites use passwords for authenticating user
identity and for allowing access to website resources that may contain sensitive
information. A large number of people use dictionary words for creating passwords.
These user passwords are subjected to one-way hash functions and are stored
8
inside the database as corresponding hash values instead of plaintext. A potential
hacker can use precomputation attacks (brute-force, rainbow table or dictionary
attacks.,) to get the input password from the hash values and the most reported
real-life hacks were done by cracking password hashes using dictionary attack.
Currently, users are allowed to register on websites only with passwords that
obey the security policies. It is noted that, even though passwords with certain
patterns are accepted as strong by the existing policies, they are vulnerable for a
dictionary attack based on those patterns. This method checks the strength of the
user passwords using a dictionary which is stored as a character tree. This system
helps to create strong password hashes that are resistant to dictionary attacks.
This approach thus offers advanced and superior protection for passwords from
cracking attempts.
[5] Dynamic salt generation and placement for secure password storing.
They used Cryptographic hash functions such as MD5 and SHA-1 are the
most popular functions used for storing passwords. The main problem is that
they were not designed to serve such a purpose. Therefore, using them for storing
passwords has generated a vulnerability. An attack using a rainbow table is
possible. In order to counter this type of attack, a salt value has been introduced.
However, attaching a salt value to a password is still found not to be enough. This
research, therefore, proposes a method that helps generate and place a salt value
into a password dynamically. After the implementation and mathematical
analysis, the results show that if our method is applied, passwords will become more
tolerant of the attack, which makes it more difficult to compromise.
10
[6] Online negative databases.
They proposed that the plain password which is received from the client is
hashed to Cryptographic hash function like SHA-256. Then, the hashed password
is converted into a negative password. Finally, the negative password is
encrypted into an encrypted negative password (ENP) using a symmetric-key
algorithm like AES, and multi-iteration encryption could be utilized to further
improve security. The Cryptographic hash function and symmetric encryption,
make it difficult to crack passwords from ENPs. Moreover, there are lots of
corresponding ENPs for a given plain password which makes pre-computation
attacks (e.g., lookup table attack, and rainbow table attack) infeasible. The algorithm
complexity analyses and comparisons show that the ENP could resist lookup table
attacks and provide stronger password protection under the dictionary attack. It
is worth mentioning that the ENP does not introduce extra elements (e.g., salt);
besides this, the ENP could still resist pre-computation attacks. Most importantly,
the ENP is the first password protection scheme that combines the
11
Cryptographic hash function, the
12
negative password, and the symmetric-key algorithm, without the need for
additional information except the plain password.
[11] Argon2: New generation of memory hard functions for password hashing
and other applications.
The above Key Stretching schemes [9], [10], and [11] are used to defend
against dictionary attack.
13
Drawbacks:
Drawbacks:
Although it could resist lookup table attack and make dictionary attack
difficult, it introduces many parameters, which makes it complicated and
inconvenient to use.
[13] Dynamic salt generation and placement for secure password storing.
Here, the dynamic salt generation and placement are used to improve
password security. Essentially, this scheme is also a variant of salted password,
where the salt is a random string that is dependent on the original password.
Drawbacks:
It could resist lookup table attack; however, it could not defend against
dictionary attack and also introduces an extra element (i.e., salt).
14
CHAPTER 3
SYSTEM ANALYSIS
-----------------------------------------------------------------------------------------------------------------------------------
3.1 Introduction
The Analysis Phase is where the project lifecycle begins. The Analysis Phase
is where you break down the deliverables in the high-level Project Charter into
the more detailed business requirements. The Analysis Phase is also the part of
the project where you identify the overall direction that the project will take
through the creation of the project strategy documents.
B. Authentication Phase
The authentication phase is divided into five steps.
(1) On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a
secure channel.
(2) If the received username does not exist in the authentication data table,
then “Incorrect username or password!” is returned, which means that the
server has rejected the authentication request, and the authentication
phase is terminated; otherwise, go to Step (3);
(3) Search the authentication data table for the ENP corresponding to the
received username;
16
(4) The ENP is decrypted (one or more times according to the encryption setting
in the registration phase) using the selected symmetric-key algorithm, where
the key is the hash value of the plain password; thus, the negative password
is obtained;
(5) If the hash value of the received password is not the solution of the
negative password (verified by Algorithm 1 or Algorithm 2), then “Incorrect
username or password!” is returned, which means that the server has
rejected the authentication request, and the authentication phase is
terminated; otherwise, “Authentication success” is returned, which means
that the server has accepted the authentication request.
18
3.3 Proposed System
In this project, the proposed framework is based on the Encrypted Negative
Password (ENP) and the Negative Database (abbreviated as NDB). Which is based
on cryptographic hash function, symmetric encryption, and a password
authentication framework. The NDB is a new security technique that is inspired
by biological immune systems and has a wide range of applications. In the ENP,
the secret key is the hash value of the password of each user, so it is almost
always different and does not need to be specially generated and stored.
