Chapter 1
Introduction
It would be very useful if we could find an innovative way of accessing cloud services, one which
neither involves memorizing dozens of alphanumeric combinations nor adds layers of complexity for
users. The security of password-based authentication methods is mainly determined by the
difficulty of guessing a user's password. Unfortunately, passwords usually have low randomness
and are easier to guess than users think. To further enhance the security of password-based web
applications, a promising solution is to deploy a technology called two-factor or multifactor
authentication, in which a user is required to provide additional authentication information besides
a password. The second piece of information is typically generated by a physical token such as an
RSA SecurID or by a software application such as Google Authenticator. If different service providers
set up their own two-factor authentication services, users may have to go through painful
registration and login processes repeatedly. A naive way to reduce users' burden of holding multiple
passwords for different cloud services is to store users' credentials in a single device or service, and
use certain key derivation functions to generate temporary passwords for sequential logins.
Chapter 1, section 1.1
The other approach is to employ an Internet-scale identity system that defines standardized
mechanisms enabling the identity attributes of its users to be shared between web applications and
cloud services. A number of technologies and standards such as OpenID and OAuth have emerged to
deliver an Internet-scale identity system during the past few years. The basic idea of those identity
systems is to authenticate users with the aid of trusted Identity Providers (IDPs). Recently,
Bonneau et al. presented a comprehensive evaluation of two decades of proposals to replace text
passwords for general-purpose user authentication on the Internet. Their evaluation results have
demonstrated the difficulty of replacing passwords and highlighted the research challenges in
designing a password-less login scheme. In this contribution, we propose this system, an innovative
security framework for password-less universal login. Its salient feature, used after an initial
registration process, comes from the adoption of push message services for mobile devices and
public-key cryptography. Unlike most existing login solutions, the servers in the system are not able
to generate users' credentials. As a potential application of the system security framework, we have
applied it to build a password-less mobile payment solution for tackling the recent MintChip
Challenge.
Password-less Authentication Using QR Code is an idea for logging in to an account without the use of
a password. That is, a user can log in to his/her online account without a password, as his/her
smartphone replaces the password. To log in, a user simply has to scan, with his/her smartphone, a QR
code generated by the site after entering his/her User-Id. A QR code generated for a user will not
work if it is scanned by another smartphone.
With the arrival of cloud services and web applications, users frequently access many services in
their daily lives. Nowadays, we are likely to have more than ten accounts for computers, email
accounts, websites, social networks, and various other cloud services, all with different passwords
and security policies. Memorizing all these passwords is both arduous and annoying, so people often
end up using simple passwords, or constantly forgetting less frequently used ones.
1.3 Android
Android is a mobile operating system developed by Google, based on the Linux kernel and
designed primarily for touch-screen mobile devices such as smart-phones and tablets.
Android's user interface is mainly based on direct manipulation, using touch gestures that loosely
correspond to real-world actions, such as swiping, tapping and pinching, to manipulate on-screen
objects, along with a virtual keyboard for text input. In addition to touch-screen devices, Google
has further developed Android TV for televisions, Android Auto for cars and Android Wear for
wrist watches, each with a specialized user interface. Variants of Android are also used on game
consoles, digital cameras, PCs and other electronics. Initially developed by Android Inc., which
Google bought in 2005, Android was unveiled in 2007, along with the founding of the Open
Handset Alliance – a consortium of hardware, software, and telecommunication companies
devoted to advancing open standards for mobile devices. Android is popular with technology
companies that require a ready-made, low-cost and customizable operating system for high-tech
devices.
Beginning with the first commercial Android device in September 2008, the operating system has
gone through multiple major releases, with the current version being 8.0 "Oreo", released in August
1.4 QR Code
QR code (abbreviated from Quick Response Code) is the trademark for a type of matrix
barcode (or two-dimensional barcode) first designed for the automotive industry in Japan. A
barcode is a machine-readable optical label that contains information about the item to which it is
attached. A QR code uses four standardized encoding modes (numeric, alphanumeric, byte/binary,
and kanji) to efficiently store data; extensions may also be used.
A password is a word or string of characters used for user authentication, to prove identity
or access approval in order to gain access to a resource (for example, an access code is a type of
password), and which is to be kept secret from those not allowed access. In modern times, user names
and passwords are commonly used during a login process that controls access to protected
computer operating systems, mobile phones, cable-TV decoders, etc.
A typical computer user has passwords for many purposes: logging into accounts, retrieving e-mail,
accessing applications, databases, networks and web sites, and even reading the morning
newspaper online. Passwords are used on websites to authenticate users and are usually maintained
on the Web server, meaning the browser on a remote system sends a password to the server (by
HTTP POST), the server checks the password and sends back the relevant content (or an access
denied message). This process eliminates the possibility of local reverse engineering, as the code
used to check the password does not reside on the local machine.
Transmission of the password in plaintext, via the browser, means it can be intercepted along its
journey to the server. Many web authentication systems use SSL to establish an encrypted session
between the browser and the server, which is usually the underlying meaning of claims to have a
"secure Web site". This is done automatically by the browser and increases the integrity of the
session, assuming neither end has been compromised and that the SSL/TLS implementations used
are high-quality ones.
Passwordless authentication is a type of authentication in which users do not need to log in with
passwords. This form of authentication makes passwords entirely obsolete. With this form of
authentication, users are instead presented with options such as logging in via a magic link, a
fingerprint, or a token that is delivered via email or text message.
1.6.1 Benefits:
Improve User Experience: The faster users can sign up and use your service, the more users
your app tends to attract. Users dread having to fill out forms and go through a rigorous
registration process. Imagine eliminating that extra five minutes of asking users to remember
their grandmother's maiden name as a security question. Passwordless authentication helps
improve user experience in this regard.
Increase Security: Once you go Passwordless, there are no passwords to be hacked.
Can replace Smart Card: A separate scanner is required to read a smart card, and a smart card has
less storage compared to a QR code.
Can replace Swipe Card: A swipe card can be cloned, but a QR code cannot be cloned. A swipe card
has no memory compared to a QR code.
Secure way of transaction: The QR code is scanned through a camera-equipped hardware device;
therefore our system provides a more secure transaction.
Cash Card: Transfers can also be done using a Cash Card, which is comparable to a Demand Draft
or Cheque. The system will generate a Cash Card with a QR code providing secure authentication.
It can also be used in a shopping mall to scan products and add them to a cart.
It can be used as a payroll system in industry.
Chapter 2
Literature Review
Android applications are written in the Java programming language. The Android SDK tools
compile the code along with any data and resource files into an Android package, an archive file
with an .apk suffix. All the code in a single .apk file is considered to be one application, and this is
the file that Android-powered devices use to install the application. Once installed on a device, each
Android application lives in its own security sandbox [1]. The Android operating system is a multi-
user Linux system in which each application is a different user. By default, the system assigns each
application a unique Linux user ID (the ID is used only by the system and is unknown to the
application). The system sets permissions for all the files in an application so that only the user ID
assigned to that application can access them. Each process has its own virtual machine (VM), so
an application's code runs in isolation from other applications.
Passwords are a commonly-used method of authentication. A unique sequence of characters is
presented to the system when identification is needed [2]. This sequence is then compared with a
stored sequence, perhaps after some transformation (e.g., encryption). A match provides the proof
Chapter 3
System Analysis
The typical sequence for registering and logging on to a web site forum normally follows these
steps.
1. The user chooses to register on the web site.
2. A registration form captures a minimum of the following:
• A user name.
• The desired password.
• The contact email address.
The proposed system as an end user sees it consists of the following steps:
1. The user chooses to register on the web site.
2. A registration form captures a minimum of the following:
• A user name.
• The contact email address.
3. A QR code is generated from the user name.
Encryption
Encryption is the process of encoding a message or information in such a way that only
authorized parties can access it and those who are not authorized cannot. Encryption does not itself
prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption
scheme, the intended information or message, referred to as plaintext, is encrypted using an
encryption algorithm (a cipher), generating ciphertext that can be read only if decrypted.
Decryption
Decryption is the process of transforming data that has been rendered unreadable through
encryption back to its unencrypted form. In decryption, the system extracts and converts the garbled
data and transforms it to texts and images that are easily understandable not only by the reader but
also by the system. Decryption may be accomplished manually or automatically. It may also be
performed with a set of keys or passwords.
AES
The Advanced Encryption Standard (AES for short), also known as Rijndael, is a 128-bit block
encryption technique standardized by the US National Institute of Standards and Technology (NIST)
in 2001. AES is a subset of the Rijndael cipher, which was proposed and developed by Vincent Rijmen
and Joan Daemen. It replaced the Data Encryption Standard (DES for short) and, unlike its predecessor
DES, does not use a Feistel network. It supports cipher keys of three different sizes, 128, 192 and
256 bits, but it divides the data to be encrypted into 128-bit blocks. It is a symmetric-key algorithm.
Sub-Bytes
In the Sub-Bytes step, each byte in the state matrix is replaced with a substitute byte using an 8-
bit substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher.
The S-box used is derived from the multiplicative inverse over GF(2^8), known to have good non-
linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed
by combining the inverse function with an invertible affine transformation. The S-box is also
chosen to avoid any fixed points (and so is a derangement), and also any opposite fixed points.
When performing the decryption, the InvSub-Bytes step (the inverse of Sub-Bytes) is used, which
requires first taking the inverse of the affine transformation and then finding the multiplicative
inverse.
ShiftRows
The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a
certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one
position to the left. Similarly, the third and fourth rows are shifted by offsets of two and three
respectively. For block sizes of 128 bits and 192 bits, the shifting pattern is the same: row n is
shifted circularly left by n-1 bytes. In this way, each column of the output state of the ShiftRows
step is composed of bytes from each column of the input state. (Rijndael variants with a larger block
size have slightly different offsets.) For a 256-bit block, the first row is unchanged and the shifting
for the second, third and fourth rows is 1 byte, 3 bytes and 4 bytes respectively—this change only
MixColumns
In the MixColumns step, the four bytes of each column of the state are combined using an
invertible linear transformation. The MixColumns function takes four bytes as input and outputs four
bytes, where each input byte affects all four output bytes. Together
with ShiftRows, MixColumns provides diffusion in the cipher. During this operation, each column is
transformed using a fixed matrix (matrix left-multiplied by column gives new value of column in
the state).
Add Round Key
In the Add Round Key step, the subkey is combined with the state. For each round, a subkey is
derived from the main key using Rijndael's key schedule; each subkey is the same size as the state.
The subkey is added by combining each byte of the state with the corresponding byte of the subkey
using bitwise XOR.
The final round is the last round in AES. It is just like a normal round, except that the Mix Columns
step is not performed. The steps performed in the final round are as follows:
1. Sub-Bytes
2. Shift Rows
3. Add Round Key.
Hardware Requirement
XAMPP
Internet Browser
OS: Windows XP, 7, 8 or 10
Minimum Android version 4.0
Android Studio
Android SDK version 22
Chapter 4
System Design
A data flow diagram (DFD) is a graphical representation of the "flow" of data through an
information system, modeling its process aspects. A DFD is often used as a preliminary step to
create an overview of the system without going into great detail, which can later be elaborated. A
DFD shows what kind of information will be input to and output from the system, how the data
will advance through the system, and where the data will be stored. Data flow diagrams are one of
the three essential perspectives of the structured systems analysis and design method (SSADM). The
sponsor of a project and the end users will need to be briefed and consulted throughout all stages
of a system's evolution. With a data flow diagram, users are able to visualize how the system will
operate, what the system will accomplish, and how the system will be implemented. The old
system's data flow diagrams can be drawn up and compared with the new system's data flow
diagrams in order to implement a more efficient system.
DFD Level 1
A sequence diagram is an interaction diagram that shows how objects operate with one another and
in what order. It is a construct of a message sequence chart. A sequence diagram shows object
interactions arranged in time sequence. It depicts the objects and classes involved in the scenario
and the sequence of messages exchanged between the objects needed to carry out the functionality
of the scenario.
The figures show some important use-case system sequence diagrams. In each diagram, we provide
two methods to help the user control the system: a black arrow means the user completes the
process by button, and a blue arrow means the user completes the process by voice control.
Sequence diagram messages: 2: validation; 3: Generate QR code; 4: scan QR code; 5: send U_ID;
6: set password; 7: login; 8: check details; 9: scan QR code.
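The registration and login steps described in Chapters 3 and 4 (a user name and e-mail at registration, a QR code generated for the entered user id, the phone scanning it and sending U_ID, the server checking the details), as an added example that is not the project's own code: a Python model of both the website and the smartphone app. It assumes a per-device secret key established at registration, a random single-use challenge with an expiry inside the QR payload, and an HMAC-SHA256 response from the phone; these names and design choices are ours, not the report's, and the scenario data is constructed.

```python
import hashlib, hmac, json, secrets, time

CHALLENGE_TTL = 60  # seconds a generated QR code stays valid (assumed value)

def response_tag(device_key, user_id, nonce):
    """The phone's answer: HMAC-SHA256 over the user id and the QR challenge."""
    return hmac.new(device_key, f"{user_id}|{nonce}".encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self):
        self.users = {}    # user_id -> (email, key of the phone registered for this user)
        self.pending = {}  # nonce -> (user_id, expiry time); removed when consumed

    def register(self, user_id, email, device_key):
        """Registration form captures only a user name and an e-mail address."""
        self.users[user_id] = (email, device_key)

    def make_qr_payload(self, user_id, now=None):
        """Step 3: generate the QR code content for the entered user id."""
        if user_id not in self.users:
            raise KeyError("unknown user")
        nonce = secrets.token_hex(16)  # fresh random challenge, usable once
        now = time.time() if now is None else now
        self.pending[nonce] = (user_id, now + CHALLENGE_TTL)
        return json.dumps({"u": user_id, "n": nonce})

    def check_login(self, user_id, nonce, tag, now=None):
        """Step 8: check the details sent by the phone; True logs the browser session in."""
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # popping makes each QR code single-use
        if entry is None:
            return False  # unknown or already-used challenge (replay)
        owner, expires_at = entry
        if owner != user_id or now > expires_at:
            return False  # QR code belongs to another user, or has expired
        expected = response_tag(self.users[user_id][1], user_id, nonce)
        return hmac.compare_digest(expected, tag)  # only the registered phone matches

class Phone:
    """The smartphone app: knows its user and the key created at registration."""
    def __init__(self, user_id, device_key):
        self.user_id, self.device_key = user_id, device_key

    def scan(self, qr_payload):
        """Steps 4 and 5: scan the QR code and send U_ID plus the response tag."""
        nonce = json.loads(qr_payload)["n"]
        return self.user_id, nonce, response_tag(self.device_key, self.user_id, nonce)

def demo():
    """Constructed scenario: a genuine login, a replayed QR code, and a different phone."""
    srv = Server()
    alice_key = secrets.token_bytes(32)  # created on the phone at registration
    srv.register("alice", "alice@example.com", alice_key)
    alice_phone = Phone("alice", alice_key)
    other_phone = Phone("alice", secrets.token_bytes(32))  # claims to be alice, wrong key
    qr = srv.make_qr_payload("alice")
    genuine = srv.check_login(*alice_phone.scan(qr))
    replay = srv.check_login(*alice_phone.scan(qr))      # same QR code scanned again
    qr2 = srv.make_qr_payload("alice")
    wrong_phone = srv.check_login(*other_phone.scan(qr2))
    return genuine, replay, wrong_phone

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```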
Flowcharts are used in designing and documenting simple processes or programs. Like other types
of diagrams, they help visualize what is going on and thereby help understand a process, and
perhaps also find less-obvious features within the process, like flaws and bottlenecks. There are
different types of flowcharts: each type has its own set of boxes and notations. The two most
common types of boxes in a flowchart are:
• a processing step, usually called an activity, and denoted as a rectangular box;
• a decision, usually denoted as a diamond.
A flowchart is described as "cross-functional" when the chart is divided into different vertical or
horizontal parts, to describe the control of different organizational units. A symbol appearing in a
particular part is within the control of that organizational unit. A cross-functional flowchart allows
the author to correctly locate the responsibility for performing an action or making a decision, and
to show the responsibility of each organizational unit for different parts of a single process.
A system architecture or systems architecture is the conceptual model that defines the structure,
behaviour, and more views of a system. An architecture description is a formal description and
representation of a system, organized in a way that supports reasoning about the structures and
behaviour of the system.
A system architecture can comprise system components and the sub-systems developed, which will
work together to implement the overall system. There have been efforts to formalize languages to
describe system architecture; collectively these are called architecture description languages
(ADLs).
Chapter 5
Result
Chapter 6
It is possible to improve the current process of identification and authentication, and to reduce the
user's burden of remembering different passwords for different website accounts, by implementing
QR codes for authentication, as this makes the process of logging in and signing up as simple as
scanning the QR code generated on the website with his/her smartphone.
Even though the Password-less Authentication System using QR code has been implemented for
websites, it still has potential to be developed for offline computer applications. Further, the app on
the user's smartphone can be developed to scan the generated QR code even when the phone is not
connected to the internet.
[1] Bo Zhu, Xinxin Fan and Guang Gong, "Loxin, a solution to passwordless universal login",
IEEE paper, 2014.
[2] Kirit Saelensminde and Prof. Veera Boonjing, "A simple password less authentication system
for web sites", Seventh International Conference on Information Technology, IEEE paper, 2010.
[3] Kuan-Chieh Liao, Min-Hsuan Sung, Wei-Hsun Lee and Ting-Ching Lin, "A One-Time Password
Scheme with QR-Code Based on Mobile Phone", 2009 Fifth International Joint Conference on INC,
IMS and IDC.
[4] Renjie Weng, "Password-less login Everywhere", Journal of Stevens Institute of Technology,
Hoboken, NJ 07030.
[5] William Stallings, Cryptography and Network Security: Principles and Practice, 5th edition.
We would like to express our gratitude to all those who helped us reach our goal; it would not have
been possible without the kind support and help of many individuals and organizations. We would
like to extend our sincere thanks to all of them.
We are also thankful to Dr. S. K. Narayankhedkar, Principal, Mahatma Gandhi Mission’s
College of engineering and Technology, Navi Mumbai, for his encouragement and for providing
an outstanding academic environment.
We are also thankful to Dr. K. Sankar, H.O.D, Computer Department, Mahatma Gandhi Mission's
College of Engineering and Technology, Navi Mumbai, for his guidance, encouragement and
support during our project. We would like to thank all the staff members for their valuable
co-operation and for permitting us to work in the computer labs.
We are using this opportunity to express our gratitude to everyone who supported us throughout
the course of this B.E. project. We are highly indebted to Mrs. Rajashree Sonawale for her
guidance and constant supervision, as well as for providing necessary information regarding the
project and for her support in completing the project. We are thankful for her inspiring guidance,
invaluable constructive criticism and friendly advice during the project. We are sincerely grateful
to her for sharing truthful and illuminating views on a number of issues related to this project.
Special thanks to our colleagues and friends for providing us useful comments and continuous
encouragement. Finally, we would like to thank our family, our parents, for supporting us spiritually
throughout our career and for their support and endurance during this work.