Passwords vs. X.509 Certificates for IoT Security 🔒
Passwords are simple strings, unlike X.509 certificates that offer verified identity for IoT device security.
LMTX DEV
458 views • Jan 30, 2023
About this video
Why Passwords are not equivalent to X.509 Certificates for IoT Devices?
A Password is just a string of characters. It does not provide any information about the user - the User - Password relation is stored in some external system, it is not “embedded” into the password itself.
A Password does not have any information about the expiry date. Once again, the expiry date is stored in some external system, it is not “embedded” into the password itself.
There are several ways to crack passwords. A strong password policy can mitigate this threat, but that policy needs to be enforced by some external system.
An X.509 Certificate provides the User - Certificate relation stored in the Subject field (Subject: CN=gg-thing-0001).
An X.509 Certificate has “embedded” information about the expiry date.
An X.509 Certificate includes the Public Key while the corresponding Private Key is securely stored on the IoT Device. The X.509 Certificate does not include the Private Key!
To impersonate the certificate owner, the attacker has to “guess” the Private Key corresponding to the Public Key embedded into X.509 Certificate - that is typically way more difficult than cracking passwords.
That is why I strongly recommend using X.509 Certificates for IoT Devices instead of the “username/password” combination.
#iot #security #internetofthings
A Password is just a string of characters. It does not provide any information about the user - the User - Password relation is stored in some external system, it is not “embedded” into the password itself.
A Password does not have any information about the expiry date. Once again, the expiry date is stored in some external system, it is not “embedded” into the password itself.
There are several ways to crack passwords. A strong password policy can mitigate this threat, but that policy needs to be enforced by some external system.
An X.509 Certificate provides the User - Certificate relation stored in the Subject field (Subject: CN=gg-thing-0001).
An X.509 Certificate has “embedded” information about the expiry date.
An X.509 Certificate includes the Public Key while the corresponding Private Key is securely stored on the IoT Device. The X.509 Certificate does not include the Private Key!
To impersonate the certificate owner, the attacker has to “guess” the Private Key corresponding to the Public Key embedded into X.509 Certificate - that is typically way more difficult than cracking passwords.
That is why I strongly recommend using X.509 Certificates for IoT Devices instead of the “username/password” combination.
#iot #security #internetofthings
Tags and Topics
Browse our collection to discover more content in these categories.
Video Information
Views
458
Likes
7
Duration
1:00
Published
Jan 30, 2023
Related Trending Topics
LIVE TRENDSRelated trending topics. Click any trend to explore more videos.
Trending Now