
REVISITING PRIOR PROPOSALS FOR DEFENSES AGAINST LARGE-SCALE ONLINE PASSWORD GUESSING ATTACKS

A PROJECT REPORT Submitted by

ARUL ISAI.U.S - 32308205004
PRIYADHARSHINI.S - 32308205039
SUDHA.S - 32308205047

in partial fulfillment for the award of the degree of

BACHELOR OF TECHNOLOGY
in

INFORMATION TECHNOLOGY

MEENAKSHI COLLEGE OF ENGINEERING, CHENNAI

ANNA UNIVERSITY:: CHENNAI 600 025


MAY 2012

ANNA UNIVERSITY :: CHENNAI 600 025

BONAFIDE CERTIFICATE

Certified that this project report REVISITING PRIOR PROPOSALS FOR DEFENSES AGAINST LARGE-SCALE ONLINE PASSWORD GUESSING ATTACKS is the bonafide work of ARUL ISAI.U.S, PRIYADHARSHINI.S and SUDHA.S who carried out the project work under my supervision.

SIGNATURE
Mr. Upendra Babu, M.E., (Ph.D)
HEAD OF THE DEPARTMENT
Department of Information Technology, Meenakshi College of Engineering, West K.K. Nagar, Chennai-600 078.

SIGNATURE
Mrs. S. Rama, M.E.
SUPERVISOR
Assistant Professor, Department of Information Technology, Meenakshi College of Engineering, West K.K. Nagar, Chennai-600 078.

Submitted For the Project Viva-Voce held on

INTERNAL EXAMINER

EXTERNAL EXAMINER


ACKNOWLEDGEMENT

We sincerely and wholeheartedly express our gratitude and indebtedness to our esteemed founder, chairperson and the authorities of MEENAKSHI AMMAL EDUCATIONAL TRUST for the patronage and parental care showered on our welfare rooted in the academic career. We deeply thank our Director Mrs. R. PREMALATHA KANIKANNAN, M.E., MBA, for providing immense laboratory and library facilities that helped us to complete our project successfully. We express our deep sense of gratitude to our principal Dr. G. GUNASEKARAN, B.E., M.E., Ph.D (Engg) for his support and encouragement throughout our course of study.

We express our sincere thanks to Mr. UPENDRA BABU, M.E., (Ph.D), Head of the Department, Information Technology, for giving constructive ideas and valuable criticism on our project. We are immensely obliged to our internal project guide Mrs. S. RAMA, M.E., for her valuable suggestions, guidance and sustained interest in completing the project successfully. We extend our gratitude to all our department teaching and non-teaching staff members and friends for their immense guidance throughout our project work.

ABSTRACT

Nowadays there is an alarming increase in brute force and dictionary attacks on the passwords used by remote login services. Preventing such attacks on a live network while still giving legitimate users a convenient login is a difficult problem. The widely used countermeasure is Automated Turing Tests (ATTs): an easy approach to identify automated malicious login attempts at a reasonable cost of inconvenience to users. One effective defense against automated online password guessing attacks is to restrict the number of failed trials without ATTs to a very small number (e.g., three), limiting the automated programs used by attackers to three free password guesses for a target account, even if different machines from a botnet are used. However, this inconveniences the legitimate user, who must then answer an ATT on the next login attempt. Here we analyze the inadequacy of existing protocols and of the login protocols proposed to prevent large-scale online dictionary attacks. We propose a new Password Guessing Resistant Protocol (PGRP), derived by revisiting prior proposals to restrict such attacks. It limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, while legitimate users can make several failed login attempts before being challenged with an ATT. We shall prove that this method is more promising than all the existing proposals.
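As an added illustration of the gate the abstract describes (this is not code from the report, whose implementation is in Java/JSP), the Python below keeps one shared failure budget per username for hosts that have never logged in successfully and a larger per-host budget for hosts the user is already known from; the thresholds, the `PGRPState` bookkeeping and the `password_ok` stand-in for real credential checking are all assumptions.

```python
from dataclasses import dataclass, field

# Thresholds are assumed illustrative values, not the report's parameters.
K_UNKNOWN = 1  # free failed guesses per username from hosts never seen logging in successfully
K_KNOWN = 3    # free failed guesses per (username, host) once that host is known for the user


@dataclass
class PGRPState:
    """Server-side bookkeeping for the login gate (hypothetical structure)."""
    known: set = field(default_factory=set)             # (username, host) pairs with a past success
    failed_unknown: dict = field(default_factory=dict)  # username -> failures from unknown hosts
    failed_known: dict = field(default_factory=dict)    # (username, host) -> failures from that host


def att_required(state, username, host):
    """True when the next attempt must first solve an ATT (e.g., a CAPTCHA)."""
    if (username, host) in state.known:
        return state.failed_known.get((username, host), 0) >= K_KNOWN
    return state.failed_unknown.get(username, 0) >= K_UNKNOWN


def login(state, username, host, password_ok, att_passed=False):
    """Apply the gate, then the password check. Returns 'att_required', 'fail' or 'success'.

    password_ok stands in for the real credential verification; the gate is
    evaluated before it so a guesser past the budget learns nothing about the
    password without solving an ATT.
    """
    if att_required(state, username, host) and not att_passed:
        return "att_required"
    if password_ok:
        # A successful login marks the host as known for this user and clears its counters.
        state.known.add((username, host))
        state.failed_unknown.pop(username, None)
        state.failed_known.pop((username, host), None)
        return "success"
    if (username, host) in state.known:
        state.failed_known[(username, host)] = state.failed_known.get((username, host), 0) + 1
    else:
        # Counted per username, so guesses spread across a botnet share one budget.
        state.failed_unknown[username] = state.failed_unknown.get(username, 0) + 1
    return "fail"
```

The host identity (IP address, cookie) and how long counters persist are deployment choices left out here.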

TABLE OF CONTENTS

CHAPTER NO  TITLE  PAGE NO

ABSTRACT  iv
LIST OF TABLES  viii
LIST OF FIGURES  ix
LIST OF ABBREVIATIONS  xi

1. INTRODUCTION
  1.1 General Description  2
  1.2 Project Overview  4
  1.3 Existing System  9
  1.4 Proposed System  10
2. LITERATURE SURVEY  13
3. REQUIREMENT SPECIFICATION
  3.1 Introduction  19
  3.2 Hardware and Software Specification  19
  3.3 Technologies Used
    3.3.1 Java  20
    3.3.2 Introduction to Java  20
    3.3.3 Working of Java  21
    3.3.4 Java Server Pages  25
    3.3.5 Java Server Faces  28
4. SYSTEM DESIGN
  4.1 Introduction  30
  4.2 Overall Architecture  34
  4.3 Introduction to UML Representation  36
  4.4 Activity Diagram  40
  4.5 Sequence Diagram  42
  4.6 Use Case Diagram  43
  4.7 Class Diagram  44
5. SYSTEM DESCRIPTION
  5.1 List of Modules  46
    5.1.1 Captcha Security  46
    5.1.2 Password Guessing Resistant Protocol  47
    5.1.3 Implementation of Captcha Security  49
6. SYSTEM TESTING
  6.1 Types of Testing  53
  6.2 Software Testing Strategies  64
  6.3 Objectives of Testing  65
  6.4 Error Finding Test Methods  69
  6.5 Test Case  70
    6.5.1 Test Case Format  70
    6.5.2 Purpose of a Good Test Case  71
    6.5.3 Review of Software Test Cases  72
    6.5.4 Structure of Test Case  74
    6.5.5 Test Case Design  74
    6.5.6 Guidelines to Prepare Test Case  75
  6.6 Test Case Report Generation  77
7. CODING
  7.1 Coding Standards  82
  7.2 Source Code  85
8. SCREENSHOTS  146
9. CONCLUSION  155
10. FUTURE ENHANCEMENT  157
REFERENCES  159

LIST OF TABLES

TABLE NO.  TITLE  PAGE NO.
1  Description of UML Diagrams  38
2  Error Finding Test Methods  69
3  Test Case Report for the Entire Project  77
4  Test Case Report for Negative Testing  78
5  Test Case Report for Positive Testing  79
6  Test Case Report for Black-Box Testing  80
7  Test Case Report for White-Box Testing  80

LIST OF FIGURES

FIGURE NO.  TITLE  PAGE NO.
1.1  EXISTING CAPTCHA  10
1.2  PROPOSED ARCHITECTURE  11
3.1  FLOW OF PLATFORM INDEPENDENT JAVA CODE BETWEEN DIFFERENT PLATFORMS  24
3.2  JAVA PROGRAM USING JAVA PLATFORM TO GAIN PLATFORM INDEPENDENCY  25
4.1  SDLC LIFE CYCLE  32
4.2  OVERALL ARCHITECTURE  34
4.3  TYPES OF UML DIAGRAMS  37
4.4  ACTIVITY DIAGRAM  40
4.5  SEQUENCE DIAGRAM  42
4.6  USE CASE DIAGRAM  43
4.7  CLASS DIAGRAM  44
5.1  CAPTCHA GENERATION  47
5.2  USER LOGIN PAGE  50
5.3  EXAMPLE OF IMAGE CAPTCHA  50
8.1  SNAPSHOT FOR HOME PAGE  147
8.2  SNAPSHOT FOR LOGIN PAGE  148
8.3  SNAPSHOT FOR REGISTRATION PAGE  149
8.4  SNAPSHOT FOR LOGIN PAGE WITH USERNAME FIELD ENABLED  150
8.5  SNAPSHOT FOR CAPTCHA GENERATION  151
8.6  SNAPSHOT FOR IDENTIFYING CAPTCHA  152
8.7  SNAPSHOT OF LOGIN PAGE WITH PASSWORD FIELD ENABLED  153
8.8  SNAPSHOT OF THE WEBPAGE FOR THE DESIRED USER  154

LIST OF ABBREVIATIONS

ATT   Automated Turing Tests
JVM   Java Virtual Machine
JSP   Java Server Pages
JSF   Java Server Faces
MVC   Model View Controller
VDL   View Declaration Language
API   Application Programming Interface
HTML  Hyper Text Markup Language
PGRP  Password Guessing Resistant Protocol
