Professional Documents
Culture Documents
1. ABSTRACT
1
A Practical Password based Two Server Authentication and Key Exchange System
2
A Practical Password based Two Server Authentication and Key Exchange System
3. INTRODUCTION
The attackers try with possible password from dictionary. Dictionary attacks are
classified as offline and online attacks. In case of online attack, attackers attempt to log in
to the server by trying all passwords from dictionary, but in case of offline attack;
attackers store all past successful login session between a user and a server and then
check the passwords in the dictionary against the login transcript. In the most rigorous
password-only security models, there is no requirement for the user of the method to
remember any secret or public data other than the password.
3
A Practical Password based Two Server Authentication and Key Exchange System
Description of Organization:
1. Password guessing
2. Password cracking
1. Password Guessing:
Password guessing is guessing the password when a valid user ID is known. It can be
done either manually or automatically, submitting the password of a particular user. For
example, if the user ID is John attacker tries Jack and some other password until finds one
or locked out. In any case, complex passwords provide protection against this type of
attack.
4
A Practical Password based Two Server Authentication and Key Exchange System
2. Password Cracking:
Password cracking is done using a copy of the system file that stores account
passwords in encrypted form. All current operating systems store passwords in an
encrypted form by running the passwords through a one way hash. The hash is then
stored, not the clear text password.
1. Dictionary attacks
2. Brute force attacks
3. Hybrid attacks
1. Dictionary attacks:
If dictionary words are used as passwords, they can be readily broken, even when
encrypted. That's because software has been created that gives the intruder the ability to
take an entire dictionary's worth of words, run it through various encryption algorithms,
and compare the results with the encrypted password file. If a match is found to the
password hash, the cracker works backswords to discover what the password is. Simply
put, dictionary words offer no protection at all as passwords. If you are thinking of using
foreign words, forget it.
A brute force attack tries every possible combination of letter, number, and
punctuation value and format. A brute force attack will always succeed in cracking a
password hash. However, depending on the strength of the password, the hashing
formula, and the speed of the computer, it could take many years to crack some
passwords. In our proposed system the Bit length of |h|, |n| and |p| are minimum of 64 bits
length so the intruders could take a years to crack them.
5
A Practical Password based Two Server Authentication and Key Exchange System
3. Hybrid attacks:
In this world of increasing globalization, Our Company moves forward to meet the
challenges of the future through the development of R & D projects in various domains. R
& D project sector attracts the most prominent thinkers and practitioners in a range of
fields that impinge on development. The global presence and reach attained by us are not
only substantiated by its presence, but also in terms of the training students in R & D
project development.
Over the decade, provides a wide range of R & D project development training. Our
uniqueness lies in the exclusive R & D project development. Accordingly, we created a
setting that is enabling, dynamic and inspiring for the increase of solutions to global
problems by R & D project development. Developing appropriate, responsible, innovative
and practical solutions to students, by assisting in R & D project development. All our
research is stranded in the need to provide an industry based training for students.
About team
Our team consists of enthusiastic experts, drawn from a range of disciplines and
experience, supported by infrastructure and facilities, which are world class and
distinctively state-of-the-art.
6
A Practical Password based Two Server Authentication and Key Exchange System
The strength of the organization lies in not only identifying and articulating
intellectual challenges across a number of disciplines of knowledge but also in mounting
research, training and demonstration projects leading to development of specific problem-
based advanced technologies. The organization growth has been evolutionary, driven by a
vision of the future and ingrained in challenges frightening today. The organization
continues to grow in size, spread and intensity of work undertaken. Our experts are
involved in a wide range of R & D project development training to student wishing to
undertake professional development, or just wanting to learn about a new subject or area
of study.
About R & D
Vision
Our vision doesn't begin and end with the execution of R & D projects. The main
intension is to provide world-class training to the students in R & D project development
by sharing our knowledge and expertise to create value is our ultimate goal.
7
A Practical Password based Two Server Authentication and Key Exchange System
4. SYSTEM ANALYSIS
Multi-Server Model:
In the Multi server systems user communicate with servers in parallel by establishing the
connection with all the servers. The users have to communicate with all the servers for
authentication simultaneously so there is demand on communication bandwidth and the
need for synchronization.
8
A Practical Password based Two Server Authentication and Key Exchange System
In the Gateway augmented multi server model, the gateway server is positioned between
user and the multiple servers. The users have to communicate only with the gateway so it
removes the demand of simultaneous communications by user with multiple servers.
There is an additional layer “gateway” in the architecture where gateway acts as rely
messages between user and servers. It does similar to that of multi server.
DISADVANTAGES:
9
A Practical Password based Two Server Authentication and Key Exchange System
ADVANTAGES:
• It is clear that the two-server model has successfully eliminated drawbacks in the
plain multiserver model (i.e., simultaneous communications between a user and
multiple servers) and the gateway augmented multiserver model (i.e., redundancy)
while allowing us to distribute user passwords and the authentication functionality
to two servers in order to eliminate a single point of vulnerability in the single-
server model.
• In the Proposed System, the public server acts as a service server that provides
application services, while the back-end server is a control server whose sole
purpose is to assist the service server in user authentication (the service server, of
course, also participates in user authentication). This enforces clear separation of
duty in our system.
