Undergraduate Software Engineering Experience Developing an Authentication System

Transcription

1 96 Int'l Conf. Security and Management SAM'17 Undergraduate Software Engineering Experience Developing an Authentication System Suhair Amer and Wenxing Qiu Department of Computer Science, Southeast Missouri State University, One University plaza, Cape Girardeau, MO, USA Abstract- This paper describes the development of a Three Level Password Authentication System by an undergraduate student taking a software engineering four hundred level course at our institution. The password difficulty increases with each level. Users should be able to set their passwords in registration phase. Users can login to the system by entering correct passwords within a time limit. If a user forgot the password, the forget password feature allows the user to reset the password with verification. Keywords: authentication system, Windows forms application 1 Introduction This authentication system validates user input before accessing the system with a three level password logins, in which the password difficulty increases with each level. Users should be able to set their passwords in the registration phase. Users can login to the system by entering correct passwords. The first step is registering new users. The registration system requests user s information and records data into a database. Then, text based authentication is used as level 1 security and which asks the user for his/her username and password. In level 2 we use a 4-digit PIN to verify the user. Colored pattern authentication is set up as the level 3 security. Other authentication methods can be divided into three categories, which are token based authentication, biometric based authentication and knowledge based authentication [1]. Token based authentication uses tokens such as bank cards and smart cards [2]. A user without a token is unable to login. Biometric based authentication applies biometric verification techniques such as fingerprints, face recognition, hand geometry, voice recognition and other physiological or behavioral methods [3]. The knowledge based authentication can be classified as recall based technique (textual passwords and one time passwords) and recognition based technique (graphical passwords like image ordering and color pixels) [4]. Knowledge based authentication can be classified as text-based and picture-based passwords [5]. Text-based password includes both static password and dynamic password [6]. Authentication methods are vulnerable against dictionary attack, brute force attack, eaves dropping, and guessing [7]. Dictionary attack is used for finding keys and decrypt cipher-text by systematically entering every word in a dictionary. Brute force attack is a trial-anderror method and uses automated software to generate numerous consecutive guesses. Shoulder surfing is direct observation over someone s shoulder to obtain secure information. Eaves dropping steals private communication message by unauthorized real-time interception. Guessing is simply guessing secure information, but it is hard for attacking a secret password. For all authentication methods, the first step should be registering new users [8]. The registration system needs to acquire users information then record the collected data into its database. Text based authentication is going to be used as level 1 security and which asks users for their username and password. This identification ensures that username and password are entered in a correct pair. However, textual password suffers from guessing, shoulder surfing, dictionary and brute-force attacks [7]. Therefore, image based authentication is set up as level 2 security. It works as an alternative click based graphical password scheme [9] in which users are asked to select three click points on an image uploaded by users. The system will save where the user click points are in the first setup time, and will then determine whether the click points match for later logins. An alternative way for image password is to select several images at the time of registration. These images are cropped and randomly arranged by the system. At login time, users have to arrange the cropped parts in correct order in order to successfully login. If users forget the password then the system would pick another image from the registered images [10]. This authentication may

