Client certificate authentication vs. password authentication

In the early days of computing, computers were protected by locked doors — if you had the key to open the door to get into the computer room, you could use the computer and all of its resources. Since they didn't store much of anything, that wasn't a big problem: the computer equipment itself was more valuable than any data that it might have protected.

These days, although we do expend some effort in protecting our computer equipment whose value can run to a few thousand dollars, it's usually our data that we're usually most concerned about. This trend has been evolving for quite a while — after computers started moving out of large research institutions into large corporations, although the computer itself was still protected behind locked doors, access to it was made through terminals to which one had to log in before gaining access to the computer and any of the data that it was responsible for maintaining.

These logins were protected in a simple enough way, with a shared secret (aka password). When the user account was configured, a secret word was associated with it which (presumedly) was only known to two entities - the human account holder and the computer itself. The user could then type their password into the access terminal, the computer could verify it and, if it matched, grant access.

As it turns out, though, protecting these passwords was a bit tricky. The very same passwords which were used as the safeguards against unauthorized access to the data on the computer were themselves data on the computer! By default, without some extra precaution, anybody with an account would be able to read anybody else's password and hence impersonate them. Role-based access control helped a little bit here: the computer could maintain lists of which users could access which data. Unix, for instance, kept all of its data, including lists of users and their passwords, in files. The operating system could then be made responsible for associating each file with an owner (one specific user) as well as a group (collection of users). Owners, groups, and "the rest of the world" (at least, the part of the world that was authorized to access that computer in the first place) were given specific permissions to read, write or execute the file. Ordinary users could simply not be given access to read the password file.

System administrators, however, did have access to these password files, along with everything else. And a slight misconfiguration or mistake could expose the password file to other users, or even non-users. Obfuscating, encrypting, or hashing passwords go a long way toward mitigating the risk here, but the fact remains that the authenticating system must store the password in some form or another.

While system administrators and computer manufacturers wrestled with this problem, security researchers were investigating a seemingly unrelated problem: the problem of secure key exchange. In addition to restricting access to computer systems and their data, there was a lot of interest in protecting data in transit as well as computer systems increasingly became networked with one another. The only way to protect data against passive eavesdroppers is to encrypt it — scramble it in such a way that it can only be descrambled with the aid of a shared secret. When used in the context of user authentication, a shared secret is called a password, but when used in the context of encryption, a shared secret is called a key. The problem that security researchers were running across was in sharing the key between the communicating entities without making it accessible to anybody else.

Researchers at MIT developed a complex key agreement protocol called Kerberos. It required an offline (unsecured) key agreement between each communication participant and a centralized key distribution center, but afterwards, each communicating party would be granted a temporary encryption key by it for a communication session. Martin Hellman and Whitfield Diffie, however, developed an alternative key agreement method that relied on the intractability of the discrete logarithm problem and required no up-front key agreement. The protocol is simple enough to understand (although it undoubtedly took a stroke of genius to think of it). When two parties want to communicate, they first agree on two numbers p and g. The first party (the initiator) then picks a random number x and computes:

x' = gx%p

y' = gy%p

k = y'x%p

k = x'y%p

gxy%p = gx%py%p = x'y%p = gy%px%p = y'x%p

Security researchers Ron Rivest, Adi Shamir and Leonard Adelman expanded on this idea and came up with the RSA cryptosystem that is similarly based on the intractability of the discrete logarithm problem. It's a bit more complicated (but not much; I examined it in more detail here), but it allows the key to be computed beforehand and split into two pieces: the private key and the public key. Once they've been computed, the private key holder can share the public key; the public key can then be used to encode secret messages that only the private key holder can decrypt.

Additionally, and most pertinent to the discussion of authentication, RSA can be used to verify identity by having the private key holder "encrypt" an assertion of identity using the private key. Anybody in possession of the corresponding public key can verify that the message really came from the holder of the private key by "decrypting" the same assertion with the public key: only the private key holder would be able to produce such a valid assertion. Once a public key has been successfully associated with a particular user, the system can request a signed assertion of identity rather than a password in order to establish credentials. This is the basis of a Public Key Infrastructure (PKI). These credentials — public and private keys — are typically stored as X.509 certificates; this form of authentication is called certificate-based authentication.

