Look At Two Way Mobile Authentication

Published Date: 02 Nov 2017

bth_logo

TWO WAY MOBILE AUTHENTICATION

By

Harish Dinne - 850120-P555

Karthik mandava - 850828-P238

Table of Contents

Abstract - - - - - - - - - - 3

Objective - - - - - - - - - - 3

Analysis - - - - - - - - - - 4

Limitations on 2 Way Mobile Authentication System - - - 5

Technologies - - - - - - - - - 6

SHA-1 Algorithm - - - - - - - - - 7

Server- Side Scripting Language – PHP - - - - - 10

Client Side Scripting Languages (HTML / CSS / JavaScript) - - 11

Programming Process - - - - - - - - 12

Programming Maintenance - - - - - - - 12

System Design - - - - - - - - - 13

Database Design - - - - - - - - 15

Table Structure - - - - - - - - - 16

Implementation - - - - - - - - - 18

Testing - - - - - - - - - - 22

Screenshots - - - - - - - - - 27

ABSTRACT

Many organizations still rely on static ID and password that is been used in the existing authentication system which consist of Single Factor Authentication technique to provide the simplest form of authentication that may not be sufficient to safeguard against unauthorized access. Therefore the rapid spread of e-Business has necessitated for securing transactions and therefore financial organizations are looking for two-factor authentication technique as a fundamental security function.

Strong Authentication is a fundamental security function. During the authentication process, the credentials submitted by an individual are validated and associated with the person's identity. This process of binding between the credentials and identity is typically done for the purpose of granting (or denying) authorization to perform some restricted operation, like accessing secured files or executing sensitive transactions. User authentication is commonly defined as the process of verifying the identity of an individual, usually based on credentials.

Now-a-days different strong authentication methods are in use some of them can be embedded in security devices such as tokens, smart cards. First we study the different authentication method, after that on the basis of study we integrate the OTP (One Time password) based two-factor authentication method in more flexible mobile devices (such as cell phones, PDA) in a cost effective manner.

Two-factor authentication method uses mobile devices as security tokens to receive a single-use password to strengthen the existing ID/password authentication and authorization process. In the first phase, the authenticator gets a request generated by the application to authenticate a specified user. When the request is received, it generates a one-time password and sends it through a SMS to a GSM cell phone registered for that specified user. The one-time password has a default timeout 5 minutes which is configurable.

In the second phase of the authentication, a request is sent with the user id and a hash of the one-time password. If both the one-time and user specified password is valid then the user will be authenticated.

OBJECTIVE

Even though the application is using client’s device to send the second factor, it is possible to completely avoid the client’s involvement in generating the password. There are few limitations in the paper. This proposal overcomes the problem of hacking but not from phishing.

In the field of computer security, the process of attempting to verify the digital identity of the sender of a communication process such as a request to log in is termed as authentication. The sender subjected to an authentication may be a human using a computer, a computer by itself or a computer program. A blind credential could not establish identity at all, but only a narrow right or status of the user or program.

In a web of trust, authentication is a way to make sure that the user who attempts to perform functions in a system is in fact the user who is permitted to do so.

ANALYSIS

2 Way Mobile Authentication System (2WMAS) is an innovative authentication system that provides access to Web-based resources by using a two-way user authentication through the existing personal mobile phones. It is used to solve the security flaws of the web based Internet and Intranet, by involving the users to authenticate themselves using their personal mobile phones. The registration of the users has to be done in a secured manner before he can actually use the system.

It is designed to provide security to Web-based Internet and Intranet applications, and requires users to authenticate themselves with two unique criterion - a username and password, and a code which they get only during authentication (a one-time password OTP sent to their mobile phone) before they are permitted to access a secured web resource. With 2WMAS, we can positively identify users and deliver services easily and in a most secured way to users, without having the need of an additional security system. End users can have the advantages of a very simple process that omits the need to remember multiple passwords.

As the Web-based Internet becomes the most important tool for financial transactions, the level of security becomes a major concern in an organization's transaction system. Transactions in these days are secured using passwords. Institutions spend huge amounts of money on secure SSL solutions to make sure the passwords are not tracked. But,in majority of cases security violations occurs above the reach of PKI and SSL solutions.

why the existing password system is not secured

Passwords could be captured when they are sent to the browser. For example, The 'Trojan- horse' applications which most of users might have installed without their knowledge, while installing shareware tools, while reading a email, or when visiting a suspicious website. Some 'Trojan-horse' applications can even control personal computers, and allow intruders to look into their screens like a remote software application PC anywhere!

Some users may even save their credentials carelessly on their PCs, The result of which, can be seen by anyone who has the access to the terminals, including the person who repairs their PC, or if they are using a computer in a cybercafe, anyone who uses that terminal after them.

