
REVISITING PRIOR PROPOSALS FOR DEFENSES

AGAINST LARGE-SCALE ONLINE PASSWORD

GUESSING ATTACKS

A PROJECT REPORT

Submitted by

ARUL ISAI.U.S-32308205004

PRIYADHARSHINI.S-32308205039

SUDHA.S-32308205047

in partial fulfillment for the award of the degree

of

BACHELOR OF TECHNOLOGY

in

INFORMATION TECHNOLOGY

MEENAKSHI COLLEGE OF ENGINEERING, CHENNAI

ANNA UNIVERSITY:: CHENNAI 600 025

MAY 2012


ANNA UNIVERSITY::CHENNAI 600 025

BONAFIDE CERTIFICATE

Certified that this project report “REVISITING PRIOR PROPOSALS FOR

DEFENSES AGAINST LARGE-SCALE ONLINE PASSWORD GUESSING

ATTACKS” is the bonafide work of “ARUL ISAI.U.S, PRIYADHARSHINI.S

and SUDHA.S” who carried out the project work under my supervision.

SIGNATURE
Mr. Upendra Babu, M.E., (Ph.D)
HEAD OF THE DEPARTMENT
Department of Information Technology
Meenakshi College of Engineering
West K.K. Nagar
Chennai-600 078.

SIGNATURE
Mrs. S. Rama, M.E.
SUPERVISOR
Assistant Professor
Department of Information Technology
Meenakshi College of Engineering
West K.K. Nagar
Chennai-600 078.

Submitted for the Project Viva-Voce held on ……………………

INTERNAL EXAMINER EXTERNAL EXAMINER

ACKNOWLEDGEMENT


We sincerely and wholeheartedly express our gratitude and indebtedness to our esteemed founder, chairperson and the authorities of MEENAKSHI AMMAL EDUCATIONAL TRUST for the patronage and parental care showered on our welfare throughout our academic career.

We deeply thank our Director Mrs. R. PREMALATHA KANIKANNAN, M.E., MBA, for providing the laboratory and library facilities that helped us complete our project successfully.

We express our deep sense of gratitude to our Principal Dr. G. GUNASEKARAN, B.E., M.E., Ph.D(Engg) for his support and encouragement throughout our course of study.

We express our sincere thanks to Mr. UPENDRA BABU, M.E., (Ph.D), Head of the Department of Information Technology, for giving constructive ideas and valuable criticism on our project.

We are immensely obliged to our internal project guide Mrs. S. RAMA, M.E., for her valuable suggestions, guidance and sustained interest in completing the project successfully.

We extend our gratitude to all the teaching and non-teaching staff members of our department, and to our friends, for their immense guidance throughout our project work.

ABSTRACT


Brute-force and dictionary attacks against the passwords of remote login services are increasing at an alarming rate. Preventing such attacks on a live network while keeping login convenient for legitimate users is a hard problem.

The widely used countermeasure is the Automated Turing Test (ATT, e.g., a CAPTCHA): an easy way to tell automated malicious login attempts from human ones, at a reasonable cost in inconvenience to users. One effective defense against automated online password guessing is to restrict the number of failed attempts allowed without an ATT to a very small number (e.g., three). This limits an attacker's automated programs to three free password guesses per target account, even when the guesses come from different machines in a botnet. However, it also inconveniences the legitimate user, who must then answer an ATT on the next login attempt once those guesses have been used up.

Here we analyse the inadequacy of existing login protocols, including those proposed specifically to prevent large-scale online dictionary attacks. We propose a new Password Guessing Resistant Protocol (PGRP), derived by revisiting those prior proposals. PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, while legitimate users can still make several failed login attempts before being challenged with an ATT. We argue that this method is more promising than the existing proposals.
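The following is an added example, not the report's Java/JSP implementation, showing the decision logic the abstract describes: failed guesses from hosts that have never logged in successfully are counted per username and capped at a single free attempt in total, so spreading guesses across a botnet buys nothing, while a host that has logged in before keeps its own, larger allowance before an ATT is demanded. The thresholds (K_UNKNOWN, K_KNOWN), the expiry window, the use of the source IP string as the host identity, and the rule that a successful login is what makes a host "known" are all assumptions made here for illustration; the page states only the one-attempt limit for unknown hosts and "several" attempts for legitimate users.

```python
"""Simplified PGRP-style login gate (added example; thresholds and host
identification are assumptions, not details taken from the report)."""
from dataclasses import dataclass, field
from typing import Callable

K_UNKNOWN = 1        # free failed guesses per username from ALL unknown sources combined (assumed)
K_KNOWN = 3          # free failed attempts per known (source, username) pair (assumed)
WINDOW = 24 * 3600   # seconds after which a stale counter is forgotten (assumed)


@dataclass
class PgrpGate:
    # (username, password) -> bool, supplied by the caller; keeps password storage out of the gate
    verify: Callable[[str, str], bool]
    # (source, username) pairs that have completed a successful login ("known" hosts)
    whitelist: set = field(default_factory=set)
    # username -> (failure count, time of last failure), for unknown sources
    fails_unknown: dict = field(default_factory=dict)
    # (source, username) -> (failure count, time of last failure), for known sources
    fails_known: dict = field(default_factory=dict)

    @staticmethod
    def _count(table, key, now):
        """Current counter value, treating an entry older than WINDOW as zero."""
        count, last = table.get(key, (0, now))
        return 0 if now - last > WINDOW else count

    def _bump(self, table, key, now):
        table[key] = (self._count(table, key, now) + 1, now)

    def needs_att(self, source, username, now):
        """True when this (source, username) has used up its free attempts."""
        if (source, username) in self.whitelist:
            return self._count(self.fails_known, (source, username), now) >= K_KNOWN
        # unknown hosts share one counter per username, so a botnet cannot reset it by switching IPs
        return self._count(self.fails_unknown, username, now) >= K_UNKNOWN

    def login(self, source, username, password, now, att_ok=False):
        """Return 'GRANTED', 'DENIED' or 'ATT_REQUIRED'.

        The password is only verified after the ATT gate is satisfied, so a
        caller that has not solved the ATT learns nothing about the password.
        """
        if self.needs_att(source, username, now) and not att_ok:
            return "ATT_REQUIRED"
        key = (source, username)
        if self.verify(username, password):
            self.whitelist.add(key)            # this source is now "known" for this user
            self.fails_known.pop(key, None)    # a successful login resets the pair's counter
            return "GRANTED"
        if key in self.whitelist:
            self._bump(self.fails_known, key, now)
        else:
            self._bump(self.fails_unknown, username, now)
        return "DENIED"


def demo():
    """Constructed scenario: a botnet guesses alice's password while alice logs in from home."""
    creds = {"alice": "correct horse"}   # constructed sample; a real system stores password hashes
    gate = PgrpGate(verify=lambda u, p: creds.get(u) == p)
    home, bot1, bot2 = "10.0.0.5", "203.0.113.1", "203.0.113.2"
    return [
        gate.login(home, "alice", "correct horse", now=0),   # GRANTED: home becomes known for alice
        gate.login(bot1, "alice", "password1", now=1),       # DENIED: the single free unknown guess
        gate.login(bot2, "alice", "password2", now=2),       # ATT_REQUIRED: counted per username, not per IP
        gate.login(home, "alice", "typo", now=3),            # DENIED: alice's own allowance is untouched
        gate.login(home, "alice", "typo", now=4),            # DENIED
        gate.login(home, "alice", "typo", now=5),            # DENIED: third known-source failure
        gate.login(home, "alice", "correct horse", now=6),   # ATT_REQUIRED: allowance exhausted
        gate.login(home, "alice", "correct horse", now=7, att_ok=True),  # GRANTED after solving the ATT
    ]
```

The scenario makes the security point concrete: after the botnet's first wrong guess, every further guess against alice from any unknown address is stopped by an ATT, yet alice's own machine still gets three mistakes before it is challenged, because the two counters are independent. The residual cost is that an attacker can deliberately force ATTs onto a targeted username from unknown hosts, which is an inconvenience rather than a lockout. Identifying a host by IP address breaks down behind NAT or with churning addresses, which is why a login cookie is the more reliable way to mark a host as known.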


TABLE OF CONTENTS

CHAPTER NO TITLE PAGE NO

ABSTRACT iv

LIST OF TABLES viii

LIST OF FIGURES ix

LIST OF ABBREVIATIONS xi

1. INTRODUCTION

1.1 General Description 2

1.2 Project Overview 4

1.3 Existing system 9

1.4 Proposed system 10

2. LITERATURE SURVEY 13

3. REQUIREMENT SPECIFICATION

3.1 Introduction 19

3.2 Hardware and Software specification 19

3.3 Technologies Used

3.3.1 Java 20

3.3.2 Introduction to Java 20

3.3.3 Working of Java 21

3.3.4 Java Server Pages 25

3.3.5 Java Server Faces 28


4. SYSTEM DESIGN

4.1 Introduction 30

4.2 Overall Architecture 34

4.3 Introduction to UML Representation 36

4.4 Activity Diagram 40

4.5 Sequence Diagram 42

4.6 Use Case Diagram 43

4.7 Class Diagram 44

5. SYSTEM DESCRIPTION

5.1 List of Modules 46

5.1.1 Captcha Security 46

5.1.2 Password Guessing Resistant Protocol 47

5.1.3 Implementation of captcha security 49

6. SYSTEM TESTING

6.1 Types of Testing 53

6.2 Software Testing Strategies 64

6.3 Objectives of Testing 65

6.4 Error finding Test Methods 69

6.5 Test Case 70

6.5.1 Test Case Format 70

6.5.2 Purpose of a good Test Case 71


6.5.3 Review of Software Test Cases 72

6.5.4 Structure of Test Case 74

6.5.5 Test Case Design 74

6.5.6 Guidelines To Prepare Test Case 75

6.6 Test Case Report Generation 77

7. CODING

7.1 Coding standards 82

7.2 Source code 85

8. SCREENSHOTS 146

9. CONCLUSION 155

10. FUTURE ENHANCEMENT 157

10. REFERENCES 159


LIST OF TABLES

TABLE NO. TITLE PAGE NO.

1 Description of UML Diagrams 38

2 Error Finding Test Methods 69

3 Test Case Report for the Entire Project 77

4 Test Case Report for Negative Testing 78

5 Test Case Report for Positive Testing 79

6 Test Case Report for Black-Box Testing 80

7 Test Case Report for White-Box Testing 80


LIST OF FIGURES

FIGURE NO. TITLE PAGE NO.

1.1 EXISTING CAPTCHA 10

1.2 PROPOSED ARCHITECTURE 11

3.1 FLOW OF PLATFORM INDEPENDENT JAVA CODE BETWEEN DIFFERENT PLATFORMS 24

3.2 JAVA PROGRAM USING THE JAVA PLATFORM TO GAIN PLATFORM INDEPENDENCE 25

4.1 SDLC LIFE CYCLE 32

4.2 OVERALL ARCHITECTURE 34

4.3 TYPES OF UML DIAGRAMS 37

4.4 ACTIVITY DIAGRAM 40

4.5 SEQUENCE DIAGRAM 42

4.6 USE CASE DIAGRAM 43

4.7 CLASS DIAGRAM 44

5.1 CAPTCHA GENERATION 47

5.2 USER LOGIN PAGE 50

5.3 EXAMPLE OF IMAGE CAPTCHA 50

8.1 SNAPSHOT FOR HOME PAGE 147

8.2 SNAPSHOT FOR LOGIN PAGE 148

8.3 SNAPSHOT FOR REGISTRATION PAGE 149

8.4 SNAPSHOT FOR LOGIN PAGE WITH USERNAME FIELD ENABLED 150

8.5 SNAPSHOT FOR CAPTCHA GENERATION 151

8.6 SNAPSHOT FOR IDENTIFYING CAPTCHA 152

8.7 SNAPSHOT OF LOGIN PAGE WITH PASSWORD FIELD ENABLED 153

8.8 SNAPSHOT OF THE WEBPAGE FOR THE DESIRED USER 154

Page 11: Booklet Final

LIST OF ABBREVIATIONS

ATT - Automated Turing Tests

JVM - Java Virtual Machine

JSP - Java Server Pages

JSF - Java Server Faces

MVC - Model View Controller

VDL - View Declaration Language

API - Application Programming Interface

HTML - Hyper Text Markup Language

PGRP - Password Guessing Resistant Protocol