10
A Practical Password based Two Server Authentication and Key Exchange System
5. FEASIBILITY STUDY
Many feasibility studies are disillusioning for both users and analysts. First, the
study often presupposes that when feasibility document is being prepared, the analyst is in
a position to evaluate solutions. Second, most studies tend to overlook the confusion
inherent in the system development – the constraints and the assumed attitudes. If the
feasibility study is to serve as a decision document for a project, it must answer 3 key
questions:
1. Economical Feasibility
2. Technical Feasibility
3. Behavioral Feasibility
This application on the client side has been developed using J2EE, which is open
source software. The hardware required are two servers, which is not expensive. Hence
the application is economically feasible.
As the application has been developed using J2EE and the back end as MS-
Access, which utilize minimum resources of the Personal computer, this project is
technically feasible.
This project has been implemented by J2EE and it satisfies all the conditions and
norms of the organization and the users.
11
A Practical Password based Two Server Authentication and Key Exchange System
Technical analysis involves the evaluation of the technical merits of the system,
which should envelope, the following aspects:
Technical analysis begins with the assessment of the technical viability of the
technologies, the methods, employed and the risk involved in their development. The
proposed system employees advanced technology such as J2EE and other technical
resources, which are time tested and available. The technologies plain and simple on the
development side and are profound and robust on the implementation side that is worth
employing. The above discussion vaporizes any doubts expressed regarding viability of
the system.
12
A Practical Password based Two Server Authentication and Key Exchange System
6.1 INTRODUCTION:
Purpose:
The SRS document purpose is to describe the nominal and other
requirements of the system that validates the employee (user) and allow him to do his
office work.
Scope:
The locality of this application is limited to the user and the server; in this the
user gives his id and password to the server in order to login to the server. It provides the
authentication to the user by making it secure against the offline dictionary attacks.
User must possess a valid user id and password for the purpose of authentication.
The user importantly must have a p.c. with a LAN network in order to gain the
authentication from the server.
13
A Practical Password based Two Server Authentication and Key Exchange System
Client Side:
Front End:
Operating system : Windows XP
Technology : Java
Server Side:
Front End:
Operating system : Windows XP/2000 or higher
Technology : Java using JSP, JDBC.
Back End:
Database : MS-Access
Web Server : Apache Tomcat
Client Side:
Processor : Intel Pentium III or higher
Ram : 256 MB or higher
Hard disk : 40 GB hard disk
Network Connections : LAN
Server Side:
Processor : Intel Pentium IV or higher
Ram : 1GB or higher
Cache : 512 KB
Hard disk : 160 GB hard disk or higher
14
A Practical Password based Two Server Authentication and Key Exchange System
1. User Registration
2. Password Authentication
3. Key Exchange
4. Server Development
1. User Registration:
The user must enter the id and password to register into the database after
registering the user will login into the server using the registered id and password.
2. Password Authentication:
After giving his id and password, the password is send to the service server and
the service server collects the remaining password from the control server and checks
whether the user is valid or not.
3. Key Exchange:
`In this the user sends his password to the service server and the service server
divides the password into two halves , one half is send to the control server and remaining
part is kept with the service server. In this the password is exchanged between the two
servers, if the password is valid the control server gives the authentication report to the
service server and then the service server provides the authentication to the user.
4. Server Development:
In this module we will develop a service server that should interacts with the
clients and we will develop a control server will only have the interaction with service
server but not with the clients.
15
A Practical Password based Two Server Authentication and Key Exchange System
Static Requirements:
These are the requirements that are essential for the better performance of the
system before the system gets executed. These include the number of users to be
supported, number of parallel instructions to be processed.
The server side computer should highly configure with a memory capacity to
support the kick off of many parallel instructions.
Dynamic Requirements:
The servers must be configured to support a vast number of users.
Security:
Every time you download a “normal” program, you are getting risk with a viral
infection. Prior to java, most users did not download executable programs frequently. In
addition, another type of malicious program exists that must be guarded against. This type
of program can gather private information, such as credit card numbers, bank account
balances, and passwords. Java answers both these concerns by providing a “firewall”
between a network application and your computer.
Portability:
16
A Practical Password based Two Server Authentication and Key Exchange System
Platform Independent:
Platform independence, that means the ability of a program to move easily from
one computer system to another. It is one of the most significant advantages that Java has
over other programming languages. Java is platform independent at both the source and
the binary level.
Byte code:
The key that allows the java to solve the security and portability problems is that
the output of java compiler is byte code. Byte code is a highly optimized set of
instructions designed to be executed by the java run – time system, which is called the
java virtual machine (JVM). That is, in its standard form, the JVM is an interpreter for
byte code.
Java Applets:
Applets are a common way of writing Java applications. Integrating web based
sound and graphics into applications is simplified by using methods in Applet class.
Applets are essentially program that run from within a browser.
They appear as part of HTML documents in the same way that pictures are presented. The
major difference is that instead of a static graphics, the Java Applet is a complete running
program. An Applet is just like a widow application, but without a classic window frame.
The ranges of programs that can be written as an APPLET are reduced because of
security limitations imposed by the target browser. Applets run only from with in Java-
Enabled browsers such as NETSCAPE, hotJava, and INTERNET EXPLOSER.
17
A Practical Password based Two Server Authentication and Key Exchange System
Init():- Used for initial setup such as defining Layout, passing parameters and other
initializations.
Start():- This is called immediately after init () start () is called each time user return to
the pea or when the page is deconified. Unlike start, init is called only once.
Stop():- This method is called when the user moves off the page on which the Applet sits
or when it is confined. If an applet if not doing time consuming activities like performing
animation, this need not be implemented.
