1

2. Choosing DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir, Adleman)

2.1. For the purposes of SSH Authentication

The text below was copied from various referenced websites. Conclusions are shown at the top, with context below.

From http://ac.umfk.maine.edu/~romeo/?p=69:

Conclusion:

I always use 1280-bit DSA key pairs for SSH authentication, i.e. the keys are generated with “ssh-keygen -t dsa -b 1280″ 

Note: my version of openssh limits DSA keys to 1024 bits. -- RickHull

Context:

For RSA, a 1536-bit key pair is recommended now for most uses e.g.
SSH public-key authentication, but longer keys shall be used for signing
documents that should not be forged even after many years.
Nevertheless, most Web sites that use HTTPS, have only 1024-bit RSA key
pairs, those are still reasonably secure for now, but in a few years
they will become breakable. An 1536-bit RSA public/private key pair
requires about the same time for breaking as a 90-bit key of a
secret-key algorithm. Nonetheless, in reality 1536-bit RSA is much more
secure than 90-bit, because either a huge memory (much beyond what is
currently possible) is needed for the computation or, if the memory is
unavailable, the computation becomes much slower, so the RSA key will be
equivalent in strength with a longer secret key.

RSA is more appropriate for signing certificates, because it can be
verified faster, but for the authentication of the initial message
exchange in network connection establishments, like in IPsec, TLS/SSL or
SSH, DSA can be better, because there are an equal number of signing and
verification operations, so only the sum of the execution times for
signing and verification matters. DSA has the advantage that it has the
same security as RSA at a shorter key length, i.e. 1280-bit DSA has
about the same security as 1536-bit RSA. For that reason I always use
1280-bit DSA key pairs for SSH authentication, i.e. the keys are
generated with “ssh-keygen -t dsa -b 1280″, both for the server host key
and for the users’ workstations.

DSA has a disadvantage that is not a property of the algorithm but
only of its implementation in OpenSSL, OpenSSH and other common
programs, it has several parameters that must be increased
simultaneously for better security, but applications like ssh-keygen let
you specify only the key length and they keep the other parameters
unchanged. Because of that it is absolutely useless to increase the DSA
key length beyond 1280-bit, because the security is not improven. On
the other hand, with RSA you can specify 2048-bit, 3072-bit or longer
key pairs, if you so desire. 

From PuTTY FAQ:

Conclusion:

we still recommend you use RSA instead 

Context:

DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key.

The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead.