[patch] ssh-keygen(1): by default generate ed25519 key (instead of rsa)

Ethan Rahn ethan.rahn at gmail.com
Thu Nov 10 11:09:53 AEDT 2022


The US government approved way to measure "how secure is this key" is
via security strength. NIST SP 800-57 Part 1 Rev. 5 Table 2 (
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
page 54) specifies different ways of comparing algorithms by security
strength.

Curve25519, which ed25519 uses, has an order of 2^252 + ${some_stuff} (
src: https://en.wikipedia.org/wiki/Curve25519 ) which makes it
comparable to a 3072 bit RSA key per the NIST guidelines.

I believe OpenSSH generates 2048 bit RSA keys by default so this would,
technically, be more secure. I make no comments on usability for legacy
clients ;)

Cheers,

Ethan

On Wed, Nov 9, 2022 at 3:21 PM Thomas Dwyer III <tomiii at tomiii.com> wrote:

> For what it's worth, the current RSA default is FIPS compliant. Although
> NIST included ed25519 in FIPS 186-5 and the public comment period closed
> more than two years ago, it's still in draft; 186-4 does not include
> ed25519 (it does include ecdsa though, with the curves that OpenSSH already
> supports).
>
>
> Tom.III
>
>
> On Sun, Nov 6, 2022 at 8:04 PM Damien Miller <djm at mindrot.org> wrote:
>
> > On Mon, 7 Nov 2022, Darren Tucker wrote:
> >
> > > On Mon, 7 Nov 2022 at 00:51, Job Snijders <job at openbsd.org> wrote:
> > > [...]
> > > > Perhaps now is a good time to make Ed25519 the default when invoking
> > > > ssh-keygen(1) without arguments?
> > >
> > > I don't think so.  Outside of DSA (which is REQUIRED in RFC4253 but is
> > > considered weak these days), RSA keys are the most widely supported
> > > key type and thus most likely to work in any given situation, which
> > > makes them an appropriate default.  If you know this is not the case
> > > for your environment, that's what "-t" is for.
> >
> > I don't mind using defaults to apply a little nudge towards better
> > algorithms. OpenSSH has supported ed25519 keys for almost a decade,
> > and RFC 8709 has been a standard for a couple of years.
> >
> > So I'm cautiously supportive of doing this.
> >
> > -d
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
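
An added example, not part of the original thread and not OpenSSH code: it parses OpenSSH public key lines and reports the security strength being compared above, using SP 800-57 Part 1 Table 2 for RSA modulus sizes and the roughly 128-bit level RFC 8032 gives for Ed25519. The function names are hypothetical, only `ssh-rsa` and `ssh-ed25519` are handled, and the sample lines are constructed blobs rather than real keys.

```python
import base64
import struct

# RSA modulus bits -> security strength (NIST SP 800-57 Part 1 Rev. 5, Table 2).
RSA_STRENGTH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]

def _read_string(blob, off):
    """Read one RFC 4251 string: uint32 big-endian length, then the bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("field runs past end of blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_strength(pubkey_line):
    """Return (key type, key size in bits, security strength in bits)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    name, off = _read_string(blob, 0)
    if name.decode("ascii", "replace") != fields[0]:
        raise ValueError("type label does not match the key blob")
    if fields[0] == "ssh-ed25519":
        key, _ = _read_string(blob, off)
        if len(key) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        return fields[0], 256, 128  # ~128-bit security level per RFC 8032
    if fields[0] == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent (mpint)
        n, _ = _read_string(blob, off)     # modulus (mpint, may have a leading 0x00)
        bits = int.from_bytes(n, "big").bit_length()
        strength = next((s for size, s in RSA_STRENGTH if bits >= size), 0)
        return fields[0], bits, strength
    raise ValueError("unsupported key type: " + fields[0])

# --- constructed sample input: structurally valid blobs, not real keys ---
def _mp(i):
    """Encode a positive integer as mpint payload bytes."""
    return i.to_bytes(i.bit_length() // 8 + 1, "big")

def make_line(ktype, *payloads):
    parts = (ktype.encode(),) + payloads
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return ktype + " " + base64.b64encode(blob).decode() + " constructed@example"

SAMPLE_RSA_2048 = make_line("ssh-rsa", _mp(65537), _mp((1 << 2047) | 1))
SAMPLE_RSA_3072 = make_line("ssh-rsa", _mp(65537), _mp((1 << 3071) | 1))
SAMPLE_ED25519 = make_line("ssh-ed25519", bytes(32))
```

A strength of 0 means the RSA modulus is below the smallest size the table lists (1024 bits).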