2 Int'l Conf. Security and Management SAM'17 97 suffer from the attacks such as guessing, dictionary attack, and brute-force attack [7]. Level 3 security uses a one time password authentication that is applied by generating a onetime random code. The system will generate passwords randomly each time and send it to the user s account so that the user has access to login. This method is hard to attack unless the hacker has access to the user s account [9]. The project is an authentication system that validates user for accessing the system only when they have inputted correct passwords. The project involves three levels of user authentication (it contains three logins). The password difficulty increases with each level. Users must input correct password for successful login within a time limit. Users would be given privilege to set passwords according to their wish. 2 Analysis In the Three Level Password Authentication System, new users are able to register and returning users should be requested to enter their usernames and passwords to login to the system. If the user forgot the password, the forget password feature allows the user to reset the password with verification. There are three boundary use cases: SubmitRegistrationForm which is filled by the user and presented to DatabaseAdminister on the Database, ProblemReport that describes problems reported by users or DatabaseAdminister, and ExitClick which occurs when a user clicks the Exit button to terminate the login system. The functional requirements are: New users should be able to register Returning users should be required to enter their username and password to login to the system Up to three attempts are allowed If the user forgets the password, the forget password feature should allow the user to reset the password with verification. The nonfunctional requirements are summarized in Table 1. Table1: Nonfunctional requirements Usability Login interface familiar to the user Login promote Reliability Reliable from attack User s information Login error Safety requirements Security requirements Performance Responsibility of the system Login waiting time Data stored Supportability The person who maintains the system Port the system to different software or hardware environments Interface Use s information stored into the system in registration Standards supported by the system Packaging Install the system Constraints on the installation Legal License of the system and licensing fees Then several scenarios have been developed. One example (Table 2) is related to exceeding time limit before entering the password. Table 2: Exceeding time limit Scenario name exceedtimelimit Participating Ann: user actor instances Flow of events 1. Ann input incorrect password for three times 2. System block for input 3. User verification needed 3 Design As the purpose of the system is to validate users access to a system with three level password logins, in which difficulty of passwords increase with each level, the design goals of the Three Level Password Authentication System are that: new users should be able to register, returning users should be requested to input usernames and passwords in order to access the system, limited number of attempts are allowed. Table 3 describes the entity and objects participating in the SystemDatabase use case identified from noun phrases in the use case. Table 4 describes an example of a boundary object table. Table 5 describes an example of a control object table.

3 98 Int'l Conf. Security and Management SAM'17 Table 3: Entity objects Entity Attributes & Object Associations User username password personal information Database Database Administ er Problem Report address name DOB password, security questions employee numbers description response status (acknowledged, not acknowledged, accepted, rejected, and pending) Definition A user can login and logout the system and register his or her information onto the database. Database is used to keep track of the users information. DatabaseAdmi nisters are people who maintain the database Situation requiring attention from a DatabaseAdmi nister. An ProblemReport may be reported in the system by a DatabaseAdmi nister or a user. Table 4: Boundary objects for the SystemDatabase user case. Boundary Definition Object UsersInterfa Interface for the user to input ce username and password Registration Form used for registration. This Form form is filled by the user and presented to DatabaseAdminister ProblemRep ortform FormSubmis sionbutton Table 5: Control objects table Registration Control on the Database Form used for acknowledging DatabaseAdminister that some problems on the database are aroused by either user or DatabaseAdminister Button used by a user to submit RegistrationForm Manage the registration submission function on the database. This Problem Report Control object is created when the user filled out the information and selects the FormSubmissionButton. It the created submit the form and present it to the DatabaseAdminister. Manage the problem reporting function on the database. This object is created when an ProblemReport is received. It then creates a ProblemReport and display it to the DatabaseAdminister. As explained in the sequence diagram (figure 1), for each password level, the user will enter the password and submit (clicking or pressing a button), which will create a control to handle registering or saving this password to the database. Figure 2, shows the class diagram associated with the different classes used to complete the registration process. Figure 1: Sequence (interaction) diagrams for registration (creating a password set). Figure 2: Class diagram with: identified inheritance, identified associations, identified aggregates, identified attributes of individual classes. The database is the active mode as long as it is being accessed to either save a password or retrieve a password to compare it with currently entered password

