1 == Choosing DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir, Adleman) ==
3 === For the purposes of SSH Authentication ===
5 The text below was copied from various referenced websites. Conclusions are shown at the top, with context below.
7 From [http://ac.umfk.maine.edu/~romeo/?p=69]:
11 I always use 1280-bit DSA key pairs for SSH authentication, i.e. the keys are generated with “ssh-keygen -t dsa -b 1280″
14 ''Note: my version of openssh limits DSA keys to 1024 bits.'' -- RickHull
18 For RSA, a 1536-bit key pair is recommended now for most uses e.g.
19 SSH public-key authentication, but longer keys shall be used for signing
20 documents that should not be forged even after many years.
21 Nevertheless, most Web sites that use HTTPS, have only 1024-bit RSA key
22 pairs, those are still reasonably secure for now, but in a few years
23 they will become breakable. An 1536-bit RSA public/private key pair
24 requires about the same time for breaking as a 90-bit key of a
25 secret-key algorithm. Nonetheless, in reality 1536-bit RSA is much more
26 secure than 90-bit, because either a huge memory (much beyond what is
27 currently possible) is needed for the computation or, if the memory is
28 unavailable, the computation becomes much slower, so the RSA key will be
29 equivalent in strength with a longer secret key.
31 RSA is more appropriate for signing certificates, because it can be
32 verified faster, but for the authentication of the initial message
33 exchange in network connection establishments, like in IPsec, TLS/SSL or
34 SSH, DSA can be better, because there are an equal number of signing and
35 verification operations, so only the sum of the execution times for
36 signing and verification matters. DSA has the advantage that it has the
37 same security as RSA at a shorter key length, i.e. 1280-bit DSA has
38 about the same security as 1536-bit RSA. For that reason I always use
39 1280-bit DSA key pairs for SSH authentication, i.e. the keys are
40 generated with “ssh-keygen -t dsa -b 1280″, both for the server host key
41 and for the users’ workstations.
43 DSA has a disadvantage that is not a property of the algorithm but
44 only of its implementation in OpenSSL, OpenSSH and other common
45 programs, it has several parameters that must be increased
46 simultaneously for better security, but applications like ssh-keygen let
47 you specify only the key length and they keep the other parameters
48 unchanged. Because of that it is absolutely useless to increase the DSA
49 key length beyond 1280-bit, because the security is not improven. On
50 the other hand, with RSA you can specify 2048-bit, 3072-bit or longer
51 key pairs, if you so desire.
54 From [http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-dsa PuTTY FAQ]:
58 we still recommend you use RSA instead
63 DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key.
65 The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead.
HCoop / hcoop / zz_old / ikiwiki / blob