An inefficient programming APIs of a system might give clues to the hackers to bypass the entire system.

Features of 2 Way Mobile Authentication System

Double-criterion to check the identity of the User:

It provides a cost-effective solution to provide the web resources with a double-criterion authentication system. Through a browser, a user requests permission to access a Web resource which needs an additional authentication code required for the Web Application. It then generates a one-time access code and sends it to the mobile phone registered to the user by an SMS text message. The user has to enter the access code into the Web-browser to finish the authentication. After the user enters the authentication information, the system determines if the information submitted is valid or not. If valid it goes ahead with the Web Application thereby allowing the user to perform the necessary transactions, otherwise not .By separating Web Application with Authentication server, we can also divide the responsibilities to decrease the internal fraud.

Protecting the existing authentication system:

The 2WMAS could not replace the existing authentication system, but instead serves as an added layer of security that protects and enriches the existing authentication system, either software or hardware.

Protecting against Internal fraud:

The system’s core authentication and messaging engine is such that it provides with a good level of security to safeguard from reverse engineering and program transformation of the software. A security platform is never secured if someone has the access to the parts of the application and its security algorithm, modify the content of code to reveal security flaws or even create a backdoor entry.

Limitations on 2 Way Mobile Authentication System

2 Way Mobile Authentication cannot solve the problem of phishing ( phishing is defined as a process of gathering personal data such as credentials, information of the credit cards and other sensitive data by impersonating as a trusted party through electronic communication)

A user cannot login to the system if the GSM gateway service provider’s servers are down where he could not receive the OTP even though he is a genuine user.

This system cannot be used when a users mobile network service provider terminates the connection due to the delay in bill payments and also poor signal of the network.

Market Segments where 2WMAS is in use

Enterprise

Secure remote access

Enterprise authentication

B2B Transactions

Consumer

Online banking

e-commerce

Internet Service Providers

Government

Common authentication

Biometrics

TECHNOLOGIES:

Software Requirements

Application Language : HTML / CSS / Java Script and PHP

Operating System : Linux / Windows

Protocols : HTTP

Web Server : Apache

FIPS 180 -1 Standard:

The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the Official series of publications relating to standards and guidelines Adopted and promulgated under the provisions of Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by The Computer Security Act of 1987, Public Law 100-235. These mandates have given the Secretary of Commerce and NIST important responsibilities for improving the utilization and management of computer and related Telecommunications systems in the Federal Government. The NIST, through the Computer Systems Laboratory, provides leadership, technical guidance, and coordination of Government efforts in the development of standards and guidelines in these areas.

This standard specifies a Secure Hash Algorithm (SHA-1) can be used to generate a condensed representation of a message called a message digest. The output of SHA-1(message digest) is the input to the Digital Signature Algorithm (DSA) as specified in the Digital Signature Standard (DSS) which checks the signature of the message. The SHA-1 should be used by both the sender and intended receiver of a message to compute and verify the digital signature.

SHA – 1 Algorithm:

SHA-1 is used to calculate the message digest for a message of any arbitrary length or data file that is provided as input. The message provided as input should be treated as a bit string. The length of the message which we input is the number of bits in the message (It is possible that the message can be empty message, such message has length 0). If the number of bits in a message is a multiple of 8, for our ease we can represent the message in hex. If it is not exact multiple of 8 we use padding. The main purpose of message padding is to make the total length of the message after padding is a multiple of 512, and then SHA-1 algorithm consequently processes it in blocks of 512 bits for computing the message digest. The following paragraph specifies how the message padding can be done.

This is how it works, first a "1" followed by m "0"s followed by a 64- bit integer are appended to the end of the message in order to produce a padded message which is of length 512 * n. The length of the original message is of size 64-bit integer. The padded message is now sequentially processed by the SHA-1 algorithm in size of 512-bit blocks.

If a message has length, l < 2^64. Before it is submitted as input to the SHA-1, the message is padded on the right as follows:

"1" is appended. Example: if the original message is "01011000", this message is padded to "010110001".

"0"s are appended. The no. of "0"s that are added to the actual message will purely depend on the actual length of the message. In the last 512-bit block the last 64 bits are reserved, for the length l of the original message.

Example: Suppose the original message is the bit string

01100001 01100010 01101111 01100100 01000101.

After the first step(a) this gives

01100001 01100010 01101111 01100100 01000101 1.

Since l = 40, so the number of bits with ‘1’ are 41 so 407 "0"s are appended, now the total becomes 448.

