This blog post was originally released on 08/26/20.
What’s worse than an unsafe private key? An unsafe public key.
The “secure” in secure shell comes from the combination of hashing, symmetric encryption, and asymmetric encryption. Together, SSH usescryptographic primitives to safely connect clients and servers. In the 25 years since its founding, computing power and speeds in accordancewith Moore’s Law have necessitatedincreasingly complicated low-level algorithms. This article will focus on asymmetric keygen algorithms.
As of 2020, the most widely adopted algorithms are RSA, DSA, ECDSA, and EdDSA, but it is RSA and EdDSA that provide the best security andperformance.
Encryption Within the SSH Protocol
SSH is used almost universally to connect to shells on remote machines. The most important part of an SSH session is establishing a secureconnection. This happens in two broad steps:
- Negotiation & Connection
- Authentication
Negotiation & Connection
In order for an SSH session to work, both client and server must support the same version of the SSH protocol. Modern clients will supportSSH 2.0, as SSH 1.0 has identified flaws. After coming to a consensus on which protocol version to follow,both machines negotiate a per-session symmetric key to encrypt the connection from the outside. Generating a symmetric key at this stage,when paired with the asymmetric keys in authentication, prevents the entire session from beingcompromised if a key is revealed. Negotiation terms happen through the Diffie-Helman keyexchange, which creates a shared secret key to secure the whole data stream by combining theprivate key of one party with the public key of the other. These keys are different from the SSH keys used for authentication. For thoseinterested in learning more about this step, this comprehensive article, SSH Handshake Explained, is agreat starting point.
Authentication
After completing the negotiation and connection, a reliable and secure channel between the client and server has been established. During the KEX, the client has authenticated the server, but the server has not yet authenticated the client. In most cases, public-key authentication is used by the client. This method involves two keys, a public and private key. Either can be used to encrypt a message, but the other must be used to decrypt. This is what is meant by asymmetric encryption. [Figure 2] If Bob encrypts a message with Alice’s public key, only Alice’s private key can decrypt the message. This principle is what allows the SSH protocol to authenticate identity. If Alice (client) can decrypt Bob’s (server) message, then it proves Alice is in possession of the paired private key. This is, in theory, how SSH keys authentication should work. Unfortunately with the dynamic nature of infrastructure today, SSH keys are increasingly shared or managed improperly, compromising its integrity. To learn more, read this article, How to SSH Properly.
Asymmetric Encryption Algorithms
What makes asymmetric encryption powerful is that a private key can be used to derive a paired public key, but not the other way around.This principle is core to public-key authentication. If Alice had used a weak encryption algorithm that could be brute-forced by today'sprocessing capabilities, a third party could derive Alice's private key using her public key. Protecting against a threat like this requirescareful selection of the right algorithm.
There are three classes of these algorithms commonly used for asymmetric encryption: RSA, DSA, and elliptic curve based algorithms. Toproperly evaluate the strength and integrity of each algorithm, it is necessary to understand the mathematics that constitutes the core ofeach algorithm.
RSA: Integer Factorization
First used in 1978, the RSA cryptography is based on the held belief that factoring large semi-prime numbers is difficult by nature. Giventhat no general-purpose formula has been found to factor a compound number into its prime factors, there is a direct relationship betweenthe size of the factors chosen and the time required to compute the solution. In other words, given a number n=p\*q wherep and q are sufficiently large prime numbers, it can be assumed that anyone who can factor n into itscomponent parts is the only party that knows the values of p and q. The same logic exists for public and privatekeys. In fact, p & q are necessary variables for the creation of a private key, and n is a variable for the subsequent public key. This presentation simplifies RSA integer factorization. For those interested inlearning more, click here.
DSA: Discrete Logarithm Problem & Modular Exponentiation
DSA follows a similar schema, as RSA with public/private keypairs that are mathematically related. What makes DSA different from RSA is thatDSA uses a different algorithm. It solves an entirely different problem using different elements, equations, and steps. While the discretelog problem is fun, it is out of scope for this post. What is important to note is the use ofa randomly generated number, m, is used with signing a message along with a private key, k. This number m must be kept private. Morein this later.
