On occasion, when explaining how to set up SSH’s public key authentication system, I am asked which is better, RSA or DSA keys. In the next few paragraphs I’ll attempt to answer that question. I’ll preface my discussion with the disclosure that while I have some expertise in Ethernet LANs and TCP/IP networking, I have at best an amateur’s understanding of cryptography. The following discussion is based on Internet research, some of which is contradictory, and, as with all things on the Internet, some sources are more reliable than others.
First, what are RSA and DSA keys?
DSA, or the Digital Signature Algorithm, is a US Government standard designed by the NSA for digital signatures. It is derived from the ElGamal signature algorithm. Its security rests on the difficulty of computing discrete logarithms in certain groups. It can only be used for digital signatures.
RSA is named from the initials of its authors, Ron Rivest, Adi Shamir, and Leonard Adleman, who first published the algorithm. It is based on the difficulty of factoring large numbers. Unlike DSA, RSA can also be used to encrypt an entire message.
My understanding is that the discrete logarithm and factoring problems are equally hard, but I have found some references that say the logarithm problem is harder (and others that say they are equally hard).
Things that I do not think matter, but you may have heard or may hear in the future:
- DSA is faster at signing than RSA, but RSA is faster at verification. Since authentication requires both phases, the difference doesn’t matter.
- As I said above, DSA can only be used for authentication, while RSA can be used both for authentication and to encrypt a message. However, SSH only uses the keys for authentication, so again the difference doesn’t matter.
- For the same key length, DSA generates a smaller signature. However, since each key file is going to take a disk block anyway, this again doesn’t matter.
- DSA keys were originally limited to 1024 bits but that is no longer the case.
- I searched the “National Vulnerability Database” for “key and DSA” and “key and RSA” and came up with 2 vulnerabilities dealing with DSA keys and 5 vulnerabilities dealing with RSA keys. As far as I can tell, all these vulnerabilities have been addressed in the latest releases of OpenSSL/OpenSSH, now part of the Internet Security Pack for OpenVOS.
Things in favor of DSA:
- DSA can only be used with SSH protocol 2, while RSA can be used with protocols 1 and 2 (see “SSH 2” Versus “OpenSSL and OpenSSH Release 2”). Protocol 1 has some significant design flaws and has been replaced by protocol version 2. I see this as a reason to slightly favor DSA keys: a sort of built-in protection against using the older, obsolete protocol.
Things in favor of RSA:
- A bad random number generator will leak DSA key bits (don’t ask me how).
- The openssh.org web site appears to be silent on the subject of which is better, but newer versions of ssh-keygen create an RSA key if you do not specify a type.
- There seem to be more (and newer) RFCs referencing RSA keys than DSA keys.
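The random-number point is the one item in this list that hides a concrete mechanism: every DSA signature needs a fresh, secret, uniformly random nonce k, and if a weak random number generator ever repeats k, two signatures are enough to solve for the private key (a merely biased k leaks partial information, of which the repeat is the extreme case). The following is an added illustration, not part of the original post and not OpenSSH code: a toy DSA over small parameters found at run time, a signer that lets the caller supply k so the failure can be reproduced, the correct random-nonce signer beside it, a check an administrator could run over collected signatures to spot a repeated r (which depends only on k), and the algebra that turns such a pair into the private key. The private key 4242 and the stuck nonce 777 are constructed values for the demo.

```python
"""Toy DSA with deliberately small parameters, used to show why a bad random
number generator is fatal to DSA: a repeated per-signature nonce k lets two
signatures reveal the private key. Constructed illustration only; parameters
are far too small for real use and the code is not OpenSSH's."""
import hashlib
import secrets


def is_prime(n):
    """Trial division; fine for the small numbers used in this demo."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def toy_parameters(q_start=100_003):
    """Find toy DSA domain parameters: prime q, prime p = m*q + 1, and a
    generator g of the order-q subgroup of Z_p^*."""
    q = q_start
    while not is_prime(q):
        q += 2
    m = 2
    while not is_prime(m * q + 1):
        m += 1
    p = m * q + 1
    for h in range(2, p):
        g = pow(h, m, p)  # g^q = h^(p-1) = 1, so g has order q unless g == 1
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")  # unreachable for valid p, q


P, Q, G = toy_parameters()


def hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def public_key(x):
    return pow(G, x, P)


def sign(x, message, k):
    """DSA signature (r, s) under private key x with caller-supplied nonce k,
    so the effect of a weak RNG can be reproduced deterministically."""
    if not 0 < k < Q:
        raise ValueError("nonce out of range")
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (hash_to_int(message) + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return r, s


def sign_random(x, message):
    """What a correct implementation does: a fresh uniformly random nonce."""
    while True:
        try:
            return sign(x, message, secrets.randbelow(Q - 1) + 1)
        except ValueError:
            continue


def verify(y, message, signature):
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (hash_to_int(message) * w) % Q
    u2 = (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def find_repeated_r(signatures):
    """Defender's check: r depends only on k, so signatures sharing an r
    almost certainly share a nonce. Returns the r values that repeat."""
    seen, repeated = set(), set()
    for r, _s in signatures:
        if r in seen:
            repeated.add(r)
        seen.add(r)
    return repeated


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures with the same k give x (all arithmetic mod q):
    s1 - s2 = k^-1 (h1 - h2)  ->  k = (h1 - h2) / (s1 - s2)
    s1 = k^-1 (h1 + x r)      ->  x = (s1 k - h1) / r"""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None  # different nonces, or the same message twice
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    k = ((h1 - h2) * pow(s1 - s2, -1, Q)) % Q
    return ((s1 * k - h1) * pow(r1, -1, Q)) % Q


if __name__ == "__main__":
    x, y = 4242, public_key(4242)  # constructed private key for the demo
    bad_k = 777                     # a "random" nonce that never changes
    sig_a = sign(x, b"first message", bad_k)
    sig_b = sign(x, b"second message", bad_k)
    print("both verify:", verify(y, b"first message", sig_a), verify(y, b"second message", sig_b))
    print("repeated r detected:", find_repeated_r([sig_a, sig_b]) == {sig_a[0]})
    print("private key recovered:", recover_private_key(b"first message", sig_a, b"second message", sig_b) == x)
```

Both signatures verify perfectly, so nothing in the protocol itself warns about the bad RNG; only the repeated r is visible from the outside, which is why the quality of the random source matters more for DSA than for RSA, where a poor RNG weakens key generation but a signature does not carry a fresh secret each time.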
Some comparisons (file sizes include text that is not part of the key):
| Key length | DSA creation time | RSA creation time | DSA bytes | RSA bytes | DSA.pub bytes | RSA.pub bytes |
|---|---|---|---|---|---|---|
| 1024 bits | 1 second | 1 second | 736 | 951 | 610 | 230 |
| 2048 bits | 8 seconds | 2 seconds | 1264 | 1743 | 1122 | 402 |
| 4096 bits | 50 seconds | 25 seconds | 2304 | 3311 | 2146 | 742 |
Regardless of which key type you use, the really important thing is key length. Given the current environment, I would recommend a key length of 2048 bits. It may seem like overkill today, but I am not so sure that it will look that way in 5 years.
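Key length is also the one property an administrator can check after the fact, by reading the public keys already installed in users’ authorized_keys files. As an added example (not part of the original post and not OpenSSH code), the auditor below decodes OpenSSH public-key lines in the RFC 4253 blob format (a length-prefixed type string followed by mpints: e and n for ssh-rsa; p, q, g and y for ssh-dss), reports the modulus size, and flags anything under 2048 bits. The sample authorized_keys content is constructed inside the block; its moduli are just numbers with the right bit length, not real keys, and the 2048-bit threshold is the article’s recommendation.

```python
"""Audit OpenSSH public-key lines (authorized_keys or id_*.pub) for key type
and length. Added example, not OpenSSH code: decodes the RFC 4253 blob
(length-prefixed type string, then mpints) and flags short keys. The sample
keys at the bottom are constructed numbers of the right size, not real keys."""
import base64
import struct

MIN_BITS = 2048  # the recommendation made in the article


def _string(data):
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """Encode a non-negative SSH 'mpint': minimal big-endian two's complement,
    so a leading 0x00 is added when the top bit would otherwise be set."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, off):
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_public_key(line):
    """Return (key_type, bits, comment) for one 'type base64 [comment]' line.
    Strength is the bit length of the RSA modulus n or the DSA prime p."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("type field does not match blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent e
        n, off = _read_string(blob, off)   # modulus n
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-dss":
        p, off = _read_string(blob, off)   # prime modulus p (q, g, y follow)
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError(f"unsupported key type {key_type}")
    return key_type, bits, comment


def audit_authorized_keys(text, min_bits=MIN_BITS):
    """Return (line_no, key_type, bits, verdict) for every non-comment line.
    Lines carrying authorized_keys options in front (e.g. command="...") are
    reported as unparseable rather than silently skipped."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            key_type, bits, _comment = parse_public_key(line)
        except (ValueError, struct.error) as exc:
            report.append((lineno, "?", 0, f"unparseable: {exc}"))
            continue
        report.append((lineno, key_type, bits, "ok" if bits >= min_bits else "too short"))
    return report


def make_rsa_line(n, e=65537, comment="constructed"):
    """Build an ssh-rsa line from numbers (used here only to construct samples)."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_dss_line(p, q, g, y, comment="constructed"):
    blob = _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)
    return f"ssh-dss {base64.b64encode(blob).decode()} {comment}"


# Constructed sample file: (1 << 2047) | 1 is simply a 2048-bit number, not a key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    make_rsa_line((1 << 2047) | 1, comment="user@host"),
    make_rsa_line((1 << 1023) | 1, comment="legacy"),
    make_dss_line((1 << 1023) | 1, (1 << 159) | 1, 2, 3, comment="dsa"),
    'command="/bin/date" ' + make_rsa_line((1 << 2047) | 1, comment="restricted"),
])

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry)
```

The reported number is the size of the modulus, which is what the -b argument to ssh-keygen sets for RSA and DSA; it says nothing about how the key was generated, so a 2048-bit key from a broken random number generator still passes this check. The last sample line shows the one parsing caveat: authorized_keys permits options before the key type, and the auditor reports such lines rather than guessing at them.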
As to which type of key to use, I have to lean toward RSA keys.