[Gllug] RSA or DSA

Steve Nelson sanelson at gmail.com
Mon May 16 14:04:09 UTC 2005


On 5/16/05, John Winters <john at sinodun.org.uk> wrote:
> The utility ssh-keygen offers you the choice of RSA or DSA keys, with no
> default selection and no clues about why you might choose one over the
> other.
> 
> Can anyone offer any advice about which is the better choice, and why?

Well, the first question has to be: better for what?  Given the context of
ssh-keygen, I think I know what you mean, however.

Both are standardised and patent-free (RSA was subject to a patent,
but this has now expired).

Both are fine for digital signatures - in that they are unlikely to be
forgeable now or any time soon.  In terms of signing, RSA is to be
preferred, as it verifies quicker.  However, when we're talking about
the authentication that takes place during initial message exchange
in a network connection situation, the number of signing and
verification operations is the same, and so we actually need to
compare the sum of the verification and authentication processes.  In
this case, the difference is marginal.

RSA authenticates faster than DSA, but in the context of ssh the
difference in speed is still negligible for an 8 character (or
slightly longer if you use MD5) password.  Also it is only in the
authentication phase that the keys are used anyway - the encryption
thereafter will be via some other cipher such as DES or blowfish.

You may hear some people say 'RSA is less secure than DSA' - by which
they mean that a longer RSA key has been cracked than DSA, although it
needs to be pointed out that the DSA algorithm has been developed
largely in private, and as such has not seen such sustained
cryptanalytical investigation as RSA - this may also explain why a
longer RSA key has been cracked than DSA.

At a mathematical level there is an argument that DSA is more secure
than RSA.  RSA is based on the principle (not proven) that factoring
large primes (as a way to crack the key) is difficult.  DSA comes from
a very different model (discrete logarithms in a finite field, I am
told by my cryptanalyst friend).  It is arguable that the latter
presents a tougher computational and theoretical challenge.

A DSA key of the same size as an RSA key will produce a smaller
signature, and a DSA key will offer the same level of security at a
shorter key length.

RSA can be used for public key encryption, but this isn't recommended,
as there are better tools available.  Although many https
implementations are using obsolete SSL libraries and are using RSA.

In terms of your key pairs - I'd recommend if you went for RSA to go
for 1536 bit, which is about the equivalent strength encryption as a
90 bit key of a secret key algorithm.  Bear in mind, again coming back
to https, that 1024 is frequently used.

Because of the way that DSA is implemented in openssh, there is little
point in creating a key longer than 1280 bit.  In order to increase
security, we need to enhance not only key length, but also other
parameters.  However, ssh-keygen doesn't allow for this, and beyond
1280 bit there is no proven improvement in security.

This isn't the case for RSA - you can carry on increasing the key
length and getting an increase in security.

In conclusion, here's what I use:

ssh-keygen -t dsa -b 1280

Hope that helps,

Steve
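
For checking which of the key types and lengths discussed in this thread are actually in use, the following added example (not part of the original post and not OpenSSH code) parses OpenSSH public key lines and reports the length of the RSA modulus or the DSA prime p. The function names, the sample keys and the 1536-bit threshold used in the demo are assumptions for illustration; the sample keys are constructed integers, not real key material, and lines are assumed to be in plain .pub form without leading options.

```python
import base64
import struct

def read_string(blob, off):
    """Read one RFC 4251 string: uint32 length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated field body")
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_info(line):
    """Return (type, bits) for a .pub-style line: RSA modulus n or DSA prime p."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, off = read_string(blob, 0)
    if name != declared.encode():
        raise ValueError("type inside blob differs from declared type")
    # RFC 4253 section 6.6: ssh-rsa holds mpints e, n; ssh-dss holds p, q, g, y.
    layout = {"ssh-rsa": (2, 1), "ssh-dss": (4, 0)}
    if declared not in layout:
        raise ValueError("unsupported key type: " + declared)
    count, wanted = layout[declared]
    values = []
    for _ in range(count):
        raw, off = read_string(blob, off)
        values.append(int.from_bytes(raw, "big"))
    return declared, values[wanted].bit_length()

def below_minimum(line, minimum_bits):
    """True when the key is shorter than the caller's chosen minimum."""
    return key_info(line)[1] < minimum_bits

# --- constructed sample keys (arbitrary integers, not usable key material) ---
def field(data):
    return struct.pack(">I", len(data)) + data

def mpint(value):
    # bit_length // 8 + 1 bytes always leaves the top bit clear (positive mpint).
    return field(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def make_line(ktype, numbers):
    blob = field(ktype.encode()) + b"".join(mpint(v) for v in numbers)
    return ktype + " " + base64.b64encode(blob).decode() + " constructed@example"

RSA_LINE = make_line("ssh-rsa", [65537, (1 << 1535) | 1])
DSA_LINE = make_line("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3])

if __name__ == "__main__":
    for sample in (RSA_LINE, DSA_LINE):
        print(key_info(sample), "below 1536:", below_minimum(sample, 1536))
```
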