ECDSA & EdDSA: Elliptic Curve Discrete Logarithm Problem
Algorithms using elliptic curves are also based on the assumption that there is no generally efficient solution to solving a discrete logproblem. However, ECDSA/EdDSA and DSA differ in that DSA uses a mathematical operation known as modular exponentiation while ECDSA/EdDSAuses elliptic curves. The computational complexity of the discrete log problem allows both classes of algorithms to achieve the same levelof security as RSA with significantly smaller keys.
Comparing Encryption Algorithms
Choosing the right algorithm depends on a few criteria:
- Implementation - Can the experts handle it, or does it need to be rolled?
- Compatibility - Are there SSH clients that do not support a method?
- Performance - How long will it take to generate a sufficiently secure key?
- Security - Can the public key be derived from the private key? (The use of quantum computing to break encryption is not discussed in this article.)
RSA
| Implementation | RSA libraries can be found for all major languages, including in-depth libraries (JS, Python, Go, Rust, C). |
|---|
| Compatibility | Usage of SHA-1 (OpenSSH) or publickeys under 2048-bits may be unsupported. |
|---|
| Performance | Larger keys require more time to generate. |
|---|
| Security | Specialized algorithms like Quadratic Sieve and General Number Field Sieveexist to factor integers with specific qualities. |
|---|
Time has been RSA’s greatest ally and greatest enemy. First published in 1977, RSA has the widest support across all SSH clients and languages and has truly stood the test of time as a reliable key generation method. Subsequently, it has also been subject to Moore’s Law for decades and key bit-length has grown in size. According to NIST standards, achieving 128-bit security requires a key with length 3072 bits whereas other algorithms use smaller keys. Bit security measures the number of trials required to brute-force a key. 128 bit security means 2128 trials to break.
DSA
| Implementation | DSA was adopted by FIPS-184 in 1994. It has ample representation in major crypto libraries, similar to RSA. |
|---|
| Compatibility | While DSA enjoys support for PuTTY-based clients, OpenSSH 7.0 disables DSA by default. |
|---|
| Performance | Significant improvementin key generation times to achieve comparable security strengths, though recommendedbit-length is the same as RSA. |
|---|
| Security | DSA requires the use of a randomly generated unpredictable and secretvalue that, if discovered, can reveal the private key. |
|---|
Recall earlier in the article:
“What is important to note is the use of a randomly generated number, m, is used with signing a message along with a private key, k.This number m must be kept privately.”
The value mis meant to be a nonce, which is a unique value included in many cryptographic protocols. However, the additionalconditions of unpredictability and secrecy makes the nonce more akin to a key, and therefore extremely important.
Not only is it difficult to ensure true randomnesswithin a machine, but improper implementation can break encryption. For example:
Android’s Java SecureRandom class was known to create colliding Rvalues. In otherwords, the class reused some randomly generated numbers. This exposed a number of different Android-based Bitcoinwallets to having their private keys stolen. The requirements of the nonce m means thatany two instances with the same nonce value could be reverse engineered and reveal the private key used to sign transactions.
Taking this a step further, fail0verflow discovered the private key used to sign firmware updates forthe Sony Playstation 3. In other words, programmers could write their own code, sign it with the revealed private key, and run it on thePS3. As it turns out, Sony was using the same random number to sign each message.
ECDSA & EdDSA
The two examples above are not entirely sincere. Both Sony and the Bitcoin protocol employ ECDSA, not DSA proper. ECDSA is an elliptic curveimplementation of DSA. Functionally, where RSA and DSA require key lengths of 3072 bits to provide 128 bits of security, ECDSA canaccomplish the same with only 256-bit keys. However, ECDSA relies on the same level of randomness as DSA, so the only gain is speed andlength, not security.
In response to the desired speeds of elliptic curves and the undesired security risks, another class of curves has gained some notoriety.EdDSA solves the same discrete log problem as DSA/ECDSA, but uses a different family of elliptic curves known as the EdwardsCurve (EdDSA uses a Twisted EdwardsCurve). While offering slight advantages in speed over ECDSA, its popularity comesfrom an improvement in security. Instead of relying on a random number for the nonce value, EdDSA generates a nonce deterministically as ahash making it collision resistant.
