Why PKI is Better than Passwords

The Comodo CA digital identity is made up of two components, based on X.509 certificates:

  • A Private Cryptographic Key, which is never shared in the authentication process. In a password-based system, the user or device sends the password to the service being accessed, and the service compares it with what was previously stored. Attacks against this model involve stealing a copy of the password, intercepting it in transit, extracting it from the service where it is stored, or brute forcing it by trying every possible password.

  • Digital Certificate. The certificate contains the public key that is paired with the private key; only that public key can verify a signature produced by the private key. The certificate also includes the unique name of the authorized owner of the private key. The public key and unique name are cryptographically bound together by a Certification Authority, so any attempt to tamper with either the public key or the unique identity will be detected.

In the PKI method, the service being accessed sends a challenge to the holder of the private key, which signs the challenge and returns the signature to the service as “proof of possession” of the private key. Unlike the password approach, the private key is never sent to the service, so it cannot be captured in transit or copied from the service's store. In addition, the length of the private key means a brute force attack would take decades with the world’s fastest computers, versus hours for an 8-character password.
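The challenge-response exchange described above, as an added example that is not part of the original page: the service issues a fresh random challenge, the client signs it with an Elliptic Curve (P-256) private key that never leaves the client, and the service verifies the signature with the public key it would take from the client's certificate. Function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Service side: issue a fresh, unpredictable challenge (nonce). A new
// nonce per login is what stops a captured signature from being replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Client side: prove possession by signing the challenge. Only the
// signature travels to the service; the private key never leaves here.
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Service side: verify with the public key taken from the client's
// certificate. Fails if the signature does not match the issued challenge.
func VerifyResponse(pub *ecdsa.PublicKey, challenge, sig []byte) error {
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("proof of possession failed")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge, _ := NewChallenge()
	sig, _ := SignChallenge(priv, challenge)
	fmt.Println("valid login:", VerifyResponse(&priv.PublicKey, challenge, sig) == nil)
	// A signature replayed against a different challenge is rejected.
	other, _ := NewChallenge()
	fmt.Println("replayed signature accepted:", VerifyResponse(&priv.PublicKey, other, sig) == nil)
}
```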

Unlike other vendors, Comodo CA offers both Elliptic Curve and RSA keys at the same price. The Elliptic Curve key is a newer technology that offers faster cryptographic operations, improving the user experience and reducing load on your servers. This is most noticeable on constrained devices such as mobile, tablet and IoT devices, or on heavily loaded web servers.

The Comodo CA digital identity provides the enterprise three layers of protection, along with improved productivity. Security does not need to be a cost to the enterprise; it can boost productivity through reduced password resets, online forms, and services that would not otherwise be possible with poor security.

  • Authentication: PKI provides strong authentication for enterprise use cases. As an additional level of security, a PIN can be required before the private key performs any operation. Since the PIN never leaves the device holding the private key, there is no need to change it periodically as with a password.

  • Encryption: In the unlikely case that an attacker circumvents the authentication, or for privacy when information is transferred across the internet, the same digital identity can be used to encrypt the information so that only authorized private key holders can view it. The encryption digital identity may be placed into an escrow provided by Comodo CA so that the owner can recover it if their copy is no longer available and still decrypt existing files.

  • Digital Signature: The same digital identity can cryptographically sign documents or commands, and any attempt to tamper with the document or command would be detected by the recipients. Examples include a contract, or a command to an IoT device such as your thermostat. Since a copy of the digital identity used for encryption is often held in escrow, the enterprise may create a second digital identity for non-repudiation digital signatures, of which no other copy exists.