What's the difference between id_rsa.pub and id_dsa.pub?

encryption ssh rsa public-key-encryption dsa
84,730

Solution 1

id_rsa.pub and id_dsa.pub are the public keys for id_rsa and id_dsa.

If you are asking in relation to SSH, id_rsa is an RSA key and can be used with the SSH protocol 1 or 2, whereas id_dsa is a DSA key and can only be used with SSH protocol 2. Both are very secure, but DSA does seem to be the standard these days (assuming all your clients/servers support SSH 2).

Update: Since this was written DSA has been shown to be insecure. More information available in the answer below.

Solution 2

SSH uses public/private key pairs, so id_rsa is your RSA private key (based on prime numbers), which is more secure than your id_dsa DSA private key (based on exponents). Keep your private keys safe and share your id_rsa.pub and id_dsa.pub public keys broadly.

DSA is insecure

DSA has a guessable parameter if your computer's random number generator is sub par, which will reveal your secret key. ECDSA (DSA's elliptical curve upgrade) is similarly vulnerable. Even with good random numbers, DSA has other strength concernsPDF/🎬 (these are also found in Diffie-Hellman).

OpenSSH creates insecure 1024 bit keys(workaround) and now disables DSA by default.

Use Ed25519 when possible

Elliptic curve cryptography offers increased complexity with smaller key sizes. Ed25519 (based on the complexity of plane-modeled elliptical curves) is the preferred implementation due to its assumed lack of meddling (leaked documents show that the US NSA weakens crypto standards).

Unfortunately, Ed25519 is still rather new, requiring OpenSSH 6.5 or GnuPG 2.1 (see the full list).

Use RSA with 4096 bits when Ed25519 is unavailable

RSA key sizes of 4096 bits should have comparable complexity to Ed25519.

Ed25519 is still preferred to RSA due to a worry that RSA may be vulnerable to the same strength concerns as DSA, though applying that exploit to RSA is expected to be considerably harder.

Solution 3

rsa is considered more secure.

Not anymore (May 2020, ten years later), with OpenSSH 8.2, as reported by Julio

Future deprecation notice

It is now possible1 to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K.
For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.

(See "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) )

This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.

The better alternatives include:

  • The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512.
    These algorithms have the advantage of using the same key type as "ssh-rsa", but use the safe SHA-2 hash algorithms.
    These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.

  • The ssh-ed25519 signature algorithm.
    It has been supported in OpenSSH since release 6.5.

  • The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521.
    These have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key algorithm for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list:

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded.

A future release of OpenSSH will enable UpdateHostKeys by default to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually.

Solution 4

Yes, rsa is considered more secure.

In October 2014, OpenSSH 7 (the default with Ubuntu 16.04LTS) has disabled default support for DSA. Take this as a strong sign that DSA is not a recommended method anymore.

https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

Share:
84,730

Related videos on Youtube

Andrew
Author by

Andrew

Updated on September 27, 2021

Comments

  • Andrew
    Andrew over 2 years

    Is one more secure than the other?

  • David Larrabee
    David Larrabee almost 14 years
    assuming you are just using the default names (which logically that looks like it), theatrus hit it right on the head.
  • Adam Katz
    Adam Katz almost 9 years
    I must disagree with this. Today (and, though to a lesser extent, also in 2010 when this was posted), 1024 bits (the largest key size available to DSA) is considered too weak. Therefore, RSA is the better option. As to SSH v1: I didn't consider this secure ten years ago.
  • Mike Pelley
    Mike Pelley almost 9 years
    @AdamKatz DSA has supported support 2048-bit and 3072-bit keys since 2009 (as per FIPS 186-3). Most ssh clients/servers support larger DSA keys including OpenSSH and PuTTY. Most key generators also support larger DSA keys, but ssh-keygen from OpenSSH still does not (even though both ssh and sshd do). For Linux, you can generate larger DSA keys using OpenSSL as described in this blog post.
  • Mike Pelley
    Mike Pelley almost 9 years
    Just one correction: DSA has supported 2048-bit and 3072-bit keys since 2009 (as per FIPS 186-3). More information in my comment above.
  • Adam Katz
    Adam Katz almost 9 years
    Interesting! I hadn't known that, and that certainly helps level the field between the two (though the lack of OpenSSH support is pretty damning). Still, I wouldn't say that DSA is the standard (either now or in 2010), while RSA absolutely is (and we're transitioning to elliptical curve systems like Ed25519).
  • Adam Katz
    Adam Katz over 8 years
    Infosec SE has a nice answer to this question that goes into more depth. It cites a Black Hat 2013 talk that suggests DSA is no longer secure, even at larger key sizes.
  • Adam Katz
    Adam Katz over 8 years
    I've updated this answer to be more comprehensive about the issues with DSA. It is now more detailed than the (equally valid) Infosec SE answer. There's even more detail when you hover your mouse over some of the links.
  • akauppi
    akauppi almost 8 years
    You did not answer the real part of the question: which is more secure. Downvoting since this was the topmost answer. Does not need to be.
  • lilHar
    lilHar over 4 years
    This post taught me so much, needs so much more upvotes.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Java ssh-rsa string to public key
How to set PKCS1 v1.5 padding to RSA in Dart?
RSA Implementation in C#
encrypting and decryption large file using rsa in java
Create .pem file for public key RSA encryption C# .net
Convert single line RSA private ssh key to multi line
When trying to convert an SSH file, I got this error: Couldn't load private key (SSH-2 public key (OpenSSH format))
Command line not letting me type password in PuTTY
Best encryption and signing algorithm for GnuPG: RSA/RSA or DSA/Elgamal?
How does SSH encryption work?