
PROJECT REPORT ON

Enforcing Security Using RSA Algo in Netbanking


DEGREE IN

SUBMITTED BY

UNDER THE GUIDANCE OF

PROF. J. ABC

ABC
CIDCO, SEC-3, AIROLI, NAVI MUMBAI-400708 FEBRUARY 2010

CERTIFICATE
This is to certify that Mr./Ms._________________________________________ (PRN: ________________) has successfully completed a project entitled B.TECH IN MECHANICAL ENGINEERING (MLEP) 9TH SEM. Industry

Manpower and A Resource Organisation in partial fulfillment for the requirement of

Signature with Date

Project Guide

SC Coordinator

Internal Examiner

External Examiner

ACKNOWLEDGEMENT
I would like to take this opportunity to express my gratitude towards all the people who have in various ways, helped in the successful completion of my project. I must convey my gratitude to Prof. Mathews for giving me the constant source of inspiration and help in preparing the project, personally correcting my work and providing encouragement throughout the project. I also thank all my faculty members for steering me through the tough as well as easy phases of the project in a result oriented manner with concern attention.

Thanking You, ________________

ABSTRACT

We are going to implement a NetBanking website which will provide security to the user for money transactions through the RSA algorithm. The RSA algorithm is a public key cryptography algorithm, invented in 1978. Using the RSA algorithm, our system will encrypt the user's transaction, and at the receiver's end our system will decrypt the transaction using RSA; in this way our system will provide security to online transactions. For implementing this project we are using PHP as the frontend and MySQL as the backend.

INDEX
SR.NO  TITLE
1) INTRODUCTION
2) LITERATURE SURVEY
3) PROBLEM DEFINITION
4) REQUIREMENT ANALYSIS
5) PLANNING AND ESTIMATION
6) TESTING
7) IMPLEMENTATION
8) ADVANTAGES & DISADVANTAGES
9) FUTURE MODIFICATIONS
10) APPLICATION
11) BIBLIOGRAPHY
12) SCREENSHOTS
13) SOURCE CODE

Chapter 1 INTRODUCTION

INTRODUCTION
1. Introduction to Cryptography: In the era of information technology, there is a very high possibility that information stored on a person's computer, or transferred through a network of computers or the internet, is read by other people. This causes a major concern for privacy, identity theft, electronic payments, corporate security, military communications and many others. We need an efficient and simple way of securing electronic documents from being read or used by anyone other than those authorized to do so. Cryptography is a standard way of securing electronic documents.

1.1 Basic idea of Cryptography: Basic idea of cryptography is to mumble-jumble the original message into something that is unreadable or to something that is readable but makes no sense of what the original message is. To retrieve the original message again, we have to transform the mumble-jumbled message back into the original message again.

1.2 Basic Terminologies used in Cryptography: Data that can be read and understood without any special measures is called plaintext or cleartext. This is the message or data that has to be secured. The method of disguising plaintext in such a way as to hide its substance is called encryption. Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting ciphertext to its original plaintext is called decryption. Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables us to store sensitive information or transmit it across insecure networks like the Internet so that no one other than the intended recipient can read it. Cryptanalysis is the art of breaking ciphers, that is, retrieving the original message without knowing the proper key. Cryptography deals with all aspects of secure messaging, authentication, digital signatures, electronic money, and other applications.

1.3 Cryptographic Algorithms: Cryptographic algorithms are mathematical functions that are used in the encryption and decryption process. A cryptographic algorithm works in combination with a key (a number, word or phrase) to encrypt the plaintext. The same plaintext encrypts to different ciphertexts for different keys. The strength of a cryptosystem depends on the strength of the algorithm and the secrecy of the key.

1.4 Two Kinds of Cryptography Systems: There are two kinds of cryptosystems: symmetric and asymmetric. Symmetric cryptosystems use the same key (the secret key) to encrypt and decrypt a message, and asymmetric cryptosystems use one key (the public key) to encrypt a message and a different key (the private key) to decrypt it. Symmetric cryptosystems are also called private key cryptosystems and asymmetric cryptosystems are also called public key cryptosystems.

Chapter 2 LITERATURE SURVEY

2. Overview of Private Key Cryptography: In private-key cryptography, the sender and recipient agree beforehand on a secret private key. The plaintext is somehow combined with the key to create the cipher text. The method of combination is such that, it is hoped, an adversary could not determine the meaning of the message without decrypting the message, for which he needs the key. The following diagram illustrates the encryption process:
[Diagram: Message to be encrypted or plain text | Encryption Algorithm | Encrypted message or Cipher text | Private Key known only to sender and receiver]

The following diagram illustrates the decryption process:

[Diagram: Message to be decrypted or cipher text | Decryption Algorithm | Decrypted message or Plain text | Private Key known only to sender and receiver]

To break a message encrypted with private-key cryptography, an adversary must either exploit a weakness in the encryption algorithm itself, or else try an exhaustive search of all possible keys (brute force method). If the key is large enough (e.g., 128 bits), such a search would take a very long time (few years), even with very powerful computers.

Private-key methods are efficient and difficult to break. However, one major drawback is that the key must be exchanged between the sender and recipient beforehand, raising the issue of how to protect the secrecy of the key. When the President of the United States exchanges launch codes with a nuclear weapons site under his command, the key is accompanied by a team of armed couriers. Banks likewise use high security in transferring their keys between branches. These types of key exchanges are not practical, however, for e-commerce between, say, amazon.com and a casual web surfer.

3. Overview of Public Key Cryptography: Public key cryptography uses two keys: a private key (known only by the recipient) and a public key (known to everybody). The public key is used to encrypt the message, which is then sent to the recipient, who can decrypt the message using the private key. A message encrypted with the public key cannot be decrypted with any key other than its corresponding private key. The following diagram illustrates the encryption process in public key cryptography:

[Diagram: Message to be encrypted or plain text | Encryption Algorithm | Encrypted message or Cipher text | Public Key known to everyone]

The following diagram illustrates the decryption process in the public key cryptography:

[Diagram: Message to be encrypted or plain text | Encryption Algorithm | Encrypted message or Cipher text | Private Key known only to receiver]

The public-key algorithm uses a one-way function to translate plaintext to ciphertext. Then, without the private key, it is very difficult for anyone (including the sender) to reverse the process (i.e., translate the ciphertext back to plaintext). A one-way function is a function that is easy to apply, but extremely difficult to invert. The most common one-way function used in public-key cryptography involves factoring very large numbers. The idea is that it is relatively easy to multiply numbers, even large ones, with a computer; however, it is very difficult to factor large numbers. The only known algorithms basically have to do a sort of exhaustive search (Does 2 go into it? Does 3? 4? 5? 6? and so on). With numbers 128 bits long, such a search requires performing as many tests as there are particles in the universe. For instance, someone wishing to receive encrypted messages can multiply two very large numbers together. She keeps the two original numbers a secret, but sends the product to anyone who wishes to send her a message. The encryption/decryption algorithm is based upon combining the public number with the plaintext. Because it is a one-way function, the only way to reverse the process is to use one of the two original numbers. However, assuming the two original numbers are very large, their product is even bigger; it would be impractical for an adversary to try every possibility to determine what the two original numbers were.

Chapter 3 PROBLEM DEFINITION


Problem Definition: Present system uses private key cryptography for internet banking application or websites. Private-key methods are efficient and difficult to break. However, one major drawback is that the key must be exchanged between the sender and recipient beforehand, raising the issue of how to protect the secrecy of the key. When the President of the United States exchanges launch codes with a nuclear weapons site under his command, the key is accompanied by a team of armed couriers. Banks likewise use high security in transferring their keys between branches. These types of key exchanges are not practical, however, for ecommerce between, say, amazon.com and a casual web surfer.


Chapter 4 HARDWARE & SOFTWARE REQUIREMENTS

Hardware and Software requirements

Hardware:
1. Processor: Pentium 4
2. RAM: 512 MB or more
3. Hard disk: 16 GB or more
4. Android Device

Software:
1. WAMP server

Frontend:
1. PHP

Backend:
1. MYSQL

Chapter 5 PLANNING AND ESTIMATION


Planning and Cost Estimation


The entire project spanned a duration of 9 months. In order to effectively design and develop a cost-effective model, the Waterfall model was followed.

