Comparing RSA, DSA, and ECDSA Key Types in SSH

SSH employs various cryptographic key types including RSA, DSA, ECDSA, and Ed25519. Each type utilizes distinct mathematical principles and offers different performance characteristics.

The following output shows typical SSH host key files present on a system:

-rw------- 1 root root    607 Oct  4 22:43 ssh_host_dsa_key
-rw-r--r-- 1 root root    623 Oct  4 22:43 ssh_host_dsa_key.pub
-rw------- 1 root root    241 Oct  4 22:43 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    194 Oct  4 22:43 ssh_host_ecdsa_key.pub
-rw------- 1 root root   1602 Oct  4 22:43 ssh_host_rsa_key
-rw-r--r-- 1 root root    378 Oct  4 22:43 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root    411 Oct  4 22:43 ssh_host_id_ed25519
-rw-r--r-- 1 root root    103 Oct  4 22:43 ssh_host_id_ed25519.pub

These represent keys generated using different cryptographic methods. When establishing an SSH connection, the server presents its public key, which the client uses to encrypt data sent to the server. If the server is configured to use RSA, it will utilize an RSA-generated key pair.

The client responds with its own public RSA key from the listed key files. This ensures secure communication back to the client.

All these keys coexist on the system because servers may be configured to accept connections via any of these algorithms. The client sends the appropriate key based on what the server supports.

Key Details:

  • RSA, DSA, ECDSA, EdDSA, and Ed25519 are all used for digital signatures; however, only RSA also supports encryption.
  • RSA (Rivest–Shamir–Adleman) is among the earliest public-key cryptosystems. Its security is based on the difficulty of factoring large integers, making it resilient to poor random number generators (RNGs). RSA has faster signature verification compared to DSA but slower key generation.
  • DSA (Digital Signature Algorithm) is a federal standard for digital signatures. It relies on the discrete logarithm problem. While DSA generates signatures faster than RSA, verification is slower. Security can be compromised if a weak RNG is used.
  • ECDSA (Elliptic Curve Digital Signature Algorithm) is the elliptic curve variant of DSA. It provides equivalent security to RSA with much smaller keys. Like DSA, it is sensitive to poor RNG quality.
  • EdDSA (Edwards-curve Digital Signature Algorithm) is a digital signature scheme using Schnorr signature variants over twisted Edwards curves. Signatures in EdDSA are deterministic and secure against weaknesses related to randomness in DSA and ECDSA.
  • Ed25519 is a specific implementation of EdDSA using SHA-512/256 and Curve25519. It offers superior security and performance compared to DSA, ECDSA, and EdDSA.

Additional Notes:

  • RSA remains the most widely supported key type, ensuring broad compatibility.
  • ECDSA, introduced in OpenSSH v5.7, is computationally lighter than DSA but the difference is negligible on modern hardware.
  • Starting with OpenSSH 7.0, DSA key support was deprecated due to known vulnerabilities. Therefore, the available options are RSA or one of the ECC-based algorithms.
  • Ed25519 was introduced in OpenSSH 6.5.

Conclusion:

  1. SSH supports four primary key types: DSA, RSA, ECDSA, and Ed25519.
  2. Based on mathematical foundations, these can be grouped into two categories: RSA and DSA on one side, and ECDSA and Ed25519 on the other. The latter group represents more advanced cryptography.
  3. DSA is considered insecure and is no longer recommended.
  4. ECDSA faces political and technical concerns, making it less advisable.
  5. RSA maintains the highest compatibility and is the default when generating keys with ssh-keygen. However, small key sizes (e.g., 1024 bits) pose security risks. A minimum key size of 3072 bits is advised.
  6. Ed25519 is the most secure and efficient key type currently available. It uses shorter keys than RSA while offering better performance and security. Compatibility issues may arise with older SSH implementations.
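The recommendations above (reject DSA, require at least 3072-bit RSA, treat ECDSA with caution, prefer Ed25519) can be applied mechanically to .pub or authorized_keys lines by decoding the base64 key blob: its wire format starts with the key type as a length-prefixed string, and for RSA the modulus follows as an mpint, so the bit length can be read without ssh-keygen. This is an added example, not code from the original post; the policy function and the make_pub_line helper that constructs sample input are assumptions of this example.

```python
import base64
import struct

# Policy from the article: DSA rejected, RSA must be >= 3072 bits,
# ECDSA warned about, Ed25519 preferred. All helper names are assumptions.
MIN_RSA_BITS = 3072

def ssh_string(b):
    """Encode one SSH 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(i):
    """Encode a non-negative int as an SSH mpint (extra leading zero keeps sign bit clear)."""
    return ssh_string(i.to_bytes((i.bit_length() + 8) // 8, "big"))

def read_string(blob, off):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def rsa_modulus_bits(blob):
    """RSA public blob layout: string "ssh-rsa", mpint e, mpint n; return bits of n."""
    _, off = read_string(blob, 0)        # key type
    _, off = read_string(blob, off)      # public exponent e
    n_bytes, _ = read_string(blob, off)  # modulus n
    return int.from_bytes(n_bytes, "big").bit_length()

def assess_pubkey(line):
    """Classify one .pub / authorized_keys line as ('ok'|'warn'|'reject', reason)."""
    fields = line.split()
    if len(fields) < 2:
        return ("reject", "unparseable line")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        blob_type, _ = read_string(blob, 0)
        if blob_type.decode() != key_type:
            return ("reject", "type field does not match the key blob")
        if key_type == "ssh-dss":
            return ("reject", "DSA is disabled by default since OpenSSH 7.0")
        if key_type == "ssh-rsa":
            bits = rsa_modulus_bits(blob)
            if bits < MIN_RSA_BITS:
                return ("reject", f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
            return ("ok", f"RSA {bits} bits")
    except (ValueError, struct.error):  # bad base64, short blob, non-UTF-8 type
        return ("reject", "malformed key blob")
    if key_type.startswith("ecdsa-sha2-"):
        return ("warn", "ECDSA signatures depend on per-signature randomness")
    if key_type == "ssh-ed25519":
        return ("ok", "Ed25519")
    return ("warn", f"unrecognised key type {key_type}")

def make_pub_line(key_type, *parts):
    """Constructed test input: assemble a .pub line from a type and pre-encoded parts."""
    blob = ssh_string(key_type.encode()) + b"".join(parts)
    return key_type + " " + base64.b64encode(blob).decode() + " constructed@example"
```

The dummy moduli built with make_pub_line are only the right size, not real RSA keys; point assess_pubkey at real .pub lines to audit a host.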

In summary:

Prefer Ed25519 if possible; otherwise, RSA is acceptable.

Example command to generate an Ed25519 key:

$ ssh-keygen -t ed25519

Tags: ssh rsa dsa ecdsa ed25519

Posted on Sun, 10 May 2026 23:35:54 +0000 by blommer