Destroy():- This method is called when the browser shuts down. It is used to re-claim
resources.
Introduction to Swings:
After working your way through this chapter and seeing the huge changes that
have occurred within the AWT (although, if you can remember back that far, Sun claimed
Java was a “stable” language when it first appeared), you might still have the feeling that
it’s not quite done. Sure, there’s now a good event model, and JavaBeans is an excellent
component reuse design. But the GUI components still seem rather minimal, primitive,
and awkward. That’s where Swing comes in. The Swing library appeared after Java 1.1
so you might naturally assume that it’s part of Java 1.2. However, it is designed to work
with Java 1.1 as an add-on. This way, you don’t have to wait for your platform to support
Java 1.2 in order to enjoy a good UI component library. Your users might actually need to
download the Swing library if it isn’t part of their Java 1.1 support, and this could cause a
few snags. But it works Swing contains all the components that you’ve been missing
throughout the rest of this chapter: those you expect to see in a modern UI, everything
from buttons that contain pictures to trees and grids. It’s a big library, but it’s designed to
have appropriate complexity for the task at hand – if something is simple, you don’t have
to write much code but as you try to do more your code becomes increasingly complex.
This means an easy entry point, but you’ve got the power if you need it.
Easy conversion:
If you’ve struggled long and hard to build your UI using Java 1.1, you don’t want
to throw it away to convert to Swing. Fortunately, the library is designed to allow easy
conversion – in many cases you can simply put a ‘J’ in front of the class names of each of
your old AWT components.
18
A Practical Password based Two Server Authentication and Key Exchange System
Tool tips:
Almost all of the classes that you’ll be using to create your user interfaces are
derived from JComponent, which contains a method called setToolTipText(String). So,
for virtually anything you place on your form, all you need to do is say (for an object jc of
any JComponent-derived class):
jc.setToolTipText("My tip");
when the mouse stays over that JComponent for a predetermined period of time, a
tiny box containing your text will pop up next to the mouse.
Borders:
JComponent also contains a method called set Border ( ), which allows you to
place various interesting borders on any visible component. The following example
demonstrates a number of the different borders that are available, using a method called
showBorder( ) that creates a JPanel and puts on the border in each case. Also, it uses
RTTI to find the name of the border that you’re using (stripping off all the path
information), then puts that name in a JLabel in the middle of the panel:
Buttons:
Swing adds a number of different types of buttons, and it also changes the
organization of the selection components: all buttons, checkboxes, radio buttons, and
even menu items are inherited from Abstract Button (which, since menu items are
included, would probably have been better named “AbstractChooser” or something
equally general).
The JButton looks like the AWT button, but there’s more you can do to it (like
add images, as you’ll see later). In com.sun.java.swing.basic, there is a BasicArrowButton
that is convenient, but what to test it on? There are two types of “spinners” that just beg to
be used with arrow buttons: Spinner, which changes an int value, and String Spinner,
which moves through an array of String (even automatically wrapping when it reaches the
end of the array).
19
A Practical Password based Two Server Authentication and Key Exchange System
The Action Listeners attached to the arrow buttons shows how relatively obvious
it is to use these spinners: you just get and set values, using method names you would
expect since they’re Beans. When you run the example, you’ll see that the toggle button
holds its last position, in or out. But the check boxes and radio buttons behave identically
to each other, just clicking on or off (they are inherited from JToggleButton).
Button groups:
If you want radio buttons to behave in an “exclusive or” fashion, you must add
them to a button group, in a similar but less awkward way as the old AWT. But as the
example below demonstrates, any Abstract Button can be added to a Button Group.
To avoid repeating a lot of code, this example uses reflection to generate the
groups of different types of buttons. This is seen in make Panel, which creates a button
group and a JPanel, and for each String in the array that’s the second argument to
makeBPanel( ), it adds an object of the class represented by the first argument.
Icons:
You can use an Icon inside a JLabel or anything that inherits from Abstract Button
(including JButton, JCheckbox, JradioButton, and the different kinds of JMenuItem).
Using Icons with JLabels is quite straightforward (you’ll see an example later). The
following example explores all the additional ways you can use Icons with buttons and
their descendants.
Menus:
Menus are much improved and more flexible in Swing – for example, you can use
them just about anywhere, including panels and applets. The syntax for using them is
much the same as it was in the old AWT, and this preserves the same problem present in
the old AWT: you must hard-code your menus and there isn’t any support for menus as
resources (which, among other things, would make them easier to change for other
languages). In addition, menu code gets long-winded and sometimes messy.
20
A Practical Password based Two Server Authentication and Key Exchange System
The following approach takes a step in the direction of solving this problem by
putting all the information about each menu into a two-dimensional array of Object (that
way you can put anything you want into the array). This array is organized so that the first
row represents the menu name, and the remaining rows represent the menu items and
their characteristics.
Popup Menus:
The implementation of JPopupMenu seems a bit strange: you must call enable
Events( ) and select for mouse events instead of using an event listener. That is, it’s
possible to add a mouse listener but the Mouse Event that comes through doesn’t return
true from
isPopupTrigger( ) – it doesn’t know that it should trigger a popup menu.8 In addition,
when I tried the listener approach it behaved strangely, possibly from recursive click
handling.
List boxes and combo boxes in Swing work much as they do in the old AWT, but
they also have increased functionality if you need it. In addition, some conveniences have
been added. For example, the JList has a constructor that takes an array of Strings to
display (oddly enough this same feature is not available in JComboBox).
