SSH supports two signature algorithms for key pairs: RSA and DSA. Which is preferred, if any? For RSA, what is the minimum acceptable key length?
Asked
Active
Viewed 3.8k times
5 Answers
71
RSA is generally preferred (now that the patent issue is over with) because it can go up to 4096 bits, where DSA has to be exactly 1024 bits (in the opinion of ssh-keygen). 2048 bits is ssh-keygen's default length for RSA keys, and I don't see any particular reason to use shorter ones. (The minimum possible is 768 bits; whether that's "acceptable" is situational, I suppose.)
chaos
- 7,463
- 4
- 33
- 49
-
I have often wondered why people feel the need to secure their ssh connections with 2048 bit key, when your bank, which you presumably trust, is very unlikely to go over 256 bits, and is more likely to stick with 128 bits. I'm certainly not saying there's anything wrong with using a large key, I'm just…sayin'. – msanford Jul 13 '09 at 19:57
-
25The bank SSL connection is a different kind of cipher being used and more specifically the key used for the main parts of the transaction is generated and used solely for that transaction and then discarded. – Ophidian Jul 13 '09 at 20:20
-
The reason is actually to do with scaling. encryption isn't cheap and the higher your keystrength is the less SSL connections you can serve. If you have a retail bank with every consumer trying to use SSL then you are going to have to pick a compatible key suite but one that also matches your hardware. – Spence Aug 05 '09 at 23:22
-
15msanford: Like Ophidian said they are different kinds of encryptions. 256bit RSA keys would be completely useless for pretty much any purpose. The symmetric keys are in the range 128-512bit, while assymetric *start* at 768bit, and are secure at about 1500-2000bit and up. 768bit public keys can and have been broken. 128bit symmetric cannot (in itself) practically be broken. – Thomas Aug 06 '09 at 11:06
-
actually RSA goes up to 4096. I always specify with a -b 4096. @spence what does SSL have to do with ssh? I use 4096 bit keys because generation time is a 1 time thing, and compared to what would happen if my keys fell into the wrong hands and were cracked. I don't notice any performance loss using a 4096 bit key after it's generated. – xenoterracide Nov 11 '09 at 19:40
-
It is not true that RSA can only go up to 2048 bits. It is perfectly possible to create, say, a 4096 bit key. – wzzrd Nov 11 '09 at 19:42
-
2@xenoterracide, ssh uses the openssl libraries. When SSH first starts it uses RSA/DSA keys to do host verification and to setup the symmetrical keys for the session. This is the same procedure that SSL servers and client follow, so you will find that we people talk about SSH, they will often refer to allow the research and documentation done for SSL – Walter Mar 17 '10 at 15:05
-
GoDaddy now uses 2048-bit keys for SSL and others have pointed out that 1024-bit is now considered "at-risk" due to advances in computing power. – Walter Mar 17 '10 at 15:07
5
It's not about symmetric or asymetric encryption. It's about particular algorithms (RSA and DSA) requiring higher bit count to achieve acceptable security level. For example, ECC is also an asymmetric encryption, but it provides good security at much lower bit counts than RSA or DSA.
3
256 bit certificates that banks use for SSL connections are symmetric cyphers such as 3DES or AES, hence the lower bit count. When you see 1024 and 2048 (and even 4096) these are asymmetric ciphers.
2
DSA keys have much shorter signaures than RSA keys (for the same "level of security"), so one reason for using DSA would be in constrained environments.
Jus12
- 405
- 1
- 4
- 8