RSA versus DSA / Protocol 1 versus Protocol 2

Dan Kaminsky dan at doxpara.com
Mon Feb 25 09:19:33 EST 2002


> > I would really appreciate a list of pros and cons of each algorithm, RSA -
> > DSA.
>
> Go buy a book.

I don't think any book actually refers to pros or cons of RSA vs. DSA for
SSH usage.  At one point, DSA was explicitly distrusted by the PuTTY
developers due to a severe weakness if badly implemented.  Quoting from
their FAQ:

===
A.7.3 How come PuTTY now supports DSA, when the website used to say how
insecure it was?
DSA has a major weakness if badly implemented: it relies on a random number
generator to far too great an extent. If the random number generator
produces a number an attacker can predict, the DSA private key is exposed -
meaning that the attacker can log in as you on all systems that accept that
key.

The PuTTY policy changed because the developers were informed of ways to
implement DSA which do not suffer nearly as badly from this weakness, and
indeed which don't need to rely on random numbers at all. For this reason we
now believe PuTTY's DSA implementation is probably OK. However, if you have
the choice, we still recommend you use RSA instead.

===

The pragmatic view of RSA vs. DSA:  RSA is faster, DSA is more deployed for
SSH2 use.  Using the same RSA key for SSH1 and SSH2 is, last I checked,
probably a cryptographic disaster.  In my mind, this is enough of a reason
to default to DSA.  (If nothing else, making key generation scripts fail
because we changed the syntax yet again is probably a bad idea.)

--Dan
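
The weakness the quoted FAQ describes, and the kind of RNG-free signing it alludes to, as an added example that is not part of the original message and is not PuTTY's or OpenSSH's code. The toy parameters, the function names and the HMAC-based nonce derivation are assumptions made for illustration (a simplified sketch of deterministic nonces, not the RFC 6979 construction).

```python
import hashlib
import hmac

# Toy domain parameters (constructed, textbook-sized; real DSA uses far larger p, q).
P, Q = 7879, 101                 # Q is prime and divides P - 1
G = pow(3, (P - 1) // Q, P)      # element of order Q in Z_P*

def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def det_nonce(x, msg, ctr):
    # k is a keyed hash of the message under the private key: no RNG at signing
    # time, and k stays unpredictable to anyone who does not already hold x.
    mac = hmac.new(x.to_bytes(2, "big"), msg + bytes([ctr]), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % (Q - 1) + 1

def sign(x, msg, k=None):
    """Sign msg with private key x. A caller-supplied k models RNG output."""
    for ctr in range(256):
        kk = k if k is not None else det_nonce(x, msg, ctr)
        r = pow(G, kk, P) % Q
        s = pow(kk, -1, Q) * (h(msg) + x * r) % Q
        if r and s:
            return r, s
        if k is not None:
            break
    raise ValueError("nonce gives r == 0 or s == 0")

def verify(y, msg, r, s):
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def x_from_known_nonce(msg, r, s, k):
    # s = k^-1 (h + x r) mod Q, so anyone who knows k can solve for x.
    # This is why a predictable k is equivalent to a disclosed private key.
    return (s * k - h(msg)) * pow(r, -1, Q) % Q

if __name__ == "__main__":
    x = 75                                   # constructed private key
    msg = b"constructed session identifier"
    r, s = sign(x, msg, k=50)                # k=50 stands in for a guessable RNG value
    print("predictable k exposes x:", x_from_known_nonce(msg, r, s, 50) == x)
    print("deterministic signature verifies:", verify(pow(G, x, P), msg, *sign(x, msg)))
```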