A slider allows the user to input data by moving a point back and forth, which is
intuitive in some situations (volume controls, for example). A progress bar displays data
in a relative fashion from “full” to “empty” so the user gets a perspective.
21
A Practical Password based Two Server Authentication and Key Exchange System
Trees:
Tabbed Panes:
Earlier in this chapter you were introduced to the positively medieval Card
Layout, and saw how you had to manage all the switching of the ugly cards yourself.
Someone actually thought this was a good design. Fortunately, Swing remedies this by
providing JTabbedPane, which handles all the tabs, the switching, and everything. The
contrast between Card Layout and JTabbedPane is breathtaking.
22
A Practical Password based Two Server Authentication and Key Exchange System
7. SYSTEM DESIGN
7.1 INTRODUCTION:
Purpose:
System design is the process of application various techniques and principles for
the purpose of definition a system in sufficient detail to permit its physical realization.
Primary design is concerned with the transformation of requirements into data and
software architecture.
Table: 7.2.1
A class diagram shoes a set of classes, interfaces, and collaborations and their
relationships. Class diagrams are most common diagrams found in modeling object-
23
A Practical Password based Two Server Authentication and Key Exchange System
oriented systems. You use class diagrams to illustrate the static design view of the system.
Class diagrams that include active class are used to address the static process view of a
system.
Class diagrams are important for not only visualizing, specifying and
documenting structural models, but also for constructing executable systems through
forward and reverse engineering.
Identify Classes:
By filtering out all of the nouns except for the classes, you will have many of the
classes identified from your system. These are termed as ALC (analysis level classes)
from which classes are categorized as good classes and bad classes where good classes
are those relevant to the project.
Another method is looking for the repeating objects to the level of different
sequence diagrams at the analysis level. The repeating objects are the tentative objects at
the design level class diagram.
24
A Practical Password based Two Server Authentication and Key Exchange System
CLASS DIAGRAM:
user registration
name name
password user id
password
login()
registration() login()
25
A Practical Password based Two Server Authentication and Key Exchange System
Definitions:
A use-case diagram is a set of use cases, actors and relationships between actors,
use-cases.
A use-case diagram contains
1. Use-cases
2. Actors
3. Association relationship between actors, use-cases
Actor:
An actor is user of system or database in system. These are represented with stick
Figure.
Association:
It links actors to use use-case explains in what and how actor interacts with
system.
26
A Practical Password based Two Server Authentication and Key Exchange System
1. One of the methods used to identify the use cases is actor based.
a. The actors related to a system or organization are identified
b. The process, task, functions initiated or participated, performed by each
actors are identified. The use case should represent a course of events
leading to a clear goal.
2. The second method used to identify use-cases is event based
a. The external events that a system must respond to are identified.
b. Relate the events to actors and use cases
27
A Practical Password based Two Server Authentication and Key Exchange System
28
A Practical Password based Two Server Authentication and Key Exchange System
received by those objects .The objects are typically named or anonymous instances of
classes, but may also represent instances of other things ,such as collaborations,
components , and nodes. We use sequence diagram to represent the dynamic view of the
system.
1: login
2: check details
3: check the database
4: new user
10: generate the value for the first half by using value of second half
12: logout
29
A Practical Password based Two Server Authentication and Key Exchange System
control
server
user
1: login
4: new user
12: logout
2: check details
5: provide new user id &password
8: send second half to the control server
databas
e service
server
30
A Practical Password based Two Server Authentication and Key Exchange System
Activity diagram is a variation or special case of state machine. In this, the states
or the activities represent the performance of operations. The transactions are triggered by
the completion of operations. Activity diagram may be used to model an entire business
process. It provides flow of the program. Activity diagram is used to show the internal
state of the object by external events may appear in them.
The activity diagram describes the sequence of activities, with the support for both
conditional and parallel behavior.
31
A Practical Password based Two Server Authentication and Key Exchange System
32
A Practical Password based Two Server Authentication and Key Exchange System
Registration login
user
logout
Password Authentication:
After giving his id and password, the password is send to the service server and
the service server collects the remaining password from the control server and checks
whether the user is valid or not.
Key Exchange:
In this the user sends his password to the service server and the service server
divides the password into two halves, one half is send to the control server and remaining
part is kept with the service server. In this the password is exchanged between the two
33
A Practical Password based Two Server Authentication and Key Exchange System
servers, if the password is valid the control server gives the authentication report to the
service server and then the service server provides the authentication to the user.
password
authentication
8. SYSTEM MODULES
34
A Practical Password based Two Server Authentication and Key Exchange System
In this section, we elaborate the authentication and key exchange protocols that are
used upon the two server model. We first discuss about the mutual authentication protocol
then the basic two server authentication protocol and its security issues, then the
improved protocol and then the proposed two way authentication and key exchange
protocol in the two server model. For ease of reference, the notations that are used are
tabulated below.
