Home - Teleport Blog - Comparing SSH Keys: RSA, DSA, ECDSA, or EdDSA?

Comparing SSH Keys: RSA, DSA, ECDSA, or EdDSA?

by Ev Kontsevoy — Apr 7, 2022

Updated: December 2025

What’s worse than an unsafe private key? An unsafe public key.

The “secure” in Secure Shell Protocol (SSH) comes from the combination of hashing, symmetric encryption, and asymmetric cryptography. Together, SSH uses these cryptographic primitives to safely connect clients and servers.

In the 25 years since its founding, changes in cryptanalysis, protocol design, and operational practices have necessitated increasingly sophisticated low-level algorithms.

This article will explain what the various asymmetric authentication key algorithms used by SSH are and how they are different from each other. As of 2025, the most widely adopted SSH authentication algorithms are RSA, ECDSA, and EdDSA (Ed25519).

For a broader overview of these concepts, start with this article: What is Cryptographic Identity?

How does encryption work within the SSH protocol?

SSH is used almost universally to connect to shells on remote machines.

The most important part of an SSH session is establishing a secure connection. This happens in two broad steps: negotiation and connection, and authentication.

SSH negotiation and connection

Figure 1: Shared Secret Creation

In order for an SSH session to work, both client and server must support the same version of the SSH protocol. Modern clients will support SSH 2.0, as SSH 1.0 has identified flaws.

After coming to a consensus on which protocol version to follow, both machines negotiate a per-session symmetric key to encrypt the connection from the outside.

Generating a symmetric key at this stage, when paired with the asymmetric keys in authentication, prevents the entire session from being compromised if a key is revealed.

Negotiation terms happen through the Diffie-Hellman key exchange, which creates a shared secret key to secure the whole data stream by combining the private key of one party with the public key of the other. These keys are different from the SSH keys used for authentication.

Modern SSH implementations also support post-quantum (hybrid) key exchange (KEX), and recent OpenSSH versions enable a post-quantum hybrid KEX to protect against “store now, decrypt later” attacks.

For those interested in learning more about this step, our SSH Handshake Explained article is a great starting point.

SSH authentication

Figure 2: Only Alice’s private key can decrypt a message signed with Alice’s public key

After completing the negotiation and connection, a reliable and secure channel between the client and server has been established. During the KEX, the client has authenticated the server, but the server has not yet authenticated the client. In most cases, public-key authentication is used by the client.

This method involves two keys: a public key and private key.

In SSH, the private key is used to create a digital signature over session-specific data, and the public key is used by the server to verify that signature. This is what is meant by asymmetric cryptography in SSH authentication.

By successfully verifying the signature, the server confirms that the client is in possession of the corresponding private key, without that key ever leaving the client system.

As illustrated in Figure 2, if Bob encrypts a message with Alice’s public key, only Alice’s private key can decrypt the message. This principle is what allows the SSH protocol to authenticate identity. If Alice (client) can decrypt Bob’s (server) message, then it proves Alice is in possession of the paired private key.

Either key can be used to encrypt a message, but the other must be used to decrypt. This is what is known as asymmetric encryption.

This is, in theory, how SSH keys authentication should work. Unfortunately with the dynamic nature of infrastructure today, SSH keys are increasingly shared or managed improperly, compromising its integrity.

To learn more about SSH authentication best practices, read this article: How to SSH Properly.

What are asymmetric encryption algorithms?

What makes asymmetric encryption powerful is that a private key can be used to derive a paired public key, but not the other way around. This principle is core to public-key authentication.

In Figure 2, if Alice had used a weak encryption algorithm that could be brute-forced by today's processing capabilities, a third party could derive Alice's private key from her public key. Protecting against a threat like this requires careful selection of the right algorithm.

There are three classes of these algorithms commonly used for asymmetric encryption:

RSA
DSA
Elliptic curve based algorithms.

To properly evaluate the strength and integrity of each algorithm, it is necessary to understand the mathematics that constitutes the core of each algorithm.