Taking a step back, the use of elliptic curves does not automatically guarantee some level of security. Not all curves are the same. Only afew curves have made it past rigorous testing. Luckily, the PKI industry has slowly come to adoptCurve25519 in particular for EdDSA. Put together that makes the public-key signature algorithm,Ed25519.
| Implementation | EdDSA is fairly new Crypto++ and cryptlib do not currently support EdDSA. |
|---|
| Compatibility | Compatible with newer clients, Ed25519 has seen the largest adoptionamong the Edward Curves, though NIST also proposed Ed448 in their recentdraft of SP 800-186. |
|---|
| Performance | Ed25519 is the fastest performing algorithm across all metrics. As withECDSA, public keys are twice the length of the desired bit security. |
|---|
| Security | EdDSA provides the highest security level compared tokey length. It also improves on the insecurities found in ECDSA. |
|---|
Teleport cybersecurity blog posts and tech news
Every other week we'll send a newsletter with the latest cybersecurity news and Teleport updates.
RSA vs. DSA vs. ECDSA vs. EdDSA
Below we list the common differences between RSA, DSA, ECDSA, and EdDSA algorithms:
| RSA | DSA | ECDSA | EdDSA |
|---|
| Popularity | Most widely implemented and supported. | Its notorious security history makes it less popular. | Fairly new but not as popular as EdDSA. | Fairly new but favoured by most modern cryptographic libraries. |
|---|
| Performance | Larger keys require more time to generate. | Faster for signature generation but slower for validation. | Public keys are twice the length of the desired bit security. | EdDSA is the fastest performing algorithm across all metrics. |
|---|
| Security | Specialized algorithms like Quadratic Sieve and General Number Field Sieve exist to factor integers with specific qualities. | DSA requires the use of a randomly generated unpredictable and secret value that, if discovered, can reveal the private key. | Vulnerable if pseudo random number aren't cryptographically strong. | EdDSA provides the highest security level compared to key length. It also improves on the insecurities found in ECDSA. |
|---|
How to generate SSH keys with RSA, DSA, ECDSA, or EdDSA?
RSA is the default key type when generated using the ssh-keygen command. To generate SSH keys with given algorithm type, supply -t flag to ssh-keygen command. Below is an example of generating ed25519 key:
$ ssh-keygen -t ed25519 -C "unique name to identify this key."
Both public and private keys (ssh key pair) are generated with the above command. The private key never leave user's computer, and the public key is stored in the server's authorized_keys file.
The SSH key fingerprint can be checked with the following command:
$ ssh-keygen -l -f <key file>
For more details, learn how to generate SSH keys.
Conclusion
When it comes down to it, the choice is between RSA 2048/4096 and Ed25519 and the trade-off is between performance and compatibility. RSA isuniversally supported among SSH clients while EdDSA performs much faster and provides the same level of security with significantly smallerkeys. Peter Ruppel puts the answer succinctly:
The short answer to this is: as long as the key strength is good enough for the foreseeable future, it doesn't really matter. Because herewe are considering a signature for authentication within an SSH session. The cryptographic strength of the signature just needs to withstandthe current, state-of-the-art attacks.
Just don’t use ECDSA/DSA!
Certificates better than keys
Although keys are a relatively secure authentication method for SSH when compared with password-based authentication, keys create an equal amount of operational and security overhead on the administration side. Key rotation and key invalidation remain a challenge that can be resolved using certificate-based authentication. Teleport offers SSH certificate-based access solution with additional benefits of audit logging, session recording, and RBAC for SSH. Teleport is open source and can be used as a drop replacement for OpenSSH servers. Learn why certificates are better than keys for SSH and get started with Teleport today - https://goteleport.com/docs/getting-started/linux-server/
FAQs
RSA, DSA, and ECDSA
They differ in how they create and verify signatures, which are used to prove the identity of the sender and the integrity of the message. RSA stands for Rivest-Shamir-Adleman, DSA stands for Digital Signature Algorithm, and ECDSA stands for Elliptic Curve Digital Signature Algorithm.
What is the difference between DSA RSA and ECDSA? ›
RSA, DSA, and ECDSA
They differ in how they create and verify signatures, which are used to prove the identity of the sender and the integrity of the message. RSA stands for Rivest-Shamir-Adleman, DSA stands for Digital Signature Algorithm, and ECDSA stands for Elliptic Curve Digital Signature Algorithm.
