- What is the difference between the RSA, DSA, and ECDSA keys that ssh uses?
- How to generate RSA private and public keys in your PC
- What is encryption?
- What is RSA?
- How the RSA algorithm works
- Encrypting data with the public key
- Encrypting data with the private key
- RSA private key size consideration
- How to create RSA private and public keys
- How to generate private and public keys on Linux
- How to generate private and public keys in Windows
- Related Articles
What is the difference between the RSA, DSA, and ECDSA keys that ssh uses?
Do you need all of them?
No, your ssh server only needs one and the client only needs to support that one type of key for ssh connections.
RSA, DSA, ECDSA, EdDSA, & Ed25519 are all used for digital signing, but only RSA can also be used for encrypting.
RSA (Rivest–Shamir–Adleman)is one of the first public-key cryptosystems and is widely used for secure data transmission. It’s security relies on integer factorization, so a secure RNG (Random Number Generator) is never needed. Compared to DSA, RSA is faster for signature validation but slower for generation.
DSA (Digital Signature Algorithm) is a Federal Information Processing Standard for digital signatures. It’s security relies on a discrete logarithmic problem. Compared to RSA, DSA is faster for signature generation but slower for validation. Security can be broken if bad number generators are used.
ECDSA (Elliptical curve Digital Signature Algorithm) is an Elliptic Curve implementation of DSA (Digital Signature Algorithm). Elliptic curve cryptography is able to provide the relatively the same level of security level as RSA with a smaller key. It also shares the disadvantage of DSA of being sensitive to bad RNGs.
EdDSA (Edwards-curve Digital Signature Algorithm) is a digital signature scheme using a variant of Schnorr signature based on Twisted Edwards curves. Signature creation is deterministic in EdDSA and its security is based on the intractability of certain discrete logarithm problems, so it’s safer than DSA & ECDSA which requires high quality randomness for each and every signature.
Ed25519, is the EdDSA signature scheme, but using SHA-512/256 and Curve25519; it’s a secure elliptical curve that offers better security than DSA, ECDSA, & EdDSA, plus has better performance (not humanly noticeable).
Other notes
RSA keys are the most widely used, and so seem to be the best supported.
ECDSA, (introduced in OpenSSH v5.7), is computationally lighter than DSA, but the difference isn’t noticeable unless you have a machine with very low processing power.
As of OpenSSH 7.0, SSH no longer supports DSA keys (ssh-dss) by default. A DSA key used to work everywhere, as per the SSH standard (RFC 4251 and subsequent).
Ed25519 was introduced in openSSH 6.5.
How to generate RSA private and public keys in your PC
In this article, you will learn what data encryption is, what RSA data encryption algorithm is, how it works and how to generate a pair of RSA private and public keys in your PC using the OpenSSL library in your Linux terminal or Windows command prompt.
What is encryption?
Encryption is the process of securing data by encoding it mathematically into an unreadable format known as ciphertext.
It is a data security practice for protecting sensitive information from being read by unauthorized parties.
An encrypted data will appear scrambled and meaningless to anyone who tries to view read it and must be decrypted to be read and make sense.
There exist various cryptographic algorithms for doing data encryption such as the DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), AES (Advanced Encryption Standard), RC4, and RSA (Rivest, Shamir, and Adleman) encryption among others. In this article, we put our focus on the RSA algorithm.
What is RSA?
RSA is the most popular and widely used asymmetric encryption algorithm available to the public. It also happens to be the very first asymmetric encryption algorithm.
Its name is derived from the surnames of the three mathematicians (Rivest, Shamir, and Adleman) who invented it.
RSA is considered an asymmetric algorithm due to its use of a pair of keys. Asymmetric encryption uses a key pair (private and public keys) that is mathematically linked to encrypt and decrypt data.
As their names suggest, a public key is shared publicly, while a private key is secret and known only by the key pair creator (it must not be shared with anyone).