This above gives (in hex)

61626364 65800000 00000000 00000000

00000000 00043520 00000000 00000000

00000045 200 00000 00000000 00000000

04520000 00000000 00000000 00000028

Get the 2-word representation of l, the number of bits that are in the original message. If l < 2^32 then the first word becomes all zeroes. Add the two words to the padded message.

Eg: If the actual message in (b) is as follows. Now l = 40 (since we already calculated 1 before any padding). The representation of 40 in two words of is hex 00000000 00000028. Hence the final padded message is hex

61626364 65800000 00000000 00000000

00000000 00000000 00000000 00000000

00000000 00000000 00000000 00000000

00000000 00000000 00000000 00000028

Now the padded message has 16 * n words for some n > 0. The padded message will be treated as a sequence of n blocks MD(1) ,MD(2), first characters (or bits) of the message.

The logical functions f(0), f(1),..., f(79) are used in SHA-1. Each f(t), 0 <- t <- 79, operates on three 32-bit words X, Y, Z and results a 32-bit word as output. f(t; X, Y, Z) is defined as follows: for words X, Y, Z,

f(t; X, Y, Z) = (Y AND Z) OR ((NOT X) AND Z) ( 0 <= t <= 19)

f(t; X, Y, Z) = X XOR Y XOR Z (20 <= t <= 39)

f(t; X, Y, Z) = (X AND Y) OR (X AND Z) OR (Y AND Z) (40 <= t <= 59)

f(t; X, Y, Z) = Y XOR Y XOR Z (60 <= t <= 79).

Thes constants C(0), C(1), ... , C(79) is used in the SHA-1 algorithm. In hex these are given by

C(t) = 5A827999 ( 0 <= t <= 19)

C(t) = 6ED9EBA1 (20 <= t <= 39)

C(t) = 8F1BBCDC (40 <= t <= 59)

C(t) = CA62C1D6 (60 <= t <= 79).

The below mentioned methods produce the same message digest. Even though using method 2 saves sixty-four 32-bit words of storage, it is likely to lengthen execution time due to the increased in complexity of the address calculations for the { WD[t] } in step (c). There are also other methods available for computations which give identical results.

The message digest is computed using the message padding as discussed above. The computation shown above are using two buffers, both have a five 32-bit words, and a sequence of eighty 32-bit words. The names of the 1st 5-word buffer are labeled R, X, Y, Z, and P. The names of the second 5-word buffer are labeled I0, I1, I2, I3, and I4. The names of the 80-word sequence are labeled WD(0), WD(1),..., WD(79). A single word buffer TEMP is also there in the sequence.

To produce the message digest, the 16-word blocks MD(1), MD(2),..., MD(n) defined in section 4 are processed in sequential order. The processing of each MD(i) involves 80 steps. Before processing any blocks, the H's are initialized as follows: in hex,

I0 = 67452301

I1 = EFCDAB89

I2 = 98BADCFE

I3 = 10325476

I4 = C3D2E1F0.

Now MD(1), MD(2), ... , MD(n) are processed. To process MD(i), we proceed as follows:

Divide MD(i) into 16 words WD(0), WD(1), ... , WD(15), where WD(0) is the left-most word.

For t = 16 to 79

let WD(t) = S^1(WD(t-3) XOR WD(t-8) XOR WD(t-14) XOR WD(t-16)).

Let R = I0, X = I1, Y = I2, Z = I3, P = I4.

For t = 0 to 79 do

TEMP = S^5(R) + f(t;X,Y,Z) + P + WD(t) + C(t);

P = Z; Z = Y; Y = S^30(X); X = R; R = TEMP;

Let I0 = I0 + R, I1 = I1 + X, I2 = I2 + Y, I3 = I3 + Z, I4 = I4+P

After processing MD(n), the message digest is the 160-bit string represented by the 5 words I0 I1 I2 I3 I4.

The method above assumes that the sequence WD(0), ... , WD(79) is implemented as an array of eighty 32-bit words. This is efficient from the standpoint of minimization of execution time, since the addresses of WD(t-3), ... ,WD(t-16) in step (b) are easily computed. If space is at a premium, an alternative is to regard { WD(t) } as a circular queue, which may be implemented using an array of sixteen 32-bit words WD[0], ... WD[15]. In this case, in hex let MSK = 0000000F. Then processing of MD(i) is as follows:

Divide MD(i) into 16 words WD[0], ... , WD[15], where WD[0] is the left-most word.

Let R = I0, X = I1, Y = I2, Z = I3, P = I4.

