Comparing SSH Keys – RSA, DSA, ECDSA, or EdDSA? | Teleport

This blog post was in the first place released on 08/26/20 .
What ’ mho worse than an insecure individual key ? An dangerous public key .
The “ dependable ” in secure shell comes from the combination of hash, symmetrical encoding, and asymmetrical encoding. together, SSH uses cryptanalytic primitives to safely connect clients and servers. In the 25 years since its establish, computing power and speeds in accordance with Moore ’ s Law have necessitated increasingly complicated low-level algorithm. This article will focus on asymmetrical keygen algorithm .
As of 2020, the most widely adopted algorithm are RSA, DSA, ECDSA, and EdDSA, but it is RSA and EdDSA that provide the best security and performance.

Encryption Within the SSH Protocol

SSH is used about universally to connect to shells on distant machines. The most authoritative part of an SSH seance is establishing a fasten connection. This happens in two broad steps :

  • Negotiation & Connection
  • Authentication

Negotiation & Connection

In arrange for an SSH seance to work, both customer and server must support the like interpretation of the SSH protocol. mod clients will support SSH 2.0, as SSH 1.0 has identified flaws. After coming to a consensus on which protocol version to follow, both machines negotiate a per-session symmetrical samara to encrypt the connection from the outside. Generating a symmetrical winder at this phase, when paired with the asymmetrical keys in authentication, prevents the entire seance from being compromised if a key is revealed. negotiation terms happen through the Diffie-Helman key substitution, which creates a shared mysterious key to secure the unharmed data stream by combining the private key of one party with the public samara of the early. These keys are different from the SSH keys used for authentication. For those interest in learning more about this measure, this comprehensive article, SSH Handshake Explained, is a great originate point .
shared secret creationFigure 1: Shared Secret Creation


After completing the negotiation and connection, a dependable and secure channel between the customer and waiter has been established. During the KEX, the client has authenticated the waiter, but the server has not so far authenticated the node. In most cases, public-key authentication is used by the customer. This method acting involves two keys, a public and secret cardinal. Either can be used to encrypt a message, but the other must be used to decrypt. This is what is meant by asymmetrical encoding. [ figure 2 ] If Bob encrypts a message with Alice ’ s public key, only Alice ’ s individual key can decrypt the message. This principle is what allows the SSH protocol to authenticate identity. If Alice ( node ) can decrypt Bob ’ s ( server ) message, then it proves Alice is in possession of the opposite individual cardinal. This is, in theory, how SSH keys authentication should work. unfortunately with the dynamic nature of infrastructure nowadays, SSH keys are increasingly shared or managed improperly, compromising its integrity. To learn more, read this article, How to SSH Properly .

Asymmetric Encryption Algorithms

What makes asymmetrical encoding mighty is that a individual samara can be used to derive a pair public key, but not the other way around. This principle is core to public-key authentication. If Alice had used a weak encoding algorithm that could be brute-forced by today’s march capabilities, a third base party could derive Alice ‘s individual key using her public key. Protecting against a threat like this requires careful survival of the right algorithm .
There are three classes of these algorithms normally used for asymmetrical encoding : RSA, DSA, and egg-shaped curve based algorithm. To by rights evaluate the strength and integrity of each algorithm, it is necessary to understand the mathematics that constitutes the kernel of each algorithm .

RSA: Integer Factorization

beginning used in 1978, the RSA cryptography is based on the declare belief that factoring big semi-prime numbers is unmanageable by nature. Given that no general-purpose formula has been found to factor a compound count into its prime factors, there is a direct kinship between the size of the factors chosen and the time required to compute the solution. In early words, given a number n=p\*q where p and q are sufficiently large prime numbers, it can be assumed that anyone who can factor n into its component parts is the only party that knows the values of p and q. The same logic exists for public and individual keys. In fact, p & q are necessary variables for the universe of a private key, and n is a variable for the subsequent public cardinal. This presentation simplifies RSA integer factorization. For those concern in learning more, cluck here .

