[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)

On Thu, May 15, 2008 at 08:09:12AM +1000, Ben Finney wrote:
Roland Mas <lolando@debian.org> writes:

- Keys submitted through the web interface are now filtered, and only
  RSA keys end up in your authorized_keys file.  Don't even try
  putting DSA keys in your authorized_keys2 file, the use of that file
  has been disabled (and it'll be deleted anyway).

Could you explain the rationale for this? My impression was that DSA
was recommended over RSA.

It used to be that RSA was patented in the United States, and so only
DSA, DH, or ElGamal algorithms were appropriate for use in main.

Another reason DSA may be preferred is that it produces smaller
signatures than RSA.  The reason DSA is preferred over RSA for GnuPG
keys is because (AIUI) the keyring maintainers no longer accept v3 keys,
but only v4, which for a while meant that DSA was the only option.
(GnuPG now generates v4 RSA keys as well.)

Still another reason DSA may be preferred over RSA is that it is
conjectured that solving the hard problem underlying DSA (the
Diffie-Hellman Problem) is as difficult as computing discrete logarithms
(the Discrete Logarithm Problem), while the underlying hard problem for
RSA (the RSA Problem) is conjectured to be as difficult as the Factoring
Problem.  If one can solve the Discrete Logarithm Problem, then one can
factor, but the reverse is not true.  Thus, it is conjectured that DSA
is based on a harder problem than RSA.

There are reasons not to prefer DSA.  It has a short key size, usually
limited to 1024 bits, which is not enough for continued security.
Because all signatures are made in the field of q, a 160-bit prime, thus
making them no longer than 160 bits, brute-forcing the algorithm is
easier than with RSA.  Also, DSA absolutely requires a good random
number generator for every signature.  If the nonce is not chosen
randomly, it will leak bits of the key.  This is true for all discrete
logarithm algorithms.  Therefore, anyone who had a DSA key has had it
compromised, and RSA is just as good a choice for a new key.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature

Reply to: