Personal Entropy from Graphical Passwords: Methods for Quantification and Practical Key Generation

In many cryptosystems incorporating human beings, the users' limited memories and their indifference to keeping the systems secure may cause some severe vulnerability of the whole systems. Thus we need more studies on personal entropy, from an information theoretical point of view, to capture the characteristics of human beings as special information sources for cryptosystems. In this paper, we discuss and analyze the use of personal entropy for generating cryptographic keys. In such a case, it is crucially important to precisely evaluate the amount of personal entropy that indicates the actual key length. We propose an advanced key generation scheme based on the conventional graphical passwords proposed in [12]. We improve them to make the most of the secret information extracted in one drawing, i.e., we incorporate the on-line pen pressure and pen inclination information in addition to utilize more secret information. We call the scheme dynamic graphical passwords, and propose a practical construction of them. We also show a precise way of quantifying their entropy, and finally, as an experimental result, we can generate a key of over 110-bit long, using the data of a single drawing. When quantifying their entropy, we need to precisely evaluate the entropy of graphical passwords as well as that of the on-line information of pen movements. We need to precisely evaluate the entropy of graphical passwords by considering the users' biased choices of their graphical passwords. It is expected that they tend to choose their passwords that are memorable as easily as possible, thus we quantify the burden of memorizing each graphical password by the length of its description using a special language based on [12]. We improve the approach in [12] by more directly reflecting how easily each graphical password can be memorized.