
The surprising persistence of RSA keys in SSH - tomwas54
https://utcc.utoronto.ca/~cks/space/blog/tech/SSHRSAKeysPersistence
======
enzanki_ars
For the longest time, to the best of my knowledge, the instructions provided by
GitHub and GitLab, probably the two most popular pieces of software with
easy-to-access instructions on generating SSH keys, defaulted to displaying the
RSA key generation instructions first instead of an Ed25519 key.

The good news is that GitLab uses Ed25519 keys as the recommended default [0].
GitHub still recommends RSA keys by default [1].

[0]: [https://docs.gitlab.com/ee/ssh/README.html#generating-a-new-...](https://docs.gitlab.com/ee/ssh/README.html#generating-a-new-ssh-key-pair)

[1]: [https://help.github.com/en/github/authenticating-to-github/g...](https://help.github.com/en/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key)

~~~
SomaticPirate
I’m still not sure why I should use Ed25519? Is it just cryptographically
“tougher”?

~~~
numpad0
RSA getting weaker

ECDSA suspected backdoored by NSA

EdDSA/Ed25519 like ECDSA but community made

RSA32768 might be okay but weird

~~~
cryptonector
ECDSA isn't thought to be backdoored so much as designed on purpose to be very
difficult to get right / very easy to get catastrophically wrong.

------
RcouF1uZ4gsC
I think a big reason for the persistence of RSA keys is that they are easier
to understand than elliptical curve.

Basically, every first year computer science student who has taken discrete
math can write a (horribly broken, inefficient) implementation of RSA
encryption and decryption and have a pretty good intuitive understanding of
what is going on.

In fact, I did that just for fun as a first year CS student.

With elliptical curves, I have read through multiple websites and
explanations over several years and still feel I do not have an intuitive
grasp of what is really going on.

~~~
cordite
In my second year, I had to do this on paper, showing every step. The prime
sizes were about 10 digits so as to keep things within a few sheets of paper.

It seems my memory of it was traumatizing, one of the few assignments I had
where I remember where I sat in the library computing this assignment on
paper. Without electronic assistance.

~~~
callalex
At least you took the sound advice of always using a library to do
cryptography.

~~~
D2187645
lol

------
jonathanoliver
I'm still waiting for AWS EC2 to allow non-RSA keys. I've got other keys for
everything else but an RSA for EC2.

~~~
usr1106
What service are you referring to? My EC2 instances running CoreOS Container
Linux (moving to Fedora CoreOS as we speak...) have an ed25519 host key only
and users can ssh in using their ed25519 key pair. Yeah, we don't create them
using AWS web UI, but using terraform / ignition.

~~~
jonathanoliver
So when I use the EC2 web dashboard and try to add my SSH key, it gives me an
error unless it's an RSA key. Obviously once I'm logged into a given server
over SSH, I can change my key to be whatever is supported by the underlying VM
OS.

------
beagle3
Neither the pgpcard (which I got from g10code while they were still selling
them) nor my 100 or so Yubikeys purchased over the last 5 years support
ed25519.

~~~
p_l
As far as I understand, none of the hw token vendors support ed25519, because
none of the secure element vendors do.

Your best bet is AFAIK ECDSA with NIST parameters.

~~~
cjcampbell
Yubikey is supporting ed25519 as of firmware 5.2.3
([https://www.yubico.com/blog/whats-new-in-yubikey-firmware-5-...](https://www.yubico.com/blog/whats-new-in-yubikey-firmware-5-2-3/))

~~~
captn3m0
I’ll try to upgrade, thanks

~~~
dmm
You can't upgrade the Yubikeys. You have to buy a new one.

[https://support.yubico.com/support/solutions/articles/150000...](https://support.yubico.com/support/solutions/articles/15000006434-upgrading-yubikey-firmware)

~~~
sterlind
Ugh that's really frustrating. If it's for security, why can't they just blank
the key like they do when the master key is used?

~~~
cjcampbell
Ahh, I should have made that more clear in my comment. Definitely frustrating,
as those dang keys aren’t cheap!

------
nullc
Why would it be surprising?

4k and especially 8kbit RSA provide greater assumed security, and the
cpu/communication performance of 4/8kbit RSA is perfectly adequate for SSH.
They also provide greater compatibility.

Why would I _downgrade_ my cryptographic security to use a different
cryptosystem with performance characteristics which aren't very relevant for
interactive logins and get reduced compatibility at the same time?

I'd be much more interested in an ed448 or a ed25519+SPHINCS+ hybrid for SSH
authentication -- at least they wouldn't be unambiguously less secure than
what I'm currently using per our best current understanding.

Same deal for GPG/PGP: they added ed25519 which has less security than the
keys most people were already using (4kbit RSA)... when the performance
advantages are essentially irrelevant for the application. The non-performance
related advantages seem small relative to the compatibility and security
posture.

------
gok
It's startling how much software "validates" SSH keys by seeing if it starts
with "ssh-rsa"

------
rubatuga
Unless there’s a good reason for not using RSA, this is a non-issue

~~~
genr8
There is a good reason, it's just buried in complex crypto math and I won't be
the one to explain it for you. If you are still using RSA, you should have
upgraded to 4096 bit RSA by now. If not, you should be regenerating and
changing your keys and not using one 5 or 10 year old 2048-bit RSA key because
"2048 should be enough for anyone" and not thinking "I reused this key all
over the place and I'm lazy and I'm sentimental and don't like change".
People's key practices are just as bad as their password practices. His
personal blog post was not meant to be a comprehensive lesson. But you can do
what you want.

If this is the first time you're hearing about RSA starting to be phased out,
and the new Ed25519, look into it. Or click this if you're lazy.
[https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e...](https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54)

Also of note, is Ed25519 does not harden itself with additional "bits" in the
normal RSA sense, it relies on "rounds" of KDF to apply more brute-force
protection to the passphrase (you did set a passphrase on your key right?). I
would suggest using the -a option with 1000 or more rounds. If you pick 50,000
rounds you might be waiting 5 minutes to log in though.

Also of note, ECDSA (the other one) has had curve trust concerns due to NIST
possibly being subverted by the NSA. You can read for days on this, but bottom
line is we've all agreed to move on.
[https://security.stackexchange.com/a/227771](https://security.stackexchange.com/a/227771)
/ [https://safecurves.cr.yp.to/](https://safecurves.cr.yp.to/)

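Following on from gok's point that much software "validates" a key by its `ssh-rsa` text prefix, and genr8's point about old 2048-bit RSA keys, here is an added example (not from the thread or any project it mentions) of a defender-side check that parses the base64 blob of a public-key line, takes the key type from the blob rather than the prefix, and reads the RSA modulus size. `parse_pubkey_line`, `assess`, `make_sample_line` and the 2048-bit floor are this example's own assumptions; the sample lines it builds are constructed, not real keys.

```python
import base64
import struct

def _read_string(blob, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at off."""
    end = off + 4 + struct.unpack(">I", blob[off:off + 4])[0] if off + 4 <= len(blob) else len(blob) + 1
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def parse_pubkey_line(line):
    """'<type> <base64> [comment]' -> (declared_type, embedded_type, bits)."""
    fields = line.split()  # assumes no leading authorized_keys options field
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    kind, off = _read_string(blob, 0)  # the type is read from the blob itself
    kind, bits = kind.decode("ascii"), None
    if kind == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent (mpint)
        n, off = _read_string(blob, off)    # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
    elif kind == "ssh-ed25519":
        point, off = _read_string(blob, off)  # 32-byte compressed point
        if len(point) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    if off != len(blob):
        raise ValueError("trailing bytes after key blob")
    return declared, kind, bits

def assess(line, min_rsa_bits=2048):
    """Return (accepted, reason), trusting the blob rather than the prefix."""
    declared, kind, bits = parse_pubkey_line(line)
    if declared != kind:
        return False, "prefix says %s but blob is %s" % (declared, kind)
    if kind == "ssh-rsa" and bits < min_rsa_bits:
        return False, "rsa %d-bit is below %d" % (bits, min_rsa_bits)
    return kind in ("ssh-rsa", "ssh-ed25519"), kind

def _s(b):  # SSH 'string' encoding: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def make_sample_line(kind, prefix=None, rsa_bits=2048):
    """Constructed sample line (NOT a real key); prefix may be mislabelled."""
    if kind == "ssh-rsa":
        n = (1 << (rsa_bits - 1)) | 0x10001  # fake modulus of the requested size (multiple of 8 bits)
        blob = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(n.to_bytes(rsa_bits // 8 + 1, "big"))  # e=65537, n as mpint
    else:
        blob = _s(b"ssh-ed25519") + _s(bytes(range(32)))
    return "%s %s constructed@example" % (prefix or kind, base64.b64encode(blob).decode())
```

A mislabelled line such as `make_sample_line("ssh-ed25519", prefix="ssh-rsa")` passes a prefix check but is rejected here because the embedded type disagrees with the prefix.
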
~~~
bawolff
> Also of note, is Ed25519 does not harden itself with additional "bits" in
> the normal RSA sense, it relies on "rounds" of KDF to apply more brute-force
> protection to the passphrase

That doesn't make sense. Key stretching your pass phrase, and the number of
bits your key pair is, is totally separate. The reason people don't talk about
number of bits in Ed25519, is that the security margins are higher and many of
the more efficient algos for cryptanalyzing this stuff don't work on elliptic
curves, so you don't have to be constantly changing the key strength to keep up
with better computers, it's just always 256 bits.

~~~
wizeman
Except Ed25519 only has 128 bits of security, not 256

~~~
bawolff
I was under the impression the key size was 256 bits but the security level
was 128 bits.

But IANA cryptographer.

------
ryanlol
FWIW the .ssh/authorized_keys command= restriction for sftp doesn’t prevent
arbitrary command execution if your system is configured with procfs.

[https://seclists.org/fulldisclosure/2014/Oct/35](https://seclists.org/fulldisclosure/2014/Oct/35)

~~~
theamk
> OpenSSH 6.7 contains a mitigation,

> OpenSSH 6.7 was released on 2014-10-06.

I am not sure why this matters? If you have not updated your system for 8
years, I am sure you have worse problems than restricted account privilege
escalation.

------
mikedilger
ssh-keygen defaults to RSA

~~~
LeoPanthera
I'm surprised that this isn't a bigger deal. Most people won't specify a type
and use whatever the default is.

------
divbzero
As the author mentions, defaults can play a significant role. In particular,
it would probably help for _ssh-keygen_ to default to _ed25519_.

~~~
toyg
... and break tons of usages where the software does not support newer
schemes?

Switching defaults is always a complex trade-off.