FIGURE 1 WATERFALL MODEL

Requirement gathering and Analysis phase:

This phase started at the beginning of our project; we had formed groups and modularized the project. Important points of consideration were:
1. Define and visualize all the objectives clearly.
2. Gather requirements and evaluate them.
3. Consider the technical requirements needed and then collect technical specifications of various peripheral components required.
4. Analyze the coding languages needed for the project.
5. Define coding strategies.
6. Analyze future risks / problems.
7. Define strategies to avoid these risks, or else define alternate solutions to these risks.
8. Check financial feasibility.
9. Define Gantt charts and assign a time span for each phase.

By studying the project extensively we developed a Gantt chart to track and schedule the project. Below is the Gantt chart of our project.

[Gantt chart: TimeLine]

Cost Estimation

Cost estimation is done using the COCOMO model.

Ratings
Cost Drivers                                   Very Low  Low   Nominal  High  Very High  Extra High
Product attributes
Required software reliability                  0.75      0.88  1.00     1.15  1.40       -
Size of application database                   -         0.94  1.00     1.08  1.16       -
Complexity of the product                      0.70      0.85  1.00     1.15  1.30       1.65
Hardware attributes
Run-time performance constraints               -         -     1.00     1.11  1.30       1.66
Memory constraints                             -         -     1.00     1.06  1.21       1.56
Volatility of the virtual machine environment  -         0.87  1.00     1.15  1.30       -
Required turnabout time                        -         0.87  1.00     1.07  1.15       -
Personnel attributes
Analyst capability                             1.46      1.19  1.00     0.86  0.71       -
Applications experience                        1.29      1.13  1.00     0.91  0.82       -
Software engineer capability                   1.42      1.17  1.00     0.86  0.70       -
Virtual machine experience                     1.21      1.10  1.00     0.90  -          -
Programming language experience                1.14      1.07  1.00     0.95  -          -
Project attributes
Use of software tools                          1.24      1.10  1.00     0.91  0.82       -
Application of software engineering methods    1.24      1.10  1.00     0.91  0.83       -
Required development schedule                  1.23      1.08  1.00     1.04  1.10       -

The Intermediate COCOMO formula now takes the form: E = ai (KLoC)^(bi) × EAF

Using the above calculation we found that the total time period of the project is around 6 months and the per month cost comes out to be Rs. 20,000, so the total comes to Rs. 1,20,000.

Chapter 6

TESTING

Testing

Software testing methods are traditionally divided into black box testing and white box testing. These two approaches are used to describe the point of view that a test engineer takes when designing test cases.

Black box testing

Black box testing treats the software as a "black box" without any knowledge of internal implementation. Black box testing methods include: equivalence partitioning, boundary value analysis, all-pairs testing, fuzz testing, model-based testing, traceability matrix, exploratory testing and specification-based testing.

Specification-based testing: Specification-based testing aims to test the functionality of software according to the applicable requirements. Thus, the tester inputs data into, and only sees the output from, the test object. This level of testing usually requires thorough test cases to be provided to the tester, who then can simply verify that for a given input, the output value (or behavior), either "is" or "is not" the same as the expected value specified in the test case. Specification-based testing is necessary, but it is insufficient to guard against certain risks.

Advantages and disadvantages: The black box tester has no "bonds" with the code, and a tester's perception is very simple: a code must have bugs. Using the principle, "Ask and you shall receive," black box testers find bugs where programmers do not. But, on the other hand, black box testing has been said to be "like a walk in a dark labyrinth without a flashlight," because the tester doesn't know how the software being tested was actually constructed. As a result, there are situations when (1) a tester writes many test cases to check something that could have been tested by only one test case, and/or (2) some parts of the back-end are not tested at all. Therefore, black box testing has the advantage of "an unaffiliated opinion," on the one hand, and the disadvantage of "blind exploring," on the other.

White box testing

White box testing is when the tester has access to the internal data structures and algorithms including the code that implement these.

Types of white box testing

The following types of white box testing exist:

API testing (application programming interface) - Testing of the application using Public and Private APIs
Code coverage - creating tests to satisfy some criteria of code coverage (e.g., the test designer can create tests to cause all statements in the program to be executed at least once)
Fault injection methods - improving the coverage of a test by introducing faults to test code paths
Mutation testing methods
Static testing - White box testing includes all static testing

Code completeness evaluation

White box testing methods can also be used to evaluate the completeness of a test suite that was created with black box testing methods. This allows the software team to examine parts of a system that are rarely tested and ensures that the most important function points have been tested. Two common forms of code coverage are:

Function coverage, which reports on functions executed
Statement coverage, which reports on the number of lines executed to complete the test

They both return a code coverage metric, measured as a percentage.

Integration testing

Integration testing is any type of software testing that seeks to verify the interfaces between components against a software design. Software components may be integrated in an iterative way or all together ("big bang"). Normally the former is considered a better practice since it allows interface issues to be localised more quickly and fixed.

Acceptance testing

Acceptance testing can mean one of two things:
1. A smoke test is used as an acceptance test prior to introducing a new build to the main testing process, i.e. before integration or regression.
2. Acceptance testing performed by the customer, often in their lab environment on their own HW, is known as user acceptance testing (UAT).

Chapter 7

IMPLEMENTATION

4. RSA Public Key Cryptography Algorithm:


4.1 Introduction to RSA Algorithm:
RSA is one of the most popular and successful public key cryptography algorithms. The algorithm has been implemented in many commercial applications. It is named after its inventors Ronald L. Rivest, Adi Shamir, and Leonard Adleman. They invented this algorithm in the year 1977. They utilized the fact that when prime numbers are chosen as a modulus, operations behave conveniently. They found that if we use a prime for the modulus, then raising a number to the power (prime - 1) gives 1 modulo that prime. The RSA algorithm simply capitalizes on the fact that there is no efficient way to factor very large integers. The security of the whole algorithm relies on that fact. If someone comes up with an easy way of factoring a large number, then that's the end of the RSA algorithm: any message encrypted with the RSA algorithm is then no longer secure.

4.2 RSA Algorithm:


Encryption and decryption in the RSA algorithm are done as follows. Before encryption and decryption are done, we have to generate the key pair; those keys are then used for encryption and decryption.

4.2.1 Key Generation:

The first step in RSA encryption is to generate a key pair. Two keys are generated, of which one is used as the public key and the other is used as the private key. The keys are generated with the help of two large prime numbers. The keys are generated as follows:
1. Generate two large random primes p and q.
2. Compute n, which is equal to the product of those two prime numbers, n = pq.
3. Compute φ(n) = (p-1)(q-1).
4. Choose an integer e, 1 < e < φ(n), such that gcd(e, φ(n)) = 1.
5. Compute the secret exponent d, 1 < d < φ(n), such that ed ≡ 1 (mod φ(n)).
6. The public key is (n, e) and the private key is (n, d). The values of p, q, and φ(n) should also be kept secret.

n is known as the modulus. e is known as the public exponent or encryption exponent. d is known as the secret exponent or decryption exponent.

4.2.2 Encryption: Encryption is done using the public key component e and the modulus n. To whomever we need to send the message, we encrypt the message with their public key (e,n). Encryption is done by taking an exponentiation of the message m with the public key e and then taking a modulus of it. The following steps are done in encryption.
1. Obtain the recipient's public key (n,e).
2. Represent the plaintext message as a positive integer m < n.
3. Compute the ciphertext c = m^e mod n.
4. Send the ciphertext c to the recipient.

4.2.3 Decryption: Decryption is done using the private key. The person who is receiving the encrypted message uses his own private key to decrypt the message. Decryption is similar to encryption except that the keys used are different.
1. Recipient uses his private key (n,d) to compute m = c^d mod n.
2. Extract the plaintext from the integer representative m.

The RSA algorithm has been implemented in many applications and it is currently one of the most popularly used encryption algorithms. The RSA algorithm is based fully on mathematics and in the next section we will see the mathematics behind RSA.

DFD

[Data flow diagram "Online Transaction using RSA": Sender | Amount & Acc information | RSA Encryption | Server | RSA Decryption | Amount | Receiver]

Chapter 8

ADVANTAGES

Advantages:

Provides high level of security to online transactions.
Reduce/prevent financial loss from attacks.

Chapter 9

APPLICATION

1. To increase security in online transactions.
2. For high level secure communication in war.

Chapter 10

FUTURE MODIFICATIONS


Chapter 11

BIBLIOGRAPHY

Chapter 12

SCREENSHOTS


Chapter 13 SOURCE CODE