Notation
a, b
g1 , g 2 Belongs to QR p where QR p is a quadratic residues of
mod p
x, y Random numbers
a 1 , b1 , b 2 Random numbers belongs to Zq
∏ User’s password
35
A Practical Password based Two Server Authentication and Key Exchange System
The mutual authentication between two users Alice and Bob are explained below. The
steps involved in mutual authentication between Alice and Bob are discussed as follows:
f ( x) = x a mod n
Alice sends H (PW) [f(x)] and H (PW) [x] to Bob. Bob decrypts using the H (PW)
that is stored in the database to obtain f(x) and x. Bob generates value y and prime
number b and calculates
g ( x) = ( x) b mod n
g ( y ) = ( y ) b mod n
g ( x, y ) = ( xy ) b mod n
The session key k is generated by Bob
36
A Practical Password based Two Server Authentication and Key Exchange System
k = ( f ( x ) * g ( x )) mod n
Bob encrypts values x, y using key k as k[x, y] and encrypts values g(x), g(y), g(x, y)
using H (PW) as H (PW) [g(x), g(y), g(x, y)] and sends to Alice.
Alice decrypts g(x), g(y), g(x, y) and generates the key k using
k = ( f ( x ) * g ( y )) mod n
f ( y ) = ( y ) a mod n
f ( x, y ) = ( xy ) a mod n
f ( g ( x, y )) = ( g ( x, y )) a mod n
Alice encrypts y with session key k. Alice sends f(y), f(x, y), f (g(x, y)), and k [y] to Bob.
Bob decrypts k[y] to verify the value y. Bob computes g (f(x), f(y)) and compares with f
(g(x, y)) for authentication and sends g (f(x, y)) to Alice. Alice computes f (g(x), g(y))
and compares the value to g(f(x, y)) to authenticate Bob. Thus, Alice and Bob
authenticated each other through mutual authentication protocol.
System Model:
The three entities that are involved in the system are the users U , Service server
SS , and the control server CS . The service server is the public server and the control
server is the hidden back end server in the two server model. In this protocol the users can
only communicate with the public server and the control server is away from the users.
Users are not aware about the control server and it is especially used for user
authentication. The user’s long secrets passwords are transformed into two secret
37
A Practical Password based Two Server Authentication and Key Exchange System
Passwords which are held by public server and the control server. The two server based
on the secret passwords validate the user while login.
User Registration:
The user must beforehand register with the servers by establishing a shared
password. The password π is divided as π and π
1 2 the long random numbers such that
π +π mod q , where q is the prime numbers. The passwords are stored in the two servers
1 2
to control server CS through postal mail. To initiate a request for the server, user U
sends his identity together with a service request Re q to Server1 in M 1 .
The mutual authentication and key Exchange enables between user and public
server SS . We outline the basic password authentication protocol here. The notations and
symbols followed are tabulated in table below.
38
A Practical Password based Two Server Authentication and Key Exchange System
The user initiates the request after completing the user registration phase with the
SS in message M 1 .The SS sends the request to CS with the user id in M 2 . Then SS
b ∏
selects the random number b
2 from the set z
q to compute the value of B =g 2g 2 .We
2 1 2
omitted the modulo p notation for arithmetic operation. The CS sends the value B 2 to
SS in M 3 . SS now computes B and sends to user U in M 4 .
The U selects the random number a from the set z
q and computes the
The session key K is established between the SS and U . The SS sends the value of S
s
The three entities that are involved in the system are the users U , Service server
SS , and the control server CS . The service server is the public server and the control
server is the hidden back end server in the two server model. In this protocol the users can
only communicate with the public server and the control server is away from the users.
Users are not aware about the control server and it is especially used for user
authentication. The user’s long secrets passwords are transformed into two secret
passwords which are held by public server and the control server. The two server based
on the secret passwords validate the user while login.
39
A Practical Password based Two Server Authentication and Key Exchange System
User Registration:
The user must beforehand register with the servers by establishing a shared
password. The password π is divided as π and π
1 2 the long random numbers such that
π +π mod q , where q is the prime numbers. The passwords are stored in the two servers
1 2
for the server, user U sends his identity together with a service request Re q to Server1
in M 1 .
The mutual authentication and key Exchange enables between user and servers
Server1 and Server 2 . We outline the proposed password authentication protocol here.
The notations and symbols followed are tabulated in table 8.1. The user initiates the
request after completing the user registration phase with the servers Server1 or Server 2
in message M 1 . If the user request Server1 , then Server1 computes the value of
f ( x) = x a mod n , U ' = h (∏1 )[f ( x )] and V ' = h (∏1 )[ x ] . Server1 sends uid, U ' , V ' to
Server 2 in M 2 .
Server 2 decrypts using the hash that is stored in the database to obtain f(x) and x.
Server 2 then computes g ( x ) = x b mod n ,, g ( y) = y b mod n , g ( x , y) = ( xy) b mod n ,
k = (f ( x ) * g ( x )) mod n and U '' =h (∏2 )[g ( x ), g ( y), g ( x , y)] . Server 2 sends the ''
U , k[ x , y ]
b b
B 2 = g1 2 g ∏ 2
2 mod p
meanwhile Server1 computes B = g 1g ∏1 mod p . Server 2 sends
1 1 2
g ( f ( x , y )), B 2 to Server1 in M 5 . Server1 computes and validates to authenticate the
?
Server 2 f (g ( x ), g ( y )) =g (f ( x , y)) and B = B1B2 mod p . Server1 sends the value B to
40
A Practical Password based Two Server Authentication and Key Exchange System
a
S'u = (B / g ∏ ) 1 mod p
a
user U in M 6 . The user U computes A = g11 mod p , and Su = h (S'u ) .