For t = 0 to 79 do

s = t AND MSK;

if (t >= 16) WD[s] = S^1(WD[(s + 13) AND MSK] XOR WD[(s + 8)

ANDMSK] XOR WD[(s + 2) AND MSK] XOR WD[s]);

TEMP = S^5(R) + f(t;X,Y,Z) + P + WD[s] + C(t);

P = Z; Z = Y; Y = S^30(X); X = R; R = TEMP;

Let I0 = I0 + R, I1 = I1 + X, I2 = I2 + Y, I3 = I3 + Z, I4 = I4+P

Server- Side Scripting Language – PHP:

PHP: Hypertext PRE Processor, is a widely used, general-purpose and server side scripting language that was originally designed for web development, to produce dynamic web pages. We can embed PHP into HTML and that usually runs on a web server, before that we have to configure and process PHP code used to create web page content from it. That configuration can be deployed on most web servers and also into almost every operating system and platform for free of charge. Statistics shows PHP was installed on over 20 million websites and 1 million web servers.

Features of PHP (Server-Side Scripting Language):

Standard CGI, Fast-CGI and Apache module support - As a standard CGI program, we can install PHP on any UNIX system running any UNIX web server. With support for the new Fast-CGI standard, PHP can get benefit of the speed improvements gained through this process. As an Apache module, PHP becomes an extremely powerful and lightning fast alternative to CGI programming.

Access Logging - With this feature enabled in PHP that is access logging, users own hit counting and logging can be maintained by the user. Anyway PHP cannot use systems central login, and it provides real-time access monitoring. An individual user has has access to the set of pages, log viewer script provides a easy access to those pages. A footer generated by configuring the package shows the access information.

Access Control - Access control configuration can be handled by A built-in web-based configuration. It is possible to for a user to create WebPages and provide some access restrictions to those pages and this can be done by using PHP access control so that other cannot even see the WebPages. Pages can be password protected, or we can avoid even looking into the pages, logging can be disabled and based on the client's domain, the browser, e-mail identity’s or even the referring document can be disabled.

RFC-1867 File Upload Support – With the added feature in Netscape 2.0 any user can upload files to a web server. To work such kind of feature PHP provides the actual Mime decoding and once the file has uploaded, to make use of the uploaded files PHP provides and extra frame work also.

HTTP-based authentication control – To generate coustomized based HTTP authentication mechanisms for web servers like Apache one can use PHP.

Variables, Arrays, Associative Arrays - PHP supports various types like which are used to transfer data from page to page. The type of variables that are supported by PHP are typed variables, Perl-like associative arrays and ordinary arrays.

Conditionals, While Loops - PHP also supports programming languages like C embed with all features. We can use all features that are inbuilt in C-Language like, we can use conditional statements (if/then and else or if/else/end if) that are in C-Language. We can also use loops like ( while, for, do while ) and even statements like Switch/case to guide the flow of the program and how the HTML should work while displaying.

Extended Regular Expressions – To accomplish pattern matching one has to use Regular expressions, and for even pattern substitutions and general string manipulation also. PHP also supports all operations that are done using regular expression.

Raw HTTP Header Control – For some high level web design if some condition is satisfied PHP has ability send the web pages with customized raw HTTP headers, the most common use of this is sending location. In such situations URL header has to redirect the calling client to some other URL. For turning off caching it can also be used and even to manipulate the last update header of pages.

ISP "Safe Mode" support – PHP has a special feature that is "Safe Mode". By using it multiple can run their scripts on the same web server so that, spending additional cost on web servers can be reduced.

It's Free! – One of the main reasons for so many people use PHP is that it is free. PHP is licensed under the GNU/GPL that allows us to use this scripting language for all purposes including commercial usage.

Client Side Scripting Languages (HTML / CSS / JavaScript) :

Some Computer programs that are executed by the users from the user’s web browser not form the server side that is on web server, we call such programs as Client-side scripting Languages. Examples of this kind are HTML, CSS and JavaScript. Such kind of computer programming is very important part of the Dynamic Hyper Text Mark-up Language (DHTML) concept, it will enable the scripting done on web pages that is, to display different outputs depend on user inputs and date and time variables (such as the time of day), or other variables. In Hyper Text Mark-up Language documents, Client-side scripts are often embedded, but the embedded client side scripts may also be present in a separate file, which will point the link in which document it was present. When a request is made by the user, the respective files are sent to the computer of the user who requested the files by the web server on which they are present. Whenever any user executes his script from the web browser, client side script execution is done and the respective output will be displayed. In the Client-side scripts there may also exist some instructions for the browser to take into consideration so that the user wants to do some operations on the document in different way, for example to clicks a certain button. Without communicating the web server such kind of instructions can be performed.

