
Passwords vs PKI and ArticSoft products use of encryption

ArticSoft products ensure your information is securely protected by the use of encryption.

Instead of using weak password mechanisms to protect your information, our products use a superior technology known as public key cryptography.




Passwords vs PKI comparison table

Each row compares the two approaches: the Passwords column first, then the PKI column.

Passwords: A password-protected file has just the password as the 'key' protecting your information. The password is the 'key' used to decrypt the file, so it must be shared with anyone who is going to decrypt the files you send them.
PKI: A PKI-protected file is encrypted with a random file key, and that key is in turn protected by a much stronger public key, so an attacker cannot easily get hold of the actual key. The private key used to decrypt files never leaves your computer and is never shared; it is held in a strongly protected keystore.

Passwords: Most people use short passwords because they are easy to remember, but short passwords are inherently insecure. If you use short passwords you should ask yourself why you bother using any security at all.
PKI: A PKI-protected file is protected by a long, truly random and unpredictable key: a 256-bit file key, itself wrapped with a public key that can be up to 4096 bits long.

Passwords: A 32-bit password (about five random printable characters) can be broken in 2.15 milliseconds and a 56-bit password (about nine) in 10 hours using a single PC with a simple brute-force attack; both figures assume the same guess rate, and each extra bit only doubles the time. Cracking tools are freely available on the Internet for this purpose.
PKI: ArticSoft products generate a 2048-bit key by default. RSA quote that it would take 3,000,000 years to break a 1024-bit key. **

Passwords: Passwords are open to easy dictionary attacks (much quicker than brute force) since most people use common names or words as their passwords. Cracking tools are freely available on the Internet for this purpose.
PKI: PKI-protected files are protected by truly random keys made of arbitrary bytes, including non-displayable characters that appear in no dictionary, so they are not open to dictionary attacks.

Passwords: Unless you run an anti-trojan program on your PC, how can you be sure that your passwords are not being captured by a keylogger?
PKI: There is no need to enter a password to encrypt or decrypt individual files; your keys are held in a local keystore. The keystore password is entered once per session rather than once per file, and an attacker who captures it still needs a copy of your keystore itself to compromise your files.

Passwords: You have to tell the recipient what the password is so they can decrypt the file. This is open to compromise unless you can deliver the password by a secure method; if the password is intercepted your files are not safe.
PKI: No exchange of passwords takes place. You use other people's public keys to encrypt files for them, and only they, with the corresponding private key, can decrypt the files. The private key never leaves their computer and is held in a secure store. A file encrypted for one recipient cannot be read by whoever intercepts it or receives it by mistake.

Passwords: Password systems are weak because once someone knows one of your passwords they can easily guess the others you normally use, or get into other systems where you use the same password. In fact a recent Info Security study showed that 75% of people were willing to give away their passwords for a free pen!
PKI: There are no passwords to remember. If I send you a file I have no idea what the key is, because the application generates it automatically: a random key made of arbitrary bytes. Each time you encrypt a file (even the same file) a different random key is used to protect it.

Passwords: For each file you encrypt, or for each recipient you send files to, you need to use a different password; otherwise if the password is compromised just once, all of your protected files are compromised. Just think of all those passwords you and they have to remember!
PKI: Each time a file is encrypted a different random key is generated on the fly. You do not have to remember anything; the software does it for you. The recipient's private key, securely protected on their computer, unwraps that file key so they can decrypt.

Passwords: Whoever receives the file has to type the password in absolutely perfectly in order to decrypt the file. Given that most people find it difficult to type 8 characters perfectly, what chance have they got with more?
PKI: There is no password to type in, so the system is not open to input errors.

Passwords: Passwords are impossible to manage. How does this work operationally when each incoming file has a different password that has to be got exactly right? Even writing them down reliably quickly becomes impossible. The reality is that a password-based system with adequate security is operationally impossible.
PKI: Public keys (those used for encryption) can be published anywhere on the Internet or on internal servers for easy access. Private keys (those used for decryption) remain on the user's PC, securely protected. Unless your private key is compromised you only ever need the one key pair for sharing files securely.

Passwords: To make a password as strong as the key of the AES 256-bit algorithm you would have to pick a password carrying 256 bits of entropy: about 39 characters chosen uniformly at random from all 95 printable keyboard characters, or 32 if you could also use the non-displayable ones (the values used internally by the computer). Nothing a person can choose and remember comes close.
PKI: The 2048-bit key used by ArticSoft products ensures the random key for the AES 256-bit algorithm is protected securely.

Passwords: With password systems you have no idea who really sent you the file or whether it has been tampered with by someone else. Nothing prevents someone else changing the contents of the file, and you would never know.
PKI: With PKI systems you digitally sign files with your private key, so the recipient can check with your public key who really sent them and whether they have been tampered with. You would know straight away if someone had tried to alter the file.

Passwords: A waste of time? Password systems make you enter a password each time you want to encrypt or decrypt a file.
PKI: With ArticSoft products, once you have logged onto your keystore your keys are available to ArticSoft applications and you do not have to enter anything else to encrypt or decrypt files.
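The scheme the table describes, as an added example in Go that is not ArticSoft's code: a fresh random AES-256 file key for every file, wrapped with the recipient's 2048-bit RSA public key (RSA-OAEP), and the whole envelope signed with the sender's private key (RSA-PSS) so the recipient can check origin and integrity before decrypting. The user names, the sample text and the envelope layout are assumptions for illustration; the products' actual file format is not documented on this page.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what actually travels to the recipient. Nothing in it is secret
// on its own: the file key exists only in wrapped form, and the signature lets
// the recipient check who sealed it and that nothing has been altered.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, fileKey)
	Nonce      []byte // AES-GCM nonce, fresh per file
	Ciphertext []byte // AES-256-GCM(fileKey, plaintext)
	Signature  []byte // RSA-PSS(sender private key, SHA-256(WrappedKey||Nonce||Ciphertext))
}

func (e *Envelope) signedPart() []byte {
	return bytes.Join([][]byte{e.WrappedKey, e.Nonce, e.Ciphertext}, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for the holder of recipientPub and signs the result
// with senderPriv. A new 256-bit file key is drawn on every call, so sealing
// the same file twice yields two unrelated envelopes.
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	fileKey := make([]byte, 32) // 256-bit AES key: never typed, never sent in clear
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(env.Nonce); err != nil {
		return nil, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, plaintext, nil)
	// Wrap the file key so that only the matching private key can recover it.
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(env.signedPart())
	env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	return env, err
}

// Open checks the signature against senderPub first, then unwraps the file key
// with recipientPriv and decrypts. A file sealed for someone else, or one that
// anybody has modified in transit, is rejected before any plaintext is produced.
func Open(env *Envelope, senderPub *rsa.PublicKey, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(env.signedPart())
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: not from the claimed sender, or tampered with")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: not encrypted for this private key")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Hypothetical users; 2048-bit keys, the default the page says the products use.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient
	env, err := Seal([]byte("Q3 figures (constructed sample text)"), &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, &alice.PublicKey, bob)
	fmt.Printf("bob reads: %q (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // an attacker flips one bit in transit
	_, err = Open(env, &alice.PublicKey, bob)
	fmt.Println("after tampering:", err)
}
```

Two design points the table glosses over are visible here: the signature is verified before the private key is used at all, so a forged or altered envelope never reaches the decryption step, and the keystore passphrase that unlocks the private key is never part of the exchange.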
 



Key Length needed for real Security **

The key used in ArticSoft products to protect your information is 2048 bits. That is not the same as a 2048-bit password: a public key is attacked by factoring, not by guessing, and current key-length guidance (NIST SP 800-57) rates a 2048-bit RSA key as roughly equivalent to a 112-bit symmetric key. That is still far beyond any password a person could remember. RSA quote that it would take 3,000,000 years to break a 1024-bit key. However, a mathematical paper published in late 2001 (re-examined in spring 2002) describes a proposed machine that would bring breaking 1024-bit RSA encryption within practical reach (www.counterpane.com/crypto-gram-0203.html#6). Although the cost of such a machine is beyond the reach of most individuals and smaller corporations, it is well within the reach of large corporations and governments. Keys that are 2048 bits long are now becoming required, and are rated as espionage strength. Combined with the latest government-approved (FIPS 197) encryption algorithm, AES, at its strongest key size of 256 bits, ArticSoft products are a powerful mechanism for protecting your information.

PSST I KNOW YOUR PASSWORD by CNET News. Read how a well-known cracking program, John the Ripper, cracked 3000 passwords an hour from a healthcare company's server.


The myth behind the Algorithm strength

Most products give you a confusing range of encryption algorithms to choose from, with different key lengths. The reality is that it does not matter how long the algorithm's key is if the password (key) used to protect your information is weak. It is a bit like strongly securing your door with numerous bolts and locks, only for a burglar to break in through the window: the weakest point of entry is always the one that gets attacked. The algorithm could also be flawed in its implementation. ArticSoft use the US Government approved (FIPS 197) algorithm AES, at its strongest key size of 256 bits: if it is good enough to secure Federal Government information then it is good enough for commerce or your personal use.
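To make the weakest-link point concrete, an added Go example (not ArticSoft's code) encrypts the same text under AES-256 twice, once with a key hashed from a password and once with 256 random bits, and runs a dictionary attack against both. It also carries the arithmetic from the comparison table: how many uniformly random printable-ASCII characters a password needs to reach 256 bits. The wordlist, the password and the sample text are constructed; real cracking tools use lists of millions of entries and the same loop.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
)

// Wordlist is a constructed stand-in for the multi-million-entry lists that
// cracking tools ship with; the attack below works the same way at scale.
var Wordlist = []string{"letmein", "password", "qwerty", "summer2002", "dragon", "Liverpool1", "admin"}

// PasswordBits is the entropy of a password of the given length drawn uniformly
// from an alphabet of the given size. A human-chosen password has less.
func PasswordBits(length, alphabet int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// CharsForBits is how many uniformly random characters from the alphabet are
// needed to reach the target entropy (256 bits from 95 printable ASCII: 39).
func CharsForBits(bits float64, alphabet int) int {
	return int(math.Ceil(bits / math.Log2(float64(alphabet))))
}

// KeyFromPassword does what a naive password-protected file format does: hash
// the password into a 256-bit AES key. The key is 256 bits long, but there are
// only as many distinct keys as there are passwords people actually pick.
func KeyFromPassword(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

// RandomKey is the PKI approach to the file key: 256 bits from the OS CSPRNG.
func RandomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Encrypt returns nonce||ciphertext||tag under AES-256-GCM.
func Encrypt(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Decrypt reports ok=false when the key is wrong: the GCM tag check fails.
func Decrypt(key, blob []byte) (plaintext []byte, ok bool) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, false
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	return pt, err == nil
}

// DictionaryAttack tries every candidate password against the blob. The
// authentication tag tells the attacker when a guess is right, so no knowledge
// of the plaintext is needed. Against a random key this loop never succeeds.
func DictionaryAttack(words []string, blob []byte) (password string, plaintext []byte, found bool) {
	for _, w := range words {
		if pt, ok := Decrypt(KeyFromPassword(w), blob); ok {
			return w, pt, true
		}
	}
	return "", nil, false
}

func main() {
	msg := []byte("board minutes (constructed sample)")
	weak := Encrypt(KeyFromPassword("summer2002"), msg)
	strong := Encrypt(RandomKey(), msg)
	pw, pt, ok := DictionaryAttack(Wordlist, weak)
	fmt.Printf("password-derived AES-256 key: found=%v password=%q plaintext=%q\n", ok, pw, pt)
	_, _, ok = DictionaryAttack(Wordlist, strong)
	fmt.Printf("random AES-256 key: found=%v\n", ok)
	fmt.Printf("8 lowercase letters: %.1f bits; printable-ASCII chars for 256 bits: %d\n",
		PasswordBits(8, 26), CharsForBits(256, 95))
}
```

The cipher and key length are identical in both cases; only the source of the key differs. Hashing the password with a slow, salted KDF would raise the cost of each guess, but it cannot add entropy the password never had, which is the page's point.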