2
b
The user U sends A, S u to Server1 in M 7 . Server1 computes S1 = A 1 mod p and
b
sends the value A, S u and S1 to Server 2 in M 8 . Server 2 computes S 2 = A 2 mod p and
?
authenticates the Server1 by checking the values of S u = h (S S 2 mod p) . Server 2
1 sends
? b1
S u = h (SA
2 mod p) ,
b
SS = h ( A 1 S 2 mod p) , and
b
K = h ( uid , ser1, A 1S 2 mod p)
Where r ∈ z
R q , ∈ QR
R p , and ∈ is a negligible function. That is computationally
intractable for A to distinguish between ( g , h, g
r
,h
r
) and ( g , h, g r , z ) .
41
A Practical Password based Two Server Authentication and Key Exchange System
The attacks against the password of the user. Control server can obtain B
1
9. SYSTEM IMPLEMENTATION
42
A Practical Password based Two Server Authentication and Key Exchange System
Servlets provide a Java based solution used to address the problems currently
associated with doing server-side programming, including inextensible scripting
solutions, platform-specific APIs, and incomplete interfaces. Servlets are objects that
conform to a specific interface that can be plugged into a Java-based server. Servlets are
to the server-side where applets are to the client-side object byte codes that can be
dynamically loaded off the net. They differ from applets in that they are faceless objects
(without graphics or a GUI component). They serve as platform-independent,
dynamically-loadable, pluggable helper byte code objects on the server side that can be
used to dynamically extend server-side functionality.
What is a Servlet?
Request WEB
CLEINT SERVER
Servlet
Name +
parameters
JVM
Response DATA
SERVLET BASE
43
A Practical Password based Two Server Authentication and Key Exchange System
The javax.servlet package provides interfaces and classes for writing servlets. The
architecture of the package is described below.
The central abstraction in the Servlet API is the Servlet interface. All servlets
implement this interface, either directly or, more commonly, by extending a class that
implements it such as HttpServlet.
The Servlet interface declares, but does not implement, methods that manage the
servlet and its communications with clients. Servlet writers provide some or all of these
44
A Practical Password based Two Server Authentication and Key Exchange System
Client Interaction:
1. A Servlet Request, which encapsulates the communication from the client to the
server.
2. A Servlet Response, which encapsulates the communication from the servlet back
to the client.
Servlet Request and Servlet Response are interfaces defined by the javax.servlet package.
1. Information such as the names of the parameters passed in by the client, the
protocol (scheme) being used by the client, and the names of the remote host that
made the request and the server that received it.
2. The input stream, ServletInputStream. Servlets use the input stream to get data
from clients that use application protocols such as the HTTP POST and PUT
methods.
Interfaces that extend ServletRequest interface allow the servlet to retrieve more
protocol-specific data. For example, the HttpServletRequest interface contains methods
for accessing HTTP-specific header information.
The Servlet Response interface gives the servlet methods for replying to the client.
It:
1. Allows the servlet to set the content length and MIME type of the reply.
2. Provides an output stream, ServletOutputStream, and a Writer through which the
servlet can send the reply data.
45
A Practical Password based Two Server Authentication and Key Exchange System
Interfaces that extend the ServletResponse interface give the servlet more
protocol-specific capabilities. For example, the HttpServletResponse interface contains
methods that allow the servlet to manipulate HTTP-specific header information.
Servlet Lifecycle:
CLASS INSTANCE
INIT
DESTROY
46
A Practical Password based Two Server Authentication and Key Exchange System
TOMCAT
Own Folder
WEB-INF web.xml
Fig 9.1.4 The hierarchy structure to deploy the servlet file in tomcat web server
A Java Server page is a simple, yet powerful technology for creating and
maintaining dynamic-content webs pages. Based on the Java programming language,
Java Server Pages offers proven portability, open standards, and a mature re-usable
component model.
The Java Server Pages architecture enables the separation of content generation
from content presentation. This separation not only eases maintenance headaches, it also
allows web team members to focus on their areas of expertise. Now, webpage designers
can concentrate on layout, and web application designers on programming, with minimal
concern about impacting each other’s work. The rest of this document gives you the
bigger picture:
1. Portability
2. Composition
3. Processing
4. Access Models
47
A Practical Password based Two Server Authentication and Key Exchange System
1. Portability:
Java Server Pages files can be run on any web server or web-enabled application
server that provides support for them. Debugged the JSP engine, this support involves
recognition, translation, and management of the Java Server Page lifecycle and its
interactions with associated components.
The JSP engine for a particular server might be built-in or might be provided
through a 3rd-party and-on. As long as the server on which you plan to execute the Java
Server Pages supports the same specification level as that to which the file was written,
no changes should be necessary as you move your files from server to server.
Note, however, that instructions for the setup and configuration of the files may
differ between files.
2. Composition:
It was mentioned earlier that the Java Server Pages architecture can include
reusable Java components. The architecture also allows for the embedding of a scripting
language directly into the Java Server Pages file.
The components current supported include JavaBeans, and Servlets. Support for
Enterprise Java Beans components will likely be added in a future release. As the default
scripting language, Java Server Pages use the Java programming language. This means
that scripting on the server side can take advantage of the full set of capabilities that the
Java Programming language offers. Support for other scripting languages might become
available in the future.
48
A Practical Password based Two Server Authentication and Key Exchange System
3. Processing:
A Java Server Pages file is essentially an HTML document with JSP scripting or
tags. It may have associated components in the form of .class, .jar, or .ser files- - or it
may not. The use of components is not required.