Database – MYSQL:

MYSQL is a RDBMS, which can be abbreviated as relational database management system. The database management system that we used in this application was MySQL. MySQL database will allows users to create a relational database management system structure on the web-server that may be present in somewhere to store data like fields or records or user details. This program runs like a server providing multi-user access to a number of databases. MySQL is most commonly used with PHP scripts to make innovative powerful and flexible server side applications. We basically create forms by using HTML with fields in them, and MYSQL holds tables and PHP is used to send queries to the data base, by combining these entire things one can create truly efficient projects in the web.

SMS Gateway Service Provider (www.clickatell.com) :

Clickatell is an SMS Gateway provider, which provides an interface between an existing systems and the SMS Messaging Gateway. It is a lower level connectivity option, but offers the very good functionality and flexibility for the end user. With the API clickatell can set up alert-based SMS delivery from clickatells server. Depending on the messaging requirements, clickatell may find one or more of Clickatell's products to suit clickatell needs, out of which they have opted HTTP API which is gives us the easy ways in order to connect to the Clickatell API for sending SMS.

HTTP/HTTPS API is one of the easiest server-based way of communicating Clickatell's gateway. We can use it either in the form of a HTTP-POST or as a URL that uses GET method for sending SMS. It is recommended to POST for larger data transfer, due to the size limitations of GET. Communication to the API can be done either via HTTPS on port 443 or HTTP on port 80. All calls we made to the API must be URL-encoded. The parameter names used here are case-sensitive. Batch messaging done in a variety of ways. For using clickatell’s API, we need to register at: www.clickatell.com and sign-up there and buy the SMS credits, so that we can send SMS.

Below is the procedure to send an SMS using clickatell (mentioned below is manual, we need to program it accordingly to integrate)

First we need to sign up for an HTTP/S account; we will be given a username, password and api_id(application id).

Once the registration has been activated we will receive 10 free credits with which to test our service.

Have the number we wish to send to ready in international format e.g. 448311234567.

Open the browser (e.g. Internet Explorer), and type the code in following sequence. http://api.clickatell.com/http/sendmsg?user=xxxxx&password=xxxxx&api_id=xxxxx&to=448311234567&text=Meet+me+at+home

The text of the message should be in above mentioned format, and the '+' signs replace the spaces that are present in between words as above.

Press 'Enter' on the keyboard and the message will be sent the mobile phone of specified user.

Programming Process:

Below are the steps to be followed to demonstrate two way mobile authentication systems:

Create a project flow design.

Design good looking and attracting web pages and site flow with Hypertext markup language (HTML) and Cascading Style sheets (CSS).

Decide the database structure to store the registered user’s contact, log-in and account details.

Develop the code needful to navigate the application dynamically.

Integrate the Clickatell's HTTP/HTTPS API to our system to send SMS (which include the one-time password (OTP) generated by the SHA-1 algorithm)

Test the application to locate and remove any bugs.

Compile the tested application and deploy the files in the server.

Buy a domain name and point it to our server to make it live.

Programming Maintenance:

Apart from the bugs, we have to maintain the program we created. Program Maintenance is a term used for the updating of a program after the program is put into use. This updating may be a result of the users request or a change in the way the program needs to operate.

SYSTEM DESIGN

Data Flow Diagram

UML Diagram

The Unified Modeling Language allows the software engineer to express an analysis model using the modeling notation that is governed by a set of syntactic semantic and pragmatic rules.

Use case Diagrams depicts the control flow of a functional system from a user’s point of view. Use cases are used during requirements gathering and analysis to represent the functionality of the system. Use cases focus on the behavior of the system from external point of view.

Actors are the users that interact with the system. Examples of actors include users like administrator, bank customer …etc., or another system like central database.

Use Case:

DATABASE DESIGN

Database : bthbanken

Username : bthbanken

Password : Qua4rigadb

TABLE STRUCTURE

CREATE TABLE `user_balance` (

`user_id` int(10) NOT NULL default '0',

`acc_balance` varchar(255) NOT NULL default '0',

PRIMARY KEY (`user_id`)

);

CREATE TABLE `user_details` (

`user_id` int(10) NOT NULL default '0',

`firstname` varchar(255) NOT NULL default '',

`lastname` varchar(255) NOT NULL default '',

`email` varchar(255) NOT NULL default '',

`address` varchar(255) NOT NULL default '',

`contactnumber` varchar(255) NOT NULL default '',

`alternatenumber` varchar(255) NOT NULL default '',

`state` varchar(255) NOT NULL default '',

`zip` int(20) NOT NULL default '0'

);

CREATE TABLE `user_login` (

`user_id` int(10) NOT NULL auto_increment,

`user_name` varchar(255) NOT NULL default '',

`user_pass` varchar(255) NOT NULL default '',

PRIMARY KEY (`user_id`),

UNIQUE KEY `user_name` (`user_name`)

