SSH key-type, rsa, dsa, ecdsa, are there easy answers for which to choose when?

  • As someone who knows little about cryptography, I wonder about the choice I make when creating ssh-keys.

    ssh-keygen -t type, where type is either of dsa,rsa and ecdsa.

    Googling can give some information about differences between the types, but not anything conclusive. So my question is, are there any "easy" answers for developers/system administrators with little cryptography knowledge, when to choose which key type?

    I'm hoping for an answer in the style of "Use DSA for X and Y, RSA for Z, and ECDSA for everything else", but I also realise it's quite possible such simple answers are not available.

    Only RSA is an encryption algorithm. Both DSA and ECDSA are used for digital signing - the latter being an Elliptic Curve implementation of DSA (Digital Signature Algorithm). Elliptic curve cryptography is able to provide the same security level as RSA with a smaller key and is a "lighter calculation" workload-wise. So, use RSA for encryption, DSA for signing and ECDSA for signing on mobile devices.

    @HenningKlevjer: Although RSA can do both encryption and signing, SSH2 uses it only for signing.

  • In practice, a RSA key will work everywhere. ECDSA support is newer, so some old client or server may have trouble with ECDSA keys. A DSA key used to work everywhere, as per the SSH standard (RFC 4251 and subsequent), but this changed recently: OpenSSH 7.0 and higher no longer accept DSA keys by default.

    ECDSA is computationally lighter, but you'll need a really small client or server (say 50 MHz embedded ARM processor) to notice the difference.

    Right now, there is no security-related reason to prefer one type over any other, assuming large enough keys (2048 bits for RSA or DSA, 256 bits for ECDSA); key size is specified with the -b parameter. However, some ssh-keygen versions may reject DSA keys of size other than 1024 bits, which is currently unbroken, but arguably not as robust as could be wished for. So, if you indulge in some slight paranoia, you might prefer RSA.

    To sum up, do ssh-keygen -t rsa -b 2048 and you will be happy.

    DSA always makes me uneasy because a signature generated with a broken RNG can compromise the key. RSA keys have an easier to understand and less worrisome failure mode: generating a key with a broken RNG compromises the key, running a session with a broken RNG compromises the session at most.

    @Thomas I'm curious, since this question was posted before the Snowden affair. Has anything recently come to light that would affect this answer?

    No. In fact, everything that was revealed in that affair only confirms what was already known, i.e. that when big governmental agencies spy on people, then don't do it by trying to break cryptography upfront; they rather work around it. In the SSH case, they would collect metadata (_this_ client machine connects to _that_ server) that is not protected by the SSH protocol, regardless of the server key algorithm or size.

    *"As per the SSH standard (RFC 4251 and subsequent), a DSA key will work everywhere"* - In practice, that is no longer true. OpenSSH silently disabled DSA somewhere around 7.0 or 7.1.

    As far as I have understood, this answer is no longer true. OpenSSH 7.0 deprecated ssh-dsa keys, as far as I understand due to security concertns. See

    What is the reasoning behind saying `2048` is enough? And, is there an estimate for how long it will be enough? Given Moore's Law and (even though I don't know if I say something stupid here) quantum computing? I am far off from being a security expert, and I am curious where this value (2048) comes from.

    When you say RSA will work everywhere -- this is going to come off really pedantic, but it doesn't. It doesn't work places that don't support encryption keys, and in some places where the keys are technically supported, like Github, they often fail to work. A better formulation would be "Out of the available encryption systems, RSA is most likely to be supported." Or something like that. I'm sure you can word it more succinctly.

    @user50849 >.. posted before the Snowden affair. Has anything recently come to light ... Actually yes Snowden did revel a lot about ssh specifically what was compromised and what was not. Some of this was specifically spelled out and some was ascertained from the author who published the interview.

    Go with 4096. More is overkill. If you use ssh a lot, you can still set up multiplexing in your ssh client, in case the waiting time bothers you.

    Correction on "how gov't spies on people": Sometimes they do attack the crypto. mentions that one NSA attack on VPNs might use their disclosed vulnerability. So don't get complacent. :-P

    This is rather outdated nowadays. Actually, if we’d reasonably look at processing powers, even 16384 would not be enough for RSA. Plus, RSA had a really bad name since the whole NSA debacle with built-in backdoors e.g. in the random number handling. Thankfully, we have `ed29919` now, which was specifically created because both ecdsa and rsa were not trustworthy enough anymore for anyone but the most black-eyed blind followers, and I’d recommend using that nowadays.

    @Evi1M4chine The "NSA backdoor in RSA" was a backdoor in a random-number-generator by RSA Corporation, wasn't it? Nothing to do with the algorithm also called RSA.

    @exhuma 2048 should be enough simply because we do not yet know how to break keys of that size. It would take tens of millions of dollars to break a 1024-bit key, and 2048 is significantly larger. The best algorithm to crack RSA, called GNFS, is not fast enough to break it. And Moore's law only applies to an increase in computing power (well, transistors), but what would be needed to break RSA 2048 would be a breakthrough in factoring algorithms. And a fully capable quantum computer would break RSA of _any_ (realistic) size. Only newer post-quantum algorithms (e.g. R-LWE) are safe from that.

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM