current community

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100% free, no registration required.
up vote 128 down vote favorite
44

When generating SSH authentication keys on a Unix/Linux system with ssh-keygen, you're given the choice of creating a RSA or DSA key pair (using -t type).

What is the difference between RSA and DSA keys? What would lead someone to choose one over the other?

share|improve this question
 
So, How many bits is suggested for SSH RSA Public key??? –  Bhanu Oct 3 '13 at 11:23
 
@Bhanu The default of ssh-keygen from OpenSSH 6.3p1 is 2048 bits. Read the answers below, and you will also find out that 2048 bits is sufficient. –  Lekensteyn Oct 3 '13 at 12:46
add comment

6 Answers

up vote 84 down vote accepted

Go with RSA.

DSA is faster for signature generation but slower for validation, slower when encrypting but faster when decrypting and security can be considered equivalent compared to an RSA key of equal key length. That's the punch line, now some justification.

The security of the RSA algorithm is based on the fact that factorization of large integers is known to be "difficult", whereas DSA security is based on the discrete logarithm problem. Today the fastest known algorithm for factoring large integers is the General Number Field Sieve, also the fastest algorithm to solve the discrete logarithm problem in finite fields modulo a large prime p as specified for DSA.

Now, if the security can be deemed as equal, we would of course favour the algorithm that is faster. But again, there is no clear winner.

You may have a look at this study or, if you have OpenSSL installed on your machine, run openssl speed. You will see that DSA performs faster in generating a signature but much slower when verifying a signature of the same key length. Verification is generally what you want to be faster if you deal e.g. with a signed document. The signature is generated once - so it's fine if this takes a bit longer - but the document signature may be verified much more often by end users.

Both do support some form of encryption method, RSA out of the box and DSA using an El Gamal. DSA is generally faster in decryption but slower for encryption, with RSA it's the other way round. Again you want decryption to be faster here because one encrypted document might be decrypted many times.

In commercial terms, RSA is clearly the winner, commercial RSA certificates are much more widely deployed than DSA certificates.

But I saved the killer argument for the end: man ssh-keygen says that a DSA key has to be exactly 1024 bits long to be compliant with NIST's FIPS 186-2. So although in theory longer DSA keys are possible (FIPS 186-3 also explicitly allows them) you are still restricted to 1024 bits. And if you take the considerations of this [article], we are no longer secure with 1024 bits for either RSA or DSA.

So today, you are better of with an RSA 2048 bit key.

share|improve this answer
6  
Sorry, you got it wrong on several points. DSA is defined in a finite field of size p where p is a big prime integer, not a power of 2. With regards to discrete logarithm, a finite field of size 2^1024 is weaker than a finite field of size p, with a specific algorithm (designed by Coppersmith) which is faster than Index Calculus. The current FIPS 186 is FIPS 186-3, and this one allows DSA keys longer than 1024 bits (and ssh-keygen can make 2048-bit DSA keys). In the case of SSH (client side) there is no question of encryption, only signatures. –  Thomas Pornin Jul 9 '11 at 22:04
5  
Although FIPS-3 does allow larger key lengths, current ssh-keygen (Fedora 15) does not -> ssh-keygen -t dsa -b 2048 -> DSA keys must be 1024 bits. Although SSH does just involve signatures I think it's still relevant to point out the difference. You're right about DSA being defined on Zp, I will change that. Thanks for your remarks! –  emboss Jul 9 '11 at 22:38
2  
@Thomas, it's called openssl gendsa. (The key format is the same.) –  grawity Oct 10 '11 at 5:52
3  
DSA [...] is faster when decrypting is not quite right: DSA can only sign/validate, there is no encryption build in. –  Paŭlo Ebermann Nov 6 '11 at 21:43
1  
@emboss:I don't understand this answer.DSA is NOT an encryption scheme.It is a signature validation scheme –  Jim Apr 21 '12 at 9:04
show 2 more comments
up vote 22 down vote

In SSH, on the client side, the choice between RSA and DSA does not matter much, because both offer similar security for the same key size (use 2048 bits and you will be happy).

Historically, version 1 of the SSH protocol supported only RSA keys. When version 2 was defined, RSA was still patented, so support of DSA was added, so that an opensource patent-free implementation could be made. RSA patent expired more than 10 years ago, so there is no worry now.

Theoretically, in some very specific situations, you can have a performance issue with one or the other: if the server is a very small machine (say, an i486), it will prefer clients with RSA keys, because verifying a RSA signature is less computationally expensive than verifying a DSA signature. Conversely, a DSA signature is shorter (typically 64 bytes vs 256) so if you are very short on bandwidth you would prefer DSA. Anyway, you will have a hard time detecting those effects, let alone find them important.