);

CREATE TABLE `user_received` (

`user_id` int(10) NOT NULL default '0',

`received_bank_name` varchar(255) NOT NULL default '',

`received_acc_number` varchar(255) NOT NULL default '0',

`amount_received` varchar(255) NOT NULL default '0',

`transaction_date` varchar(255) NOT NULL default ''

);

CREATE TABLE `user_transfer` (

`user_id` int(10) NOT NULL default '0',

`destination_bank_name` varchar(255) NOT NULL default '',

`destination_acc_number` varchar(255) NOT NULL default '0',

`amount_transferred` varchar(255) NOT NULL default '0',

`transaction_date` varchar(255) NOT NULL default ''

);

user_login

Attributes : user_id, user_name, user_pass

user_id : It is an auto incremented field which track the number of users registered with the bank. It is the primary key for this table.

user_name : It stores the username of a registered user which is unique.

user_pass : It stores the password corresponding to a username.

user_details

Attributes : user_id, firstname, lastname, email, address, contactnumber, alternatenumber, state, zip

user_id : It is a field which corresponds to the user_id in user_login table.

firstname : It stores the First name of the registered user.

lastname : stores the Last name of the registered user.

email : stores the email id of the registered user.

address : stores the address

contactnumber : stores the mobile number of the user to which the SMS has to be sent.

alternatenumber : this field is optional and stores the alternate number of the user.

state : stores the resident state.

zip : stores the zipcode of the resident.

user_balance

Attributes : user_id, acc_balance

user_id : It is a field which corresponds to the user_id in user_login table.

acc_balance : It stores the net balance of a account holder. By default it has value zero.

user_received

Attributes : user_id, received_bank_name, received_acc_number, amount_received, transaction_date

user_id : It is a field which corresponds to the user_id in user_login table.

received_bank_name : It stores the name of the bank from which a user receives money.

received_acc_number :It stores the account number of the user who transfers the money.

amount_received : It stores the amount received.

transaction_date : stores the date of the transaction.

user_transfer

Attributes : user_id, destination_bank_name, destination_acc_number, amount_transferred, transaction_date

user_id: It is a field which corresponds to the user_id in user_login table.

destination_bank_name: It stores the name of the bank to which the money has to be transferred.

destination_acc_number:It stores the account number of the user to transfer the money.

amount_transferred: It stores the amount transferred.

transaction_date : stores the date of the transaction.

IMPLEMENTATION

index.php

This is the home page of the site and include links to login, new user sign up and forgot password.

register.php

This is the registration page of a new user to the bank, where the user enters his login and contact details. This program performs basic client side (JavaScript) validations of the details entered. On submitting this page will redirect to loginform.php

loginform.php

This page checks whether the username submitted in register.php already exists in the database, if exists then, it will again redirect to register.php throwing an error "username already exist, please try another one..." and if does not exist, It will perform the following steps:

Inserts a new user login details in user_login table namely, username and password. The user_id is an auto incremented field and increments its value by 1.

Based on the last inserted user_id in user_login table, it will insert a new record in user_details table updating all the contact details of the user.

Inserts a new record in user_balance table by a default value of zero in acc_balance (account balance)

Displays the login form and on submitting this form will redirect to login_home.php

login_home.php

It checks the whether the posted login details are valid or not. If they are invalid then, it redirects to index.php throwing an error message "invalid username / password"

Else if valid then, it performs the following steps:

Connects to the database and fetch the user_id of the username and password submitted and stores in a session variable.

Creates a one time password (OTP) based on the SHA1 algorithm and stores it in a session variable.

Retrieves the contact number of the user, based on the user_id from the table user_details.

Creates a query string to send an SMS based on clickatells API procedure and sends an sms to the contact number retrieved.

After sending the sms it will redirect the page to authenticate_password.php

authenticate_password.php

This page asks the user to enter the OTP sent to his mobile via SMS and on submitting this page will redirect to verify_password.php

verify_password.php

This page checks whether the entered OTP is equal to the already stored session password variable and if it is correct will redirect the page to transaction.php else it will again redirect the page to authenticate_password.php throwing an error "you have entered wrong password, please try again..."

transaction.php

This page performs the following:

Displays the account id which is same as user_id.

Retrieves the account balance of the user from user_balance and displays it.