What is the difference between EdDSA and DSA? ›
DSA requires the use of a randomly generated unpredictable and secret value that, if discovered, can reveal the private key. Vulnerable if pseudo random number aren't cryptographically strong. EdDSA provides the highest security level compared to key length. It also improves on the insecurities found in ECDSA.
What is the difference between DSA and RSA SSH key? ›
DSA is faster at decrypting and signing, while RSA is faster at encrypting and verifying. So if you often encounter performance issues, it might be a good idea to look at where the problem lies (i.e., whether it's client-based or server-based) and base your choice of key algorithm on that.
Which is better RSA or ECDSA? ›
ECDSA provides the same level of security as RSA but it does so while using much shorter key lengths. Therefore, for longer keys, ECDSA will take considerably more time to crack through brute-forcing attacks. Another great advantage that ECDSA offers over RSA is the advantage of performance and scalability.
What is the difference between EdDSA and ECDSA? ›
EdDSA is more simple than ECDSA, more secure than ECDSA and is designed to be faster than ECDSA (for curves with comparables key length). Like ECDSA, the EdDSA signature scheme relies on the difficulty of the ECDLP problem (elliptic-curve discrete logarithm problem) for its security strength.
What is the preferred SSH key type? ›
While many types of SSH keys (RSA, DSA, ECDSA, ed25519) exist, RSA remains the most common and provides the broadest system compatibility.
Why is EdDSA better than ECDSA? ›
ECDSA vs EdDSA
Unlike ECDSA the EdDSA signatures do not provide a way to recover the signer's public key from the signature and the message. Generally, it is considered that EdDSA is recommended for most modern apps.
Is EdDSA faster than ECDSA? ›
Among them are RSA's key size and ECDSA's known vulnerability to side-channel attacks. EdDSA solves the problem of key size. Its key size is comparable to ECDSA, but it's faster and designed with performance in mind.
Are DSA keys deprecated? ›
DSA keys have been deprecated due to weakness by OpenSSH, and we should wind down our support for these keys.
So, if you're concerned about accidentally using SSH, DSA may be a better choice. In other words, the difference between RSA and DSA is in what each can do. RSA can be used as a digital signature and an encryption algorithm. Also, RSA is a block cipher, while DSA is a stream cipher.
What is ECDSA key? ›
Elliptic Curve Digital Signature Algorithm, or ECDSA, is one of the more complex public key cryptography encryption algorithms. Keys are generated via elliptic curve cryptography that are smaller than the average keys generated by digital signing algorithms.
How do I know if my key is RSA or DSA? ›
For example, if you see "algo 1", "algo 2", or "algo 3", then the key is using RSA. If you see "algo 17", then you are using DSA (Digital Signature Algorithm). If you see that this key is using < 2048 bits, then you should deprecate & replace your key.
What are the advantages of ECDSA over RSA? ›
Advantages of using ECDSA to RSA
Using ECDSA for digital signature carries a number of important advantages, such as: a high level of security; no problems with application performance; quick process of signing and verification (40% faster than RSA);
Is SSH RSA obsolete? ›
The ssh-rsa signature scheme has been deprecated since OpenSSH 8.8 which was released in 2021-08-20 (release notes). The reason is as quoted: In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm.
Is RSA better than elliptic curve DSA? ›
How Does ECC Compare To RSA And DSA? The biggest difference between ECC and RSA/DSA is the greater cryptographic strength that ECC offers for equivalent key size. An ECC key is more secure than an RSA or DSA key of the same size.
What is the maximum key size for ECDSA? ›
For RSA, the largest supported key size is 4096 bits. For ECDSA, the largest supported key size is 384 bits.
Where is EdDSA used? ›
For example, EdDSA can be used to guarantee the authenticity of digital documents. Once a digital document is created and signed, the digital signature creates a unique footprint for that document. A manipulation of it no matter how small the signature is invalid.
Is ECDSA crackable? ›
It's mathematically challenging to crack an ECDSA code, although hackers will certainly try to do so. Faster load times. Websites aim to load pages within about a half-second.