Consequently, the ENP enables symmetric encryption to be used for password
protection
To enhance the security to the existing system,
Multiple Iterations will be done to the ENP as additional strength by using
the encryption technique or the symmetric key algorithm.
Considering the key as the same hash value which is produced at the time
of hashing.
Compared with the salted password scheme and key stretching, the ENP
guarantees the diversity of passwords by itself without introducing extra
elements.
Stronger security algorithm which provides resistance to various kind of
attacks including dictionary attacks and look-up table attack
No extra burden on programmers for configuring more parameters
Simple and convenient to use
19
CHAPTER 4
METHODOLOGY
---------------------------------------------------------------------------------------------------------------
4.1 Introduction
Systems design is the process of defining the architecture, components,
modules, interfaces, and data for a system to satisfy specified requirements.
Systems design could see it as the application of systems theory to product
development. There is some overlap with the disciplines of systems analysis,
systems architecture and systems engineering.
User
Plain Password
Hash
Hashed Password
Generate Negative
Password
Encrypt
EENP
20
4.2.1 Verification of ENP
User
Plain Password
Decrypt
Is solution?
User
4.3 Methodology
The proposed framework includes two phases: the registration phase and
authentication phase. When adopting our framework to protect passwords in an
authentication data table, the system designer must first select a cryptographic
hash function and a symmetric-key algorithm, where the condition that must be
satisfied is that the size of the hash value of the selected cryptographic hash
function is equal to the key size of the selected symmetric-key algorithm.
21
a) Registration phase
On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a secure
channel; If the received username exists in the authentication data table, “The
username already exists!” is returned, which means that the server has rejected
the registration request, and the registration phase is terminated; otherwise, go
to Step (3); The received password is hashed using the selected cryptographic
hash function; The hashed password is converted into a negative password using
an NDB generation algorithm. The negative password is encrypted to an ENP
using the selected symmetric-key algorithm, where the key is the hash value of
the plain password. Here, as an additional option, multi-iteration encryption
could be used to further enhance passwords; The username and the resulting ENP
are stored in the authentication data table and “Registration success” is returned,
which means that the server has accepted the registration request.
b) Authentication phase
On the client side, a user enters his/her username and password. Then, the
username and plain password are transmitted to the server through a secure
channel; If the received username does not exist in the authentication data table,
then “Incorrect username or password!” is returned, which means that the server
has rejected the authentication request, and the authentication phase is
terminated; otherwise, go to Step (3), Search the authentication data table for the
ENP corresponding to the received username. The ENP is decrypted (one or more
times according to the encryption setting in the registration phase) using the
selected symmetric-key algorithm, where the key is the hash value of the plain
password; thus, the negative password is obtained; If the hash value of the
received password is not the solution of the negative password then “Incorrect
username or password!” is returned, which means that the server has
rejected the authentication request, and the authentication phase is terminated;
otherwise, “Authentication success” is returned, which means that the server has
accepted the authentication request.
22
4.4 Modules
Generation of Verification of
the ENP the ENP
For instance, if there are 16 bytes, b0, b1, b2, b15 these bytes are represented as
this matrix:
The key size used for an AES cipher specifies the number of repetitions of
transformation rounds that convert the input, called the plaintext, into the final
output, called the cipher text. The number of cycles of repetition are as follows:
23
Figure 4.4. Block diagram of AES Algorithm
Step 1: KeyExpansions
Round keys are derived from the cipher key using Rijndael's key schedule. AES
requires a separate 128-bit round key block for each round plus one more.
Step 2: InitialRound
AddRoundKey: Each byte of the state is combined with a block of the round
key using bitwise xor.
Step 3: Rounds
In the AddRoundKey step, each byte of the state is combined with a byte of the
round subkey using the XOR operation (⊕).
In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-
bit lookup table, S; bij = S(aij).
25
Figure 4.7. 8 Bit Lookup Table
In the ShiftRows step, bytes in each row of the state are shifted cyclically to the
left. The number of places each byte is shifted differs for each row. Row {n} is shifted
left circular by {n-1} bytes
26
The MixColumn step
In the MixColumns step, each column of the state is multiplied with a fixed
polynomial
C(x).
27
Chapter 5
SYSTEM DESIGN
---------------------------------------------------------------------------------------------------------------
5.1 Introduction
Analysis specifies what a new or modified system does. The design specifies
how to accomplish the same. Design is essentially a bridge between requirement
specification and the final solution satisfying the requirements. The design
process focuses on depending on which modules are needed for the system, the
specification of these modules, and how the modules should be interconnected.
• Registration Service
• Verification Service
These APIs are exposed as a RESTful web services. REST stands for
Representational State Transfer. REST is web standards-based architecture and
uses HTTP Protocol. It revolves around resource where every component is a
resource and a resource is accessed by a common interface using HTTP standard
methods. REST was first introduced by Roy Fielding in 2000. In REST architecture, a
REST Server simply provides access to resources and REST client accesses and
modifies the resources. Here each resource is identified by URIs/ global IDs. REST
uses various representation to represent a resource like text, JSON, XML. JSON is the
most popular one.
