Passwords have become the most ubiquitous form of client-server authentication on the Internet nowadays. Password-over-TLS, the almost universal password authentication protocol in practice, suffers from two major drawbacks: (i) it requires a secure channel; and (ii)
the server sees the client's password in the clear.
This dissertation focuses on another approach of password authentication, which eliminates the two shortcomings above. We study cryptographic protocols in the password-only setting, that is, the only information shared between the client and the server is the short and low-entropy password. We present highly efficient realizations of two kinds of such protocols: (1) Password-Protected Secret Sharing (PPSS), in which the client stores a long secret (e.g., its private key) in a group of servers, and recovers the secret via interacting with a subset of servers using a password; and (2) asymmetric Password-Authenticated Key Exchange (aPAKE), in which the client (which enters a password) and the server (which stores a password file) establish the same secret key. All these protocols are resilient to man-in-the-middle attacks (i.e., no authenticated channel is required) as well as server compromise: the only forms of attacks are the unavoidable ones, namely online password guessing attacks and offline dictionary attacks in case of server compromise.
We present thorough description of our protocols, the proofs of their security, and analyses of their computational costs. All security proofs are in the Universally Composable (UC) framework, which addresses subtle vulnerabilities of passwords (non-uniform distribution over the dictionary, reuse of the same password over different accounts, etc.) in a natural and easy-to-argue way, and thus is preferred over the traditional game-based security model.