DSA: Discrete Logarithm Problem & Modular Exponentiation

DSA follows a alike outline, as RSA with public/private keypairs that are mathematically related. What makes DSA unlike from RSA is that DSA uses a different algorithm. It solves an wholly different trouble using different elements, equations, and steps. While the discrete log problem is fun, it is out of scope for this post. What is significant to note is the habit of a randomly generated act, m, is used with signing a message along with a private key, k. This count m must be keep individual. More in this late .

ECDSA & EdDSA: Elliptic Curve Discrete Logarithm Problem

Algorithms using elliptic curves are besides based on the assumption that there is no by and large efficient solution to solving a discrete log problem. however, ECDSA/EdDSA and DSA differ in that DSA uses a mathematical operation known as modular exponentiation while ECDSA/EdDSA uses egg-shaped curves. The computational complexity of the discrete log problem allows both classes of algorithm to achieve the same degree of security as RSA with significantly smaller keys .
bitcoin elliptic curve calculate 3 – elliptic bend, Secp256k1 used in the Bitcoin protocol

Comparing Encryption Algorithms

Choosing the good algorithm depends on a few criteria :

  • Implementation – Can the experts handle it, or does it need to be rolled?
  • Compatibility – Are there SSH clients that do not support a method?
  • Performance – How long will it take to generate a sufficiently secure key?
  • Security – Can the public key be derived from the private key? (The use of quantum computing to break encryption is not discussed in this article.)


Implementation RSA libraries can be found for all major languages, including in-depth libraries ( JS, Python, Go, Rust, C ) .
Compatibility custom of SHA-1 ( OpenSSH ) or populace keys under 2048-bits may be unsupported .
Performance Larger keys require more time to generate.
Security specialized algorithm like Quadratic Sieve and General Number Field Sieve exist to factor integers with specific qualities .

Time has been RSA ’ s greatest ally and greatest enemy. First published in 1977, RSA has the widest support across all SSH clients and languages and has rightfully stood the test of time as a authentic key generation method acting. subsequently, it has besides been subject to Moore ’ randomness Law for decades and identify bit-length has grown in size. According to NIST standards, achieving 128-bit security requires a key with length 3072 bits whereas other algorithm use smaller keys. Bit security system measures the phone number of trials required to brute-force a key. 128 spot security means 2128 trials to break .
RSA key bit-length figure 4 – national institute of standards and technology 2020 Recommendations for RSA winder bit-length ( Factoring Modulus )


Implementation DSA was adopted by FIPS-184 in 1994. It has ample representation in major crypto libraries, like to RSA .
Compatibility While DSA enjoys accompaniment for PuTTY-based clients, OpenSSH 7.0 disables DSA by default option .
Performance significant improvement in key coevals times to achieve comparable security strengths, though commend bit-length is the lapp as RSA .
Security DSA requires the use of a randomly generated irregular and secret value that, if discovered, can reveal the individual keystone .

Recall earlier in the article :

“ What is crucial to note is the use of a randomly generated number, m, is used with signing a message along with a private key, k. This numeral m must be kept privately. ”
The rate m is meant to be a time being, which is a alone value included in many cryptanalytic protocols. however, the extra conditions of unpredictability and privacy makes the time being more akin to a key, and therefore highly important .
not alone is it unmanageable to ensure genuine randomness within a machine, but improper execution can break encoding. For example :

  1. Android ’ s Java SecureRandom class was known to create colliding R values. In other words, the class reused some randomly generated numbers. This exposed a number of different Android-based Bitcoin wallets to having their individual keys stolen. The requirements of the time being m means that any two instances with the like time being value could be reverse engineer and reveal the secret keystone used to sign transactions .
  2. Taking this a step far, fail0verflow discovered the private key used to sign firmware updates for the Sony Playstation 3. In other words, programmers could write their own code, sign it with the reveal private key, and run it on the PS3. As it turns out, Sony was using the lapp random number to sign each message .