29
5.3 Mode of User Operation:
Registration Phase Here the users can create a new
account by providing their email ID and
password
Authentication Phase Here the users can verify if the entered
credentials are valid or not.
ENP – As – Service Here the users can verify if the entered
credentials are valid or not
Table 5.1. Mode of User Operation
Registration.py web.xml
30
5.4.2 ENP As A Service
31
5.5 UML Diagrams
Unified Modeling Language is one of the most existing tools in the world of
system development today Because UML enables system builders to create
blueprints that capture their visions in a standard, easy to understand way and
communicate them to others. The UML is a language for Visualizing, Specifying,
Constructing, and Documenting.
32
5.5.2 Sequence Diagram
33
Figure 5.6. Sequence Diagram 2
34
Figure 5.7. Sequence Diagram 3
35
CHAPTER 6
SYSTEM IMPLEMENTATIONS
---------------------------------------------------------------------------------------------------------------
6.1 Introduction
Implementation is the realization of an application, or execution of a plan,
idea, model, design, specification, standard, algorithm, or policy. In other words,
an implementation is a realization of a technical specification or algorithm as a
program, software component, or other computer system through programming
and deployment.
Implementation is one of the most important phases of the Software
Development Life Cycle (SDLC). It encompasses all the processes involved in getting
new software or hardware operating properly in its environment, including
installation, conFigureuration, running, testing, and making necessary changes.
Specifically, it involves coding the system using a particular programming
language and transferring the design into an actual working system. This
phase of the system is conducted with the idea that whatever is designed
should be implemented; keeping in mind that it fulfills user requirements, objective
and scope of the system. The implementation phase produces the solution to the
user problem.
36
6.3Implemtation
37
6.4 Negitive password
38
6.5output:
CHAPTER 7
SYSTEM ENVIRONMENTS
---------------------------------------------------------------------------------------------------------------
7.1 Introduction
It is a process of planning the new or modified system. Analysis specifies
what a new modified system does. The design specifies how to accomplish the
same. Design is essentially a bridge between requirement specification and the final
solution satisfying the requirements. The design of a system is essentially a
blueprint or a solution for the system.
39
Operating System Windows 7, 8.1,10
40
consistency, access to great libraries, and frameworks for AI and machine
learning (ML), flexibility, platform independence.
Platform independence:
Platform independence refers to a programming language or framework
allowing developers to implement things on one machine and use them on
another machine without any changes. Python is supported by many
platforms including Linux, Windows, and macOS.
41
CHAPTER 8
SYSTEM TESTING
-----------------------------------------------------------------------------------------------
8.1 Introduction
Testing is the process of evaluating a system or its components with the
intent to find whether it satisfies the specified requirements or not. Testing is
executing a system to identify any gaps, errors, or missing requirements contrary
to the actual desire or requirements. This chapter assistances the testing
methodologies that were applied during development, under the test-driven
development recommendations. As such, unit testing was exhaustively used for
each component module of the engine. Also, end to end testing was performed on
the two major parts of the system: the real-time component and the long-term
component.
42
No Module Source Error-Behaviour Fixed
1 Generation Multi Permutation rounds are very high that Yes
of ENP Iteration leads to hang the system.
2 Verification Comparing ENP can’t verify the password Yes
of ENP Values
Table 8.1. Presents A Set of Malfunctions
43
8.2.4 Integration Testing
The testing of combined parts of an application to determine if they function
correctly together is Integration testing. This testing can be done by using two
different methods.
a) Top-Down Integration Testing
In Top-Down integration testing, the highest-level modules are tested first and then
progressively lower-level modules are tested.
b) Bottom-Up Integration Testing
Testing can be performed starting from the smallest and lowest level modules and
proceeding one at a time. When bottom level modules are tested attention turns to
those on the next level that use the lower-level ones they are tested individually
and then linked with the previously examined lower-level modules. In a
comprehensive software development environment, bottom-up testing is usually
done first, followed by top-down testing.
RESULTS
CHAPTER 10
-----------------------------------------------------------------------------------------------
Future work
In the future, other NDB generation algorithms will be studied and
introduced to the ENP to further improve password security. Furthermore, other
techniques, such as multi–factor authentication and challenge–response
authentication, will be introduced into our password authentication framework.
45
CHAPTER 11
REFERENCES
-----------------------------------------------------------------------------------------------
[7] Wenjian Luo, Senior Member, IEEE, Yamin Hu, Hao Jiang, and Junteng Wang,”
Authentication by Encrypted Negative Password”, 2018, pp. 1556-6013.
46
[8] F. Esponda, S. Forrest, and P. Helman, “Enhancing privacy through negative
representations of data,” Department of Computer Science, University of New
Mexico, Tech. Rep., 2004
47
48