FYPFINAL
Contents
Chapter 1: Introduction
Background to the Project
Problem context
Description of Problem Area
Nature of Challenge
Scope and Objectives
Scope of Project
Future enhancements
The objectives of this project
Project Plan
Research and Techniques
Interview
Questionnaire
Chapter 2: Literature Review
Introduction
Authentication
Basic authentication
Two-Factor Authentication
Types of two factor authentication
Tokens
Connected tokens
Disconnected tokens
Virtual tokens
Wireless tokens
Biometrics
Magnetic cards
Logical access
The relationship of Logical access and Identification and Authentication
Comparison of USB token to other forms of authentication models
Passwords
Biometrics
Justification of selected two factor authentication model
USB Token
USB tokens are cost effective
USB tokens are so easy to use
Extremely portable
USB tokens are secure
Possible USB Token problems
Applications
Cryptography
Encryption
Figure 2.1 Encryption and decryption process
Symmetric Encryption
Asymmetric Encryption
Blowfish Algorithm
Figure 2.3 Blowfish encryption algorithm process (Schneier, 1993)
Data Encryption Standard (DES)
Figure 2.2 DES Block Cipher Encryption Operation (NSA, 1999)
Advanced Encryption Standard (AES) Algorithm
Comparison of encryption algorithms
Table 2.1 Comparison of encryption algorithms
Table 2.2 Speed comparison of encryption algorithms (Coffey, 2009)
Justification on selected encryption algorithm
Methodology
Comparison of Methodologies
Waterfall
Spiral
RAD
Justification of Selected Methodology
RAD
Chapter 3: Primary Research
Primary Research
Interview
Why use an interview?
Interview held with the UNFAO technician
Final analysis of interview
Questionnaire
Why use questionnaires?
Final analysis of the Questionnaire
Overview
Many people today rely on computers for communication, storage, banking and much more, and
organizations have taken a strong interest in using computers to ease their day-to-day work. This
encourages very large amounts of information of all kinds to be shared over different networks.
That information is then usually stored on individuals' computers or in databases, in the hope
that it will remain hidden from unauthorized users. Although computers have benefited many, they
have also introduced risks. There is no shortage of people who devote their efforts to
compromising the security of data, so it is vital that users adopt better measures to protect
their data from intruders.
There are many ways of protecting data; authentication is the main one this project focuses on.
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211621,00.html defines
authentication as the process of determining whether someone or something is, in fact, who or
what it is declared to be. Passwords are the most commonly used form of logon authentication, as
they are said to be the simplest and cheapest. A password-only logon assumes that whoever knows
the password is the legitimate user. That assumption is exactly why this kind of authentication is
considered the weakest: knowledge of a password is easily guessed, stolen or passed on, so an
intruder can have it just as readily as the owner.
Given how vulnerable information is nowadays, I came up with a fitting solution that is as easy
and simple to use as the username-and-password authentication model. The solution I have created
will also be very reasonably priced.
My project title is Compact Security Key for Windows. As the title states, this is a portable key
in the form of a USB drive that helps secure data stored on computers from unauthorized users. The
use of a token or dongle as a form of authentication has gained popularity because of the security
benefits it gives its users. The tool I am developing is targeted at limiting access to computers
by means of a login key.
Background to the Project
Problem context
The username and password combination has been around for years and remains the most commonly
used authentication tool in the digital world today, and there is very little to indicate that
this will change in the near future, even though more secure alternatives such as biometric
devices and security tokens are available off the shelf. The reliability of the username-password
combination depends on the ability of users to keep it secret and out of sight of prying eyes.
Passwords are vulnerable because they are usually personalized and kept short to reduce the
difficulty of remembering them. If passwords are made longer and stronger, there is a high chance
they will be forgotten, so users write them down on a piece of paper for reference. That in turn
makes passwords easier to steal, as an intruder can simply copy them from the paper. Furthermore,
employees tend to reuse one password across different accounts, because one password is easier to
remember than many. This is very dangerous: if an intruder obtains that one password, they have
access to many of the employee's accounts.
Today's tools make it even harder to keep a username and password secure. For example, an
attacker with administrative or physical access to a Windows machine can copy the password hashes
out of the SAM database (a registry hive on disk, although the LSASS process also holds the
hashes in memory) and crack them offline with readily available software. A short or
dictionary-based password falls quickly to such an attack; a long random one, of the kind a token
can carry on the user's behalf, does not.
Rationale
With reference to the problems identified above, the proposed system can be very beneficial to
the targeted users. The USB security token secures the computer system as follows:
• The tool increases the level of security by binding the user's account to the USB token;
intrusion is hard as long as the token is kept safe. Even if the token is lost or stolen, security
is still not compromised, because an additional PIN corresponding to the USB is required.
• Increased security of access control: the user's login credentials are stored on the USB, so to
gain access the user has to plug the USB into the computer. The system requires the user to enter
the PIN corresponding to the USB before it goes on to read the login credentials stored there.
Logging off the computer is as easy as unplugging the USB.
• The application checks that the USB is the one registered earlier by comparing the USB's serial
number with the one stored in a dedicated file. Users therefore no longer have to remember long
passwords. Note that a USB device's serial number can be read by anyone who plugs the stick in and
can be reproduced on a programmable controller, so it identifies the token but is not a secret;
the PIN and the encryption of the stored credentials are what actually protect the account.
• A convenient and less expensive alternative to smart-card readers.
• Eliminates the need for expensive password management software and systems.
• Solves the problems associated with managing many passwords on a network, server or computer
system.
• Best of all, the user's password is carried with them rather than memorized or typed at the
keyboard, which allows it to be long and random. Windows itself still keeps a hash of the password
in the SAM database, so the password must be strong enough that its hash cannot be cracked
offline.
Description of Problem Area
Many employees find it difficult to remember long passwords made up of letters, numbers and
special characters, even though such passwords are considered strong compared with short, simple
ones. An employee who opts for a strong password will usually write it down somewhere to help
remember it. This is not secure, since anybody who finds the note can steal the login credentials.
Making passwords short and simple does not solve the problem either, because an intruder can then
easily guess them with a dictionary attack or a brute-force attack. Either way, the organization's
important documents are put at risk: customer information, bank details, tenders, future projects
and so on.
Some employees are reluctant to log off their computers, especially if they will only be away for
a few minutes, forgetting that within those minutes an unauthorized user could obtain useful
information from the machine. With this tool, logging off is as easy as pulling the USB out of the
computer, which immediately locks the PC.
Nature of Challenge
• Time Constraints: This challenge is immense and is the most relevant aspect of the project, as
it encompasses the project in its entirety. It will not be easy to build a complete, fully
functional, error-free access control system within a short period of time and with such limited
expertise and manpower.
• Programming Language: A wise man once said "If you have 3 hours to chop down a tree, you should
spend 2 hours sharpening the axe", or something to that effect. The challenge in this case is
first to gain a solid understanding of the programming language most suitable for creating the
system. In addition, implementing encryption in my program will be a challenge. It will also be
demanding to learn how Windows interacts with the access controller and with the registry. A
thorough study will have to be carried out on building a system around Win32 Winlogon. Winlogon
(winlogon.exe) handles the interactive logon and delegates the identification and authentication
user interface to a replaceable DLL, the Graphical Identification and Authentication DLL (GINA,
msgina.dll by default), which implements the policy of the interactive logon screen, collects the
user's credentials and performs the identification and authentication of the user. The good thing
about GINA is that it can be replaced: Winlogon loads whichever DLL is named by the GinaDLL value
under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. That is what my project depends
on, and replacing GINA with my own authentication mechanism will be a huge challenge for me.
• Encryption: I must admit it is going to be an uphill task for me to encrypt the credentials on
the USB, as I have only minimal knowledge in that field. The project as a whole will be a
challenge, as there is a lack of reading material on this specific field in the APIIT library and
on the internet.
Scope and Objectives
Scope of Project
This system is developed to replace the traditional authentication model of the United Nations
Food and Agriculture Organization (UNFAO), which currently uses the username and password pair. It
will provide them with strong security in an accessible, user-friendly and portable form. The
hardware authenticator will contain the encrypted login credentials of the user. This completely
eliminates the problem of trying to remember difficult passwords, and it also gets rid of the
problem of passwords being jotted down on pieces of paper. The tool will give the user a whole new
level of experience in authentication.
My system is divided into two main parts and these are:
Core Features
Core features are the most essential characteristics of this project. These have to be completed
within the given period of time.
Future enhancements
These are characteristics that will not be included in the project now but later on can be added to
update the current version.
Core Features
1. Editing the registry
2. Enquire for USB before logon
3. Gets user credentials from the USB
4. Log Off when USB is removed
Future enhancements
1. Enabling the USB authentication model to be compatible with Windows 7 (Windows Vista and later
no longer load GINA DLLs, so this means re-implementing the logon component as a Credential
Provider)
The objectives of this project
An objective is a desired or needed result to be achieved at a specific time. The objectives of my
system are as follows:
1. The system should interact with the USB
2. The user's account should be bound to the USB; this means that without the USB no access will
be granted
3. If the USB is unplugged, the system will automatically log out
4. Even if the USB is plugged in, the system should still require an extra PIN from the user
5. Even if the content of the USB is copied to another USB, that other USB will not grant access
6. The data on the USB should be encrypted
7. A log entry should be written after every login attempt, even a failed one
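The checks listed in the rationale and in the objectives above, as an added worked example in Python; this is illustration code written for this page, not the project's own C++ GINA code. It binds the credential file to the token's serial number, requires a PIN, keeps the credentials encrypted and authenticated on the stick, writes a log entry for every attempt and treats removal of the token as the end of the session. The serial numbers, PIN, user name and password are constructed sample values, the iteration count and lockout threshold are assumed, and HMAC-SHA256 run in counter mode stands in for the block cipher the report selects, because Python's standard library ships no AES or Blowfish:

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Parameters chosen for this illustration (assumed, not taken from the report).
PBKDF2_ITERATIONS = 100_000   # stretches a short numeric PIN against offline guessing
MAX_PIN_FAILURES = 5          # host-side lockout after this many wrong PINs (objective 4)


def derive_key(pin: str, device_serial: str, salt: bytes) -> bytes:
    """The key depends on the PIN *and* the token's serial number, so a copy of the
    token file on a stick with a different serial derives a different key and can
    decrypt nothing (objective 5)."""
    return hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), salt + device_serial.encode(), PBKDF2_ITERATIONS, dklen=32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream. It stands in for the
    block cipher the report selects; the Python standard library ships no AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the PIN-derived key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (objective 6)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None, and no plaintext at all, when the tag fails: wrong PIN,
    wrong serial, or a tampered token file."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(device_serial: str, pin: str, username: str, password: str) -> Tuple[dict, dict]:
    """Registration. Returns (file written to the USB stick, record kept on the host).
    The failure counter lives on the host: kept on the stick, an attacker could copy
    the file back and reset it."""
    salt = secrets.token_bytes(16)
    creds = json.dumps({"user": username, "password": password}).encode()
    token_file = {"salt": salt.hex(),
                  "blob": seal(derive_key(pin, device_serial, salt), creds).hex()}
    host_record = {"serial": device_serial, "failures": 0}
    return token_file, host_record


def verify(token_file: dict, host_record: dict, device_serial: str, pin: str,
           audit_log: list) -> Optional[dict]:
    """Logon check a GINA replacement would run. Every attempt, successful or not,
    is appended to audit_log (objective 7)."""
    entry = {"t": time.time(), "serial": device_serial}
    if device_serial != host_record["serial"]:
        audit_log.append({**entry, "result": "wrong_token"})   # file copied to another stick
        return None
    if host_record["failures"] >= MAX_PIN_FAILURES:
        audit_log.append({**entry, "result": "locked"})
        return None
    plain = unseal(derive_key(pin, device_serial, bytes.fromhex(token_file["salt"])),
                   bytes.fromhex(token_file["blob"]))
    if plain is None:
        host_record["failures"] += 1
        audit_log.append({**entry, "result": "bad_pin"})
        return None
    host_record["failures"] = 0
    audit_log.append({**entry, "result": "ok"})
    return json.loads(plain)


def session_state(logged_in: bool, token_present: bool) -> str:
    """Core feature 4: pulling the stick ends the session; re-inserting it never
    logs the user back in without the PIN."""
    if logged_in and not token_present:
        return "locked"
    return "active" if logged_in else "logged_out"


if __name__ == "__main__":
    token, host = enroll("SN0001", "4821", "alice", "Wbh@#%800")   # constructed values
    log = []
    print(verify(token, host, "SN0001", "4821", log))   # the stored credentials
    print(verify(token, host, "SN9999", "4821", log))   # None: same file, different stick
    print([e["result"] for e in log])
```

Two design points are worth drawing out. The serial number is mixed into the key derivation rather than only compared against a stored copy, so even an attacker who edits the host-side record or reprograms a stick's serial still needs the PIN; and the failure counter is kept on the host, not on the stick, because anything on the stick can be copied back to undo a lockout. Since a USB serial can be read by anyone who plugs the stick in, it is the PIN and the encrypted credential file, not the serial, that protect the account.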
Project Plan
Research and Techniques
Research is a very important part of this project, as it will help make it a success. There are
many sources to collect information from: online, books, people and past articles.
There are many methods of collecting primary data and the main methods include:
• questionnaires
• interviews
• focus group interviews
• observation
• case-studies
• diaries
• critical incidents
• document review
I have decided to use at least 3 data collection methods and these are interview, questionnaire
and document review.
Interview
An interview is simply a conversation conducted between two or more people. In this setting the
interviewer asks the questions and tries to obtain answers from the interviewee, who only answers.
Since I will be creating the system for UNFAO, it is very important to know their ideas and
suggestions. I will interview some of the employees about what they think of the system.
Questionnaire
http://www.cc.gatech.edu/classes/cs6751_97_winter/Topics/quest-design/ states that
questionnaires are an inexpensive way to gather data from a potentially large number of
respondents. Questionnaires are often said to be the only feasible way to reach a large number of
people and still obtain statistically accurate results. A well-designed questionnaire will help me
gather information on the overall performance of the system and on its specific components.
Most of my research will be done through document review. Owing to the lack of resources
pertaining to my project in the UCTI library, a large portion of the research will be carried out
using the internet. I will begin my research on Winlogon, to understand how it will be used in my
project, and then proceed to learn how to manipulate the registry so that it works with my
program. I also have to research how to turn a USB drive into a token. Encryption is another
major part of the project, so thorough research on encryption will be carried out. For the project
to be a success I need to know more about the programming language I will be using, C++, and I
will research it to equip myself with more knowledge of how to use it. Finally, research on the
methodologies available for this kind of project will be carried out.
Introduction
This chapter gives a general overview of authentication. It briefly explains what authentication
is and concentrates on elaborating what two-factor authentication is and how it enhances security.
It further covers how something as simple as a USB drive can be used as a dongle in two-factor
authentication. The processes, techniques and functions of two-factor authentication are broadly
discussed in this chapter.
Authentication
http://mtechit.com/concepts/authentication.html defines authentication as any process by which a
system verifies the identity of a user who wishes to access it. Authentication can be implemented
in several ways, such as:
Credentials – achieved when the individual requesting access presents something only they know,
like a username and password or a PIN.
Tokens – achieved when the individual requesting access presents something unique that they have,
such as a physical token or a smart card.
Biometrics – achieved when the individual requesting access presents something they are, such as
unique biometric data like a fingerprint.
Basic authentication
Basic authentication would normally request a user to identify who they are with a username and
verify that they are who they claim to be with a password corresponding to the given username.
Two-Factor Authentication
Two-factor authentication, at times referred to as strong authentication, combines any two of the
authentication methods mentioned above to identify and verify an individual. It reinforces
security by raising the level of authentication assurance.
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci992919,00.html defines two-factor
authentication as a security process in which the user provides two means of identification, one
of which is typically a physical token, such as a card, and the other of which is typically
something memorized, such as a security code.
The two-factor authentication model helps users protect their personal data by making it difficult
for intruders to gain access to their computers. It does so by strengthening the existing login
mechanism with any two factors of authentication: something the user knows, something they have,
or something they are. The two factors must come from different categories; a password combined
with a PIN is still only something the user knows, and so is not two-factor authentication.
Types of two factor authentication
The concept of two-factor authentication is not new; it has been around for years, and many types
of two-factor authentication have been developed over time.
Tokens
http://www.bitpipe.com/tlist/Security-Tokens.html defines a token as a small hardware device that
the owner carries to authorize access to a network service. A commonly used object such as a USB
drive can serve as a token. As already stated, security tokens enhance security and provide an
increased level of assurance that the user is who they claim to be. Unlike usernames and
passwords, tokens are physical objects, so the owner would notice if their token was stolen.
Tokens are easy to carry around, and even if lost they are useless to whoever finds them, who
would still need the other factor to identify and verify themselves. They are also very easy to
use; with a USB dongle, for example, the user just places the USB in a port, enters the
corresponding PIN and is good to go.
Tokens can be classified into different categories, namely:
• Connected token
• Disconnected token
• Virtual token
• Wireless token
Connected tokens
Connected tokens must be physically connected to the user's computer. The user's login credentials
are then transmitted to the computer automatically, which removes the need for the user to type
them in. The best known connected tokens are USB tokens.
Disconnected tokens
Disconnected tokens, as the name states, are the opposite: they do not need to be physically
plugged into the user's computer. Examples include one-time password (OTP) generators and the use
of phones. These are usually used to enhance the security of online transactions: the user
receives an automatically generated password on their phone and has to type it manually into the
password field.
Wireless tokens
A newer class of tokens has been developed to ease the authentication process without keying in
character sequences, with automatic pairing of the authentication factors. An example of a
wireless token is a Bluetooth token. A Bluetooth token only works within a certain distance, so
the logoff criteria can be integrated with distance metrics.
Biometrics
http://www.authenticationworld.com/ defines biometric authentication as the process of taking a
"piece of you", digitizing it and then using this to authenticate against an identity directory or
database. Biometric authentication can be based on physiological features or on behavioural
features.
The use of unique physiological features for biometric authentication has gained recognition in
many sectors. An example of a behavioural feature that can be used for biometric authentication is
signature dynamics, the way a person writes their signature. Biometric authentication also fits
into two-factor authentication: users may use a physiological feature such as a fingerprint or
their voice to authenticate themselves, submitting the biometric to the given hardware and then
adding a PIN or password to gain access. While biometric authentication is considered secure, it
can be a little difficult to use and very expensive when a large number of people are involved.
Finally, biometric authentication is surrounded by user resistance issues.
“Perhaps the biggest barrier to increased adoption of biometric authentication is user
resistance; many people still associate biometrics with Big Brother invasions of privacy.”
Forrester Turner
Many users refuse to have their personal physical characteristics taken and stored for
authentication purposes.
Magnetic cards
A perfect example of a magnetic card is the ATM card; this kind of authentication method is
usually used together with a reader and a PIN to provide a two-factor authentication model. Each
card carries a unique number that is read on every swipe and matched against the value held by
the issuer to authenticate the user. On a standard magnetic stripe this data is static, which is
why a skimmed stripe can be copied onto a blank card; the per-transaction values that change every
time and cannot be replayed are generated by the chip of an EMV card, not by an ordinary stripe.
Logical access
Nowadays many IT systems are used to store information that can be accessed by many people. It is
normal to find an organization that has divided its information into information that can be
accessed by everyone, information that can be accessed by a certain group of people or a certain
department, and information that can only be accessed by certain individuals. Usually this
information is stored in a centralized location, which avoids spending a lot of money and also
allows collaboration, communication and discovery to take place.
One problem with storing information in one centralized location is that users may end up seeing
sensitive information that was never meant for their eyes, or editing information they are not
supposed to edit. It is necessary to ensure that this does not happen, and this is where logical
access comes into play.
Logical access controls determine who may and who may not view, edit or otherwise access
particular information, and are a means of addressing these problems.
www.public.iastate.edu/~ecommerce/glossary.html defines logical access as user-based authenticated
access to the application systems and the data that is processed.
The relationship of Logical access and Identification and Authentication
Identification and authentication play a big role in logical access, because they are the process
in which a user who wants to interact with a system is asked to identify themselves and verify
that they are who they claim to be before being allowed access. Identification can be achieved by
submitting a username or a token, and verification by a password or PIN that corresponds to the
submitted identifier. Logical access then binds the appropriate information and permitted accesses
to that identity. So logical access works hand in hand with identification and authentication: if
a user's password is stolen and used without their knowledge, both logical access and I&A are
compromised, which amounts to a security breach.
Comparison of USB token to other forms of authentication models
A smart-card-based device is the ideal suggestion for an organization seeking strong
authentication, as it is highly secure. If an organization seeks a mechanism that fits this
description and is also cost effective, then a USB token will be its ideal solution.
Why a USB token?
A USB token has proven to be one of the best two-factor authentication models when compared with
all the other models.
Passwords
"A password should be like a toothbrush. Use it every day; change it regularly, and DON'T
share it with friends." – Usenet
Even though the username-and-password model is one of the cheapest, most portable and most
common in organizations, it has proven on many occasions not to be secure. This is because a
password's security relies on the user keeping it secret. If the user does not keep it away from
prying eyes, the security of their data may be compromised.
It is very difficult to keep a password secret. People are poor at evaluating risk: according to
http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/, office workers were
prepared to give away their passwords for a cheap pen. This is not the only example; there are
many instances where best friends openly share passwords as a sign of trust. What happens when
they are no longer friends?
Apart from the above, there are many other reasons why passwords are not safe. People tend to use
short and simple passwords because long passwords are easily forgotten. Short passwords are not
safe, as they can easily be guessed or cracked, especially if they are made up of letters only.
http://www.microsoft.com/protect/fraud/passwords/create.aspx, on the contrary, advises users to
strengthen their passwords by using at least 14 characters and, if necessary, the entire keyboard,
meaning a mixture of letters and the other characters on the keyboard; the implication is that the
more characters, the better. If only this worked in practice, passwords might be safe.
Unfortunately long passwords are also a problem, as already mentioned, because they are forgotten.
Who is going to remember a password like wbh@#%800? Not many people, so to avoid forgetting
them users usually jot them down on a piece of paper and then fail to keep the paper safe, making
the password available to anyone who finds it.
Passwords are simply hard to manage. Some people build their passwords from passphrases, as
advised by Mark Burnett in his book 'Perfect Password: Selection, Protection, Authentication', but
that still does not make a password secure: a passphrase sent over the network can be captured by
a man-in-the-middle attack, and tools such as Cain & Abel exist to sniff and crack such credentials.
A USB token, compared with a password, provides what a password fails to. A USB token can hold
the longest of passwords; the user does not have to remember it or jot it down, because it is
stored inside the token. At the same time, the login credentials stored within the token are
encrypted, unlike ordinary passwords. They cannot simply be shared, and even if they were copied
they could not be used anywhere else, as they are bound to the token's serial number.
Biometrics
Moving on to why organizations should use USB tokens rather than biometrics: biometric
authentication is often regarded as the best, because a biometric cannot be shared among friends,
stolen or lost, and it stays the same for a very long time. Unfortunately, if it is compromised
then it is compromised forever. Nothing is perfect, and biometric authentication is no exception.
Biometrics also has accuracy issues. http://www.biometricnewsportal.com/biometrics_issues.asp
defines a False Accept as a non-matching pair of biometric data being wrongly accepted as a match
by the system, and a False Reject as a matching pair of biometric data being wrongly rejected by
the system. Both errors stem from the limited accuracy of biometric matching. Biometric devices
are usually built to serve one of two needs: secure and convenient, or highly secure. According to
http://ezinearticles.com/?Biometrics&id=16097, a heavy security emphasis errs on the side of
denying legitimate matches and does not tolerate acceptance of impostors. This simply implies that
a biometric device built to provide high security will usually have a higher false reject rate
(FRR) than false accept rate (FAR); its matching threshold will be set high, which can be annoying
for users and is experienced as inconvenient. On the contrary, still based on
http://ezinearticles.com/?Biometrics&id=16097, a heavy emphasis on user convenience results in
little tolerance for denying legitimate matches but will tolerate some acceptance of impostors.
This means a biometric device built for security but with convenience in mind will usually have a
higher FAR than FRR, which is bad, as unauthorized users could gain access by luck.
Those are just two accuracy errors; there is one more problem with biometric devices. Not all
individuals can use them, for one reason or another, and this is usually referred to as failure to
enroll (FTE). People with certain eye diseases such as cataracts may fail to enroll in an iris
system, and people without hands cannot enroll for fingerprint or hand geometry. Tokens, by
contrast, can be replaced at any time if lost, the login credentials can be changed, and anybody
can use one: there are no failure-to-enroll issues, which makes them very user friendly.
Justification of the selected two-factor authentication model
USB Token
A USB token is a portable end-user authentication token that connects to a standard computer
interface, the USB port. It is often used in addition to a password, or instead of a username and
password, for logging in to workstations. A USB token can be used to help control access to
websites, VPNs, files, email, a network and/or a disk.
USB tokens are cost effective
“The chief advantage USB tokens offer over smart-card-based network login systems is the lack
of need for a card reader, says a spokesperson for Aladdin Knowledge Systems, of Arlington
Heights, Illinois, who asked not to be named.”
http://www.pcworld.com/article/89263/usb_tokens_offer_pocketsized_security.html
The above statement reflects the main advantage of a USB token over the other hardware-based
authentication methods. It is very cost effective, especially for companies with many employees,
as a USB token requires nothing but a USB port, which is found on practically every computer
today. Other authentication methods such as smart cards and fingerprint readers may require
external readers to be deployed, which can be very costly. The token itself can also be purchased
at a very reasonable price, so it does not put financial pressure on the organization.
USB tokens are easy to use
As if being cost effective were not enough, USB tokens are also easy to use. A living example is
the eToken PRO. All the user has to do to authenticate is plug the token into a USB port and enter
the eToken password. Logging off is as simple as logging in: the user just unplugs the token
(http://www.safenet-inc.com/aladdin-content/etoken/devices/pro-usb.aspx).
Extremely portable
Tokens are very small and usually designed to fit on a key chain, so carrying them everywhere is
no hassle. Users can securely carry all their credentials with them wherever they go, and using
the eToken USB key is as simple as plugging it into any computer with a USB port.
USB tokens are secure
This application allows users to store their username and password securely on a hardware
device. The hardware-based system physically links the user to their identity, offering greater
security than passwords alone, since many user passwords are easy to guess. Because the username
and password are stored on the hardware device, they need to be protected as well, so a
user-defined PIN will also be implemented. This is both more convenient and more secure: the user
does not waste time keying in a complicated username and password, but simply plugs in the USB
key and enters a PIN. If the PIN entered is correct, the login data is read automatically from the
USB key.
Apart from that, all the login credentials stored on the USB token will be encrypted. This
tightens the security of the token: even if the user loses it, they need not worry about anyone
immediately learning what was stored on it.
Added to that, the USB token is secure even if an intruder copies the login credentials stored on
it onto a different USB device: the copy cannot be used to log in, because the computer recognizes
the original token by its serial number.
The computer will automatically lock itself as soon as the USB token is unplugged. This is an
assurance that important data cannot be accessed by a third party even if the computer is lost,
stolen or left unattended, as long as the token has been unplugged.
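The following is an added example, not the eToken's or the project's own implementation, of how the design described above can be realised: the credential blob is encrypted under a key derived from both the PIN and the token's serial number, carries an integrity tag that is checked before anything is decrypted, and the token refuses further attempts after three wrong PINs. It assumes the host can read a serial number from the token, and it uses HMAC-SHA256 in counter mode as the cipher, standing in for AES because the Python standard library has no block cipher. The usernames, passwords and serial numbers are constructed.

```python
"""Added example (not eToken's or the project's design) of PIN-unlocked,
serial-bound, encrypted credentials on a USB token.  Assumptions: the host can
read the token's serial number; HMAC-SHA256 in counter mode with an
encrypt-then-MAC tag stands in for AES, which the standard library lacks."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000   # assumption; raise on real hardware

def derive_keys(pin, serial, salt):
    """PIN and serial both feed the KDF, so the same PIN on another token yields
    different keys and a copied blob is useless there.  Returns (enc_key, mac_key)."""
    material = pin.encode() + b"\x00" + serial.encode()
    key = hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS, 32)
    return key[:16], key[16:]

def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 used as a PRF; fresh per nonce."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal_credentials(pin, serial, username, password):
    """Provisioning: build the blob that is written to the token."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(pin, serial, salt)
    plaintext = username.encode() + b"\n" + password.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag

def open_credentials(pin, serial, blob):
    """Login: returns (username, password), or None on a wrong PIN, a different
    token serial or a tampered blob.  The tag is verified before decrypting."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(pin, serial, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    username, _, password = plaintext.partition(b"\n")
    return username.decode(), password.decode()

class Token:
    """The token side: a serial number, the blob, and a retry counter.  A four-digit
    PIN has only 10,000 values, so the counter, not the PIN, is what stops guessing."""
    MAX_ATTEMPTS = 3

    def __init__(self, serial, blob):
        self.serial, self.blob, self.failed_attempts = serial, blob, 0

    def unlock(self, pin):
        if self.failed_attempts >= self.MAX_ATTEMPTS:
            return None                                   # locked until re-provisioned
        creds = open_credentials(pin, self.serial, self.blob)
        self.failed_attempts = 0 if creds else self.failed_attempts + 1
        return creds
```

Binding to the serial number stops a copied blob from working on another device, but the serial is readable by anyone holding the token, so it adds no secrecy of its own; the PIN and the retry counter carry that protection, which is why the counter must live on the token rather than on the host.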
Possible USB token problems
Applications
As stated earlier, the USB token model is not a new concept, and several products have been
developed on it. Below is a list of secure USB token vendors
(http://www.24-7pressrelease.com/press-release/smart-insights-report-secure-usb-token-market-to-account-for-over-eur-1-billion-in-2014-159606.php).
The report includes a detailed analysis about the following Secure USB Token vendors:
• ActivIdentity
• Aladdin
• Entrust
• Feitian Technology
• Gemalto
• Giesecke & Devrient
• Ironkey
• Neowave
• RSA
• Sandisk
• Todos
• Vasco
• Watchdata
Cryptography
"Cryptography is the art and science of encryption" (Schneier, 2003). It is the science of secret
writing: specific methods and processes are used to prevent the contents of a message from being
disclosed to unauthorized persons while keeping the message available to authorized ones.
A secure computing environment would not be complete without considering the use of
cryptographic techniques. This is where encryption comes in, since it is vital for keeping the
two-factor authentication data on the USB token secure.
Encryption
Encryption is the process of disguising a message in such a way as to hide its substance
(Schneier, 1996). It is a technique of secret writing that, while data is being transmitted or
stored, transforms it from plain readable text into an unreadable form known as ciphertext using a
specific cryptographic algorithm, and allows the process to be reversed.
A typical encryption process is outlined below:
Figure 2.1 Encryption and decryption process: plaintext is turned into ciphertext by the
encryption operation under a cipher key, and the decryption operation under the cipher key turns
the ciphertext back into plaintext.
Methods of encryption fall into two categories depending on the type of keys used for the
encryption and decryption of data: symmetric and asymmetric.
Symmetric Encryption
In symmetric encryption the sender and the receiver are required to agree on a secret key that
they intend to use to encrypt and decrypt their messages. With this method, users need to make
sure that each person who needs the key receives it without any risk of it leaking out. Symmetric
encryption is much faster than asymmetric encryption and is easier to use.
From Schneier (1996), symmetric algorithms, sometimes called conventional algorithms, are
algorithms in which the encryption key can be calculated from the decryption key and vice versa.
In most symmetric algorithms the encryption key and the decryption key are the same.
Symmetric-key encryption and decryption are denoted by:
E_k(M) = C
D_k(C) = M
where E_k is encryption under key k, D_k is decryption under key k, M is the message (plaintext)
and C is the ciphertext; decryption undoes encryption, so D_k(E_k(M)) = M.
Symmetric-key encryption is further divided into two categories, block ciphers and stream
ciphers. A block cipher operates on the plaintext one group of bits (a block) at a time, whereas
a stream cipher operates on a single bit or byte at a time. Well-known symmetric algorithms
include Blowfish, Twofish, IDEA, DES and AES.
Asymmetric Encryption
In asymmetric encryption two different keys are used, a public key and a private key, one for
encryption and the other for decryption. Data is encrypted with the public key of the receiver and
decrypted by applying the matching algorithm with the receiver's private key. Anyone who has the
public key can send encrypted data to the holder of the private key. The private key is never
shared.
Asymmetric-key encryption is mainly used to secure communications across a network
infrastructure. The reason is that if symmetric-key encryption were used instead there would be a
single key for both encryption and decryption, shared by every party, and an attacker who managed
to steal that key would be able to eavesdrop on practically all communication across the network.
Symmetric-key encryption is, however, appropriate for securing individual computing systems and
workstations within the network, where the key never has to be distributed.
Asymmetric algorithms are slower than symmetric ones, so in many applications a combination of
the two is used: the asymmetric keys are used for authentication and key establishment, after
which one or more symmetric keys, exchanged under the asymmetric encryption, protect the data
itself. Algorithms that can be used for encryption include Blowfish, Rijndael (AES), RSA, IDEA
and Twofish.
This project aims to implement a symmetric-key encryption algorithm, since it is the most
suitable for individual stand-alone computer systems.
Blowfish Algorithm
Blowfish is a symmetric block cipher designed by Bruce Schneier. It is a 64-bit block cipher with
a variable-length key. The algorithm consists of two parts: key expansion and data encryption.
Key expansion converts a key of up to 448 bits into several subkey arrays totalling 4168 bytes.
According to Schneier (1996), Blowfish was designed to meet the following criteria:
• Fast. Blowfish encrypts data on 32-bit microprocessors at a rate of 26 clock cycles per
byte.
• Compact. Blowfish can run in less than 5K of memory.
• Simple. Blowfish uses only simple operations: additions, XORs and table lookups on 32-bit
operands. Its design is easy to analyze, which makes it resistant to implementation errors.
• Variably secure. Blowfish's key length is variable and can be as long as 448 bits.
Blowfish is considered simple to implement and flexible because of its variable key length (32 up
to 448 bits). It is also more secure and faster than DES, has slowly gained acceptance, and has
been implemented in various applications as well as in hardware.
Figure 2.3 Blowfish encryption algorithm process
(Schneier, 1993)
Based on the figure above:
• The input is a 64-bit data element.
• Data encryption consists of a simple function iterated 16 times.
• Each round consists of a key-dependent permutation and a key- and data-dependent
substitution.
• All operations are additions and XORs on 32-bit words. The only additional operations
are four indexed array lookups per round.
Several cryptographers have since examined Blowfish. In 1995, Serge Vaudenay examined weak keys
in Blowfish and found a class of keys that can be detected, although not broken, in Blowfish
variants of 14 rounds or fewer. Schneier (1996) also notes that Vincent Rijmen's Ph.D. thesis
includes a second-order differential attack on 4-round Blowfish that cannot be extended to more
rounds.
Data Encryption Standard (DES)
The Data Encryption Standard (DES) is a widely used method of data encryption using a private
(secret) key. There are about 72,000,000,000,000,000 (72 quadrillion, or 2^56) possible keys. For
each given message the key is chosen at random from this enormous number of keys. Like other
private-key methods, both the sender and the receiver must know and use the same secret key. DES
was developed in the 1970s by the National Bureau of Standards with the help of the National
Security Agency. Its purpose is to provide a standard method for protecting sensitive commercial
and unclassified data. IBM created the first draft of the algorithm, calling it LUCIFER. DES
officially became a federal standard in November 1976. DES takes as input a 64-bit key, of which
only 56 bits are used.
DES is a symmetric-key algorithm that uses a single key for both encryption and decryption. It is
a block cipher: a 64-bit block of plaintext goes in one end of the algorithm and a 64-bit block of
ciphertext comes out the other (Schneier, 1996). The key is nominally 64 bits, but every eighth
bit, the least-significant bit of each key byte, is used for parity checking (error detection)
and otherwise ignored, so the effective key length is 56 bits.
DES works on bits; a 64-bit block is commonly written as 16 hexadecimal digits of four bits each,
and decryption with the same DES key maps the ciphertext back to the original plaintext (Grabbe,
2005). DES combines the two basic encryption techniques, substitution followed by permutation;
one application of the combination is known as a round. DES has 16 rounds, that is, it applies
the same combination of techniques to the plaintext block 16 times (Schneier, 1996).
The algorithm derives its strength from the repeated application of substitution and
transposition, one on top of the other, for a total of 16 cycles. The sheer complexity of tracing
a single bit through 16 rounds of substitution and permutation is what made it secure at its
inception into general use. The algorithm uses only standard arithmetic and logical operations on
numbers of up to 64 bits, so it is suitable for implementation in software on most computers, and
its repetitive structure also makes it suitable for implementation on a single-purpose chip.
Figure 2.2 DES Block Cipher Encryption Operation
(NSA, 1999)
Figure 2.2 above shows the DES block cipher encryption operation on a 64-bit block of input
producing a 64-bit block of output.
Initial Permutation: The initial permutation transposes the input block. The 64-bit plaintext is
permuted according to the table below, where each entry gives the position of the input bit that
moves to that output position (bit 1 being the leftmost):
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Key Transformation: The 64-bit key becomes a 56-bit key by deleting every eighth bit (permuted
choice 1, shown below). At each cycle the key is split into two 28-bit halves; each half is
rotated left by a specific number of positions (one or two, depending on the round), the halves
are joined together again and 48 of the 56 bits are selected and permuted (permuted choice 2) to
form the subkey used in that cycle.
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Expansion Permutation: The right half is expanded from 32 to 48 bits by means of the expansion
permutation. The expansion permutes the order of the bits and also repeats certain bits:
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
S-Box tables for DES: Substitution is performed by eight S-boxes. An S-box is a table by which
six bits of data are replaced by four bits. The 48-bit input is divided into eight 6-bit blocks,
identified as B1, B2, B3, B4, B5, B6, B7, B8; block Bi is operated on by S-box Si.
Each S-box is a table of 4 rows and 16 columns. Suppose that block Bi consists of the six bits
b1 b2 b3 b4 b5 b6. The first and last bits, b1 b6, form a two-bit row number r from 0 to 3, and
the middle four bits, b2 b3 b4 b5, form a column number c from 0 to 15. The S-box transforms the
6-bit block Bi into the 4-bit value found in row r, column c of table Si. For example, assume
that block B7 is 010011. Then r = 01 = 1 and c = 1001 = 9, and the transformation of B7 is found
in row 1, column 9 of S7, which holds the value 3, so 0011 is substituted for 010011. The table
below is S1, the first of the eight S-boxes:
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
The P-Box permutation: After an S-Box substitution, all 32 bits of results are permuted by a
straight permutation, P. This permutation maps each input to an output position; no bits are used
twice and no bits are ignored.
The Final Permutation: The final permutation, which is the inverse of the initial permutation,
finishes off the algorithm.
DES was the worldwide encryption standard for nearly 20 years. "DES has finally outlived its
usefulness. Its restricted key size of 56 bits and small block size of 64 bits make it unsuitable
for today's fast computers and large amounts of data" (Schneier, 2003). It is therefore considered
obsolete and has been shown to be breakable: a 56-bit key is too small to withstand exhaustive
search by the computing power available today.
Advanced Encryption Standard (AES) Algorithm
The Advanced Encryption Standard (AES), also widely known as the Rijndael algorithm, is a block
cipher invented by Vincent Rijmen and Joan Daemen. The algorithm uses a fixed block size of 128
bits and key sizes of 128, 192 or 256 bits.
It was issued by NIST as FIPS PUB 197 and is the successor to DES. The AES initiative was
announced in January 1997 and in September 1997 the public was invited to propose suitable block
ciphers as candidates. Rijndael was selected in October 2000 and the standard was published in
November 2001. NIST's intent was to have a cipher that would remain secure well into the next
century. (http://www.rsa.com/rsalabs/node.asp?id=2235)
"The AES algorithm is based on permutations and substitutions. Permutations are rearrangements
of data, and substitutions replace one unit of data with another. AES performs permutations and
substitutions using several different techniques." (McCaffrey, 2003)
Savard (2003) noted that the AES algorithm operates on a 4x4 array of bytes, and the number of
rounds depends on the key length. Counting the final (MixColumns-free) round as FIPS 197 does:
• With a 128-bit key it has 10 rounds (9 full rounds plus the final round)
• With a 192-bit key it has 12 rounds (11 full rounds plus the final round)
• With a 256-bit key it has 14 rounds (13 full rounds plus the final round)
The steps of this algorithm are described in its sequence below:
1. Key expansion
McCaffrey (2003) states that AES uses a key schedule generated from the seed key array of
bytes. The AES specification refers to this as the KeyExpansion routine. Generating, in
essence, multiple round keys from an initial key instead of using a single key greatly
increases the diffusion of bits.
2. Initial round
The only operation in the initial round is AddRoundKey: the first round key is combined
with the state by a simple XOR.
3. Rounds
"During each round, there are a few operations applied to the state, which are SubBytes,
ShiftRows, MixColumns and AddRoundKey." (Hann, 2007)
• SubBytes: The SubBytes operation is a non-linear byte substitution, operating on each
byte of the state independently. The substitution table (S-box) is invertible and is
constructed by the composition of two transformations: the multiplicative inverse in the
finite field GF(2^8), followed by an affine transformation. Since the S-box is independent
of any input, a pre-calculated form is used if enough memory (256 bytes for one S-box)
is available. Each byte of the state is then substituted by the value in the S-box whose
index corresponds to the value in the state, denoted by: a(i,j) = SBox[a(i,j)]
• ShiftRows: In this operation each row of the state is cyclically shifted to the left,
depending on the row index.
The 1st row is shifted 0 positions to the left.
The 2nd row is shifted 1 position to the left.
The 3rd row is shifted 2 positions to the left.
The 4th row is shifted 3 positions to the left.
• MixColumns: The MixColumns transformation operates on each column of the state
separately (Fischlin, 2002). It is a linear transformation in which each column is
multiplied by a fixed polynomial. Addition and subtraction are performed by the
exclusive-or operation; the two are the same, as there is no difference between addition
and subtraction in this field. Multiplication in Rijndael's Galois field is a little more
complicated.
• AddRoundKey: In this operation a round key is applied to the state by a simple bitwise
XOR. The round key is derived from the cipher key by means of the key schedule. The round
key length is equal to the block length (16 bytes).
4. Final round
The final round has the same operations as a normal round, but without MixColumns.
AES is considered very secure because it can use a key length of up to 256 bits. As the
replacement for the obsolete DES algorithm, AES is very hard to crack: a brute-force attack
on a 256-bit key would have to try up to 2^256, roughly 1.1 × 10^77, combinations. NIST
estimated that a machine able to recover a DES key in one second would take approximately
149 trillion years to brute-force a single 128-bit AES key (Schwartz, 2000).
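As an added example (not the project's code), the round structure just described, implemented in Python for a single 128-bit block and checked against the FIPS 197 Appendix C test vector. The S-box is derived from its definition (multiplicative inverse, then the affine transform) rather than typed in. It is demonstration code only: no padding, no mode of operation and no side-channel hardening, so real software should use a vetted library.

```python
"""Added example, not the project's code: AES-128 encryption of one 16-byte block,
mirroring the steps described above (KeyExpansion, initial AddRoundKey, nine full
rounds, a final round without MixColumns).  Demonstration only; use a vetted
library in real software."""

def xtime(a):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x +1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """General multiplication in GF(2^8); MixColumns only needs b = 2 and 3."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a, b = xtime(a), b >> 1
    return product

def build_sbox():
    """S-box = multiplicative inverse followed by the affine transform.  p walks
    the non-zero field elements via the generator 3 while q tracks 1/p."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p ^= xtime(p)                              # p *= 3
        q ^= (q << 1) & 0xFF                       # q /= 3, in three steps
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)   # q xor its four rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63                                 # zero has no inverse
    return sbox

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def key_expansion(key):
    """FIPS-197 KeyExpansion for a 16-byte key: 44 words, i.e. 11 round keys."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(words[i - 1])
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # SubWord(RotWord(temp))
            temp[0] ^= RCON[i // 4 - 1]
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]

# The state is a list of 16 bytes in column-major order: index = row + 4 * column.

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r positions."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Each column is multiplied by the fixed polynomial {03}x^3 + {01}x^2 + {01}x + {02}."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def add_round_key(state, round_key):
    return [a ^ b for a, b in zip(state, round_key)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block under a 16-byte key."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    round_keys = key_expansion(key)
    state = add_round_key(list(block), round_keys[0])                 # initial round
    for rnd in range(1, 10):                                          # nine full rounds
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_keys[rnd])
    return bytes(add_round_key(shift_rows(sub_bytes(state)), round_keys[10]))   # final round
```

The FIPS 197 Appendix C.1 vector (key 000102...0f, plaintext 00112233...ff) must produce 69c4e0d86a7b0430d8cdb78070b4c55a; any slip in the S-box, the row/column layout or the round count changes every output byte, which is why a known-answer test belongs next to any cipher implementation.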
Comparison of encryption algorithms
The table below presents a tabular comparison of the three encryption algorithms reviewed in the
previous section. This will enable the reader to easily understand the distinctions between them.
Characteristic | Blowfish | DES | AES
Encryption method | Symmetric-key block cipher | Symmetric-key block cipher | Symmetric-key block cipher
Block size | 64 bits | 64 bits | 128 bits
Number of rounds | 16 | 16 | 10 (128-bit key), 12 (192-bit key), 14 (256-bit key)
Key length | 32 bits up to 448 bits | 56 bits effective (64 bits including parity) | 128, 192 or 256 bits
Resilience to cryptanalysis | Some weak keys have been examined, although the algorithm itself has not been broken (Vaudenay, 1995) | Proven breakable by brute force: a dedicated DES cracking machine recovers a key in about 3.5 hours (Wiener, 1994) | No successful break of AES to date. AES is the official encryption standard of the US National Institute of Standards and Technology (NIST), and the US government approves AES with 192- or 256-bit keys for encrypting top secret documents
Table 2.1
Comparison of encryption algorithms
Table 2.2
Speed comparison of encryption algorithms (Coffey, 2009)
Justification of the selected encryption algorithm
Based on the research into several encryption algorithms (Blowfish, DES and AES) and the
comparison in the tables above, it can be asserted that the most suitable encryption algorithm for
this project is AES. The reasons for this assertion are as follows:
Speed: Based on Table 2.2, DES is the slowest of the three (roughly 40 units of encryption time),
Blowfish with a 256-bit key takes somewhat less than 20, AES with a 256-bit key about 20, and
AES with a 128-bit key less than 20. It can be concluded that although AES supports larger keys
(128, 192 and 256 bits) it is still relatively fast for such key lengths.
Trusted: With a key length of up to 256 bits, AES is more secure than DES. Blowfish also
provides strong protection, its key length reaching 448 bits; however, previous studies by
cryptologists revealed that there are some weak keys in Blowfish, and a class of keys that can be
detected by cryptanalysis.
Therefore AES is considered the most secure of the three algorithms. AES is also officially used
as the encryption standard of the US National Institute of Standards and Technology (NIST), and
with its 192- or 256-bit keys for encrypting secret documents.
Among the three encryption algorithms proposed and discussed in detail in the previous sections,
AES is the most up-to-date standard for data encryption worldwide. It has even exceeded the
expectations of experts within the security community: the process works better than had been
expected (Schneier, 2003).
Methodology
Methodology is one factor that, when used well, can play a big role in successful development. A
methodology is a process followed to structure, plan and control the development of an
information system. It is essential to select an appropriate methodology, as each project is
suited to a specific one. The methodology selected should be of the greatest benefit and should
make full use of the available resources; failure to select a suitable methodology could lead to
the unsuccessful development of a project.
There are many methodologies that can be used to structure, plan and control the process of
developing a system, each with its strengths and weaknesses. Below is a brief discussion of some
of them, followed by a justification of the selected methodology.
1) Waterfall
2) Spiral
3) Rapid Application Development
Comparison of Methodologies
Waterfall
The waterfall methodology divides the whole process of developing a system into several sequential
phases, each with a specific goal. Some of these phases take place one after the other and some
can occur at the same time.
This methodology focuses mainly on planning, time schedules, target dates, budgets and
implementation of the entire system at once. Every phase is monitored carefully, and
documentation of the system and of the methodology is done in parallel with development. Once a
phase is over, its documentation is completed and reviewed by the stakeholders and information
technology management. Approval for the work done is then obtained and the next phase is
initiated.
http://skysigal.xact-solutions.com/Resources/SoftwareDevLifeCycle/WaterfallMethodSDLC/tabid/600/Default.aspx states that,
according to a VersionOne survey (2007), nearly 70% of software development organizations are
still using the waterfall methodology. Indeed the waterfall methodology has been relied upon by
many organizations for many years.
Traditionally, the SDLC is pictured as a waterfall model, because the result of each phase, often
referred to as a deliverable, flows down into the next phase.
The SDLC Phases:
1. Identifying problems, opportunities, and objectives
2. Determining information requirements
3. Analyzing system needs
4. Designing the recommended system
5. Developing and documenting software
6. Testing and maintaining the system
7. Implementing and evaluating the system
(Source: Management information systems: Solving business problems with information technology,
4th ed. New York: McGraw-Hill Irwin.)
This methodology is of benefit because it is very easy to maintain. This is due to its orderly,
step-by-step sequence, which allows care to be taken on one phase before moving on to the next.
It allows the project team to produce work of good quality and high reliability. With its detailed
steps, progress can be reviewed at the end of each phase; in other words, the project team can
monitor whether there is progress or not.
Spiral
The spiral model is a software development process that unites elements of design and
prototyping in stages, in an attempt to combine the advantages of top-down and bottom-up
approaches. It is also known as the spiral lifecycle model. The spiral methodology is an
incremental improvement on the waterfall methodology and, in a way, fixes the problems
introduced by the waterfall method; for example, it allows mistakes made in previous phases to
be corrected. The spiral model is preferred for huge, costly and complex projects.
Strengths
• It promotes reuse of existing software in early stages of development.
• Allows quality objectives to be formulated during development.
• Provides preparation for eventual evolution of the software product.
• Eliminates errors and unattractive alternatives early
• It balances resource expenditure.
• Doesn’t involve separate approaches for software development and software maintenance
• Provides a viable framework for integrated hardware-software system development.
Weaknesses
• Requires considerable expertise in risk evaluation and reduction
• Complex and relatively difficult to follow strictly
• Applicable only to large systems
• Risk assessment could cost more than development
• Need for further elaboration of spiral model steps (milestones, specifications, guidelines
and checklists)
RAD
“RAD is a technique that emphasizes extensive user involvement in the rapid and evolutionary
construction of working prototypes of a system to accelerate the system development process.”
(Whitten, 2001)
This technique concentrates on developing a system or software quickly and efficiently, and it has
become well known for speeding up the development of systems.
RAD actively involves the users of the system in the analysis, design and construction activities.
This helps the users understand how the system works and makes room for their suggestions.
The idea is to shorten the requirements analysis and design phases, which in turn reduces the
amount of time before the users begin to see a working system.
Strengths
• Fast methodology to use for developing a system.
• The result will likely satisfy the users.
• Saves time, effort, and money.
• The prototype helps the user to see how the system will work, so anything lacking in the
system can be fixed by the analyst.
Weaknesses
• Documentation is not important in RAD
• Neither the testing nor the implementation phases are covered
• Once the system has been completed, any mistake or error in it is hard to detect because
there is no proper documentation.
Justification of Selected Methodology
RAD
After thorough research, RAD stood out as the best methodology for my project, because RAD
involves iterative development and the construction of prototypes. Traditionally, the RAD approach
involves compromises in usability, features and/or execution speed. It is described as a process
through which the development cycle of an application is expedited; RAD thus enables quality
products to be developed faster, saving valuable resources.
RAD was chosen as the best methodology for this project because it allows quality projects to be
built in a shorter period of time.
Increased speed
As the name suggests, Rapid Application Development's primary advantage lies in increased
development speed and hence decreased delivery time. The goal of delivering applications quickly
is addressed through the use of Computer Aided Software Engineering (CASE) tools, which focus on
converting requirements to code as quickly as possible, and through time boxing, in which features
are pushed out to future releases in order to complete a feature-light version quickly.
Increased Quality
Increased quality is another focus of the Rapid Application Development methodology. In RAD,
quality is defined as both the degree to which a delivered application meets the needs of its users
and the degree to which the delivered system has low maintenance costs. RAD attempts to deliver on
quality through the heavy involvement of users in the analysis and, particularly, the design stages.
Primary Research
According to http://www.entrepreneur.com/encyclopedia/term/82400.html, primary research is defined as
any information that comes directly from the source, i.e. customers. Several techniques can be used
to conduct primary research in the IT world, including the following:
• Interviews
• Questionnaire
Interview
An interview is an information gathering technique conducted between two people for a specific
purpose. It consists of a question and answer session between an interviewer, who is responsible
for asking the questions, and an interviewee, who is responsible for answering them.
The main focus of this technique is to learn the interviewee's thoughts and feelings about the
current situation of their organization or system and about the proposed system.
Why use an interview?
The interview has over the years been the dominant kind of primary research. It is a very effective
way of getting the interviewee's opinion on any research topic, and it is especially helpful where
the interviewee lacks reading skills. Interviews are also useful for untangling complex topics,
because they allow a deeper and more detailed conversation about the topic. They allow
misunderstandings to be clarified, meaning that the interviewer can probe deeper into the responses
given by the interviewee. Finally, interviews allow the interviewer to observe the interviewee's
emotions as they speak.
Interview held with the UNFAO technician
Final analysis of interview
Questionnaire
Questionnaires are one of the most popular methods of conducting scholarly research. They
provide a convenient way of gathering information from a target population.
According to http://www.businessdictionary.com/definition/questionnaire.html, a questionnaire
is a list of research or survey questions asked of respondents and designed to extract specific
information.
Why use questionnaires?
The responses are gathered in a standardized way, so questionnaires are more objective, certainly
more so than interviews, and the information is more quantifiable. Questionnaires also allow
information to be collected from a large group of people at the same time, so they are a very quick
way of collecting information from many people. In addition, the final analysis of a questionnaire
is clearer and more informative because the responses can be tabulated.
Results of questionnaire
Final analysis of the Questionnaire
References
Books
• Stan Z. Li, Anil K. Jain (2009) Encyclopedia of Biometrics. USA: Springer Science+Business Media LLC.
• John D. Woodward (Jr.), N.M. Orlans, P.T. Higgins (2003) Biometrics. USA: Brandon A. Nordin.
• Mark Burnett (2006) Perfect Passwords: Selection, Protection, Authentication. Canada: Syngress Publishing Inc.
Internet
• Anon (2007) Two-Factor and Multifactor Authentication Strategies [Online]. UK: TechTarget. Retrieved from: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211621,00.html [Accessed 2nd September 2010]
• SafeNet (2010) eToken PRO – Portable USB Two Factor Authentication Token with Advanced Smart Card Technology [Online]. USA: SafeNet. Retrieved from: http://www.safenet-inc.com/aladdin-content/etoken/devices/pro-usb.aspx [Accessed 26th September 2010]
• Entrepreneur (2010) Primary Market Research [Online]. USA: Entrepreneur. Retrieved from: http://www.entrepreneur.com/encyclopedia/term/82400.html [Accessed 28th September 2010]