While authentication within organizations is a well-understood
problem, traditional solutions are often inadequate at the scale
of the Internet, where the lack of a central authority, the open
nature of the systems, and issues such as privacy and anonymity
create new challenges. For example, users typically establish
dozens of web accounts with independently administered services
under a single password, which increases the likelihood of exposure of
their credentials; users wish to receive email from anyone who is not
a spammer, but the openness of the email infrastructure makes it hard
to authenticate legitimate senders; users may have a rightful
expectation of privacy when viewing widely-accessed protected
resources such as premium website content, yet they are commonly
required to present identifying login credentials, which permits
tracking of their access patterns.
This dissertation describes enhanced authentication mechanisms to tackle the challenges of each of the above settings. Specifically, the dissertation develops: 1) a remote authentication architecture that lets users recover easily in case of password compromise; 2) a social network-based email system in which users can authenticate themselves as trusted senders without disclosing all their social contacts; and 3) a group access-control scheme where requests can be monitored while affording a degree of anonymity to the group member performing the request.
The proposed constructions combine system designs and novel cryptographic techniques to address their respective security and privacy requirements both effectively and efficiently.