4 Int'l Conf. Security and Management SAM'17 99 (Figure 3). It will become inactive once the user logs out of the system. to the requirement of concurrent accesses among different users. Identifying Boundary conditions. For example, with LoginClick, The user clicks on login button to request access to the system. Identifying subsystem services. Figure 3: State machine diagrams of System Database As part of object design phase, subsystem decomposition was performed (figure 4). Three subdatabases are used to store the diverse types of passwords. Three verification subsystems are responsible for each type of password. Figure 4: Subsystem decomposition As part of and required in the software engineering course and by following a software process, the student performed the following: Hardware/ software mapping Identifying persistent objects: In this authentication system, users information and queries history must be stored. Selecting a storage strategy:relational database is used for storage, because complex queries and large data set are involved in the authentication system. Identifying Access controls and security Identifying Global software controls: Threads are used as a global software control in this system, due Different patterns were examined. The Bridge design, Strategy design and Composite design would not work. However, the following can be used: Adapter design pattern would work with the Three Level Password Authentication System. It is a design pattern that converts the interface of a component into an interface that the client expects. So, it allows the interface of an existing class to be used as another interface so that they can work corporately. The Three Level Password Authentication System uses adapter design pattern to cooperate three levels of database and three levels of verification process. Abstract Factory design pattern would work with the Three Level Password Authentication System. This pattern encapsulates the creation of families or related objects and so that it shields the client from the creation process and prevents the use of objects from different families. In the Three Level Password Authentication System, users don t need to know the implementation detail. They only need to know how to use the login interface. Command design pattern would work with the Three Level Password Authentication System. It is a design pattern that decouples the objects responsible for command processing from the commands themselves. This pattern protects these objects from changes due to new functionality. This pattern is useful in the Three Level Password Authentication System because we don t want to change the existing system by adding new functionality like forgot password feature. 4 Implementation, testing and results This Three level Password Authentication system was built as a C# Windows forms application in Visual Studio Textboxes are used for users to enter information to request access to the system. Colored patterns are implemented by using button_click function. In other words, users should be able to log into the system by clicking the corresponding button that they had registered. Otherwise a wrong password message would be displayed. Data is stored in an external text file

5 100 Int'l Conf. Security and Management SAM'17 using output file stream and it is retrieved by using input file stream. Class interfaces were identified and written in the following format: class) User class (linked to FormSubmissionButton username: String password String - void setuername(string s); - void setpassword(string s); - String getusername(); - String getpaasword(); The system uses optimizing access paths and collapsing objects into attributes optimizations to simplify the Object Design Model. In optimizing access paths, frequent operations should not require many traversals. In this case, verification is the most frequently invoked operation, which should have a direct connection between the querying object and the queried object. Thus, each verification process is directly connected to the corresponding database. Then objects classes were collapsed into attributes, thus reducing the overall complexity of the model. In the three-level password authentication system, FormSubmissionButton and RegistrationControl can be collapsed into attributes of RegistrationForm class. For mapping Associations to Collections, the authentication system uses unidirectional one-to-one associations. Each user is associated with exactly one userinfo object in the Database class. In verification process, the verification calls the operations of the Database class, comparing the input with the corresponding userinfo. Figure 5 is an example mapping Contracts to Exceptions. Figure 5: mapping Contracts to Exceptions When a user is trying to register but his or her information has already existed on file, reguser throws ExistUserException. RegistrationForm catches exceptions raised by Registration and RegistrationControl and logs them into an error console that is displayed to the user. Then Object Models was mapped to Persistent Storage Schema similar to tables 6 and 7. Table 6: User table usernam e firstnam e A alice ali123@mail.co m DOB 1/1/199 0 Table 7: Login table (foreign key) username Password1 Password2 Password3 A a1 qwe g5 The password verification component was developed. Figure 6, show the start and registration page where the user will enter a user name, text password (corresponding to level 1 security), pin (corresponding to level 2 security) and selects a pattern number (corresponding to level 3 security). This is done once. Figures 7, 8, 9, 10, and 11 show the process of or the steps of entering the three passwords. First the user will be asked to enter the level 1 password, which is in text format and then clicks next. The user is then asked to enter the pin, which corresponds to the second level of security. If the user enters the wrong pin an error message will be displayed. The user can re-enter any password up to three times. If successful, the use will enter the third level security password which choosing a pattern. Once the user have entered/selected all three passwords correctly, a welcome message will be displayed and the user will have access to the system.

