
Sinopsis Ganavi

The proposed system uses a technique called Encrypted Negative Password (ENP) to securely store passwords, which hashes the password, converts it to a negative password based on a Negative Database, and then encrypts the negative password using a symmetric encryption algorithm like AES. By combining cryptographic hashing, negative passwords, and symmetric encryption without needing additional elements like salt, the ENP aims to strengthen password protection and resistance to precomputation and dictionary attacks compared to existing approaches.


ABSTRACT

Secure password storage is a vital aspect in systems based on password authentication, which is still the
most widely used authentication technique despite some security flaws. In this paper, we propose a
password authentication framework that is designed for secure password storage and could be easily
integrated into existing authentication systems. In our framework, first, the received plain password
from a client is hashed through a cryptographic hash function (e.g., SHA-256). Then, the hashed
password is converted into a negative password. Finally, the negative password is encrypted into an
Encrypted Negative Password (abbreviated as ENP) using a symmetric-key algorithm (e.g., AES), and
multi-iteration encryption could be employed to further improve security. The cryptographic hash
function and symmetric encryption make it difficult to crack passwords from ENPs. Moreover, there
are lots of corresponding ENPs for a given plain password, which makes precomputation attacks (e.g.,
lookup table attack and rainbow table attack) infeasible. The algorithm complexity analyses and
comparisons show that the ENP could resist lookup table attack and provide stronger password
protection under dictionary attack. It is worth mentioning that the ENP does not introduce extra elements
(e.g., salt); besides this, the ENP could still resist precomputation attacks. Most importantly, the ENP is
the first password protection scheme that combines the cryptographic hash function, the negative
password and the symmetric-key algorithm, without the need for additional information except the plain
password.

CONTENTS

1. INTRODUCTION
2. LITERATURE SURVEY
3. EXISTING SYSTEM
4. PROPOSED SYSTEM
5. SYSTEM ARCHITECTURE
6. SOFTWARE REQUIREMENTS SPECIFICATION
7. CONCLUSION
8. REFERENCES

LITERATURE SURVEY

Ciphertext-Policy Attribute-Based Encryption: In several distributed systems, a user should only be able
to access data if the user possesses a certain set of credentials or attributes. Currently, the only method for
enforcing such policies is to employ a trusted server to store the data and mediate access control.
However, if any server storing the data is compromised, then the confidentiality of the data will be
compromised. In this paper we present a system for realizing complex access control on encrypted data
that we call Ciphertext-Policy Attribute-Based Encryption. By using our techniques, encrypted data can
be kept confidential even if the storage server is untrusted; moreover, our methods are secure against
collusion attacks. Previous Attribute-Based Encryption systems used attributes to describe the encrypted
data and built policies into users' keys, while in our system attributes are used to describe a user's
credentials, and a party encrypting data determines a policy for who can decrypt.

INTRODUCTION
Owing to the development of the Internet, a vast number of online services have emerged, in which
password authentication is the most widely used authentication technique, for it is available at a low
cost and easy to deploy. Hence, password security always attracts great interest from academia and
industry. Despite great research achievements on password security, passwords are still cracked because
of users' careless behaviors. For instance, many users often select weak passwords, they tend to reuse the
same passwords in different systems, and they usually set their passwords using familiar vocabulary
because it is convenient to remember. It is very difficult to obtain passwords from high security systems. On the
one hand, stealing authentication data tables (containing usernames and passwords) in high security
systems is difficult. On the other hand, when carrying out an online guessing attack, there is usually a
limit to the number of login attempts. However, passwords may be leaked from weak systems.
Vulnerabilities are constantly being discovered, and not all systems can be patched in time to resist
attacks, which gives adversaries an opportunity to illegally access weak systems.

We propose an Encrypted Negative Password method based on the Negative Database (NDB generation),
which further improves the security of passwords. The users can use this application without any fear of
security flaws. The existing system uses the simplest mechanism of all the techniques:
the plain password is just encrypted and stored in the database. The other main mechanism
used to date is the hashing mechanism, wherein the plain password is hashed using hashing algorithms
such as the Secure Hash Algorithm or the Message Digest Algorithm. Compared to the previous
mechanism, it provides more security, and it does not provide the actual password but the hashed
value of the password.

EXISTING SYSTEM

In the past, a scheme based on MD5 was proposed. It is a variant of salted password, where the salt is two
random strings. Although it could resist lookup table attack and make dictionary attack difficult, it
introduces many parameters, which makes it complicated and inconvenient to use. Dynamic salt
generation and placement have also been used to improve password security. Essentially, this scheme is also a
variant of salted password, where the salt is a random string that is dependent on the original password.
Consequently, it could resist lookup table attack; however, it could not defend against dictionary attack
and also introduces an extra element (i.e., salt). M. Najjar et al. proposed an improved dynamic Key-Hashed Message
Authentication Code function (abbreviated as d-HMAC) for password storage. It is also
a variant of salted password, where the salt is the user's public key, and it introduces a secret key, which
makes it inconvenient to use.

DISADVANTAGES OF EXISTING SYSTEM

• It is complicated and inconvenient to use.

• Secure password storage is a vital aspect in systems based on password authentication, which is
still the most widely used authentication technique despite some security flaws.

• The reversal difficulty needs to be further improved.

• It could not defend against dictionary attack and also introduces an extra element.

• Hashed Password: The simplest scheme to store passwords is to directly store plain passwords.
However, this scheme presents a problem that once adversaries obtain the authentication data
table, all passwords are immediately compromised.

• Key Stretching: To resist dictionary attack, key stretching [38], which converts weak passwords
to enhanced passwords, was proposed. Key stretching could increase the time cost required.

PROPOSED SYSTEM

In this paper, a password protection scheme called Encrypted Negative Password (abbreviated as ENP)
is proposed, which is based on the Negative Database (abbreviated as NDB), cryptographic hash
function and symmetric encryption, and a password authentication framework based on the ENP is
presented. The NDB is a new security technique that is inspired by biological immune systems and has
a wide range of applications. Symmetric encryption is usually deemed inappropriate for password
protection because the secret key is usually shared by all encrypted passwords and stored together with
the authentication data table; once the authentication data table is stolen, the shared key may be stolen
at the same time, and these passwords are immediately compromised. However, in the ENP, the secret
key is the hash value of the password of each user, so it is almost always different and does not need to
be specially generated and stored. Consequently, the ENP enables symmetric encryption to be used for
password protection. As an implementation of key stretching, multi-iteration encryption is introduced
to further improve the strength of ENPs. Compared with the salted password scheme and key stretching,
the ENP guarantees the diversity of passwords by itself without introducing extra elements (e.g., salt).
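
The hash-to-negative-password step and its verification, as an added example that is not code from the original document or from the ENP authors. It assumes a simple prefix-style NDB construction over a random position order (the page does not specify the NDB generation algorithm), all function names are hypothetical, and the AES step that the scheme applies afterwards with the hash as key is not shown.

```python
import hashlib
import hmac
import secrets

def hash_bits(password):
    """SHA-256 of the password as a 256-character bit string."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "".join(f"{byte:08b}" for byte in digest)

def flip(bit):
    return "1" if bit == "0" else "0"

def to_negative_password(bits):
    """Assumed prefix-style NDB: entries over {0,1,*} that together
    match every len(bits)-bit string except `bits` itself."""
    rng = secrets.SystemRandom()
    order = list(range(len(bits)))
    rng.shuffle(order)                # fresh position order on every call
    ndb = []
    for i, pos in enumerate(order):
        entry = ["*"] * len(bits)
        for p in order[:i]:           # positions already pinned to the hash
            entry[p] = bits[p]
        entry[pos] = flip(bits[pos])  # this entry excludes the hash here
        ndb.append("".join(entry))
    rng.shuffle(ndb)                  # store entries in no particular order
    return ndb

def matches(entry, candidate):
    """True if the candidate agrees with every specified position."""
    return all(e in ("*", c) for e, c in zip(entry, candidate))

def recover_hash(ndb):
    """Return the single bit string that no entry matches."""
    m = len(ndb[0])
    if len(ndb) != m:
        raise ValueError("not a prefix-style NDB")
    known = {}
    for entry in sorted(ndb, key=lambda e: m - e.count("*")):
        new = [p for p, c in enumerate(entry) if c != "*" and p not in known]
        if len(new) != 1:
            raise ValueError("not a prefix-style NDB")
        known[new[0]] = flip(entry[new[0]])
    return "".join(known[p] for p in range(m))

def verify(password, ndb):
    """Accept only if the stored NDB hides exactly this password's hash."""
    return hmac.compare_digest(recover_hash(ndb), hash_bits(password))
```

Two conversions of the same hash give different entry sets, which is the property the scheme relies on for having many ENPs per password. `recover_hash` also shows that this negative password by itself gives the hash back directly, so the encryption step is what protects the stored value.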

ADVANTAGES OF PROPOSED SYSTEM

• We analyze and compare the attack complexity of hashed password, salted password, key
stretching and the ENP.

• The results show that the ENP could resist lookup table attack without the need for extra
elements and provide stronger password protection under dictionary attack.

• The ENP guarantees the diversity of

• We propose a password protection scheme called ENP, and we propose two implementations
of the ENP, ENPI and ENPII, including their generation algorithms and verification algorithms.
Furthermore, a password authentication framework based on the ENP is presented.

SYSTEM ARCHITECTURE

Systems design is the process of defining the architecture, components, modules, interfaces, and data
for a system to satisfy specified requirements. Systems design could be seen as the application of systems
theory to product development. There is some overlap with the disciplines of systems analysis, systems
architecture and systems engineering.

The figure below shows a general block diagram describing the activities performed by this project.

Fig. 1.1 Authentication by Negative Password

SOFTWARE REQUIREMENTS SPECIFICATION
The following are the hardware and software requirements that were used to implement the proposed
system.

Hardware Requirements

1) Operating System: Windows only

2) Processor: i5 and above

3) RAM: 4 GB and above

4) Hard Disk: 50 GB

Software Requirements

1) Visual Studio Community Version

2) Node.js (Version 12.3.1)

3) Python IDLE (Python 3.7)

CONCLUSION

In this paper, we proposed a password protection scheme called ENP, and presented a password
authentication framework based on the ENP. In our framework, the entries in the authentication data
table are ENPs. In the end, we analyzed and compared the attack complexity of hashed password, salted
password, key stretching and the ENP. The results show that the ENP could resist lookup table attack
and provide stronger password protection under dictionary attack. It is worth mentioning that the ENP
does not need extra elements (e.g., salt) while resisting lookup table attack.

We develop achievability protocols and outer bounds for the secure network coding setting, where the
edges are subject to packet erasures, and public feedback of the channel state is available to both Eve
and the legitimate network nodes. Secure network coding assumes that the underlying network channels
are error-free; thus, if our channels introduce errors, we need to first apply a channel code to correct
them, and then build security on top of the resulting error-free network.

In the future, other NDB generation algorithms will be studied and introduced to the ENP to further
improve password security. Furthermore, other techniques, such as multi-factor authentication and
challenge-response authentication.