How the RSA algorithm works
In RSA, either of the keys can encrypt the data, while the other key decrypts it. If for instance the public key is used for encryption, the private key must be used to decrypt the data.
Encrypting data with the public key
This is very applicable especially when sending sensitive data across a network such as the Internet. In such a case, the recipient of the data shares their public key with the sender.
The sender then encrypts the data using the public key and sends it to the recipient. Since the data was encrypted with the public key, it can only be decrypted using the private key.
Since the private key is kept secret by the data recipient, only him/her can decrypt that data. Even if a hacker accesses the data while in transit, they can’t read it, and thus it is secure.
Encrypting data with the private key
Alternatively, the data can be encrypted using the private key. Using the above example, the sender of the data encrypts it using their private key and sends the ciphertext (encrypted data) together with the public key to the recipient.
The recipient can then decrypt the data using the shared public key. The data can be read in transit using this method. The purpose of this method is not to prevent data from being read, but to verify the identity of the sender.
Since only the sender has the private key in this case, if a person accessed, decrypted, and modified the data in transit, they won’t be able to encrypt the data in a way that the recipient public key can decrypt it (since they don’t have the encrypting private key). Hence the recipient would know the data had been modified in transit.
The RSA algorithm is based on the fact that it is easy to generate a number by multiplying two large numbers, but extremely difficult to factorize that number back into the original prime numbers. The two keys are derived from two numbers, one of which is a multiplication of two large prime numbers. They both use the same two prime numbers to compute their value.
RSA private key size consideration
If somebody can factorize the large number, the private key is compromised. The encryption strength in RSA, therefore, relies on the key size. The larger the key size, the stronger the encryption.
You can therefore specify the private key size from the four options when creating it.
Though keys from 1024 bits in length are considered strong, experts believe that 1024 bit keys could be broken in the near future. I recommend you use from 2048 bits length.
How to create RSA private and public keys
We will focus on creating the keys using the OpenSSL library.
OpenSSL is a robust open-source software library/toolkit for general-purpose cryptography and secure communication.
OpenSSL allows users to perform various SSL related tasks, such as CSR (Certificate Signing Request) and private keys generation and SSL certificate installation.
It is available for Linux, Windows, macOS, and BSD systems. It comes pre-compiled in most Linux distributions. If you are on Windows, you will need to first install it.
How to generate private and public keys on Linux
Open the terminal of your Linux distribution.
Navigate to the directory where you want to generate the RSA keys using the cd command. Alternatively, you can right-click on the folder in which you want to create the keys and select the «Open in terminal» option to open the terminal on that directory.
Type the command below and hit enter to generate the private key.
Once the above command is executed successfully, a file named «privatekey.pem» will be created on your present directory. The «2048» above specifies the private key size. You can modify it accordingly depending on your required size.
Proceed to export the public key from the key pair generated using the command below.
Another file named «publickey.pem» will be created in the directory. Below is the screenshot of the two files created in my directory from the commands above.
On opening the files, the private key (privatekey.pem) looks as shown below:
A public key (publickey.pem) looks as shown below:
How to generate private and public keys in Windows
As I mentioned earlier, you need to make sure the OpenSSL library is installed in your Windows PC (as it is not installed by default), or else it will fail to generate the RSA keys and give the error below.
Once you have installed it, open the command prompt.
Use the cd command to navigate to the directory in which you want to create the keys.
Once in the directory of your choice in cmd, use the following command to generate an RSA private key.
On successful execution of the above command, a file named «privatekey.pem» will be created on your present directory.
Export the public key from the key pair generated using the command below.
On successful execution, a new file named «publickey.pem» will be created on your present directory. Now you will be having two files for the two keys as shown below.
The private key should be kept secret and should never be shared. On the other hand, the public key can be shared or embedded in application scripts.
I also highly recommend that you should back up the keys. If by any chance you lose these keys, just forget the encrypted data as well.