[hcoop/zz_old/ikiwiki] / DSAvsRSA.mdwn

== Choosing DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir, Adleman) ==\r
\r
=== For the purposes of SSH Authentication ===\r
\r
The text below was copied from various referenced websites.  Conclusions are shown at the top, with context below.\r
\r
From [http://ac.umfk.maine.edu/~romeo/?p=69]:\r
\r
Conclusion: \r
{{{ \r
I always use 1280-bit DSA key pairs for SSH authentication, i.e. the keys are generated with “ssh-keygen -t dsa -b 1280″ \r
}}}\r
\r
''Note: my version of openssh limits DSA keys to 1024 bits.'' -- RickHull\r
\r
Context:\r
{{{\r
For RSA, a 1536-bit key pair is recommended now for most uses e.g.\r
SSH public-key authentication, but longer keys shall be used for signing\r
documents that should not be forged even after many years.\r
Nevertheless, most Web sites that use HTTPS, have only 1024-bit RSA key\r
pairs, those are still reasonably secure for now, but in a few years\r
they will become breakable. An 1536-bit RSA public/private key pair\r
requires about the same time for breaking as a 90-bit key of a\r
secret-key algorithm. Nonetheless, in reality 1536-bit RSA is much more\r
secure than 90-bit, because either a huge memory (much beyond what is\r
currently possible) is needed for the computation or, if the memory is\r
unavailable, the computation becomes much slower, so the RSA key will be\r
equivalent in strength with a longer secret key.\r
\r
RSA is more appropriate for signing certificates, because it can be\r
verified faster, but for the authentication of the initial message\r
exchange in network connection establishments, like in IPsec, TLS/SSL or\r
SSH, DSA can be better, because there are an equal number of signing and\r
verification operations, so only the sum of the execution times for\r
signing and verification matters. DSA has the advantage that it has the\r
same security as RSA at a shorter key length, i.e. 1280-bit DSA has\r
about the same security as 1536-bit RSA. For that reason I always use\r
1280-bit DSA key pairs for SSH authentication, i.e. the keys are\r
generated with “ssh-keygen -t dsa -b 1280″, both for the server host key\r
and for the users’ workstations.\r
\r
DSA has a disadvantage that is not a property of the algorithm but\r
only of its implementation in OpenSSL, OpenSSH and other common\r
programs, it has several parameters that must be increased\r
simultaneously for better security, but applications like ssh-keygen let\r
you specify only the key length and they keep the other parameters\r
unchanged. Because of that it is absolutely useless to increase the DSA\r
key length beyond 1280-bit, because the security is not improven. On\r
the other hand, with RSA you can specify 2048-bit, 3072-bit or longer\r
key pairs, if you so desire. \r
}}}\r
\r
From [http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-dsa PuTTY FAQ]:\r
\r
Conclusion: \r
{{{ \r
we still recommend you use RSA instead \r
}}}\r
\r
Context:\r
{{{\r
DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key.\r
\r
The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead. \r
}}}\r
Commit	Line	Data
ee25310d	1	== Choosing DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir, Adleman) ==\r
	2	\r
	3	=== For the purposes of SSH Authentication ===\r
	4	\r
	5	The text below was copied from various referenced websites. Conclusions are shown at the top, with context below.\r
	6	\r
	7	From [http://ac.umfk.maine.edu/~romeo/?p=69]:\r
	8	\r
	9	Conclusion: \r
	10	{{{ \r
	11	I always use 1280-bit DSA key pairs for SSH authentication, i.e. the keys are generated with “ssh-keygen -t dsa -b 1280″ \r
	12	}}}\r
	13	\r
	14	''Note: my version of openssh limits DSA keys to 1024 bits.'' -- RickHull\r
	15	\r
	16	Context:\r
	17	{{{\r
	18	For RSA, a 1536-bit key pair is recommended now for most uses e.g.\r
	19	SSH public-key authentication, but longer keys shall be used for signing\r
	20	documents that should not be forged even after many years.\r
	21	Nevertheless, most Web sites that use HTTPS, have only 1024-bit RSA key\r
	22	pairs, those are still reasonably secure for now, but in a few years\r
	23	they will become breakable. An 1536-bit RSA public/private key pair\r
	24	requires about the same time for breaking as a 90-bit key of a\r
	25	secret-key algorithm. Nonetheless, in reality 1536-bit RSA is much more\r
	26	secure than 90-bit, because either a huge memory (much beyond what is\r
	27	currently possible) is needed for the computation or, if the memory is\r
	28	unavailable, the computation becomes much slower, so the RSA key will be\r
	29	equivalent in strength with a longer secret key.\r
	30	\r
	31	RSA is more appropriate for signing certificates, because it can be\r
	32	verified faster, but for the authentication of the initial message\r
	33	exchange in network connection establishments, like in IPsec, TLS/SSL or\r
	34	SSH, DSA can be better, because there are an equal number of signing and\r
	35	verification operations, so only the sum of the execution times for\r
	36	signing and verification matters. DSA has the advantage that it has the\r
	37	same security as RSA at a shorter key length, i.e. 1280-bit DSA has\r
	38	about the same security as 1536-bit RSA. For that reason I always use\r
	39	1280-bit DSA key pairs for SSH authentication, i.e. the keys are\r
	40	generated with “ssh-keygen -t dsa -b 1280″, both for the server host key\r
	41	and for the users’ workstations.\r
	42	\r
	43	DSA has a disadvantage that is not a property of the algorithm but\r
	44	only of its implementation in OpenSSL, OpenSSH and other common\r
	45	programs, it has several parameters that must be increased\r
	46	simultaneously for better security, but applications like ssh-keygen let\r
	47	you specify only the key length and they keep the other parameters\r
	48	unchanged. Because of that it is absolutely useless to increase the DSA\r
	49	key length beyond 1280-bit, because the security is not improven. On\r
	50	the other hand, with RSA you can specify 2048-bit, 3072-bit or longer\r
	51	key pairs, if you so desire. \r
	52	}}}\r
	53	\r
	54	From [http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-dsa PuTTY FAQ]:\r
	55	\r
	56	Conclusion: \r
	57	{{{ \r
	58	we still recommend you use RSA instead \r
	59	}}}\r
	60	\r
	61	Context:\r
	62	{{{\r
	63	DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key.\r
	64	\r
65	The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead. \r
66	}}}\r