Which version of SSH is most secure? ›
SSH-2 (Standard version of SSH)
SSH2 is a much more secure and efficient than SSH-1. SSH-2 supports SFTP, a secure version of FTP. The main point to note is that, SSH-1 and SSH-2 are entirely different protocols.
Before choosing a new port for your SSH access, note that the ports numbered 0-1023 are reserved for privileged services. Hence, it is best to use a port ranging from 1024 to 65535.
What are the different SSH key formats? ›
Supported SSH key formats
| Type of key | Minimum key size (bits) | Example |
|---|
| Ed25519 (ed25519) | 256 | 1 ssh-keygen -t ed25519 -b 256 |
| ECDSA (ecdsa) | 256 | 1 ssh-keygen -t ecdsa -b 256 |
| RSA (rsa) | 2048 | 1 ssh-keygen -t rsa -b 2048 |
| DSA / DSS (dsa) | 1024 | 1 ssh-keygen -t dsa -b 1024 |
The two most popular key exchange algorithms are RSA and Diffie-Hellman (now known as Diffie-Helmlman-Merkle).
Is DSA still secure? ›
DSA is a signature-only algorithm and requires a private key for signing and a public key for verifying. DSA is a faster algorithm and is simpler to implement than RSA. DSA is more secure than RSA as it provides message integrity and non-repudiation.
What is the strength of ECDSA? ›
ECDSA provides higher security strength for lower computational cost. ECDSA P-256, for example, provides 128-bit security strength and is equivalent to an RSA 3072 key.
Who uses ECDSA? ›
Security Encyclopedia
It is a particularly efficient equation based on public key cryptography (PKC). ECDSA is used across many security systems, is popular for use in secure messaging apps, and it is the basis of Bitcoin security (with Bitcoin "addresses" serving as public keys).
Why is DSA weak? ›
DSA has an intrinsic weakness which makes it very easy to create a signature which contains enough information to give away the private key! This would allow an attacker to pretend to be you for any number of future sessions.
Are DSA keys and RSA keys shorter than 2048 bits vulnerable? ›
DSA keys and RSA keys shorter than 2048 bits are considered vulnerable. It is recommended to install a RSA public key length of at least 2048 bits or greater, or to switch to ECDSA or EdDSA. Most of my search returns how to deal with ssh as a client.
When was DSA deprecated? ›
Support for DSA will end on July 31, 2023. All customers using the DSA product will work closely with the DSA expert team to ensure they have moved over to the cloud solution before this date.
Has RSA been cracked? ›
Classical quantum hybrid used to crack RSA encryption
The team say they cracked 48-bit RSA using a 10-qubit quantum computer-based hybrid system and could do the same for 2048-bit if they had access to a quantum computer with at least 372 qubits.
Encryption in SSH
Most widely used encryption methods in SSH are AES and Blowfish. By default, AES is used if supported by the server.
What is the best asymmetric encryption? ›
RSA (Rivest Shamir Adleman) — RSA is considered one of the most secure (and commonly used) asymmetric key encryption algorithms. It's virtually uncrackable using modern computers.
What is an example of ECDSA? ›
ECDSA signatures are 2 times longer than the signer's private key for the curve used during the signing process. For example, for 256-bit elliptic curves (like secp256k1 ) the ECDSA signature is 512 bits (64 bytes) and for 521-bit curves (like secp521r1 ) the signature is 1042 bits.
What is the difference between RSA and ECDSA digital signature? ›
ECDSA keys are much shorter than RSA keys; at this size, the difference is 256 versus 3072 bits. Similarly, ECDSA signatures are much shorter than RSA signatures. This is relevant because DNSSEC stores and transmits both keys and signatures.”
How to match SSH keys? ›
Procedure
- Log in the server as 'root' using SSH, or use the WHM: Terminal feature.
- Change into the /root/. ssh/ directory on the server. ...
- Use the command 'ls -al' to list all files in the directory, and locate your private/public keypair you wish to check. ...
- Use the following command, to test both files. ...
- That's it.
Bitcoin is a good example of a system that relies on ECDSA for security. Every Bitcoin address is a cryptographic hash of an ECDSA public key.
