1. INTRODUCTION
1.1. Introduction to Project:
Owing to the development of the Internet, a vast number of online services have
emerged, in which password authentication is the most widely used authentication
technique, because it is available at low cost and easy to deploy. Hence, password
security always attracts great interest from academia and industry. Despite great research
achievements on password security, passwords are still cracked because of users' careless
behaviors. For instance, many users select weak passwords; they tend to reuse the same
passwords in different systems; and they usually set their passwords using familiar
vocabulary because it is convenient to remember. In addition, system problems may cause
password compromises. It is very difficult to obtain passwords from high-security
systems. On the one hand, stealing authentication data tables (containing usernames and
passwords) from high-security systems is difficult. On the other hand, when carrying out an
online guessing attack, there is usually a limit on the number of login attempts.
However, passwords may be leaked from weak systems. Vulnerabilities are
constantly being discovered, and not all systems can be patched in time to resist attacks,
which gives adversaries an opportunity to illegally access weak systems. In fact, some
old systems are more vulnerable because of their lack of maintenance. Finally, since
passwords are often reused, adversaries may log into high-security systems using
passwords cracked from low-security systems.
1.1. Purpose of the Project:
The purpose of this document is to provide Software Requirement Specification for “Design and
Implementation of Authentication scheme by Encrypted Negative Password”.
1.2. Scope:
The software product is an application named “Design and Implementation
of Authentication Scheme by Encrypted Negative Password”.
In our framework, first, the received plain password from a client is hashed through a
cryptographic hash function (e.g., SHA-256). Then, the hashed password is converted
into a negative password. Finally, the negative password is encrypted into an Encrypted
Negative Password (abbreviated as ENP) using a symmetric-key algorithm (e.g., AES),
and multi-iteration encryption could be employed to further improve security.
The cryptographic hash function and symmetric encryption make it difficult to crack
passwords from ENPs. Moreover, there are lots of corresponding ENPs for a given plain
password, which makes precomputation attacks (e.g., lookup table attack and rainbow
table attack) infeasible. The algorithm complexity analyses and comparisons show that
the ENP could resist lookup table attack and provide stronger password protection under
dictionary attack.
It is worth mentioning that the ENP does not introduce extra elements (e.g., salt); even
so, the ENP can still resist precomputation attacks. Most importantly, the ENP is the
first password protection scheme that combines the cryptographic hash function, the
negative password and the symmetric-key algorithm, without the need for any additional
information except the plain password.
1.3. Existing System:
Hashed Password: The simplest scheme to store passwords is to directly store plain
passwords. However, this scheme presents a problem that once adversaries obtain the
authentication data table, all passwords are immediately compromised. To safely store
passwords, a common scheme is to hash passwords using a cryptographic hash function
[17], because it is infeasible to directly recover plain passwords from hashed passwords.
The cryptographic hash function quickly maps data of arbitrary size to a fixed-size
sequence of bits. In the authentication system using the hashed password scheme, only
hashed passwords are stored. However, hashed passwords cannot resist lookup table
attack [17]. Furthermore, rainbow table attack is more practical for its space-time tradeoff
[18]. Processor resources and storage resources are becoming richer, which makes the
precomputed tables used in the above two attacks sufficiently large, so that adversaries
could obtain a higher success rate of cracking hashed passwords.
Salted Password: To resist precomputation attacks, the most common scheme is salted
password [17]. In this scheme, the concatenation of a plain password and random data
(called a salt) is hashed through a cryptographic hash function. The salt is usually
generated at random, which ensures that the hash values of the same plain password are
almost always different. The greater the size of the salt, the higher the password
security. However, under dictionary attack, salted passwords are still weak. Note that
compared with salted password, the ENP proposed in this paper guarantees the diversity
of passwords without the need for extra elements (e.g., salt).
Key Stretching: To resist dictionary attack, key stretching [38], which converts weak
passwords into enhanced passwords, was proposed. Key stretching increases the time
cost of every password attempt, so that the power of defending against dictionary attack
is increased. In the ENP proposed in this paper, like key stretching, multi-iteration
encryption is used to further improve password security under dictionary attack;
compared with key stretching, the ENP does not introduce extra elements (e.g., salt).
Disadvantages:
The system is not secure due to the lack of an improved dynamic keyed-hash message
authentication code function (abbreviated as d-HMAC).
A password protection scheme called Encrypted Negative Password is absent.
1.4. Proposed systems with Features
In this project, a password protection scheme called Encrypted Negative Password
(abbreviated as ENP) is proposed, which is based on the Negative Database (abbreviated
as NDB), cryptographic hash function and symmetric encryption, and a password
authentication framework based on the ENP is presented. The NDB is a new security
technique that is inspired by biological immune systems and has a wide range of
applications.
In the ENP, the secret key is the hash value of the password of each user, so it is almost
always different and does not need to be specially generated and stored. Consequently,
the ENP enables symmetric encryption to be used for password protection.
2. LITERATURE SURVEY
Below are the typical password protection schemes:
1. Hashed Password
The simplest scheme to store passwords is to directly store plain passwords. However,
this scheme presents a problem that once adversaries obtain the authentication data
table, all passwords are immediately compromised. To safely store passwords, a
common scheme is to hash passwords using a cryptographic hash function, because it is
infeasible to directly recover plain passwords from hashed passwords. The
cryptographic hash function quickly maps data of arbitrary size to a fixed-size sequence
of bits. In the authentication system using the hashed password scheme, only hashed
passwords are stored. However, hashed passwords cannot resist lookup table attack.
Furthermore, rainbow table attack is more practical for its space-time tradeoff.
Processor resources and storage resources are becoming richer, which makes the
precomputed tables used in the above two attacks sufficiently large, so that adversaries
could obtain a higher success rate of cracking hashed passwords.
2. Salted Password
To resist precomputation attacks, the most common scheme is salted password. In this
scheme, the concatenation of a plain password and a random data (called salt) is
hashed through a cryptographic hash function. The salt is usually generated at random,
which ensures that the hash values of the same plain passwords are almost always
different. However, under dictionary attack, salted passwords are still weak.
Note that compared with salted password, the ENP proposed in this paper
guarantees the diversity of passwords without the need for extra elements (e.g., salt).
3. Key Stretching
To resist dictionary attack, key stretching, which converts weak passwords into enhanced
passwords, was proposed. Key stretching increases the time cost of every password
attempt, so that the power of defending against dictionary attack is increased. In the
ENP, like key stretching, multi-iteration encryption is used to further improve
password security under dictionary attack, and compared with key stretching, the ENP
does not introduce extra elements (e.g., salt).
N. Provos and D. Mazières, “A future-adaptive password scheme,” in Proceedings of the
Annual Conference on USENIX Annual Technical Conference. USENIX
Association, 1999, pp. 32–32.
“RFC 7914: The scrypt Password-Based Key Derivation Function,”
[Link]
A. Biryukov, D. Dinu, and D. Khovratovich, “Argon2: New generation of memory-hard functions
for password hashing and other applications,” in Proceedings of 2016 IEEE European
Symposium on Security and Privacy, Mar. 2016, pp. 292–302.
The above Key Stretching schemes are used to defend against dictionary attack.
Drawbacks:
Although key stretching schemes provide stronger password protection than salted
password under dictionary attack, they impose an extra burden on programmers for
configuring more parameters.
M. C. Ah Kioon, Z. S. Wang, and S. Deb Das, “Security analysis of MD5 algorithm in password
storage,” in Proceedings of Instruments, Measurement, Electronics and Information
Engineering. Trans Tech Publications, Oct. 2013, pp. 2706–2711.
In the above paper, a scheme based on MD5 was proposed. It is a variant of salted password,
where the salt is two random strings.
Drawbacks:
Although it could resist lookup table attack and make dictionary attack difficult, it
introduces many parameters, which makes it complicated and inconvenient to use.
S. Boonkrong and C. Somboonpattanakit, “Dynamic salt generation and placement for secure
password storing,” IAENG International Journal of Computer Science, vol. 43, no. 1, pp. 27–36,
2016.
Here, dynamic salt generation and placement are used to improve password
security. Essentially, this scheme is also a variant of salted password, where the salt is a
random string that depends on the original password.
Drawbacks:
It could resist lookup table attack; however, it could not defend against dictionary attack,
and it also introduces an extra element (i.e., salt).
3. SOFTWARE REQUIREMENT ANALYSIS
3.3. Functional Requirements:
To implement a computationally lightweight, efficient password protection scheme
called Encrypted Negative Password (abbreviated as ENP).
To design and implement the service layers that expose this password protection layer to
the other layers in the server-side architecture.
To implement the solution in such a way that it is easy to integrate with
existing systems.
To show that the proposed scheme provides strong security against various kinds of
attacks.
To provide clients with an efficient user interface for accessing the portal.
To deploy the project on the cloud so that it can be accessed from various
geographical locations and from any device.
3.4. Non-Functional Requirements
It should be easy to access from the various browsers available.
The response time of the application should reflect real-time observations.
The algorithm should never fail in any of the test cases.
There should not be any security concerns about the merged data.
Each user's activity should be separated from the other users' activities.
3.5. FEASIBILITY ANALYSIS:
An important outcome of the preliminary investigation is the determination that the system
request is feasible. This is possible only if it is feasible within limited resources and time. The
different feasibilities that have to be analyzed are:
Operational Feasibility
Economic Feasibility
Technical Feasibility
Operational Feasibility
Operational Feasibility deals with the study of the prospects of the system to be developed.
This system operationally relieves the Admin of routine burdens and helps in effectively
tracking the project progress. This kind of automation will surely reduce the time and energy
that were previously consumed by manual work. Based on the study, the system is shown to be
operationally feasible.
Economic Feasibility
Economic Feasibility, or cost-benefit analysis, is an assessment of the economic justification for a
computer-based project. As the hardware was installed from the beginning and serves many purposes,
the hardware cost of the project is low. Since the system is network based, any number of
employees connected to the LAN within the organization can use this tool at any time. The
Virtual Private Network is to be developed using the existing resources of the organization. So
the project is economically feasible.
Technical Feasibility
According to Roger S. Pressman, Technical Feasibility is the assessment of the technical
resources of the organization. The organization needs IBM-compatible machines with a graphical
web browser connected to the Internet and Intranet. The system is developed for a platform-
independent environment. Java Server Pages, JavaScript, HTML, SQL Server and WebLogic
Server are used to develop the system. The technical feasibility study has been carried out. The system
is technically feasible for development and can be developed with the existing facilities.
4. Software and Hardware Requirements:
4.1. Software Requirements
Table 1: Software Requirements
Operating System: Windows
Programming Language – Backend: Core Java, Advanced Java, J2EE, Map Reduce Framework, MVC Framework
Programming Language – Frontend: Bootstrap Framework, HTML, CSS, JavaScript, Ajax, JQuery
Development Environment: Eclipse Oxygen IDE
Application Server: Apache Tomcat v9.0
Database: HDFS
4.2. Hardware Requirements
Table 2: Hardware Requirements
Processor: Intel Core i5 or AMD FX 8-core series with clock speed of 2.4 GHz or above
RAM: 2 GB or above
Hard disk: 40 GB or above
Input device: Keyboard, mouse or compatible pointing devices
Display: XGA (1024*768 pixels) or higher resolution monitor with 32-bit color settings
Miscellaneous: USB interface, power adapter, etc.
5. SOFTWARE DESIGN:
5.1. Data Flow Diagram:
1. On the client side, a user enters his/her username and password. Then, the username and plain
password are transmitted to the server through a secure channel;
2. If the received username exists in the authentication data table, “The username already exists!”
is returned, which means that the server has rejected the registration request, and the
registration phase is terminated; otherwise, go to Step (3);
3. The received password is hashed using the selected cryptographic hash function;
4. The hashed password is converted into a negative password using an NDB generation algorithm.
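As an added worked example (not the project's own code) of Steps 3 and 4 above and of the verification idea from Section 1.4, the following Python builds a negative password from a SHA-256 hash and checks that the hash is its unique solution. The NDB generation algorithm is assumed to be the classic "prefix" construction with a randomized bit order; the AES layer of the ENP (encrypting the negative password under the hash as key) is left out, since Python's standard library has no AES.

```python
import hashlib
import random

# Added example, not the project's own code. The negative password is built with
# the classic "prefix" negative-database construction: for a hidden n-bit string
# x, the entries  x[0..i-1] + (NOT x[i]) + '*'*(n-i-1)  for i = 0..n-1 together
# match every n-bit string EXCEPT x, so x is the unique solution of the NDB.
# The bit order is randomised here (an assumption of this example), so one hashed
# password yields many distinct negative passwords, which is what defeats
# precomputed tables. The AES step of the ENP is not included.


def hash_bits(password: str) -> str:
    """Step 3: SHA-256 of the plain password, as a 256-character bit string."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "".join(f"{b:08b}" for b in digest)


def negative_password(x: str, seed=None) -> list[str]:
    """Step 4: an NDB (strings over {0,1,*}) whose only solution is x."""
    rng = random.Random(seed)           # seed=None -> fresh OS randomness
    n = len(x)
    order = list(range(n))
    rng.shuffle(order)                  # different order -> different NDB
    entries = []
    for i in range(n):
        entry = ["*"] * n
        for pos in order[:i]:           # bits fixed to AGREE with x
            entry[pos] = x[pos]
        flip = order[i]                 # one bit fixed to DISAGREE with x
        entry[flip] = "1" if x[flip] == "0" else "0"
        entries.append("".join(entry))
    return entries


def entry_matches(entry: str, s: str) -> bool:
    """An entry matches s when every non-'*' position agrees with s."""
    return all(e == "*" or e == c for e, c in zip(entry, s))


def is_solution(ndb: list[str], s: str) -> bool:
    """s is a solution of the NDB iff no entry matches it."""
    return not any(entry_matches(entry, s) for entry in ndb)


def verify(ndb: list[str], candidate: str) -> bool:
    """Verification phase: hash the candidate and test it against the stored NDB.
    In the real ENP the stored value is first decrypted under the candidate's hash."""
    return is_solution(ndb, hash_bits(candidate))


def count_solutions(ndb: list[str], n: int) -> int:
    """Exhaustively count solutions; only for small n, to show uniqueness."""
    return sum(is_solution(ndb, f"{v:0{n}b}") for v in range(2 ** n))


if __name__ == "__main__":
    # Constructed demo values.
    stored = negative_password(hash_bits("correct horse"), seed=7)
    print("right password accepted:", verify(stored, "correct horse"))   # True
    print("wrong password rejected:", not verify(stored, "correct hors"))  # True
    # Two registrations of the same password give different negative passwords.
    other = negative_password(hash_bits("correct horse"), seed=8)
    print("distinct negative passwords:", stored != other)                # True
    # On a 4-bit toy string, exactly one of the 16 strings solves the NDB.
    print("solutions of toy NDB:", count_solutions(negative_password("1011", seed=0), 4))  # 1
```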
[Figure: data flow diagram. Entities: Owner, Web Server, End User, Attacker. Labels: "Send File Name, URL, Mac, Data Description etc. and One More Copy of File Details in Owner"; "Request Skey, Category & information type & downloads the file"; "Verify Your Password"; "In case of file is not safe, Delete the file & makes changes on to cloud server".]
5.2. Flow Chart: End User
[Figure: end-user flow chart. Nodes: Start, User Register, Login (Yes/No), Username & Password Wrong, View User Profile, Request Owner, Search File, Download File, Top N File, Verify Your Password, Logout.]
SCREEN SHOTS
9.1 Screenshot 1:
[Screenshot: home page at localhost:8080/ENP/ with navigation Home, Registration Phase, Verification Phase, ENP-as-a-Service and Usage Statistics; the page text repeats the project abstract, Existing Systems, Proposed Solution and Advantages from Sections 1.1 to 1.4.]
Figure 24: Home Page Screenshot
9.2 Screenshot 2:
[Screenshot: Registration Phase page of Encrypted Negative Password (ENP).]
Figure 25: Registration Phase Screenshot
9.3 Screenshot 3:
[Screenshot: Verification Phase page with the same navigation and a Verify button.]
Figure 26: Verification Phase Screenshot
9.4 Screenshot 4:
[Screenshot: ENP-as-a-Service page showing "Message from the Server: Deleted the Access to the Client CLIENT-08120656043".]
Figure 27: ENP-As-A-Service Screenshot
9.5 Screenshot 5:
[Screenshot: Usage Statistics page of the ENP service.]
Figure 28: Usage Statistics of ENP Service
CONCLUSION AND FUTURE WORK
Conclusion
In this project, we proposed a password protection scheme called ENP, and presented a
password authentication framework based on the ENP. In our framework, the entries in the
authentication data table are ENPs. In the end, we analyzed and compared the attack
complexity of hashed password, salted password, key stretching and the ENP. The results show
that the ENP could resist lookup table attack and provide stronger password protection under
dictionary attack. It is worth mentioning that the ENP does not need extra elements (e.g., salt)
while resisting lookup table attack.
Future work
In the future, other NDB generation algorithms will be studied and introduced to the ENP
to further improve password security. Furthermore, other techniques, such as multi-factor
authentication and challenge-response authentication, will be introduced into our
password authentication framework.
REFERENCES
[1] J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, “Passwords and the evolution
of imperfect authentication,” Communications of the ACM, vol. 58, no. 7, pp.
78–87, Jun. 2015.
[2] M. A. S. Gokhale and V. S. Waghmare, “The shoulder surfing resistant graphical
password authentication technique,” Procedia Computer Science, vol. 79, pp. 490–498, 2016.
[3] J. Ma, W. Yang, M. Luo, and N. Li, “A study of probabilistic password models,” in
Proceedings of 2014 IEEE Symposium on Security and Privacy, May 2014, pp. 689–704.
[4] A. Adams and M. A. Sasse, “Users are not the enemy,” Communications of the ACM, vol. 42, no.
12, pp. 40–46, Dec. 1999.
[5] E. H. Spafford, “Opus: Preventing weak password choices,” Computers & Security, vol.
11, no. 3, pp. 273–278, 1992.
[6] Y. Li, H. Wang, and K. Sun, “Personal information in passwords and its security
implications,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp.
2320–2333, Oct. 2017.
[7] D. Florencio and C. Herley, “A large-scale study of web password habits,” in Proceedings
of the 16th International Conference on World Wide Web. ACM, 2007, pp. 657–666.
[8] R. Shay, S. Komanduri, A. L. Durity, P. S. Huh, M. L. Mazurek, S. M. Segreti, B. Ur, L.
Bauer, N. Christin, and L. F. Cranor, “Designing password policies for strength and usability,”
ACM Transactions on Information and System Security, vol. 18, no. 4, pp. 13:1–13:34, May
2016.
[9] D. Wang, D. He, H. Cheng, and P. Wang, “fuzzyPSM: A new password strength meter
using fuzzy probabilistic context-free grammars,” in Proceedings of 2016 46th Annual IEEE/IFIP
International Conference on Dependable Systems and Networks, Jun. 2016, pp. 595–606.
[10] H. M. Sun, Y. H. Chen, and Y. H. Lin, “oPass: A user authentication protocol resistant to
password stealing and password reuse attacks,” IEEE Transactions on Information Forensics and
Security, vol. 7, no. 2, pp. 651–663, Apr. 2012.
[11] M. Zviran and W. J. Haga, “Password security: An empirical study,” Journal of
Management Information Systems, vol. 15, no. 4, pp. 161–185, 1999.
[12] P. Andriotis, T. Tryfonas, and G. Oikonomou, “Complexity metrics and user strength
perceptions of the pattern-lock graphical authentication method,” in Proceedings of Human
Aspects of Information Security, Privacy, and Trust. Springer International Publishing, 2014, pp.
115–126.
[13] D. P. Jablon, “Strong password-only authenticated key exchange,” SIGCOMM Computer
Communication Review, vol. 26, no. 5, pp. 5–26, Oct. 1996.
[14] J. Jose, T. T. Tomy, V. Karunakaran, A. K. V, A. Varkey, and N. C. A., “Securing passwords
from dictionary attack with character-tree,” in Proceedings of 2016 International Conference on
Wireless Communications, Signal Processing and Networking, Mar. 2016, pp. 2301–2307.
[15] A. Arora, A. Nandkumar, and R. Telang, “Does information security attack frequency
increase with vulnerability disclosure? an empirical analysis,” Information Systems Frontiers,
vol. 8, no. 5, pp. 350–362, Dec. 2006.
[16] R. Song, “Advanced smart card based password authentication protocol,” Computer
Standards & Interfaces, vol. 32, no. 5, pp. 321–325, 2010.
[17] M. C. Ah Kioon, Z. S. Wang, and S. Deb Das, “Security analysis of MD5 algorithm in
password storage,” in Proceedings of Instruments, Measurement, Electronics and Information
Engineering. Trans Tech Publications, Oct. 2013, pp. 2706–2711.
[18] P. Oechslin, “Making a faster cryptanalytic time-memory trade-off,” in Proceedings of
Advances in Cryptology - CRYPTO 2003. Springer Berlin Heidelberg, 2003, pp. 617–630.
[19] S. Noel, M. Elder, S. Jajodia, P. Kalapa, S. O’Hare, and K. Prole,
“Advances in topological vulnerability analysis,” in Proceedings of
2009 Cybersecurity Applications Technology Conference for
Homeland Security, Mar. 2009, pp. 124–129.