
A Report On
Captcha As A Graphical Password

Summer Training Report
Submitted in partial fulfilment of Bachelor of Technology
In Computer Science and Engineering

2015-2016

Submitted By: Ishita Saraswat, 1206413041

Submitted To: Dr. Hitendra Garg
Associate Professor
Department of CSE

Under the Guidance of:
Mr. Somendra Singh Rathore

Hindustan College of Science and Technology, Mathura
Farah, Mathura-281122

Training Certificate from Company (Xerox)


Please bring original certificate at the time of submission of report

ACKNOWLEDGEMENT
A training work owes its success, from commencement to completion, to the people
in love with researchers at various stages. I express my gratitude to all those who
helped us at various stages of this study. First, I would like to express my sincere
gratitude and indebtedness to Mr Munish Khanna (HOD, Department of Computer
Science and Engineering, HCST, Mathura) for allowing me to undergo the summer
training of 30 days at Oracle WDP with Informatics.

I am grateful to our guide Mr Hitendra Garg for the help provided in the completion
of the project which was assigned to me. Without his friendly help and guidance
it would have been difficult to complete the assigned task.
I am also thankful to Mr Himanshu Mishra and all faculty members of the Department
of CSE for their true help and inspiration, and for helping me in the preparation of
the final report and presentation.
Last but not least, I pay my sincere thanks and gratitude to all the staff members of
the CSE department for their support and for making our training valuable and fruitful.

DECLARATION

I, Ishita Saraswat, hereby declare that the work which is being presented in this
project/training titled Captcha as A Graphical Password, by me, in partial
fulfilment of the requirements for the award of the Bachelor of Technology (B.Tech.)
degree in Computer Science and Engineering at Hindustan College of Science and
Technology, Farah, Mathura, is an authentic record of my own work carried out
under the guidance of Mr Hitendra Garg, Assistant Professor, CSE department.
To the best of my knowledge, the matter embodied in this report has not been
submitted to any other University/Institute for the award of any degree or diploma.

Date: 20/11/15

Mr Munish Khanna
(HOD, CSE)

Ishita Saraswat
1206413041

Mr Somendra Singh Rathore


(Training Incharge)

ABSTRACT
Many security primitives are based on hard mathematical problems. Using hard AI problems for
security is emerging as an exciting new paradigm, but has been under-explored. In this paper, we
present a new security primitive based on hard AI problems, namely, a novel family of graphical
password systems built on top of Captcha technology, which we call Captcha as graphical
passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a
number of security problems altogether, such as online guessing attacks, relay attacks, and, if
combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can
be found only probabilistically by automatic online guessing attacks even if the password is in
the search set. CaRP also offers a novel approach to address the well-known image hotspot
problem in popular graphical password systems, such as PassPoints, that often leads to weak
password choices. CaRP is not a panacea, but it offers reasonable security and usability and
appears to fit well with some practical applications for improving online security.

TABLE OF CONTENTS

Sr.no  Topic                                        Page no.
1.     Company Profile                              9
2.     Objective                                    10
3.     List of Project                              10
         Graphical Password                         10
         Captcha In Authentication                  10
         Overcoming Thwart Guessing Attack
         Security of underlying captcha
4.     Theoretical background                       11
         Literature Review                          12
         Software Requirement Specification         12
         Specific Requirement                       13
5.     Approach
         Input Design
         Output Design
         Model
6.     System Design
         Use Case Diagram
7.     System Study
         Analysis
         Existing System
         Proposed System
8.     Experience
9.     Conclusion
10.    References
TABLE OF FIGURES

Sr.no  Topic                  Page no.
1.     Working Of Java        16
2.     JDK 2 SDK              19
3.     System Architecture    33
4.     Use Case Diagram       34

COMPANY PROFILE

Infomatics (Oracle Authorized Technology Partner)


An ISO 9001:2008 Certified Organization
Infomatics is a mission working for the promotion of the latest technologies in
computing. We are a group of professionals who have united to work for the
promotion of technology. We conduct training programs for professionals and
engineering students. We have a branch that works on the development of software
and high-level application products, in conjunction with our premier goal, the
promotion of technologies such as C & C++, Data Structures, Oracle, Java, J2EE,
J2ME, .Net, Php, Oracle Database, Linux and many more.
In today's rapidly changing environment every organization has to face new
standards of quality assurance, new competition, increasing customer expectations,
etc. As a result, business enterprises are in constant need of reviewing and
re-engineering their processes in order to survive and grow in a competitive
environment. Our custom-designed application software can therefore help you meet
these cut-throat competition requirements.
Infomatics Education
INFOMATICS is dedicated to providing quality training to INFOMATICS-certified
students and to equipping them with the skills needed for international
certifications. INFOMATICS Education is proud to announce the successful
completion of its Summer/Vocational Training Program at Agra. Over 500
students have been successfully trained, with projects, in .NET, Oracle Database,
Java, J2EE, J2ME, Php and many more during the summer trainings.
Infomatics Objectives
*Promote computer Education & Technology.
*Open platform for development jobs.

OBJECTIVE

The most notable primitive invented is CAPTCHA, which distinguishes human
users from computers by presenting a challenge, i.e., a puzzle, beyond the
capability of computers but easy for humans. CAPTCHA is now a standard
Internet security technique to protect online email and other services from being
abused by bots. This existing paradigm has achieved just a limited success as
compared with the cryptographic primitives based on hard math problems and
their wide applications.
In this paper, we present a new security primitive based on hard AI problems,
namely, a novel family of graphical password systems built on top of CAPTCHA
technology, which we call CAPTCHA as graphical passwords (CaRP).
CaRP is both a CAPTCHA and a graphical password scheme. CaRP addresses a
number of security problems altogether, such as online guessing attacks, relay
attacks, and, if combined with dual-view technologies, shoulder-surfing attacks.
CaRP offers protection against online dictionary attacks on passwords, which have
been for long time a major security threat for various online services.
CaRP also offers protection against relay attacks, an increasing threat to bypass
CAPTCHA protection.

LIST OF PROJECT

Graphical Password.

Captcha in Authentication.

Overcoming Thwart Guessing Attacks.

Security Of Underlying Captcha

2.1 MODULES DESCRIPTION:

2.1.1 Graphical Password:


In this module, users are authenticated before they can access the details
presented in the image system. Before accessing or searching the details, the
user must already have an account; otherwise they must register first.

2.1.2 Captcha in Authentication:


In this module we use both Captcha and password in a user authentication
protocol, which we call the Captcha-based Password Authentication (CbPA)
protocol, to counter online dictionary attacks. The CbPA protocol requires solving
a Captcha challenge after inputting a valid pair of user ID and password, unless a
valid browser cookie is received. For an invalid pair of user ID and password, the
user has a certain probability of having to solve a Captcha challenge before being
denied access.
2.1.3 Overcoming Thwart Guessing Attacks:
In a guessing attack, a password guess tested in an unsuccessful trial is determined
wrong and excluded from subsequent trials. The number of undetermined
password guesses decreases with more trials, leading to a better chance of finding
the password. To counter guessing attacks, traditional approaches in designing
graphical passwords aim at increasing the effective password space to make
passwords harder to guess and thus require more trials. No matter how secure a
graphical password scheme is, the password can always be found by a brute force
attack. In this paper, we distinguish two types of guessing attacks: automatic
guessing attacks apply an automatic trial and error process, but the search set S
can be manually constructed, whereas human guessing attacks apply a manual trial
and error process.
2.1.4 Security of Underlying Captcha:
Computational intractability in recognizing objects in CaRP images is
fundamental to CaRP. Existing analyses on Captcha security were mostly case by
case or used an approximate process. No theoretic security model has been
established yet. Object segmentation is considered as a computationally
expensive, combinatorially-hard problem, which modern text Captcha schemes
rely on.

THEORETICAL BACKGROUND

3.1 LITERATURE REVIEW


On predictive models and user drawn graphical passwords
In commonplace text-based password schemes, users typically choose passwords
that are easy to recall, exhibit patterns, and are thus vulnerable to brute-force
dictionary attacks. This leads us to ask whether other types of passwords (e.g.,
graphical) are also vulnerable to dictionary attack because of users tending to
choose memorable passwords. We suggest a method to predict and model a
number of such classes for systems where passwords are created solely from a
user's memory. We hypothesize that these classes define weak password subspaces
suitable for an attack dictionary. For user-drawn graphical passwords, we apply
this method with cognitive studies on visual recall. These cognitive studies
motivate us to define a set of password complexity factors (e.g., reflective
symmetry and stroke count), which define a set of classes. To better understand
the size of these classes and, thus, how weak the password subspaces they define
might be, we use the Draw-A-Secret (DAS) graphical password scheme of
Jermyn et al. [1999] as an example. We analyze the size of these classes for DAS
under convenient parameter choices and show that they can be combined to define
apparently popular subspaces that have bit sizes ranging from 31 to 41, a
surprisingly small proportion of the full password space (58 bits). Our results
quantitatively support suggestions that user-drawn graphical password systems
employ measures, such as graphical password rules or guidelines and proactive
password checking.
Modeling user choice in the PassPoints graphical password scheme
We develop a model to identify the most likely regions for users to click in order
to create graphical passwords in the PassPoints system. A PassPoints password is
a sequence of points, chosen by a user in an image that is displayed on the screen.
Our model predicts probabilities of likely click points; this enables us to predict

the entropy of a click point in a graphical password for a given image. The model
allows us to evaluate automatically whether a given image is well suited for the
PassPoints system, and to analyze possible dictionary attacks against the system.
We compare the predictions provided by our model to results of experiments
involving human users. At this stage, our model and the experiments are small and
limited; but they show that user choice can be modeled and that expansions of the
model and the experiments are a promising direction of research.
Securing passwords against dictionary attacks
The use of passwords is a major point of vulnerability in computer security, as
passwords are often easy to guess by automated programs running dictionary
attacks. Passwords remain the most widely used authentication method despite
their well-known security weaknesses. User authentication is clearly a practical
problem. From the perspective of a service provider this problem needs to be
solved within real-world constraints such as the available hardware and software
infrastructures. From a user's perspective user-friendliness is a key requirement. In
this paper we suggest a novel authentication scheme that preserves the advantages
of conventional password authentication, while simultaneously raising the costs of
online dictionary attacks by orders of magnitude. The proposed scheme is easy to
implement and overcomes some of the difficulties of previously suggested
methods of improving the security of user authentication schemes. Our key idea is
to efficiently combine traditional password authentication with a challenge that is
very easy to answer by human users, but is (almost) infeasible for automated
programs attempting to run dictionary attacks. This is done without affecting the
usability of the system. The proposed scheme also provides better protection
against denial of service attacks against user accounts.
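The CbPA protocol of the Captcha in Authentication module and the "easy for humans, infeasible for programs" challenge of the paper summarised above share one decision rule: a correct user ID/password pair with a valid browser cookie is admitted directly, a correct pair without a cookie must first solve a Captcha, and a wrong pair is charged a Captcha only some fraction of the time. The class below is an added illustration, not the project's code or the cited paper's code. It assumes a keyed HMAC over the submitted pair to make the "some fraction of the time" decision deterministic (so retrying the same wrong guess never changes the answer), a hypothetical in-memory user table with SHA-256 hashes, and constructed sample credentials; the Captcha itself and the cookie check are outside its scope.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/** Illustrative CbPA-style login gate (added example; hypothetical names throughout). */
public class CbpaLoginGate {

    public enum Decision { ALLOW, CAPTCHA_THEN_ALLOW, CAPTCHA_THEN_DENY, DENY }

    // userId -> SHA-256(userId || 0x00 || password). A real deployment would use a
    // slow password KDF; plain SHA-256 keeps the example self-contained.
    private final Map<String, byte[]> passwordHashes = new HashMap<>();
    private final byte[] serverSecret;      // key for the deterministic challenge decision
    private final double challengeFraction; // fraction of wrong pairs that must solve a Captcha

    public CbpaLoginGate(byte[] serverSecret, double challengeFraction) {
        this.serverSecret = serverSecret.clone();
        this.challengeFraction = challengeFraction;
    }

    public void register(String userId, String password) {
        passwordHashes.put(userId, digest(userId, password));
    }

    /** Applies the three CbPA rules described in the text. */
    public Decision decide(String userId, String password, boolean validCookie) {
        byte[] stored = passwordHashes.get(userId);
        byte[] candidate = digest(userId, password);
        // Constant-time comparison so the check does not leak how many bytes matched.
        boolean pairValid = stored != null && MessageDigest.isEqual(stored, candidate);
        if (pairValid) {
            return validCookie ? Decision.ALLOW : Decision.CAPTCHA_THEN_ALLOW;
        }
        return challengeForWrongPair(userId, password) ? Decision.CAPTCHA_THEN_DENY : Decision.DENY;
    }

    /**
     * Deterministic coin flip: the same (userId, password) pair always gets the same
     * answer, so a guessing program cannot resubmit a pair hoping to skip the Captcha.
     */
    boolean challengeForWrongPair(String userId, String password) {
        byte[] tag = hmac(userId + "\u0000" + password);
        long v = ((tag[0] & 0xFFL) << 24) | ((tag[1] & 0xFFL) << 16)
               | ((tag[2] & 0xFFL) << 8) | (tag[3] & 0xFFL);
        return v / 4294967296.0 < challengeFraction; // uniform in [0,1) vs. the fraction
    }

    private byte[] hmac(String message) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(serverSecret, "HmacSHA256"));
            return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static byte[] digest(String userId, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(userId.getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo values; the secret would come from server configuration.
        byte[] secret = "demo-server-secret-not-for-production".getBytes(StandardCharsets.UTF_8);
        CbpaLoginGate gate = new CbpaLoginGate(secret, 0.5);
        gate.register("alice", "correct horse");
        System.out.println(gate.decide("alice", "correct horse", true));  // ALLOW
        System.out.println(gate.decide("alice", "correct horse", false)); // CAPTCHA_THEN_ALLOW
        Decision first = gate.decide("alice", "wrong guess", false);
        Decision again = gate.decide("alice", "wrong guess", false);
        System.out.println(first + " (same on retry: " + (first == again) + ")");
    }
}
```

The point of keying the wrong-pair decision with a server secret is that the fraction of guesses that cost a Captcha is fixed per pair rather than per attempt: a dictionary attack cannot lower its cost by resubmitting, while a legitimate user who mistypes once sees at most one challenge for that mistake.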
Revisiting defenses against large-scale online password guessing attacks

Brute force and dictionary attacks on password-only remote login services are
now widespread and ever increasing. Enabling convenient login for legitimate
users while preventing such attacks is a difficult problem. Automated Turing Tests
(ATTs) continue to be an effective, easy-to-deploy approach to identify automated
malicious login attempts with reasonable cost of inconvenience to users. In this
paper, we discuss the inadequacy of existing and proposed login protocols
designed to address large-scale online dictionary attacks (e.g., from a botnet of
hundreds of thousands of nodes). We propose a new Password Guessing Resistant
Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such
attacks. While PGRP limits the total number of login attempts from unknown
remote hosts to as low as a single attempt per username, legitimate users in most
cases (e.g., when attempts are made from known, frequently-used machines) can
make several failed login attempts before being challenged with an ATT. We
analyze the performance of PGRP with two real-world data sets and find it more
promising than existing proposals.
Cognitive authentication schemes safe against spyware
Can we secure user authentication against eavesdropping adversaries, relying on
human cognitive functions alone, unassisted by any external computational
device? To accomplish this goal, we propose challenge response protocols that
rely on a shared secret set of pictures. Under the brute-force attack the protocols
are safe against eavesdropping, in that an observer who fully records any feasible
series of successful interactions cannot practically compute the user's secret.
Moreover, the protocols can be tuned to any desired level of security against
random guessing, where security can be traded-off with authentication time. The
proposed protocols have two drawbacks: First, training is required to familiarize
the user with the secret set of pictures. Second, depending on the level of security
required, entry time can be significantly longer than with alternative methods. We
describe user studies showing that people can use these protocols successfully, and
quantify the time it takes for training and for successful authentication. We show

evidence that the secret can be effortlessly maintained for a long time (up to a
year) with relatively low loss.

3.2 SOFTWARE REQUIREMENT SPECIFICATION


Software requirement specification is a set of completely and precisely stated
properties along with the constraints of the system that the software must satisfy.
A well designed software requirements specification establishes boundaries and
solutions of system to develop useful software.

3.2.1 Requirements of SRS:


The SRS should specify only the external system behavior and not the internal
details. It also specifies any constraints imposed on implementation. A good SRS
is flexible to change and acts as a reference tool for system developer,
administrator and maintainer.

Software Environment
Java Technology
Java technology is both a programming language and a platform.
The Java Programming Language
The Java programming language is a high-level language that can be characterized
by all of the following buzzwords: Simple, Architecture-neutral, Object-oriented,
Portable, Distributed, High-performance, Interpreted, Multithreaded, Robust,
Dynamic, Secure.
With most programming languages, you either compile or interpret a program so
that you can run it on your computer. The Java programming language is unusual
in that a program is both compiled and interpreted. With the compiler, first you

translate a program into an intermediate language called Java bytecodes, the
platform-independent codes interpreted by the interpreter on the Java platform.
The interpreter parses and runs each Java byte code instruction on the computer.
Compilation happens just once; interpretation occurs each time the program is
executed. The following figure illustrates how this works.

Figure: 1
You can think of Java byte codes as the machine code instructions for the Java
Virtual Machine (Java VM). Every Java interpreter, whether it's a development
tool or a Web browser that can run applets, is an implementation of the Java VM.
Java byte codes help make write once, run anywhere possible. You can compile
your program into byte codes on any platform that has a Java compiler. The byte
codes can then be run on any implementation of the Java VM. That means that as
long as a computer has a Java VM, the same program written in the Java
programming language can run on Windows 2000, a Solaris workstation, or on an
iMac.

Figure: 2
The Java Platform
A platform is the hardware or software environment in which a program runs.
We've already mentioned some of the most popular platforms like Windows 2000,
Linux, Solaris, and MacOS. Most platforms can be described as a combination of
the operating system and hardware. The Java platform differs from most other
platforms in that it's a software-only platform that runs on top of other
hardware-based platforms.
The Java platform has two components:

The Java Virtual Machine (Java VM)

The Java Application Programming Interface (Java API)


You've already been introduced to the Java VM. It's the base for the Java platform
and is ported onto various hardware-based platforms.
The Java API is a large collection of ready-made software components that
provide many useful capabilities, such as graphical user interface (GUI) widgets.
The Java API is grouped into libraries of related classes and interfaces; these
libraries are known as packages. The next section, What Can Java Technology Do?,
highlights what functionality some of the packages in the Java API provide.
The following figure depicts a program that's running on the Java platform. As the
figure shows, the Java API and the virtual machine insulate the program from the
hardware.

Figure: 3
Native code is code that, after you compile it, runs on a specific hardware
platform. As a platform-independent environment, the Java platform can be a bit
slower than native code. However, smart compilers, well-tuned interpreters, and
just-in-time bytecode compilers can bring performance close to that of native
code without threatening portability.
What Can Java Technology Do?
The most common types of programs written in the Java programming language
are applets and applications. If you've surfed the Web, you're probably already
familiar with applets. An applet is a program that adheres to certain conventions
that allow it to run within a Java-enabled browser.
However, the Java programming language is not just for writing cute, entertaining
applets for the Web. The general-purpose, high-level Java programming language
is also a powerful software platform. Using the generous API, you can write many
types of programs.
An application is a standalone program that runs directly on the Java platform. A
special kind of application known as a server serves and supports clients on a
network. Examples of servers are Web servers, proxy servers, mail servers, and
print servers. Another specialized program is a servlet. A servlet can almost be
thought of as an applet that runs on the server side. Java Servlets are a popular
choice for building interactive web applications, replacing the use of CGI scripts.
Servlets are similar to applets in that they are runtime extensions of applications.
Instead of working in browsers, though, servlets run within Java Web servers,
configuring or tailoring the server.
How does the API support all these kinds of programs? It does so with packages
of software components that provide a wide range of functionality. Every full
implementation of the Java platform gives you the following features:

* The essentials: Objects, strings, threads, numbers, input and output, data
  structures, system properties, date and time, and so on.
* Applets: The set of conventions used by applets.
* Networking: URLs, TCP (Transmission Control Protocol), UDP (User Datagram
  Protocol) sockets, and IP (Internet Protocol) addresses.
* Internationalization: Help for writing programs that can be localized for users
  worldwide. Programs can automatically adapt to specific locales and be displayed
  in the appropriate language.
* Security: Both low level and high level, including electronic signatures, public
  and private key management, access control, and certificates.
* Software components: Known as JavaBeans, can plug into existing component
  architectures.
* Object serialization: Allows lightweight persistence and communication via
  Remote Method Invocation (RMI).
* Java Database Connectivity (JDBC): Provides uniform access to a wide range
  of relational databases.
The Java platform also has APIs for 2D and 3D graphics, accessibility, servers,
collaboration, telephony, speech, animation, and more. The following figure
depicts what is included in the Java 2 SDK.

Figure: 4
ODBC
Microsoft Open Database Connectivity (ODBC) is a standard programming
interface for application developers and database systems providers. Before
ODBC became a de facto standard for Windows programs to interface with
database systems, programmers had to use proprietary languages for each
database they wanted to connect to. Now, ODBC has made the choice of the
database system almost irrelevant from a coding perspective, which is as it should
be. Application developers have much more important things to worry about than
the syntax that is needed to port their program from one database to another when
business needs suddenly change.
Through the ODBC Administrator in Control Panel, you can specify the particular
database that is associated with a data source that an ODBC application program
is written to use. Think of an ODBC data source as a door with a name on it. Each
door will lead you to a particular database. For example, the data source named
Sales Figures might be a SQL Server database, whereas the Accounts Payable data
source could refer to an Access database. The physical database referred to by a
data source can reside anywhere on the LAN.

From a programming perspective, the beauty of ODBC is that the application can
be written to use the same set of function calls to interface with any data source,
regardless of the database vendor. The source code of the application doesn't
change whether it talks to Oracle or SQL Server. In a client/server environment,
the ODBC API even handles many of the network issues for the application
programmer.
The advantages of this scheme are so numerous that you are probably thinking
there must be some catch. The only disadvantage of ODBC is that it isn't as
efficient as talking directly to the native database interface. ODBC has had many
detractors make the charge that it is too slow. Microsoft has always claimed that
the critical factor in performance is the quality of the driver software that is used.
In our humble opinion, this is true. The availability of good ODBC drivers has
improved a great deal recently.
JDBC
In an effort to set an independent database standard API for Java, Sun
Microsystems developed Java Database Connectivity, or JDBC. JDBC offers a
generic SQL database access mechanism that provides a consistent interface to a
variety of RDBMSs. This consistent interface is achieved through the use of
plug-in database connectivity modules, or drivers. If a database vendor wishes

to have JDBC support, he or she must provide the driver for each platform that the
database and Java run on.
To gain a wider acceptance of JDBC, Sun based JDBC's framework on ODBC. As
you discovered earlier in this chapter, ODBC has widespread support on a variety
of platforms. Basing JDBC on ODBC will allow vendors to bring JDBC drivers to
market much faster than developing a completely new connectivity solution.
JDBC Goals
Few software packages are designed without goals in mind. JDBC is one whose
many goals drove the development of the API. These goals, in conjunction with
early reviewer feedback, finalized the JDBC class library into a solid framework
for building database applications in Java.
The goals that were set for JDBC are important. They will give you some insight
as to why certain classes and functionalities behave the way they do. The eight
design goals for JDBC are as follows:

SQL Level API


The designers felt that their main goal was to define a SQL interface for Java.
Although not the lowest database interface level possible, it is at a low enough
level for higher-level tools and APIs to be created.

SQL Conformance
SQL syntax varies as you move from database vendor to database vendor. In an
effort to support a wide variety of vendors, JDBC will allow any query statement
to be passed through it to the underlying database driver. This allows the
connectivity module to handle non-standard functionality in a manner that is
suitable for its users.

JDBC must be implementable on top of common database interfaces

The JDBC SQL API must sit on top of other common SQL-level APIs. This
goal allows JDBC to use existing ODBC-level drivers by means of a software
interface that translates JDBC calls to ODBC and vice versa.

Provide a Java interface that is consistent with the rest of the Java system
Because of Java's acceptance in the user community thus far, the designers feel
that they should not stray from the current design of the core Java system.

Keep it simple
This goal probably appears in all software design goal listings. JDBC is no
exception; Sun felt that the design of JDBC should be very simple, allowing for
only one method of completing a task per mechanism.
Compilation happens just once; interpretation occurs each time the program is
executed. The figure illustrates how this works.
Figure: 5

You can think of Java bytecodes as the machine code instructions for the Java Virtual
Machine (Java VM). Every Java interpreter, whether it's a Java development tool or a Web
browser that can run Java applets, is an implementation of the Java VM. The Java VM can
also be implemented in hardware.
Java bytecodes help make write once, run anywhere possible. You can compile your Java
program into bytecodes on any platform that has a Java compiler.
What is a Java Web Application?
A Java web application generates interactive web pages containing various types
of markup language (HTML, XML, and so on) and dynamic content. It is
typically comprised of web components such as JavaServer Pages (JSP), servlets
and JavaBeans to modify and temporarily store data, interact with databases and
web services, and render content in response to client requests.
Because many of the tasks involved in web application development can be
repetitive or require a surplus of boilerplate code, web frameworks can be applied
to alleviate the overhead associated with common activities. For example, many
frameworks, such as JavaServer Faces, provide libraries for templating pages and
session management, and often promote code reuse.

What is Java EE?


Java EE (Enterprise Edition) is a widely used platform containing a set of
coordinated technologies that significantly reduce the cost and complexity of
developing, deploying, and managing multi-tier, server-centric applications. Java
EE builds upon the Java SE platform and provides a set of APIs (application
programming interfaces) for developing and running portable, robust, scalable,
reliable and secure server-side applications.
Some of the fundamental components of Java EE include:

Enterprise JavaBeans (EJB): a managed, server-side component architecture used


to encapsulate the business logic of an application. EJB technology enables rapid
and simplified development of distributed, transactional, secure and portable
applications based on Java technology.

Java Persistence API (JPA): a framework that allows developers to manage data
using object-relational mapping (ORM) in applications built on the Java Platform.
JavaScript and Ajax Development
JavaScript is an object-oriented scripting language primarily used in client-side
interfaces for web applications. Ajax (Asynchronous JavaScript and XML) is a
Web 2.0 technique that allows changes to occur in a web page without the need to
perform a page refresh. JavaScript toolkits can be leveraged to implement
Ajax-enabled components and functionality in web pages.
Web Server and Client
A web server is software that can process a client request and send the response
back to the client. For example, Apache is one of the most widely used web
servers. A web server runs on some physical machine and listens for client
requests on a specific port.
A web client is software that communicates with the server. Some of the most
widely used web clients are Firefox, Google Chrome, Safari, etc. When we request
something from the server (through a URL), the web client takes care of creating
the request and sending it to the server, and then parsing the server response and
presenting it to the user.
HTML and HTTP
Web server and web client are two separate pieces of software, so there must be
some common language for communication. HTML (HyperText Markup Language) is
the common language between server and client.
Web server and client also need a common communication protocol; HTTP
(HyperText Transfer Protocol) is the communication protocol between server and
client. Some of the important parts of an HTTP request are:

HTTP Method: the action to be performed, usually GET, POST, PUT, etc.

URL: the page to access.

Form Parameters: similar to arguments in a Java method, for example the user and
password details from a login page.
Some of the important parts of an HTTP response are:

Status Code: an integer indicating whether the request succeeded or not. Some of
the well-known status codes are 200 for success, 404 for Not Found and 403 for
Access Forbidden.

Content Type: text, html, image, pdf, etc. Also known as the MIME type.

Content: the actual data that is rendered by the client and shown to the user.


MIME Type or Content Type: The HTTP response header contains a Content-Type
tag. It is also called the MIME type, and the server sends it to the client to let
it know the kind of data it is sending. It helps the client render the data for
the user. Some of the most used MIME types are text/html, text/xml,
application/xml, etc.

Understanding URL
URL is an acronym of Universal Resource Locator and is used to locate the server
and resource. Every resource on the web has its own unique address. Let's see the
parts of a URL with an example.
http://localhost:8080/FirstServletProject/jsps/hello.jsp
http:// - This is the first part of the URL and provides the communication
protocol to be used in server-client communication.
localhost - The unique address of the server; most of the time it is the hostname
of the server that maps to a unique IP address. Sometimes multiple hostnames
point to the same IP address and the web server's virtual host takes care of
sending the request to the particular server instance.
8080 - This is the port on which the server is listening. It is optional, and if
we do not provide it in the URL then the request goes to the default port of the
protocol. Port numbers 0 to 1023 are reserved ports for well-known services, for
example 80 for HTTP, 443 for HTTPS, 21 for FTP, etc.
FirstServletProject/jsps/hello.jsp - The resource requested from the server. It
can be static HTML, PDF, JSP, servlets, PHP, etc.
Why do we need Servlets and JSPs?
Web servers are good at serving static content such as HTML pages, but they don't know how to
generate dynamic content or how to save data into databases, so we need another
tool that we can use to generate dynamic content. There are several programming
languages and frameworks for dynamic content, such as PHP, Python, Ruby on Rails, Java Servlets and
JSPs.
Java Servlets and JSPs are server side technologies that extend the capability of web
servers by providing support for dynamic responses and data persistence.

Web Container
Tomcat is a web container. When a request is made from the client to the web server, it
passes the request to the web container, and it is the web container's job to find the correct
resource to handle the request (servlet or JSP), use the output of that
resource to generate the response, and hand the response to the web server. The web server then
sends the response back to the client.
When the web container gets a request and it is for a servlet, the container creates
two objects, HttpServletRequest and HttpServletResponse. Then it finds the
correct servlet based on the URL and creates a thread for the request. Then it
invokes the servlet's service() method, and based on the HTTP method the service()
method invokes doGet() or doPost(). The servlet methods generate the
dynamic page and write it to the response. Once the servlet thread is complete, the container
converts the response to an HTTP response and sends it back to the client.
Some of the important work done by the web container is:

Communication Support: the container provides an easy way of communication
between the web server and the servlets and JSPs. Because of the container, we don't
need to build a server socket to listen for requests from the web server, parse the
request and generate a response. All these important and complex tasks are done by the
container, and all we need to focus on is the business logic of our application.

Lifecycle and Resource Management: the container takes care of managing the
life cycle of a servlet. It takes care of loading servlets into memory,
initializing them, invoking servlet methods and destroying them. The container also
provides utilities like JNDI for resource pooling and management.

Multithreading Support: the container creates a new thread for every request to the
servlet, and when the request is processed the thread dies. So servlets are not initialized anew for
each request, which saves time and memory.

JSP Support: JSPs don't look like normal Java classes, and the web container
provides support for them. Every JSP in the application is compiled by the container
and converted to a servlet, and then the container manages it like any other servlet.

Miscellaneous Tasks: the web container manages the resource pool, does memory
optimizations, runs the garbage collector, provides security configurations, support for
multiple applications, hot deployment and several other tasks behind the scenes
that make our life easier.
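The request path described above (parse the HTTP request, find the servlet mapped to the URL, let service() dispatch on the HTTP method, return a status code, Content-Type and content), as a constructed Python model added here; it is not Tomcat's or the project's code, and do_get/do_post, LoginServlet and WebContainer are invented names standing in for doGet()/doPost(), a servlet and the container.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed model of the request path described above (added example, not
# Tomcat or the project's code): parse the raw HTTP request, look up the
# servlet mapped to the URL, let service() dispatch on the HTTP method, and
# return a status code, Content-Type and body for the HTTP response.

def parse_request(raw: bytes) -> dict:
    """Split a raw request into the parts named above: method, URL path,
    headers and form parameters (query string for GET, body for POST)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(body.decode()).items()})
    return {"method": method, "path": url.path, "headers": headers,
            "params": params}


class HttpServlet:
    """service() picks do_get()/do_post() (standing in for doGet()/doPost())
    from the HTTP method; methods the servlet does not implement get a 405."""

    def service(self, req: dict) -> tuple:
        handler = getattr(self, "do_" + req["method"].lower(), None)
        if handler is None:
            return 405, "text/plain", "Method Not Allowed"
        return handler(req)


class LoginServlet(HttpServlet):
    def do_get(self, req: dict) -> tuple:
        return 200, "text/html", ("<form method='post'><input name='user'>"
                                  "<input name='password' type='password'>"
                                  "</form>")

    def do_post(self, req: dict) -> tuple:
        user = req["params"].get("user", "")
        # The user parameter is client-controlled: escape it before writing it
        # into HTML, and never echo the password back in the response.
        return 200, "text/html", "<p>Welcome, %s</p>" % html.escape(user)


class WebContainer:
    """Maps URL paths to servlet instances, the role web.xml gives the container."""

    def __init__(self):
        self._servlets = {}

    def add_servlet(self, path: str, servlet: HttpServlet) -> None:
        self._servlets[path] = servlet

    def handle(self, raw: bytes) -> tuple:
        """Return (status code, content type, content) for a raw request."""
        req = parse_request(raw)
        servlet = self._servlets.get(req["path"])
        if servlet is None:
            return 404, "text/plain", "Not Found"
        return servlet.service(req)
```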
Web Application Directory Structure
Java Web Applications are packaged as a Web Archive (WAR), which has a defined
structure. You can export the above dynamic web project as a WAR file and unzip it to
check the hierarchy. It will be something like the image below.

Figure: 6

Deployment Descriptor
The web.xml file is the deployment descriptor of the web application and contains the
mapping for servlets (prior to Servlet 3.0), welcome pages, security configurations,
session timeout settings etc.
That's all for the Java web application startup tutorial; we will explore Servlets and
JSPs more in future posts.
MySQL:

MySQL, the most popular Open Source SQL database management system, is
developed, distributed, and supported by Oracle Corporation.
The MySQL Web site (http://www.mysql.com/) provides the latest information
about MySQL software.

MySQL is a database management system.


A database is a structured collection of data. It may be anything from a simple
shopping list to a picture gallery or the vast amounts of information in a corporate
network. To add, access, and process data stored in a computer database, you need
a database management system such as MySQL Server. Since computers are very
good at handling large amounts of data, database management systems play a
central role in computing, as standalone utilities, or as parts of other applications.

MySQL databases are relational.


A relational database stores data in separate tables rather than putting all the data
in one big storeroom. The database structures are organized into physical files
optimized for speed. The logical model, with objects such as databases, tables,
views, rows, and columns, offers a flexible programming environment. You set up
rules governing the relationships between different data fields, such as one-to-one,
one-to-many, unique, required or optional, and pointers between different
tables. The database enforces these rules, so that with a well-designed database,
your application never sees inconsistent, duplicate, orphan, out-of-date, or missing
data.
The SQL part of MySQL stands for Structured Query Language. SQL is the
most common standardized language used to access databases. Depending on your
programming environment, you might enter SQL directly (for example, to
generate reports), embed SQL statements into code written in another language, or
use a language-specific API that hides the SQL syntax.
SQL is defined by the ANSI/ISO SQL Standard. The SQL standard has been
evolving since 1986 and several versions exist. Here, SQL-92 refers to
the standard released in 1992, SQL:1999 refers to the standard released in 1999,
and SQL:2003 refers to the current version of the standard. We use the phrase
"the SQL standard" to mean the current version of the SQL Standard at any time.

MySQL software is Open Source.


Open Source means that it is possible for anyone to use and modify the software.
Anybody can download the MySQL software from the Internet and use it without
paying anything. If you wish, you may study the source code and change it to suit
your needs. The MySQL software uses the GPL (GNU General Public License),
http://www.fsf.org/licenses/, to define what you may and may not do with the
software in different situations. If you feel uncomfortable with the GPL or need to
embed MySQL code into a commercial application, you can buy a commercially
licensed version from us. See the MySQL Licensing Overview for more
information (http://www.mysql.com/company/legal/licensing/).

The MySQL Database Server is very fast, reliable, scalable, and easy to use.
If that is what you are looking for, you should give it a try. MySQL Server can run
comfortably on a desktop or laptop, alongside your other applications, web
servers, and so on, requiring little or no attention. If you dedicate an entire
machine to MySQL, you can adjust the settings to take advantage of all the
memory, CPU power, and I/O capacity available. MySQL can also scale up to
clusters of machines, networked together.
You can find a performance comparison of MySQL Server with other database
managers on our benchmark page.
MySQL Server was originally developed to handle large databases much faster
than existing solutions and has been successfully used in highly demanding
production environments for several years. Although under constant development,
MySQL Server today offers a rich and useful set of functions. Its connectivity,
speed, and security make MySQL Server highly suited for accessing databases on
the Internet.

MySQL Server works in client/server or embedded systems.


The MySQL Database Software is a client/server system that consists of a multithreaded SQL server that supports different backends, several different client
programs and libraries, administrative tools, and a wide range of application
programming interfaces (APIs).

A large amount of contributed MySQL software is available.


MySQL Server has a practical set of features developed in close cooperation with
our users. It is very likely that your favorite application or language supports the
MySQL Database Server.

3.2.2 SPECIFIC REQUIREMENT

HARDWARE REQUIREMENTS:

System: Pentium IV 2.4 GHz.

Hard Disk: 40 GB.

Floppy Drive: 1.44 Mb.

Monitor: 15 VGA Colour.

Mouse: Logitech.

Ram: 512 Mb.

SOFTWARE REQUIREMENTS:

Operating system: Windows XP/7.

Coding Language: JAVA/J2EE

IDE: Netbeans 7.4

Database: MYSQL

APPROACH
4.1 INPUT DESIGN

The input design is the link between the information system and the user. It
comprises developing the specifications and procedures for data preparation, and
the steps necessary to put transaction data into a usable form for processing.
This can be achieved by having the computer read data from a written or printed
document, or by having people key the data directly into the
system. The design of input focuses on controlling the amount of input required,
controlling errors, avoiding delay, avoiding extra steps and keeping the
process simple. The input is designed in such a way that it provides security
and ease of use while retaining privacy. Input design considered the following
things:

What data should be given as input?

How should the data be arranged or coded?

The dialog to guide the operating personnel in providing input.

Methods for preparing input validations and the steps to follow when errors occur.
OBJECTIVES
1. Input Design is the process of converting a user-oriented description of the
input into a computer-based system. This design is important to avoid errors in the
data input process and to show the correct direction to the management for getting
correct information from the computerized system.
2. It is achieved by creating user-friendly screens for data entry that can handle large
volumes of data. The goal of designing input is to make data entry easier and
free from errors. The data entry screen is designed in such a way that all the data
manipulations can be performed. It also provides record viewing facilities.
3. When data is entered, it is checked for validity. Data can be entered with
the help of screens. Appropriate messages are provided when needed so that the
user is never left in a maze. Thus the objective of input design is to create
an input layout that is easy to follow.

4.2 OUTPUT DESIGN

A quality output is one which meets the requirements of the end user and presents
the information clearly. In any system, the results of processing are communicated to
the users and to other systems through outputs. In output design it is determined
how the information is to be displayed for immediate need and also as hard copy
output. It is the most important and direct source of information to the user. Efficient
and intelligent output design improves the system's relationship with the user and helps
decision-making.
1. Designing computer output should proceed in an organized, well thought out
manner; the right output must be developed while ensuring that each output
element is designed so that people will find the system easy to use and
effective. When analysts design computer output, they should identify the
specific output that is needed to meet the requirements.
2. Select methods for presenting information.
3. Create the document, report, or other formats that contain the information produced by
the system.
The output form of an information system should accomplish one or more of the
following objectives.

Convey information about past activities, current status or projections of the
future.

Signal important events, opportunities, problems, or warnings.

Trigger an action.

Confirm an action.

MODEL
5.1 SYSTEM DESIGN
SYSTEM ARCHITECTURE

Figure: 7

5.2 USE CASE DIAGRAM:


A use case diagram in the Unified Modeling Language (UML) is a type of
behavioral diagram defined by and created from a Use-case analysis. Its purpose
is to present a graphical overview of the functionality provided by a system in
terms of actors, their goals (represented as use cases), and any dependencies
between those use cases. The main purpose of a use case diagram is to show what
system functions are performed for which actor. Roles of the actors in the system
can be depicted.

5.3 SYSTEM STUDY


5.3.1 FEASIBILITY STUDY
The feasibility of the project is analyzed in this phase and a business proposal is put
forth with a very general plan for the project and some cost estimates. During
system analysis the feasibility study of the proposed system is to be carried out.
This is to ensure that the proposed system is not a burden to the company. For
feasibility analysis, some understanding of the major requirements for the system
is essential.
Three key considerations involved in the feasibility analysis are

ECONOMICAL FEASIBILITY.

TECHNICAL FEASIBILITY.

SOCIAL FEASIBILITY.
ECONOMICAL FEASIBILITY
This study is carried out to check the economic impact that the system will have
on the organization. The amount of funds that the company can pour into the
research and development of the system is limited. The expenditures must be
justified. Thus the developed system was well within the budget, and this was
achieved because most of the technologies used are freely available. Only the
customized products had to be purchased.
TECHNICAL FEASIBILITY
This study is carried out to check the technical feasibility, that is, the technical
requirements of the system. Any system developed must not place a high demand
on the available technical resources, since this would lead to high demands being placed on the
client. The developed system must have modest requirements, as only minimal or
no changes are required for implementing this system.

SOCIAL FEASIBILITY

The aspect of study is to check the level of acceptance of the system by the user.
This includes the process of training the user to use the system efficiently. The
user must not feel threatened by the system, instead must accept it as a necessity.
The level of acceptance by the users solely depends on the methods that are
employed to educate the user about the system and to make him familiar with it.
His level of confidence must be raised so that he is also able to make some
constructive criticism, which is welcomed, as he is the final user of the system.

ANALYSIS
6.1 EXISTING SYSTEM:
The most notable primitive invented is Captcha, which distinguishes human users
from computers by presenting a challenge, i.e., a puzzle, beyond the capability of
computers but easy for humans. Captcha is now a standard Internet security
technique to protect online email and other services from being abused by bots.
DISADVANTAGES OF EXISTING SYSTEM:

This existing paradigm has achieved only limited success compared with the
cryptographic primitives based on hard math problems and their wide
applications.
6.2 PROPOSED SYSTEM:
In this project, we present a new security primitive based on hard AI problems,
namely, a novel family of graphical password systems built on top of Captcha
technology, which we call Captcha as graphical passwords (CaRP).
CaRP is both a Captcha and a graphical password scheme. CaRP addresses a
number of security problems altogether, such as online guessing attacks, relay
attacks, and, if combined with dual-view technologies, shoulder-surfing attacks.
ADVANTAGES OF PROPOSED SYSTEM:
CaRP offers protection against online dictionary attacks on passwords, which have
for a long time been a major security threat to various online services.
CaRP also offers protection against relay attacks, an increasing threat used to bypass
Captcha's protection.

EXPERIENCE

Developing the project took nearly 45 days of consistent hard work.
As far as my knowledge is concerned, it has gained an edge after the completion of this
project. I have learnt about working on the technologies, making
connections with a database and storing values in the database.
I have learnt the importance of user authentication on social media, which is an
immensely important aspect of any other Web Application. I have also learned to
work within team dynamics under pressure and deadlines.

CONCLUSION
We have proposed CaRP, a new security primitive relying on unsolved hard AI
problems. CaRP is both a Captcha and a graphical password scheme. The notion
of CaRP introduces a new family of graphical passwords, which adopts a new
approach to counter online guessing attacks: a new CaRP image, which is also a
Captcha challenge, is used for every login attempt to make the trials of an online
guessing attack computationally independent of each other. A CaRP password
can be found only probabilistically by automatic online guessing attacks, including
brute-force attacks, a desired security property that other graphical password
schemes lack. Hotspots in CaRP images can no longer be exploited to mount
automatic online guessing attacks, an inherent vulnerability in many graphical
password systems. CaRP forces adversaries to resort to significantly less efficient
and much more costly human-based attacks. In addition to offering protection
from online guessing attacks, CaRP is also resistant to Captcha relay attacks and,
if combined with dual-view technologies, shoulder-surfing attacks. CaRP can also
help reduce spam emails sent from a Web email service.
Our usability study of the two CaRP schemes we have implemented is encouraging.
For example, more participants considered AnimalGrid and ClickText easier to
use than PassPoints and a combination of text password and Captcha. Both
AnimalGrid and ClickText had better password memorability than
conventional text passwords. On the other hand, the usability of CaRP can be
further improved by using images of different levels of difficulty based on the
login history of the user and the machine used to log in. The optimal tradeoff
between security and usability remains an open question for CaRP, and further
studies are needed to refine CaRP for actual deployments.
Like Captcha, CaRP utilizes unsolved AI problems. However, a password is much
more valuable to attackers than a free email account that Captcha is typically used
to protect. Therefore there are more incentives for attackers to break CaRP than
Captcha. That is, more effort will be attracted to the following win-win game by
CaRP than by ordinary Captcha: if attackers succeed, they contribute to improving AI
by providing solutions to open problems such as segmenting 2D texts. Otherwise,
our system stays secure, contributing to practical security. As a framework, CaRP
does not rely on any specific Captcha scheme. When one Captcha scheme is
broken, a new and more secure one may appear and be converted to a CaRP
scheme. Overall, our work is one step forward in the paradigm of using hard AI
problems for security. With reasonable security and usability and practical
applications, CaRP has good potential for refinements, which call for useful future
work. More importantly, we expect CaRP to inspire new inventions of such AI
based security primitives.
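The login mechanism of the proposed system and the conclusion (a fresh CaRP image for every attempt, so that guessing trials are independent and a solved challenge cannot be relayed a second time), as a constructed Python model added here; it is not the project's or the paper's code, and the 36-cell grid, CarpServer and click_cells are simplifying assumptions standing in for a ClickText image and its click-to-character decoding.

```python
import hashlib
import hmac
import secrets
import string

# Constructed toy model of a ClickText-style CaRP login (added example, not the
# project's code). The "image" is a grid of 36 cells; for every login attempt
# the server places each alphabet character at a random cell and keeps the
# layout. The user enters the password by clicking the cells of its characters.
ALPHABET = string.ascii_uppercase + string.digits   # 36 characters, one per cell


class CarpServer:
    def __init__(self):
        self._users = {}        # username -> (salt, password hash)
        self._challenges = {}   # username -> layout of the challenge now in use

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        if any(ch not in ALPHABET for ch in password):
            raise ValueError("password must use characters shown in the image")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password))

    def new_challenge(self, username: str) -> dict:
        """Issue a fresh CaRP image as a mapping cell number -> character.
        A new random layout is drawn for every attempt, so the clicks that
        answer one image say nothing about the next (independent trials)."""
        cells = list(range(len(ALPHABET)))
        secrets.SystemRandom().shuffle(cells)
        layout = dict(zip(cells, ALPHABET))
        self._challenges[username] = layout
        return layout

    def login(self, username: str, clicks: list) -> bool:
        """Check a click sequence against the challenge issued to this user.
        The challenge is consumed whether the attempt succeeds or not, so an
        answer for a given image (even one relayed from a human) works once."""
        layout = self._challenges.pop(username, None)
        if layout is None or username not in self._users:
            return False
        if any(cell not in layout for cell in clicks):
            return False
        # Decode the clicked cells with the server's own copy of the layout
        candidate = "".join(layout[cell] for cell in clicks)
        salt, stored = self._users[username]
        return hmac.compare_digest(self._hash(salt, candidate), stored)


def click_cells(layout: dict, password: str) -> list:
    """What a human does when reading the image: find each character's cell."""
    where = {ch: cell for cell, ch in layout.items()}
    return [where[ch] for ch in password]


if __name__ == "__main__":
    server = CarpServer()
    server.register("alice", "SECRET7")
    clicks = click_cells(server.new_challenge("alice"), "SECRET7")
    print("human answering the current image:", server.login("alice", clicks))
    server.new_challenge("alice")   # the next attempt gets a new image
    print("same clicks replayed on the new image:", server.login("alice", clicks))
```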

