[openssl-users] More secure use of DSA?

Jeffrey Walton noloader at gmail.com
Sun Sep 4 00:37:50 UTC 2016


On Fri, Sep 2, 2016 at 11:50 AM, Leam Hall <leamhall at gmail.com> wrote:
> Thanks to Matt Caswell for helping me fix the DSA question. His solution,
> based of the information I provided, was:
>
>         openssl genpkey -genparam -algorithm DSA -pkeyopt \
>           dsa_paramgen_bits:2048 -out dsa.params
>
>         openssl genpkey -paramfile dsa.params -out dsa.key
>
> Which leads to my next question. For general application and ssh level
> defense, is 2048 the right bit amount? Is there a reason not to go to 4096
> absent very high request counts? Are there other security flags I should
> use?


Security levels are the way to compare different algorithms. With some
hand waving, it's a way to normalize the security provided by an
algorithm. As cryptanalysis progresses on an algorithm, the security
level usually drops. The naive attack is brute force, but sometimes
that's the best known attack.

2048-bit RSA and DSA provide about 112 bits of security. AES-128
provides about 126 bits of security; AES-256 provides about 256 bits
of security. SHA-1 provides about 80 bits of theoretical security due
to the birthday attack, but it's closer to 64 bits in practice due to
Stevens' attacks (Hash Clash, http://marc-stevens.nl/research/). MD5
provided about 64 bits of theoretical security, but it's much less now
(http://www.win.tue.nl/hashclash/rogue-ca/). There are tables of
security levels from various standards groups. See, for example,
SP800-57, SP800-131, ECRYPT II Yearly Report on Algorithms and Key
Sizes, etc.

You often need to match security levels throughout your system. For
example, if you are Key Agree'ing or Key Transporting to transport an
AES-128 key (128 bits of security), then you _don't_ want to use an RSA
1024-bit modulus (80 bits of security). Obviously, you don't attack
AES with 128 bits of security; rather, you attack the 80 bits of
security in 1024 RSA because it's an easier problem.

Regarding SSH's position on DSA, I often wonder why they did not move
against ECDSA too since it's the same algorithm over a different field.
DSA and ECDSA are both ElGamal-like signature schemes, both need a
subgroup order with a minimum size, both use a random k, etc.

Jeff
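An added worked example, not part of Jeff's post or of OpenSSL: a small Python script that applies the security-level matching he describes. It estimates the level of an RSA modulus or DSA prime p from the GNFS running-time heuristic (the form given in FIPS 140-2 IG 7.5, with its constants 1.923 and 4.69; treat the output as an estimate that lands within a few bits of the SP800-57 table), caps DSA by its subgroup order q, and picks out the weakest link in a key-transport pairing. The function names and the sample key sizes are mine.

```python
import math

LN2 = math.log(2)

def gnfs_security_bits(modulus_bits: int) -> float:
    """Approximate security level, in bits, of an RSA modulus or DSA prime p
    of the given size, from the GNFS heuristic L[1/3, (64/9)^(1/3)].
    Assumption: the calibration constants 1.923 and 4.69 used in FIPS 140-2
    IG 7.5; the result is an estimate, not a table lookup."""
    ln_n = modulus_bits * LN2                                  # ln(2^bits)
    ln_work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return ln_work / LN2                                       # nats -> bits

def dsa_security_bits(p_bits: int, q_bits: int) -> float:
    """DSA is only as strong as the cheaper of two attacks: a GNFS-style
    discrete log in GF(p), or a generic square-root attack (Pollard rho)
    on the subgroup of order q, costing about 2^(q_bits/2). Once q is the
    bottleneck, a larger p buys nothing."""
    return min(gnfs_security_bits(p_bits), q_bits / 2)

def weakest_link(components: dict) -> tuple:
    """components maps a label to its security level in bits, e.g. an AES key
    and the asymmetric key that transports it. Returns the (label, bits)
    pair an attacker would go after: the smallest level in the system."""
    label = min(components, key=components.get)
    return label, components[label]

def matches(asym_bits: float, sym_bits: int) -> bool:
    """True when the asymmetric key is at least as strong as the symmetric
    key it transports or agrees, so it is not the easier target."""
    return asym_bits >= sym_bits

if __name__ == "__main__":
    # The thread's example: RSA-1024 transporting an AES-128 key.
    print(weakest_link({"AES-128": 128,
                        "RSA-1024": gnfs_security_bits(1024)}))
    # Leam's question: does DSA 4096 beat DSA 3072? Not with a 256-bit q.
    for p in (2048, 3072, 4096):
        print(p, round(dsa_security_bits(p, 256), 1))
```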