6 Int'l Conf. Security and Management SAM' Figure 9: Level 2 Login page with (Correct PIN) Figure 6:Start and Registration page Figure 10: Level 3 Login page with (wrong choice) Figure 7: Level 1 Login page Figure 11: Login Succeeded page Figure 8: Level 2 Login page with (Wrong PIN) Testing involved the following: 1. component inspection which finds faults in an individual component through the manual inspection of its source code. The procedure is that the author of the component presents the purpose and scope of the component and the goals of the inspection. For example, the author of the RegistrationForm class described its purpose for new users which is to enter data into the database, and its goal of the inspection which is to make sure that the information entered by users in the RegistrationForm would be successfully stored in the system database. The reviewers then raise issues if they think there is a fault. 2. Usability testing finds differences between what the system does and the users expectation of what it should do. It tests the user s understanding of the system. Developer first formulated a test objective that they hope to learn in the test, such as the geometrical layout of the login interface. The test objective is then evaluated in a series of experiments to check whether it is easy to use as expected. Developers collect data in the experiments to identify specific problem with the system.

7 102 Int'l Conf. Security and Management SAM'17 3. Unit testing finds faults by isolating an individual component using test stubs and drivers and by exercising the component using test cases. It focuses on the building blocks of the software system. For example, unit testing checks the boundary user case that whether the RegistrationForm was successfully submitted to the system database by users once they click on the submit button. 4. Integration testing finds faults by integrating several components together. It detects faults that have not been detected during unit testing by focusing on small groups of components. For example, level 1 verification, level 2 verification, and level 3 verification are integrated and tested. 5. System testing focuses on the complete system, its functional and nonfunctional requirements, and its target environment. During system testing, several activities are performed, such as functional testing, performance testing, pilot testing, acceptance testing, and installation testing. Function testing as a part of system testing in the Three Level Password Authentication System, for instance, finds differences between the functional requirement (new users should be able to register, returning users should be required to enter their username and password to login to the system, up to three attempts are allowed, and forget password feature) and the system. 5 Conclusion The authentication system validates users access to the system with three level password logins. Users should be able to set their passwords at registration phase. Users can login to the system by entering correct passwords within a time limit. If a user forgot the password, the forget password feature enables the user to reset password with verification. The system has a secure database, user-friendly interface, and reasonable registration process. The student successfully completed the required activities including analysis, design, object design, implementation and testing. --Level-Password-Authentication.pdf [3] Akazue, M., & Efozia, N. F. (2010). A Review of Biometric Technique for Secring Corporate Stored Data. [4] Varghese, L., Mathew, N., Saju, S., & Prasad, V. K. (2014). 3-Level Password Authentication System. Retrieved from 414_23.pdf [5] Aman, G., & Winnie, N. (2012). 4-D Password: Strengthening the Authentication Sceneǁ. International Journal of Scientific & Engineering Research, 3(10), 1. [6] Lee, J. D., Jeong, Y. S., & Park, J. H. (2014). A rhythm-based authentication scheme for smart media devices. The Scientific World Journal, [7] Deshpande, A., Singh, S., Kharga, A., & Ragha, L. (n.d.). Session Passwords Using Three Level Authentication System. Retrieved from [8] Vemuri, V. K., & Prasad, S. V. (2014). A Secure authentication System by Using Three Level security. Retrieved from 8b89e.A%20Secure%20Authentication%20System%20 by%20using%20three%20level%20security.pdf [9] Manjunath, M., Ahamed, K. I., & Suchithra. (2013). Security Implementation of 3-Level Security System Using Image Based Authentication. Retrieved from [10] Jansen, W. (2004). U.S. Patent Application No. 10/886, References [1] Suo, X., Zhu, Y., & Owen, G.S. (2005). Graphical Passwords: A Survey. Retrieved from [2] Sophia, M. E. (2015). Three Level Password Authentication. European Journal of Computer Science and Information Technology, 3(5), 1-7. Retrieved from