Displays the credited and debited details from the table user_transfer and user_received accordingly.

add_money.php

This page displays a form asking the user an amount to add to his account balance. On submitting this page will post the values to verify_add.php

verify_add.php

It will update the acc_balance field in the user_balance by adding the existing and the posted amount and redirect to transaction.php

bank_selection.php

It shows two options for the money transfer namely, "same bank" or "other bank". On selection of the options will submit the page to redirect.php

redirect.php

It will redirect the page to samebank.php or otherbank.php based on the selection of money transfer in bank_selection.php

samebank.php

It shows the existing account numbers – names of the bank and asks for the amount to be transferred. On submitting this form will redirect the page to same_auth.php

same_auth.php

This page performs the following:

Stores the amount and account number posted from the samebank.php in a session variable.

Creates a one time password (OTP) based on the SHA1 algorithm and stores it in a session variable.

Retrieves the contact number of the user, based on the user_id from the table user_details.

Creates a query string to send an SMS based on clickatells API procedure and sends an sms to the contact number retrieved.

asks the user to enter the OTP sent to his mobile via SMS and on submitting this page will redirect to aftersame_auth.php

aftersame_auth.php

This page checks whether the entered OTP is equal to the already stored session password variable and if it is not correct, will redirect the page to same_auth.php throwing an error "you have entered wrong password, please try again..." else if correct, it performs the following:

Deducts the transferred amount from the existing balance in user_balance.

Adds the same amount to the transferred account number.

Inserts a new record in user_transfer updating the details of the transferred bank, account number and the transaction date. (credited details)

Adds the transferred amount to the account number (i.e user_id) to which the money is transferred.

Inserts a new record in user_received updating the details of the transferred bank, account number and the transaction date. (debited details)

Redirects the page to success.html showing a message "your transaction is successfully completed".

otherbank.php

It asks the user to enter the account number, bank name and the amount to be transferred. On submitting this form will redirect the page to other_auth.php

other_auth.php

This page performs the following:

Stores the amount ,account number and the bank name posted from the otherbank.php in a session variable.

Creates a one time password (OTP) based on the SHA1 algorithm and stores it in a session variable.

Retrieves the contact number of the user, based on the user_id from the table user_details.

Creates a query string to send an SMS based on clickatells API procedure and sends an sms to the contact number retrieved.

Asks the user to enter the OTP sent to his mobile via SMS and on submitting this page will redirect to afterother_auth.php

afterother_auth.php

This page checks whether the entered OTP is equal to the already stored session password variable and if it is not correct, will redirect the page to same_auth.php throwing an error "you have entered wrong password, please try again..." else if correct, it performs the following:

Deducts the transferred amount from the existing balance in user_balance.

Inserts a new record in user_transfer updating the details of the transferred bank, account number and the transaction date. (credited details)

Redirects the page to success.html showing a message "your transaction is successfully completed".

Sample Coding

/* code to generate OTP and storing it in a session variable for comparison in the next step */

$otp = sha1(mt_rand());

$otp_password = substr($otp, 0, 6);

$_SESSION['OTP'] = $otp_password;

/* below is the code to send a request to clickatell’s API to send an SMS */

$clickatell_sms_url = "http://api.clickatell.com/http/sendmsg?";

$clickatell_username = "rajan_eeitc";

$clickatell_password = "Cefuv123";

$clickatell_api_id = "3205489";

$clickatell_to = "46".$sms_mobile_number['contactnumber'];

$clickatell_message = "BTH+BANKEN+Authentication+Password+:+".$otp_password."++Thank+you+for+registering+an+account+with+BTH+BANKEN";

$clickatell_query_string = $clickatell_sms_url."user=".$clickatell_username."&password=".$clickatell_password."&api_id=".$clickatell_api_id."&to=".$clickatell_to."&text=".$clickatell_message;

$send_sms = file_get_contents($clickatell_query_string);

TESTING

Testing Objectives

In light of the diversity of existing software testing, it is advantageous to consider the types of tests as they become available to a designer. This will also help identify the scope of a particular test and clarify its main advantages and disadvantages as well as make the developer aware about the limitations of this test.

Functional Tests are used to exercise the code with nominal inputs (input values) for which the expected values are available. We also know the boundary conditions for these inputs. For instance, functional testing of matrix multiplication can involve some data (matrices) for which the results are known in advance.

Performance Tests are utilized in order to determine the widely defined performance of the software system such as an execution time associated with various parts of the code, response time(in case of embedded systems),and device utilization. The intent of this type of testing is to identify weak points of a software system and quantifying its shortcomings, leading to further improvements.

Stress Tests are designed to break a software module. This type of testing determines the strengths and limitations of the software. Structure Tests are aimed at exercising the internal logic of a software system.

Testing In Small-Testing In the Large: The underlying criterion concerns which part of the system is subject to testing. If we are concerned with the individual modules, procedures and functions then, this lead to testing in the small. Testing in the large is primarily devoted to integration testing when the system is developed out of some already constructed modules.