The two examples above are not entirely earnest. Both Sony and the Bitcoin protocol use ECDSA, not DSA proper. ECDSA is an elliptic curve implementation of DSA. functionally, where RSA and DSA require key lengths of 3072 bits to provide 128 bits of security, ECDSA can accomplish the same with only 256-bit keys. however, ECDSA relies on the same level of randomness as DSA, so the only amplification is speed and length, not security .
In response to the coveted speeds of elliptic curves and the undesired security risks, another class of curves has gained some notoriety. EdDSA solves the lapp discrete logarithm problem as DSA/ECDSA, but uses a different family of egg-shaped curves known as the Edwards Curve ( EdDSA uses a writhe Edwards Curve ). While offering rebuff advantages in accelerate over ECDSA, its popularity comes from an improvement in security. rather of relying on a random number for the time being measure, EdDSA generates a time being deterministically as a hashish making it collision repellent .
Taking a footstep back, the use of egg-shaped curves does not mechanically guarantee some charge of security. not all curves are the same. only a few curves have made it past rigorous testing. fortunately, the PKI diligence has lento come to adopt Curve25519 in especial for EdDSA. Put together that makes the public-key signature algorithm, Ed25519 .

Implementation EdDSA is reasonably newfangled. Crypto++ and cryptlib do not presently support EdDSA .
Compatibility compatible with newer clients, Ed25519 has seen the largest borrowing among the Edward Curves, though NIST besides proposed Ed448 in their recent conscription of SP 800-186 .
Performance Ed25519 is the fastest do algorithm across all metrics. As with ECDSA, populace keys are twice the length of the coveted bit security .
Security EdDSA provides the highest security degree compared to key distance. It besides improves on the insecurities found in ECDSA .

RSA vs. DSA vs. ECDSA vs. EdDSA

Below we list the common differences between RSA, DSA, ECDSA, and EdDSA algorithm :

Popularity Most widely implemented and supported. Its notorious security history makes it less popular. Fairly new but not as popular as EdDSA. Fairly new but favoured by most modern cryptographic librabries.
Performance Larger keys require more time to generate. Faster for signature generation but slower for validation. Public keys are twice the length of the desired bit security. EdDSA is the fastest performing algorithm across all metrics.
Security Specialized algorithms like Quadratic Sieve and General Number Field Sieve exist to factor integers with specific qualities. DSA requires the use of a randomly generated unpredictable and secret value that, if discovered, can reveal the private key. Vulnerable if pseudo random number aren’t cryptographically strong. EdDSA provides the highest security level compared to key length. It also improves on the insecurities found in ECDSA.

How to generate SSH keys with RSA, DSA, ECDSA, or EdDSA?

RSA is the default key character when generated using the ssh-keygen command. To generate SSH keys with given algorithm type, supply -t flag to ssh-keygen command. Below is an exemplar of generating ed25519 key :

$ ssh-keygen -t ed25519 -C  `` alone name to identify this key. ''

Both public and private keys ( ssh key pair ) are generated with the above instruction. The private key never leave user ‘s calculator, and the public cardinal is stored in the server ‘s authorized_keys file .
The SSH key fingerprint can be checked with the following command :

$ ssh-keygen -l -f 

For more details, learn how to generate SSH keys .


When it comes down to it, the option is between RSA 2048/4096 and Ed25519 and the tradeoff is between performance and compatibility. RSA is universally supported among SSH clients while EdDSA performs much faster and provides the same level of security system with significantly smaller identify. Peter Ruppel puts the solution succinctly :

The short circuit answer to this is : arsenic long as the key forte is good adequate for the foreseeable future, it does n’t actually matter. Because here we are considering a signature for authentication within an SSH school term. The cryptanalytic lastingness of the key signature equitable needs to withstand the stream, state-of-the-art attacks .

  • Ed25519 for SSH

merely don ’ t manipulation ECDSA/DSA !

Certificates better than keys

Although keys are a relatively plug authentication method acting for SSH when compared with password-based authentication, keys create an equal sum of functional and security operating expense on the presidency side. Key rotation and key annulment remain a challenge that can be resolved using certificate-based authentication. Teleport offers SSH certificate-based access solution with extra benefits of audited account log, seance record, and RBAC for SSH. Teleport is open source and can be used as a drop successor for OpenSSH servers. Learn why certificates are better than keys for SSH and get started with Teleport today – hypertext transfer protocol : //

generator :
Category : crypto topics

Leave a Reply

Your email address will not be published.