Yubikey FIPS tokens vs Thales/Gemalto USB tokens

SSL.com ships code signing certificates that are pre-installed on Yubikey FIPS tokens and Thales SafeNet (Gemalto) USB tokens. Both are hardware devices used for secure authentication through code signing, the process of using an X.509 certificate to digitally sign a piece of code, software, or other executable in a way that ensures that the product has not been tampered with or otherwise compromised. Each offers unique features and benefits depending on the specific needs of the users and organizations. Here’s a detailed comparison of their pros and cons:

YubiKey Tokens

Pros

1. Versatility: YubiKey supports multiple authentication protocols, including FIDO U2F, FIDO2, Smart Card (PIV), OTP, and more, making it highly versatile for various security needs.
2. Ease of Use: YubiKeys are known for their simplicity, requiring just a touch to authenticate, which enhances user convenience without compromising security.
3. Durability: Several Yubikey models are crush-resistant and water-resistant, making them durable for users on the go.
4. Wide Integration: YubiKey is widely supported across various platforms and services, enhancing its utility for users who need multi-platform compatibility.
5. Remote attestation: SSL.com customers from anywhere in the world can generate a key pair on their own YubiKey and an attestation certificate that proves that the private key was generated on the device. The attestation certificate can then be used to order code and document signing certificates from SSL.com that may be installed manually on the YubiKey.

Cons

1. Cost: YubiKeys can be more expensive compared to other security tokens, which might be a consideration for budget-conscious businesses or individuals.
2. Physical Device: Being a physical device, it can be lost or stolen, which may pose a risk if not managed properly.
3. Limited Storage: Some YubiKey models have limitations on the number of credentials or certificates they can store compared to other solutions.
4. Limited RSA Key Size: Yubikey token is not able to support RSA algorithm key size greater than 2048 bits. This is a limitation for users who want to sign a kernel mode driver and submit it to Microsoft Hardware Lab Kit which requires a minimum RSA key size of 3072 bits.

Thales SafeNet (Gemalto) Tokens 

Pros

1. Robust Security Features: Thales SafeNet tokens offer advanced security features including tamper-resistant hardware, making them suitable for environments requiring stringent security measures.
2. Flexible Solutions: Thales SafeNet provides a range of tokens including USB tokens and smart cards, catering to different user preferences and needs.
3. Strong Enterprise Focus: Thales SafeNet tokens are designed with enterprise environments in mind, offering extensive management tools that facilitate large-scale deployments and management.
4. Kernel Mode Signing: Thales SafeNet Tokens  can handle RSA keys in 3072 bits which is required for Kernel mode signing. This may in the future but currently Microsoft only allows driver mode signing in RSA using the Gemalto token. Microsoft does not currently allow signing in ECC.

Cons

1. Complexity: The additional security and management features can lead to a steeper learning curve and more complex deployment processes.
2. Cost: Similar to YubiKey, advanced features and robust security measures come at a higher cost, which might not be ideal for all users.
3. Non-support for Remote Attestation: Users looking for remote attestation features might need to consider other products that specifically offer this capability.
4. Physical Device Risks: Like any physical token, there is always a risk of loss or damage, potentially leading to access issues or security breaches.
5. Software Dependency: Some functionalities might require specific software or management solutions, which could introduce dependencies and potential compatibility issues.
6. Battery-Dependent Models: Some of the advanced tokens may require a battery, which adds a maintenance element.

Summary

SSL.com ships code signing certificates that are pre-installed on Yubikey FIPS tokens and Thales SafeNet tokens. Both of them provide robust security for digital certificates and authentication processes. The choice between the two often depends on specific needs such as budget constraints, required security levels, platform compatibility, and user convenience. YubiKey might be more suitable for users seeking a simple, versatile, and easy-to-use solution across multiple platforms, while Thales SafeNet tokens could be the choice for organizations needing highly secure, customizable, and enterprise-focused solutions.

Since both Yubikey and Thales SafeNet tokens are physical devices, there is a risk of these being lost or stolen, which introduces serious security vulnerabilities and could lead to costly replacements. In the context of modern remote work, managing the distribution and maintenance of these hardware tokens presents substantial logistical obstacles for IT teams, involving considerable expenses and manpower. However, they lack the convenience of cloud-based solutions, particularly when it comes to collaboration among developers.

Ultimately, both options aim to enhance security without significantly hindering user experience, and the decision should align with the organization’s security strategy and operational requirements.

eSigner: Cloud Signing as an Alternative to Tokens

Digital signing as a service is a modern and efficient method for managing digital signatures, exemplified by SSL.com’s eSigner cloud signing service, which facilitates both code and document signing. eSigner manages the public key infrastructure (PKI) and hardware security modules (HSMs) necessary for secure signing. The service securely stores non-exportable signing keys within its HSMs, inaccessible to both the customer and SSL.com, ensuring a level of security comparable to that provided by physical tokens, without the hassle for clients.

For enhanced security, eSigner incorporates OAuthTOTP to provide robust two-factor authentication, enabling code and document signing from any device with internet access, anywhere in the world. It also supports EV code signing, allowing developers to sign Windows 10 kernel-mode drivers.

Furthermore, eSigner simplifies the process of sharing signing certificates among team members through the SSL.com dashboard. This makes it straightforward for team members to access certificates, with each individual assigned a unique PIN. This functionality supports seamless and secure collaboration for teams spread across different locations, ensuring high security standards without sacrificing speed or efficiency in operations.

For more details about eSigner, visit our dedicated service page.