Re: When rsa vs dsa
From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 01/23/04
- Next message: Jared: "scp in a multi-piped command?"
- Previous message: Gary Armstrong: "When rsa vs dsa"
- In reply to: Gary Armstrong: "When rsa vs dsa"
- Next in thread: Simon Tatham: "Re: When rsa vs dsa"
- Reply: Simon Tatham: "Re: When rsa vs dsa"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Jan 2004 20:36:41 GMT
Gary Armstrong <garyarm_remThis_at_testedgeinc.com> writes:
> Yep brand new and no clue about the issue.
>
> I'm setting up openssh and know zip about cryptology (hope this is the
> correct word). I've read that I can generate both types of keys. Is
> there some reason, I'd want to use one over the other?
one of the issues used to have to do with hardware tokens. dsa
includes generation of a random number as part of the signing process,
poor random number generation can allow the private key to be
recovered. for quite a while, the crop of available hardware tokens
had really bad random number generation ... which resulted in dsa
private keys being extremely vulnerable (with dsa implemented in those
environments).
rsa didn't have the same vulnerability ... although there is frequently
a requirement for a random number NONCE in rsa-signed messages.
RSA signature of a 20-byte SHA-1 is 20 bytes ... plus the size of
the message plus frequently a 20-byte random number NONCE contained in
the body of the message ... effectively message length plus 40 bytes
(20 byte signature plus 20 byte nonce).
DSA signature of 20-byte SHA-1 is 40 bytes ... plus the size of the
message ... which is message length plus 40 byte DSA signature.
in any case, infrastructures that wanted to be agnostic with respect
to hardware token and software implementations might have tended to go
with RSA (eliminating the private key vulnerability dependent on
hardware token quality random number generation as part of the signing
process).
more recent crop of hardware tokens tend to have higher quality random
number generators ... sufficient for doing both on-chip key generation
as well as DSA (and/or ECDSA) signing.
DSA ... FIPS186-2 reference:
http://csrc.nist.gov/cryptval/dss.htm
SHA ... fips180 reference:
http://csrc.nist.gov/cryptval/shs.html
-- Anne & Lynn Wheeler | http://www.garlic.com/~lynn/ Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
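As an added example (not part of this post, OpenSSH or any token vendor's code), a toy DSA in Python that makes the nonce dependence above concrete: the raw signing step takes k from outside, `sign` instead derives k deterministically from the private key and the message (the idea later standardised in RFC 6979) so the signer's RNG is out of the picture, and `repeated_r` flags the symptom of a stuck RNG, two signatures under one key sharing r. The group parameters p=23, q=11, g=4 and all key and digest values are constructed and far too small for real use.

```python
import hashlib
import hmac

# Constructed toy DSA group: q=11 divides p-1=22 and g=4 has order q mod p.
# Real DSA uses p of 1024+ bits and q of 160+ bits (FIPS 186); never use these.
P, Q, G = 23, 11, 4

def h(msg: bytes) -> int:
    """SHA-1 of the message, reduced into Z_q (q is toy-sized here)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q

def sign_with_nonce(x: int, e: int, k: int):
    """Raw DSA signing of digest value e; x stays private only if k is secret and never reused."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (e + x * r) % Q
    return r, s

def deterministic_nonce(x: int, msg: bytes, counter: int) -> int:
    """k from the private key and message (RFC 6979 idea, simplified): no RNG involved."""
    mac = hmac.new(x.to_bytes(4, "big"), msg + counter.to_bytes(4, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % Q

def sign(x: int, msg: bytes):
    e = h(msg)
    for counter in range(256):
        k = deterministic_nonce(x, msg, counter)
        if k == 0:
            continue
        r, s = sign_with_nonce(x, e, k)
        if r and s:  # FIPS 186 requires a new k when r or s comes out 0
            return r, s
    raise RuntimeError("no usable nonce found")

def verify_digest(y: int, e: int, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return (pow(G, e * w % Q, P) * pow(y, r * w % Q, P) % P) % Q == r

def verify(y: int, msg: bytes, sig) -> bool:
    return verify_digest(y, h(msg), sig)

def repeated_r(sigs):
    """Signatures under one key that share r share k (the stuck-RNG symptom); return those r."""
    seen, dups = set(), set()
    for r, _ in sigs:
        (dups if r in seen else seen).add(r)
    return dups
```

With private key x=7 (public y=g^7 mod p=8), signing two different digests with the same fixed k=3 yields (7, 7) and (7, 1): both verify, and the shared r=7 is exactly what `repeated_r` reports.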