So: which is better? One of the main benefits of passwords is that they're "portable": they exist in the memory of a human user who can walk around from one system to the next and authenticate regardless of location. One of the downsides, though, is that the authenticating side must also have the password in some form; in a PKI, the authenticator need only know the public key, which is useless without the private key. On the flip side, a private key is typically a very long number - somewhere on the order of 300 decimal digits at a minimum. No human could possibly be expected to remember a secure private key, much less one for each system to which he might be expected to authenticate. As a result, the private key does need to be stored — not by the authenticator, but by the end-user.

In the end, password-based authentication is a necessity when humans are expected to authenticate, but certificate-based authentication represents a good compromise for B2B-type communications where unattended file transfers need to be secured. There's some research being done into Secure Remote Password that tries to combine the portability of passwords with the additional security of distributed key agreement, but for now, it's not widely supported by off-the-shelf tools.

Add a comment:

Completely off-topic or spam comments will be removed at the discretion of the moderator.

You may preserve formatting (e.g. a code sample) by indenting with four spaces preceding the formatted line(s)

I'm the author of the book "Implementing SSL/TLS Using Cryptography and PKI". Like the title says, this is a from-the-ground-up examination of the SSL protocol that provides security, integrity and privacy to most application-level internet protocols, most notably HTTP. I include the source code to a complete working SSL implementation, including the most popular cryptographic algorithms (DES, 3DES, RC4, AES, RSA, DSA, Diffie-Hellman, HMAC, MD5, SHA-1, SHA-256, and ECC), and show how they all fit together to provide transport-layer security.

