It appears they are both encryption algorithms that require public and private keys. Why would I pick one versus the other to provide encryption in my client server application?
- [3] As mentioned by [henri](http://stackoverflow.com/users/126294/henri), DSA isn't for encryption, just signing. – Samveen Aug 21 '13 at 10:01
- Possible duplicate of [What's the difference between id\_rsa.pub and id\_dsa.pub?](http://stackoverflow.com/questions/2821736/whats-the-difference-between-id-rsa-pub-and-id-dsa-pub) – Adam Katz Jan 05 '17 at 02:20
5 Answers
Check AVA's answer below.
My old answer seems wrong
- So does that mean if the amount of data to encrypt is large it will run faster using RSA? – WilliamKF May 15 '10 at 17:47
- [2] No, the other way around. DSA is faster in signing (which is mathematically more or less equal to encrypting), so if you have to encrypt a lot and decrypt often, DSA is faster. – Henri May 15 '10 at 18:06
- Lots of data to encrypt at the client side but it is only decrypted once at the server, so does DSA still win? – WilliamKF May 15 '10 at 18:24
- [30] DSA does not encrypt. Repeat, DSA does not encrypt. Here's a quiz: What does the "S" in DSA mean? – President James K. Polk May 16 '10 at 15:12
- [5] @GregS RSA being able to encrypt vs. DSA not being able to encrypt is mostly an issue of terminology. We call several different algorithms RSA, some of which sign (e.g. RSA-PSS), some of which encrypt (e.g. RSA-OAEP). But we gave every algorithm in group based crypto a different name, calling one of the encryption algorithms ElGamal encryption and calling one of the signature algorithms DSA. – CodesInChaos Oct 23 '13 at 12:40
- Please quote *references* from mailing lists, not the mailing lists themselves. 'Some person on the internet' is not a good source. – mikemaccana May 08 '15 at 19:45
RSA

RSA encryption and decryption are commutative, hence it may be used directly as a digital signature scheme. Given an RSA scheme {(e,R), (d,p,q)}:

- to sign a message M, compute: `S = M^d (mod R)`
- to verify a signature, compute: `M = S^e (mod R) = M^(e·d) (mod R) = M (mod R)`

RSA can be used both for encryption and digital signatures, simply by reversing the order in which the exponents are used: the secret exponent (d) to create the signature, the public exponent (e) for anyone to verify the signature. Everything else is identical.

DSA (Digital Signature Algorithm)

DSA is a variant on the ElGamal and Schnorr algorithms. It creates a 320 bit signature, but with 512-1024 bit security. It again rests on the difficulty of computing discrete logarithms, and has been quite widely accepted.

DSA Key Generation

Firstly, shared global public key values (p,q,g) are chosen:

- choose a large prime `p = 2^L`, where L = 512 to 1024 bits and is a multiple of 64
- choose q, a 160 bit prime factor of p-1
- choose `g = h^((p-1)/q)` for any h < p-1 such that `h^((p-1)/q) (mod p) > 1`

Then each user chooses a private key and computes their public key:

- choose x < q
- compute `y = g^x (mod p)`

DSA key generation is related to, but somewhat more complex than, ElGamal, mostly because of the use of the secondary 160-bit modulus q used to help speed up calculations and reduce the size of the resulting signature.

DSA Signature Creation and Verification

To sign a message M:

- generate random signature key k, k < q
- compute `r = (g^k (mod p)) (mod q)` and `s = k^-1 · (SHA(M) + x·r) (mod q)`
- send signature (r,s) with message

To verify a signature, compute:

- `w = s^-1 (mod q)`
- `u1 = (SHA(M) · w) (mod q)`
- `u2 = r · w (mod q)`
- `v = (g^u1 · y^u2 (mod p)) (mod q)`
- if v = r then the signature is verified

Signature creation is again similar to ElGamal with the use of a per message temporary signature key k, but doing the calculation first mod p, then mod q to reduce the size of the result. Note that the use of the hash function SHA is explicit here. Verification also consists of comparing two computations, again being a bit more complex than, but related to, ElGamal.

Note that nearly all the calculations are mod q, and hence are much faster.

But, in contrast to RSA, DSA can be used only for digital signatures.

DSA Security

The presence of a subliminal channel exists in many schemes (any that need a random number to be chosen), not just DSA. It emphasises the need for "system security", not just a good algorithm.

Btw, you cannot encrypt with DSA, only sign. Although they are mathematically equivalent (more or less) you cannot use DSA in practice as an encryption scheme, only as a digital signature scheme.
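The equations in the answer above, run end to end at textbook size, as an added example that is not part of the original answer. All parameters are constructed and deliberately tiny (RSA p=61, q=53, e=17; DSA p=607, q=101, h=2) so every step can be checked by hand; real keys use 2048-bit RSA moduli and FIPS 186 domain parameters. The hash is SHA-1 reduced mod q, a simplification of the standard's leftmost-bits rule, and the `H` parameter exists only so a fixed hash can be substituted when checking values by hand.

```python
"""Textbook-size RSA signing and DSA sign/verify, following the equations in
the answer above. Parameters are tiny and constructed for hand-checking;
real keys use 2048-bit RSA moduli and FIPS 186 domain parameters."""
import hashlib
import secrets


# ---------------- RSA: S = M^d (mod R), check S^e = M (mod R) ----------------
def rsa_keygen(p, q, e):
    """Return ((e, R), (d, p, q)) for the scheme {(e,R), (d,p,q)}."""
    R = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # d = e^-1 mod phi(R); needs Python 3.8+
    return (e, R), (d, p, q)


def rsa_sign(M, d, R):
    return pow(M, d, R)                 # S = M^d (mod R): secret exponent signs


def rsa_verify(M, S, e, R):
    return pow(S, e, R) == M % R        # S^e = M^(e*d) = M (mod R): public exponent checks


# ---------------- DSA: domain parameters (p, q, g), keys (x, y) --------------
def sha1_int(M):
    """SHA(M) as an integer; sign/verify reduce it mod q (toy simplification)."""
    return int.from_bytes(hashlib.sha1(M).digest(), "big")


def dsa_params(p, q, h):
    assert (p - 1) % q == 0, "q must be a prime factor of p-1"
    g = pow(h, (p - 1) // q, p)         # g = h^((p-1)/q) (mod p)
    assert g > 1, "pick another h"
    return p, q, g


def dsa_keygen(params, x):
    p, q, g = params
    assert 0 < x < q
    return x, pow(g, x, p)              # y = g^x (mod p)


def dsa_sign(M, x, params, k=None, H=sha1_int):
    """Return (r, s). k is the per-message secret; pass a fixed k only for hand-checks."""
    p, q, g = params
    while True:
        kk = secrets.randbelow(q - 1) + 1 if k is None else k
        r = pow(g, kk, p) % q                            # r = (g^k mod p) mod q
        s = (pow(kk, -1, q) * (H(M) % q + x * r)) % q    # s = k^-1 (SHA(M) + x r) mod q
        if r != 0 and s != 0:
            return r, s
        if k is not None:               # the standard retries with a fresh k
            raise ValueError("degenerate k, choose another")


def dsa_verify(M, sig, y, params, H=sha1_int):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):   # range check before any arithmetic
        return False
    w = pow(s, -1, q)                   # w = s^-1 (mod q)
    u1 = (H(M) % q * w) % q             # u1 = SHA(M) w (mod q)
    u2 = (r * w) % q                    # u2 = r w (mod q)
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q   # v = (g^u1 y^u2 mod p) mod q
    return v == r


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)
    S = rsa_sign(65, priv[0], pub[1])
    print("RSA ok:", rsa_verify(65, S, *pub), "tampered:", rsa_verify(66, S, *pub))

    params = dsa_params(607, 101, 2)    # constructed: 101 divides 606, g = 2^6 mod 607 = 64
    x, y = dsa_keygen(params, 5)
    sig = dsa_sign(b"pay 10", x, params)
    # with q = 101 a tampered message still passes about 1 time in 101; real q is 160+ bits
    print("DSA ok:", dsa_verify(b"pay 10", sig, y, params),
          "tampered:", dsa_verify(b"pay 99", sig, y, params))
```

The two halves make the answer's contrast concrete: `rsa_sign` and `rsa_verify` are the same modular exponentiation with the exponents swapped, while `dsa_sign` produces a pair (r, s) that `dsa_verify` can only check, never invert back to the message.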
With reference to `man ssh-keygen`, the length of a DSA key is restricted to exactly 1024 bit to remain compliant with NIST's FIPS 186-2. Nonetheless, longer DSA keys are theoretically possible; FIPS 186-3 explicitly allows them. Furthermore, security is no longer guaranteed with 1024 bit long RSA or DSA keys.
In conclusion, a 2048 bit RSA key is currently the best choice.
MORE PRECAUTIONS TO TAKE
Establishing a secure SSH connection entails more than selecting safe encryption key pair technology. In view of Edward Snowden's NSA revelations, one has to be even more vigilant than what previously was deemed sufficient.
To name just one example, using a safe key exchange algorithm is equally important. Here is a nice overview of current best SSH hardening practices.
- Some older versions of `ssh-keygen` allow for other bit sized keys as well (I myself use a 2048 bit DSA key generated using `ssh-keygen` on RHEL). – Samveen Aug 21 '13 at 09:56
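One way to act on the key-size guidance in the answer above is to audit the keys a server already trusts. The following is an added example, not code from the answer or from OpenSSH: it decodes `authorized_keys` / `id_*.pub` lines using the RFC 4253 `string` and `mpint` wire encodings, reads back the RSA modulus or the DSA prime p, and reports anything under 2048 bits. `ssh-keygen -l` reports the same bit length for real files; this shows where that number comes from. The sample lines are constructed in-line from placeholder integers of the right bit lengths and are not real key material.

```python
"""Audit OpenSSH public key lines for key type and size. Added example; the
wire format (RFC 4253 string/mpint) is real, the sample keys are constructed."""
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # Minimal big-endian two's complement: one extra 0x00 byte when the top bit is set.
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_pubkey_line(key_type: str, ints, comment="constructed") -> str:
    """Build one authorized_keys line: '<type> <base64 blob> <comment>'."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(i) for i in ints)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed field, refusing to run past the end of the blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string field")
    return blob[off:off + n], off + n


def parse_pubkey_line(line: str):
    """Return (key_type, bits): RSA modulus size, DSA prime p size, None if unknown."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    embedded, off = _read_string(blob, 0)
    if embedded.decode() != key_type:
        raise ValueError("key type field does not match encoded blob")
    if key_type == "ssh-rsa":                  # blob: string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return key_type, int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":                  # blob: string "ssh-dss", mpint p, q, g, y
        p, _ = _read_string(blob, off)
        return key_type, int.from_bytes(p, "big").bit_length()
    return key_type, None


def audit(lines, min_rsa_bits=2048):
    """Apply the answer's conclusion: DSA keys should be replaced, RSA needs >= 2048 bits."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_type, bits = parse_pubkey_line(line)
        if key_type == "ssh-dss":
            verdict = f"replace: DSA {bits}-bit"
        elif key_type == "ssh-rsa" and bits < min_rsa_bits:
            verdict = f"replace: RSA {bits}-bit < {min_rsa_bits}"
        elif key_type == "ssh-rsa":
            verdict = "ok"
        else:
            verdict = "unknown type, check manually"
        report.append((key_type, bits, verdict))
    return report


# Constructed sample file: the integers only have the right bit lengths, they
# are not primes, moduli or real public keys.
SAMPLE_LINES = [
    "# constructed authorized_keys",
    make_pubkey_line("ssh-rsa", [65537, (1 << 2047) | 0x10001], "ok-rsa-2048"),
    make_pubkey_line("ssh-rsa", [65537, (1 << 1023) | 0x10001], "weak-rsa-1024"),
    make_pubkey_line("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3], "dsa-1024"),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_LINES):
        print(*entry)
```

Run against a real `~/.ssh/authorized_keys`, `audit(open(path).read().splitlines())` lists the keys the answer would have you regenerate; the bit length reported is that of the modulus (RSA) or of p (DSA), which is the same figure `ssh-keygen -l` prints.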