The Java Server Pages file has a .jsp extension to identify it to the server as a Java
Server Pages file. Before the page is served, the Java Server Pages syntax is parsed and
processed into a servlet on the server side. The servlet that is generated outputs real
content in straight HTML for responding to the client. Because it is standard HTML, the
dynamically generated response looks no different to the client browser than a static
response.
4. Access Models:
Bean
Request
Browser
JSP
Response
In this scenario, suppose the page accesses reusable Java Bean components that
perform particular well-defined computations like accessing a database. The result of the
Bean’s computations, called result sets are stored within the Bean as properties. The page
uses such Beans to generate dynamic content and present it back to the client.
A request comes through a servlet.
49
A Practical Password based Two Server Authentication and Key Exchange System
Request
Servlet
JDBC Database
Browser
Response Bean
JSP
The servlet generates the dynamic content. To handle the response to the client,
the servlet creates a Bean and stores the dynamic content (sometimes called the result set)
in the Bean. The servlet then invokes a JavaServer Page that will present the content
along with the Bean containing the generated from the servlet.
There are two APIs to support this model of request processing using JavaServer
Pages. One API facilitates passing context between the invoking servlet and the
JavaServer Page. The other API lets the invoking servlet specify which JavaServer Page
to use.
In both of the above cases, the page could also contain any valid Java code. The
JavaServer Pages architecture encourages separation of content from presentation - - it
does not mandate it.
Apache Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and Java Server Pages technologies. The Java Servlet
and Java Server Pages specifications are developed by Sun under the Java Community
Process. Apache Tomcat is developed in an open and participatory environment and
released under the Apache Software License. Apache Tomcat is intended to be a
collaboration of the best-of-breed developers from around the world.
50
A Practical Password based Two Server Authentication and Key Exchange System
Apache lends itself particularly well to projects that are heavily Java based. It
offers superior handling of the Java Database Connectivity (JDBC) application program
interface (a program which allows Java-based service to access information, stored in
SQL-compliant databases).
Apache was born in early 1995, as free Web server software based around NCSA
http 1.3, which was the most popular Web server of the day, and a bunch of software
patches. From that it earned it's moniker, which stands for "APACHE server." Since then,
it has been completely re-written, and has become the most popular WWW server on the
Internet.
Apache pros:
It’s constantly being updated and you can add functionality as it becomes
available.
Free:
Multi-platform support:
Apache can be used on systems that have 80x86-series (i.e. Intel) processors
running either Linux or NT as an OS, or on other computers running a Unix-type OS on a
different processor.
51
A Practical Password based Two Server Authentication and Key Exchange System
Popular:
Apache is the most-used Web server software package in the world. As such, it's
unlikely that further development of the software will ever cease.
Apache cons:
No Support:
Apache's developers do not provide any type of support for their product. There
are third-party companies that provide Apache support, but you have to pay for it.
HMAC is defined as
Where h is an iterated hash function, K is a secret key padded with extra zeros to the
block size of the hash function
52
A Practical Password based Two Server Authentication and Key Exchange System
9.3 CONTRIBUTION:
The work is continued by exposing the hidden control server to users so that user
can login to any one system at a time. The other server automatically acts as the control
server. In this proposed system the number users will be increased than basic system and
the control server can be used efficiently. The servers are made public so there may be
higher chances for attacks in between the servers. The protocol is designed to check
authentication between servers and between user and server. The mutual authentication
protocol is used to authenticate between servers before communication for user
authentication is involved. The basic password authentication protocol is used to
authenticate between user and servers. The password splitting techniques provides basic
security for the two server systems.
Three types of entities are involved in our system, i.e., users, a service server (SS)
that is the public server in the two server model, and a control server (CS) that is the
back-end server. In this setting, users only communicate with SS and do not necessarily
know CS. For the purpose of user authentication, a user U has a password which is
transformed into two long secrets, which are held by SS and CS, respectively. Based on
their respective shares, SS and CS together validate users during user login. We assume
the following security model.
53
A Practical Password based Two Server Authentication and Key Exchange System
We stress that this security model exploits the different levels of trust upon the two
servers. As discussed earlier, this clearly holds with respect to outside attackers. As far as
inside attackers are concerned, justifications come from our application and
generalization of the system to the architecture of a single control server supporting
multiple service servers, where the control server affords and deserves enforcing more
stringent security measurements against inside attackers. Notice that the assumption we
make here is already weaker than that in, where the back-end server is strictly passive and
is not allowed to eavesdrop on communication channels, while CS in our setting is
allowed for eavesdropping. We believe this weakening is important and more realistic
since eavesdropping is practically easy and insidious.
54
A Practical Password based Two Server Authentication and Key Exchange System
Testing is a fault detection technique that tries to create failure or erroneous states
in a planned way. This allows the developer to detect failures in the system before it is
released to the customer. Note that this definition of testing implies that a successful test
is a test that identifies faults. We will use this definition throughout the development
phase. Another often used definition of testing is that “it demonstrates that faults are not
present”. We will use this definition only after the system when we try to demonstrate
that the delivered system fulfills the functional requirements.
If we used this second definition all the time, we would tend to select test data that
have a low probability of causing the program to fail. If on the other hand, the goal is to
demonstrate that program has faults, we would tend to look for test data with a higher
probability of finding faults. The characteristic of a good test model is that it contains test
cases that identify faults. Tests should include broad range of input values, including
invalid inputs and boundary cases, otherwise faults may not be detected. Unfortunately,
such an approach requires extremely lengthy testing times for even small systems.