Joshua Davies

Past Posts

• April 30, 2021: A Date Picker Control in Vanilla Javascript
• March 31, 2021: A Web Admin Console for Redis, Part Three
• January 27, 2021: A Web Admin Console for Redis, Part Two
• December 21, 2020: A Web Admin Console for Redis, Part One
• November 30, 2020: What is Procmail and why is it using up all my memory?
• September 30, 2020: Minimal Drag and Drop Support in Javascript
• August 31, 2020: Covariance and Contravariance in Generic Types
• July 31, 2020: How Spread Out Are the Floating Point Numbers?
• June 25, 2020: ERD Diagramming Tool, Part Three
• April 30, 2020: ERD Diagramming Tool, Part Two
• March 31, 2020: ERD Diagramming Tool, Part One
• February 28, 2020: MathJax and "t.setAttribute is not a function"
• December 30, 2019: Solving Systems of Equations with Python
• October 30, 2019: Linear Regression with and without numpy
• September 30, 2019: Reading a Parquet file outside of Spark
• August 30, 2019: UML Diagrams with MetaUML
• July 30, 2019: Clustering in Python
• June 25, 2019: A Walkthrough of a TLS 1.3 Handhsake
• May 31, 2019: A DataType Printer in Java
• April 30, 2019: A Simple HTTP Server in Java, Part 3 - Cookies and Keep Alives
• March 28, 2019: A Simple HTTP Server in Java, Part 2 - POST and SSL
• February 28, 2019: A Simple HTTP Server in Java
• January 29, 2019: Angular CLI Behind the Scenes, Part Two
• September 30, 2018: Angular CLI Behind the Scenes, Part One
• August 31, 2018: Into the MMIX MOR Instruction
• July 24, 2018: Undoing Percentage Changes in your Head
• June 30, 2018: Generating Langford Pairs in Scala
• May 25, 2018: Reflections on Three Years of Reading Knuth
• April 30, 2018: java.lang.NoSuchMethodError: org.junit.vintage. engine.descriptor.RunnerTestDescriptor. getAllDescendants
• March 30, 2018: An Excel Spreadsheet for the Academy Awards
• February 28, 2018: Git for Subversion Users
• January 31, 2018: The Evolution of AngularJS
• December 31, 2017: Numerical Integration in Python
• October 31, 2017: Gradle for Java Developers
• September 29, 2017: Reflections on another year of reading Knuth
• August 30, 2017: SSL OCSP Exchange
• July 27, 2017: A walk-through of an SSL certificate exchange
• June 30, 2017: A walk-through of an SSL key exchange
• May 31, 2017: A walk-through of the SSL handshake
• March 31, 2017: A walk-through of the TCP handshake
• February 28, 2017: The TLS Handshake at a High Level
• January 31, 2017: A Walk-through of a JWT Verification
• August 31, 2016: Reflections on a year of reading Knuth
• July 29, 2016: Matching a private key to a public key
• June 30, 2016: A Completely Dissected GZIP File
• May 31, 2016: Automatic Guitar Tablature Generator, Part 2
• April 28, 2016: Automatic Guitar Tablature Generator, Part 1
• March 31, 2016: Import an encrypted private key into a Java Key Store
• February 26, 2016: Import a private key into a Java Key Store
• January 31, 2016: Debian Linux on MacBook Pro
• December 29, 2015: Is Computer Science necessary or useful for programmers?
• November 30, 2015: Client certificate authentication vs. password authentication
• October 28, 2015: A Utility for Viewing Java Keystore Contents
• September 29, 2015: Debugging jQuery with Chrome's Developer Tools
• August 26, 2015: Getting Perl, MySQL and Apache to all work together on Mac OS/X
• July 30, 2015: Extract certificates from Java Key Stores for use by CURL
• June 29, 2015: Using the Chrome web developer tools, Part 9: The Console Tab
• May 28, 2015: Using the Chrome web developer tools, Part 8: The Audits Tab
• April 30, 2015: Using the Chrome web developer tools, Part 7: The Resources Tab
• March 30, 2015: Using the Chrome web developer tools, Part 6: The Memory Profiler Tab
• February 27, 2015: Using the Chrome web developer tools, Part 5: The CPU Profiler Tab
• January 31, 2015: Using the Chrome web developer tools, Part 4: The Timeline Tab
• December 31, 2014: Using the Chrome web developer tools, Part 3: The Sources Tab
• October 31, 2014: Using the Chrome web developer tools, Part 2: The Network Tab
• September 30, 2014: Using the Chrome web developer tools, Part 1: The Elements Tab
• August 11, 2014: Unable to find valid certification path to requested target
• June 30, 2014: Sort by a Hierarchy
• May 29, 2014: OpenSSL Tips and Tricks
• April 25, 2014: Heartbleed: What the Heck Happened
• February 28, 2014: Replace Microsoft Money with a Spreadsheet
• January 29, 2014: An Illustrated Guide to the BEAST Attack
• December 21, 2013: Where does GCC look to find its header files?
• October 24, 2013: Planning a Subversion import
• August 28, 2013: Compile and test an iOS app from the command line
• July 31, 2013: The Hidden Costs of Software Reuse
• June 26, 2013: Beware of mvn war:inplace
• May 29, 2013: Block Font Design Using Javascript
• April 4, 2013: Parsing a POM file using only SED
• February 22, 2013: Inside the PDF File Format
• December 31, 2012:How and why rotation matrices work
• November 27, 2012:Date Management in Java
• October 21, 2012: Installing Debian Without a Network
• August 14, 2012: My Review of Matt Neuburg's "Programming iOS 5"
• July 16, 2012: An example OAuth 1.0 Handshake and mini-library
• May 23, 2012: A Javascript one-liner to display cookie values
• April 27, 2012: How SSL Certificates Use Digital Signatures
• March 29, 2012: A breakdown of a GIF decoder
• February 15, 2012: The design and implementation of LZW (the GIF compression algorithm)
• January 16, 2012: Calculate the day of week of any date... in your head
• December 4, 2011: Understanding CRC32
• October 29, 2011: Efficient Huffman Decoding
• October 4, 2011: Extract a private key from a Gnu Keyring file
• September 5, 2011: From Make to Ant to Maven
• July 18, 2011: A bottom-up look at the Apache configuration file
• July 6, 2011: Fun with the HTML 5 Canvas Tag
• Jun 16, 2011: Pain and disfiguration upon all comment spammers
• May 31, 2011: Use of RSSI and Time-of-Flight Wireless Signal Characteristics for Location Tracking
• May 7, 2011: Implementing SSL
• Apr 24, 2011: Dissecting the GZIP format