On the server, a DSA key is preferred, because then the key exchange will use a transient Diffie-Hellman key, which opens the road for "Perfect Forward Secrecy" (i.e. if a bad guy steals the server private key, he still cannot decrypt past connections that he would have recorded).

share|improve this answer
3  
Can you elaborate on the risk of using an RSA key on the server side? –  jrdioko Jul 10 '11 at 1:15
2  
@jrdioko: when connecting, a session key is established, using a key exchange mechanism such as RSA (encryption) or Diffie-Hellman. A corresponding private key is used on the server. If that key is transient (generated on-the-fly, kept in RAM only, discarded after usage), then it is safe against subsequent stealing. When the server key (the one which is permanent, stored in a file) is for signatures only (e.g. DSA key), then you are sure that the key exchange key is transient (the public key is then signed by the server), and that's good. –  Thomas Pornin Jul 10 '11 at 17:46
1  
Can't one use DHE with RSA-signature, too? –  Paŭlo Ebermann Nov 6 '11 at 21:45
3  
@Paŭlo: actually, with SSHv2, DHE is always used, even with a RSA key. Using a DSA key is just an easy way to be sure of getting PFS, because it cannot be used otherwise. –  Thomas Pornin Nov 7 '11 at 19:51
add comment
up vote 7 down vote

Another important advantage of RSA over both DSA and ECDSA is that you don't ever need a secure random number generator to create signatures.

To generate a signature, (EC)DSA needs a value that has to be random, secret/unpredictable and can never be used again. If one of those properties is violated, it's possible to trivially recover the private key from one or two signatures.

This has happened before (once with a broken patch of the OpenSSL PRNG in Debian, and once with a bug in Android's SecureRandom implementation), and is pretty hard to completely prevent.

With RSA, in those situations only your ephemeral session key would have been compromised, if the actual authentication key pairs have been created using a properly seeded PRNG before.

Theoretically, there is a way to make (EC)DSA signatures depend on the message and private key, which can avoid total failure in case of a broken RNG, but until this gets integrated into your SSH client (there is no OpenSSL release version including the patch right now), I'd definitely go with RSA keys.

share|improve this answer
add comment
up vote 6 down vote

RSA and DSA are two completely different algorithms. RSA keys can go up to 4096 bits, where DSA has to be exactly 1024 bits (although OpenSSL allows for more.) According to Bruce Schneier, "both DSA and RSA with the same length keys are just about identical in difficulty to crack."

share|improve this answer
add comment
up vote 4 down vote

A presentation at BlackHat 2013 suggests that significant advances have been made in solving the problems on complexity of which the strength of DSA and some other algorithms is founded, so they can be mathematically broken very soon. Moreover, the attack may be possible (but harder) to extend to RSA as well.

The presentation suggests using elliptic curve cryptography instead. The only ECC algorithm supported by OpenSSH is ECDSA, so that's the safest bet against the underlying algorithm being mathematically broken.

However, OpenSSH only supports NIST curves for ECDSA and according to this study those curves look really suspicious for NSA backdoors. And if NSA can already crack it, then it won't be as hard to crack for somebody else as a proper curve would be.

Also, both DSA and ECDSA have a nasty property: they requires a parameter usually called k to be completely random, secret, and unique. In practice that means that if you connect to your server from a machine with a poor random number generator and e.g. the the same k happens to be used twice, an observer of the traffic can figure out your private key. (source: Wikipedia on DSA and ECDSA, also this).

The bottom line is:

  • Never use DSA.
  • RSA is the best bet, at least until OpenSSH implements better curves, such as Ed25519.
  • Don't use ECDSA just yet. You might get stronger-than-RSA encryption out of it someday, when OpenSSH implements better curves. But even then you'd have to use a really really good random number generator at all times and change keys often, before the k parameter happens to repeat itself even once.
share|improve this answer
add comment
up vote 3 down vote

The problem with ECDSA is not so much backdoors. Bernstein/Lange specifically mention that curve cryptanalysis does not attack specific curves, but classes of curves (see slide 6).

The problem with ECDSA is that NIST curves are hard to implement correctly (ie. constant time and with all proper verification) compared to Curve25519. OpenSSL has a constant-time P256 implementation, so OpenSSH is safe in that regard.

If you're still worried about NIST curves, OpenSSH recently added support for the Ed25519 scheme (I can't post the link due to reputation)

share|improve this answer
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.