Black Box-White (Glass) Box Testing: As the name suggests, the criterion leading to this type of discrimination specifies whether the internal (logical) structure of the system is available for testing purposes. If so, we are concerned with white box testing. If the internal structure is not available or exercised when developing the test suite, we confine ourselves to black box testing. Depending which way was selected, the points of view on testing are also radically different. In black box testing we are interested to test what the system is supposed to do. The testing is worked out from input data perspective; subsequently we see if the outputs (actions) of the software match the expected values. Functional, stress, and performance tests fall under this general category. In white box testing, testing concentrates on what the system does. Essentially, using detailed knowledge of code, one creates a battery of tests in such a way that they exercise all components of the code (say, statements, branches, paths).structural testing sub schemes white box testing.

Test Activities

In software testing we encounter a number of key activities:

Test plans

Test design

Test Cases

Test procedure

Test execution

Test report

A test plan indicates the scope, approach, resources and the schedule of testing activity. At this stage, one indicates what is to be or not to be tested and which tasks to perform. In addition, it is necessary to identify the sources and levels of risk in testing. Software testers are also identified. Test planning may begin as soon as the requirements are completed.

The key features in a test plan are

Transitioning

Estimates

Completion

Risk analysis allocation

It is difficult to determine when to stop testing or when a reasonable number of faults have been detected. For these reasons, criteria should be provided as a guideline for test completion. A test design refines the approach in a test plan. Test design also identifies specific features to be tested by the design, and define the associated test cases. It is strongly suggested that tests should be designed for regression testing (test previously executed can be repeated at a later point in development and maintenance).the test cases and test procedures are constructed in an implementation phase. One should strive for the most compact (smallest) collection of test cases (batteries) that still meet the goal. Good test cases have a high probability of detecting undiscovered errors. A test procedure identifies all steps required to operate the system and exercise the specified test cases to implement the already defined test design. Test execution is performing the test procedures. Test execution starts from the component level and moves up to the integration, system and acceptance level. a test report summarizes all outcomes of testing and highlights the discrepancies detected. Sting activities are distributed across the entire software life-cycle as shown in the figure.

Requirements

Design

Implementation

Test

Test plan

generation

Test design

Generation

Test case

Generation

Test procedure

Generation

Test execution

Phases of Testing

Testing can be divided into a number of phases as shown below:

Program Testing

System Testing

User Acceptance Testing

Program Testing:

The purpose of program testing is to check out whether the program is working accordingly to the specification given. This phase ensures that the program or modules as expected. In this phase, all parts of the program are checked thoroughly

System Testing:

System testing should prove that the computer system work as intended and are acceptable to user operations and audit. It would also show that the system would interface correctly with other existing computer systems. The running of system test should be under the control of operations, it can also prove that all the operations, so that operating procedures can prove to be correct. There should be sufficient volume of data to demonstrate that the system meets the performance constraints.

User Acceptance Testing:

User acceptance testing to be performed must be established and agreed during analysis. It may be urn in parallel with the existing system so that users will create special test data. The key difference between system testing and user acceptance testing is that the user is interested in the inputs and outputs. The inputs and outputs are verified with existing system and checked to see if it is the same.

Level of Testing

There are two levels of testing used the package they are:

Unit Testing

System Testing

Unit Testing:

Unit testing focuses verification on the smallest unit of software design. In unit testing various programs, which comprises the system are tested separately and are made to behave as expected. So unit testing is sometimes called as "Program Testing". This reduces the error produced by the larger program.

System Testing:

It is used to find the integration of each module in the system. It is also tested to find discrepancies between the system and its original objectives, current specification and system documentation. System testing is a series of different test whose primary purpose is to fully exercise the computer-based system. Testing is used to find the compatibility between the various programs units available in the system.

Testing Strategies

Testing of software’s is done in the aim of finding errors. Test cases are devised to bring out errors in the system. The test data are created with the intention of determining whether the system will program will handle them appropriately. There are two general testing strategies for testing software namely:

Code Testing

Specification Testing

Validation Testing

Code Testing:

The code testing strategy examines the logic of the program. Test cases are devised such that they result in executing every instruction in the program (i.e.) every path of the program is tested. Specification testing handles all these problems.

Specification Testing:

Specification Testing involve stating what the program should and how it should perform under various conditions. The test are developed for each condition or combination of condition and submitted for processing. By examining the results we can determine where the program performs according to its specified requirements.

Validation Testing:

Validation can be defined in many ways, but a simple definition is that validation succeeds when software functions in a manner that can be reasonable expected by the customer. Software validation testing is performed through a series of black box tests that shows conformity with requirements.

SCREEN SHOTS