Why is RSA no longer used? ›
RSA is secure, but it's being implemented insecurely in many cases by IoT manufacturers. More than 1 in every 172 RSA keys are at risk of compromise due to factoring attacks. ECC is a more secure alternative to RSA because: ECC keys are smaller yet more secure than RSA because they don't rely on RNGs.
Is there anything better than SSH? ›
Eternal Terminal implements a new style of TCP layer on the host that is more robust than what traditional SSH uses. It is able to recover from lost connections much better and handles brief dropouts with ease.
Which protocol was replaced by SSH and why? ›
SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rsh and the related rlogin and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis.
Why is RSA better than AES? ›
While AES is a symmetric algorithm designed for rapid data encryption and decryption, RSA is an asymmetric method used primarily for secure key exchange and digital signatures. In certain scenarios, one may outperform the other, making the choice between AES and RSA crucial for optimal security and efficiency.
RSA is more computationally intensive than AES, and much slower. It's normally used to encrypt only small amounts of data.
Why ECC is not widely used? ›
ECC uses a finite field, so even though elliptical curves themselves are relatively new, most of the math involved in taking a discrete logarithm over the field is much older. In fact, most of the algorithms used are relatively minor variants of factoring algorithms.
What is the difference between RSA and DSA search? ›
DSA campaigns target potential customers based on the products or services they're interested in, whereas RSAs target potential customers solely based on the keywords they used in their query.
What is the difference between Google DSA and RSA? ›
Responsive Search Ads (RSAs) feel a little similar to Dynamic Search Ads in that the message is geared to the search query more so than with Expanded Text Ads (ETAs). But while Dynamic Search Ads pull content from the website to display in the ad, RSAs use copy provided by the advertiser within the Google Ads platform.
What is the difference between RSA and DSA key size? ›
For DSA keys, the minimum key size is 512. For RSA keys, the minimum size for clear RSA keys and secure RSA keys on the public key data set (PKDS) is 512 bits. The minimum size for secure RSA keys on the token key data set (TKDS) is 1024 bits and the size must be a multiple of 256.
Is DSA deprecated? ›
Support for DSA will end on July 31, 2023.
What is the difference between AES and RSA? ›
While AES is a symmetric algorithm designed for rapid data encryption and decryption, RSA is an asymmetric method used primarily for secure key exchange and digital signatures. In certain scenarios, one may outperform the other, making the choice between AES and RSA crucial for optimal security and efficiency.
What is the ECDSA key? ›
Elliptic Curve Digital Signature Algorithm, or ECDSA, is one of the more complex public key cryptography encryption algorithms. Keys are generated via elliptic curve cryptography that are smaller than the average keys generated by digital signing algorithms.
What is the difference between DSA and DSS? ›
What is the relationship between DSS (Digital Signature Standard) & DSA (Digital Secure Algorithm). DSA is used in the implemention of DSS. They are the same thing. DSA is an older, obsolete version of DSS.
What is better than RSA encryption? ›
AES (Advanced Encryption Standard) is a symmetric key encryption algorithm that uses the same key to both encrypt and decrypt data. It is considered to be more secure than RSA encryption as it uses a longer key, making it harder for hackers to crack the code.
ECDSA (Elliptic Curve Digital Signature Algorithm) is based on DSA, but uses yet another mathematical approach to key generation. ECC is a mathematical equation taken on its own, but ECDSA is the algorithm that is applied to ECC to make it appropriate for security encryption.
What is ECDSA encryption? ›
Elliptic Curve Digital Signature Algorithm, or ECDSA, is one of the more complex public key cryptography encryption algorithms. Keys are generated via elliptic curve cryptography that are smaller than the average keys generated by digital signing algorithms.
What is the key size for ECDSA? ›
For ECDSA, the largest supported key size is 384 bits.
What is the size of SSH DSA key? ›
For DSA keys, the minimum key size is 512. For RSA keys, the minimum size for clear RSA keys and secure RSA keys on the public key data set (PKDS) is 512 bits. The minimum size for secure RSA keys on the token key data set (TKDS) is 1024 bits and the size must be a multiple of 256.
What size RSA key is best practice? ›
Since 2015, NIST recommends a minimum of 2048-bit keys for RSA, an update to the widely-accepted recommendation of a 1024-bit minimum since at least 2002.
