|
⇤ ← Revision 1 as of 2007-03-01 20:19:49
Size: 2684
Comment:
|
Size: 3462
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| == Comparison of DSA (Digital Signature Algorithm) with RSA (Rivest, Shamir, Adleman) == | == Choosing DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir, Adleman) == |
| Line 5: | Line 5: |
| The text below was copied from various referenced websites. Conclusions are in bold, added for this wiki. | The text below was copied from various referenced websites. Conclusions are shown at the top, with context below. |
| Line 9: | Line 9: |
| Conclusion: {{{ I always use 1280-bit DSA key pairs for SSH authentication, i.e. the keys are generated with “ssh-keygen -t dsa -b 1280″ }}} Context: {{{ |
|
| Line 29: | Line 36: |
| about the same security as 1536-bit RSA. For that reason '''I always use | about the same security as 1536-bit RSA. For that reason I always use |
| Line 31: | Line 38: |
| generated with “ssh-keygen -t dsa -b 1280″''', both for the server host key | generated with “ssh-keygen -t dsa -b 1280″, both for the server host key |
| Line 43: | Line 50: |
| }}} | |
| Line 46: | Line 54: |
| We now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, '''we still recommend you use RSA instead'''. | Conclusion: {{{ we still recommend you use RSA instead }}} Context: {{{ DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key. The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead. }}} |
1. Choosing DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir, Adleman)
1.1. For the purposes of SSH Authentication
The text below was copied from various referenced websites. Conclusions are shown at the top, with context below.
From [http://ac.umfk.maine.edu/~romeo/?p=69]:
Conclusion:
I always use 1280-bit DSA key pairs for SSH authentication, i.e. the keys are generated with “ssh-keygen -t dsa -b 1280″
Context:
For RSA, a 1536-bit key pair is recommended now for most uses e.g. SSH public-key authentication, but longer keys shall be used for signing documents that should not be forged even after many years. Nevertheless, most Web sites that use HTTPS, have only 1024-bit RSA key pairs, those are still reasonably secure for now, but in a few years they will become breakable. An 1536-bit RSA public/private key pair requires about the same time for breaking as a 90-bit key of a secret-key algorithm. Nonetheless, in reality 1536-bit RSA is much more secure than 90-bit, because either a huge memory (much beyond what is currently possible) is needed for the computation or, if the memory is unavailable, the computation becomes much slower, so the RSA key will be equivalent in strength with a longer secret key. RSA is more appropriate for signing certificates, because it can be verified faster, but for the authentication of the initial message exchange in network connection establishments, like in IPsec, TLS/SSL or SSH, DSA can be better, because there are an equal number of signing and verification operations, so only the sum of the execution times for signing and verification matters. DSA has the advantage that it has the same security as RSA at a shorter key length, i.e. 1280-bit DSA has about the same security as 1536-bit RSA. For that reason I always use 1280-bit DSA key pairs for SSH authentication, i.e. the keys are generated with “ssh-keygen -t dsa -b 1280″, both for the server host key and for the users’ workstations. DSA has a disadvantage that is not a property of the algorithm but only of its implementation in OpenSSL, OpenSSH and other common programs, it has several parameters that must be increased simultaneously for better security, but applications like ssh-keygen let you specify only the key length and they keep the other parameters unchanged. Because of that it is absolutely useless to increase the DSA key length beyond 1280-bit, because the security is not improven. On the other hand, with RSA you can specify 2048-bit, 3072-bit or longer key pairs, if you so desire.
From [http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-dsa PuTTY FAQ]:
Conclusion:
we still recommend you use RSA instead
Context:
DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key. The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead.