Our graphical password schemes are motivated primarily by PDAs that offer graphical input capabilities. We now describe our implementation of a memo pad encryption tool for the Palm Pilot that uses a user-input graphical password to derive the encryption key. The Pilot supports a very natural form of graphical input, and as such, provides an ideal platform for implementing the DAS scheme. Either of the schemes of Sections 2 and 3 could be used to enter the password. Here we illustrate our tool using the DAS scheme.

In our tool, an encryption/decryption key is derived from a DAS
password (i.e., its sequence of coordinates) as follows: Let be a bit string that represents the sequence of coordinates
(including the unique "pen up" indicator). The key *k* is defined
as where *h* is the cryptographic hash function
SHA-1. This key derivation assures that two distinct coordinate
sequences are transformed (with high probability) into two distinct,
fixed-length keys. Triple-DES is then used to
encrypt and decrypt data records stored on the PDA, using keys derived
from *k*.

Key selection is as follows: the user is prompted with an empty grid
to input the password design. Once the password is entered, *k* is
derived and a pre-defined phrase *p* is encrypted (as *E*_{k}(*p*)) and
stored on the PDA. On repeat access, the user is prompted again with
the empty grid, upon which she draws the same design. A symmetric key
*k*' is derived and an attempt is made to decrypt *E*_{k}(*p*). If it
results in *p*, then *k*' = *k* and the password (and key) is
accepted. The user then can proceed to encrypt/decrypt data
records. *k* is deleted from the PDA at the latest when the PDA is
powered off.
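
The enrollment and repeat-access check described above, as an added example in Go (not the Palm Pilot tool's code). The coordinate encoding, the phrase value, taking *k* as the SHA-1 digest of that encoding, the two-key Triple-DES key built from the first 16 bytes of *k*, and CBC with a random IV are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha1"
)

// Cell is one grid cell of a drawing. Assumed encoding: cells are 1-based,
// so {0, 0} is free to serve as the unique "pen up" marker between strokes.
type Cell struct{ X, Y byte }
var PenUp = Cell{0, 0}
var phrase = []byte("DAS-check-phrase") // assumed p, two 8-byte DES blocks

// DeriveKey hashes the encoded coordinate sequence with SHA-1 to get k.
func DeriveKey(drawing []Cell) [20]byte {
	var s []byte
	for _, c := range drawing {
		s = append(s, c.X, c.Y)
	}
	return sha1.Sum(s)
}

// tdes builds two-key Triple-DES (K1, K2, K1) from k[0:16] (assumed rule).
func tdes(k [20]byte) cipher.Block {
	key := append(append([]byte{}, k[:16]...), k[:8]...)
	b, _ := des.NewTripleDESCipher(key) // cannot fail: key is 24 bytes
	return b
}

// Enroll returns IV || E_k(p), the only password-derived value stored.
func Enroll(drawing []Cell) []byte {
	out := make([]byte, des.BlockSize+len(phrase))
	rand.Read(out[:des.BlockSize]) // fresh random IV
	cipher.NewCBCEncrypter(tdes(DeriveKey(drawing)), out[:8]).CryptBlocks(out[8:], phrase)
	return out
}

// Verify derives k' from the redrawn design; accepts iff decryption gives p.
func Verify(drawing []Cell, stored []byte) bool {
	pt := make([]byte, len(phrase))
	cipher.NewCBCDecrypter(tdes(DeriveKey(drawing)), stored[:8]).CryptBlocks(pt, stored[8:])
	return bytes.Equal(pt, phrase)
}

var demo = []Cell{{2, 2}, {3, 2}, {3, 3}, PenUp, {1, 4}, PenUp} // constructed drawing
func main() { println(Verify(demo, Enroll(demo))) }
```

Because the pen-up marker is part of the hashed sequence, a drawing that covers the same cells with strokes in a different order yields a different key and is rejected.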

An adversary who captures the PDA can presumably obtain all of the
ciphertext encrypted under *k*, and since *p* is either public or
stored in plaintext on the device, the adversary has at least one
known plaintext/ciphertext pair with which to attack *E*.
For a strong encryption scheme *E*, however, the best
bet for the attacker remains to guess the original password, which,
as we will show in Section 3.3, on average
is likely to be much harder than if the attacker were
faced with attacking a textual password.

The interface for our DAS implementation is shown in
Figure 3. Our application shares the database of the
`memopad` application, and allows a user to encrypt/decrypt
records in the database based on a user specified drawing. The
encryption tool for the Palm Pilot is available from
https://cs.nyu.edu/fabian/pilot/gpw.html.