1. Test Planning allocates resources and schedules the testing. This activity should
occur early in the development phase so that sufficient time and skill is dedicated
to testing. For example, developers can design test cases as soon as the models
they validate become stable.
2. Usability testing tries to find faults in the user interface design the system. Often
system fails to accomplish their intended purpose simply because their users are
confused by their user interface and unwillingly introduce erroneous data.
3. Unit testing tries to find faults in participating objects and/or subsystems with
respect to the cases from the use case model.
55
A Practical Password based Two Server Authentication and Key Exchange System
4. Integration testing is the activity of finding faults when testing the individual
tested components together, for example, subsystems described in the subsystem
decomposition, while executing the use cases and scenarios from the RAD
(Required Analysis Document).
5. Structural testing is the culmination of integration tests and structural tests exploit
knowledge from the SDD (System Design Document) using an integration
strategy described in the Test Plan (TP).
6. System testing tests all the components together, seen as a single system to
identify faults with respect to the scenarios from the problem statement and the
requirements and design goals is identified in the analysis and system design,
respectively.
7. Functional testing tests the requirements from the RAD and the user manual.
9. Acceptance testing and installation testing check the system against the project
agreement and is done by the client, if necessary, the help by the developers.
1. A component is a part of the system that can be isolated for testing. A component
can be an object, or one or more subsystems.
2. A fault also called bug or defect is a design or coding mistake that may cause
abnormal component behavior.
56
A Practical Password based Two Server Authentication and Key Exchange System
5. A test case is a set of inputs and expected results that exercises a component with
the purpose of causing failures and detecting faults.
2. A good test case design is one that has a probability of finding an as yet undiscovered
error.
57
A Practical Password based Two Server Authentication and Key Exchange System
1. Condition Testing
2. Data flow Testing
3. Loop Testing
58
A Practical Password based Two Server Authentication and Key Exchange System
A software testing strategy provides a road map for the software developer.
Testing is a set of activities that can be planned in advance and conducted systematically.
For this reason a template for software testing a set of steps into which we can place
specific test case design methods should be designed for software engineering process.
1. Testing begins at the module level and works” outward” toward the integration of the
entire computer based system.
2. Different testing techniques are appropriate at different points in time.
3. The developer of the software and an independent test group conducts testing.
4. Testing and Debugging are different activities but debugging must be accommodated
in any testing strategy.
A test case is a set of input data and expected results that exercises a component
with purpose of causing failures and detecting faults. A test case has five attributes: name,
location, input, oracle, and log (table 11-1). The name of the test case allows the tester to
distinguish between different test cases. A heuristic for naming test cases is to derive the
name from the requirement it is testing or from the component being tested. For example,
if you are testing a use case cancel(), you might want to call the test case Test cancel. If a
test case involves two components A and B then a good name would be Test_AB. The
location attribute describes where the test case can be found.
59
A Practical Password based Two Server Authentication and Key Exchange System
TEST CASES:
60
A Practical Password based Two Server Authentication and Key Exchange System
10.DISPLAY SCREENS
LOGIN FORM:
61
A Practical Password based Two Server Authentication and Key Exchange System
62
A Practical Password based Two Server Authentication and Key Exchange System
63
A Practical Password based Two Server Authentication and Key Exchange System
64
A Practical Password based Two Server Authentication and Key Exchange System
65
A Practical Password based Two Server Authentication and Key Exchange System
66
A Practical Password based Two Server Authentication and Key Exchange System
67
A Practical Password based Two Server Authentication and Key Exchange System
68
A Practical Password based Two Server Authentication and Key Exchange System
INTRODUCTION
The protection of computer based resources that include hardware, software, data,
procedures and people against unauthorized use or natural disaster is known as System
Security.
SYSTEM SECURITY refers to the technical innovations and procedures applied to the
hardware and operating systems to protect against deliberate or accidental damage from a
defined threat.
DATA SECURITY is the protection of data from loss, disclosure, modification and
destruction.
SYSTEM INTEGRITY refers to the power functioning of hardware and programs,
appropriate physical security and safety against external threats such as eavesdropping
and wiretapping.
PRIVACY defines the rights of the user or organizations to determine what information
they are willing to share with or accept from others and how the organization can be
protected against unwelcome, unfair or excessive dissemination of information about it.
CONFIDENTIALITY is a special status given to sensitive information in a database to
minimize the possible invasion of privacy. It is an attribute of information that
characterizes its need for protection.
Security Software:-
System security refers to various validations on data in form of checks and
controls to avoid the system from failing. It is always important to ensure that only valid
data is entered and only valid operations are performed on the system. The system
employees two types of checks and controls.
69
A Practical Password based Two Server Authentication and Key Exchange System
13. LIMITATIONS
70
A Practical Password based Two Server Authentication and Key Exchange System
14. CONCLUSION
The proposed authentication system can be used instead of existing single server
system such as FTP and email servers where the number of users can be increased by
providing two way user authentication using two servers. The future work to be carried is
designing the protocol in the wireless environment between users and servers and placing
a back up third server when any one of the server fails.
71
A Practical Password based Two Server Authentication and Key Exchange System
15. REFERENCES
Related Websites:
www.w3schools.com
www.javacompletereference.com
www.amazon.com
72
A Practical Password based Two Server Authentication and Key Exchange System
16. APPENDICES
73