RSA — Integer factorization

First used in 1977, the Rivest–Shamir–Adleman (RSA) public-key cryptography algorithm is based on the held belief that factoring large semi-prime numbers is difficult by nature.

Given that no general-purpose formula has been found to factor a compound number into its prime factors, there is a direct relationship between the size of the factors chosen and the time required to compute the solution.

In other words, given a number n=p\*q where p and q are sufficiently large prime numbers, it can be assumed that anyone who can factor n into its component parts is the only party that knows the values of p and q.

The same logic exists for public and private keys. In fact, p & q are necessary variables for the creation of a private key, and n is a variable for the subsequent public key. This presentation simplifies RSA integer factorization.

For those interested in learning more about RSA and integer factorization, please reference this presentation.

DSA — Discrete logarithm & modular exponentiation

The Digital Signature Algorithm (DSA) follows a similar schema as RSA with public/private key pairs that are mathematically related.

What makes DSA different from RSA is that DSA uses a different algorithm. DSA solves an entirely different problem using different elements, equations, and steps. Learn more about the discrete log problem here.

What is important to note is the use of a randomly generated number, m, is used with signing a message along with a private key, k. This number m must be kept private.

Because SSH DSA is constrained to older hash functions and fixed key sizes, and relies heavily on high-quality randomness, it is no longer recommended for modern SSH deployments.

ECDSA and EdDSA — Elliptic curve discrete logarithm problem

Algorithms using elliptic curves are also based on the assumption that there is no generally efficient solution to solving a discrete log problem.

Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) use elliptic curves while DSA uses a mathematical operation known as modular exponentiation.

The computational complexity of the discrete log problem allows both classes of algorithms to achieve the same level of security as RSA with significantly smaller keys.

Figure 3 - Elliptic curve, Secp256k1 used in the Bitcoin protocol

Comparing encryption algorithms

Choosing the right algorithm depends on a few criteria:

Implementation — Can the experts handle it, or does it need to be rolled?
Compatibility — Are there SSH clients that do not support a method?
Performance — How long will it take to generate a sufficiently secure key?
Security — Can the public key be derived from the private key?

RSA

Implementation	RSA libraries can be found for all major languages, including in-depth libraries (JS, Python, Go, Rust, C).
Compatibility	RSA keys remain widely supported, but RSA signatures using SHA-1 (ssh-rsa) are disabled by default in modern OpenSSH. Current best practice is to use RSA with SHA-2 signatures (rsa-sha2-256 or rsa-sha2-512).
Performance	Larger keys require more time to generate.
Security	Specialized algorithms like Quadratic Sieve and General Number Field Sieve exist to factor integers with specific qualities.

Time has been RSA’s greatest ally — and greatest enemy.

RSA has the widest support across all SSH clients and languages, and thus far has stood the test of time as a reliable key generation method. Due to its longevity, it has also been subject to Moore’s Law for decades, and key bit-length has grown in size accordingly.

According to NIST standards, achieving 128-bit security requires a key with length 3072 bits whereas other algorithms use smaller keys. Bit security measures the number of trials required to brute-force a key, and 128 bit security means it would take 2128 trials to break.

DSA

Implementation	DSA was adopted by FIPS-184 in 1994. It has ample representation in major crypto libraries, similar to RSA.
Compatibility	DSA is disabled by default in OpenSSH and should be considered legacy-only for SSH authentication.
Performance	Significant improvement in key generation times to achieve comparable security strengths, though recommended bit-length is the same as RSA.
Security	DSA requires the use of a randomly generated unpredictable and secret value that, if discovered, can reveal the private key.

Recall earlier in the article:

“What is important to note is the use of a randomly generated number, m, is used with signing a message along with a private key, k. This number m must be kept privately.”

The value m is meant to be a nonce — a unique value included in many cryptographic protocols. However, the additional conditions of unpredictability and secrecy makes the nonce more akin to a key, and therefore extremely important.

Not only is it difficult to ensure true randomness within a machine, but improper implementation can break encryption.

Android’s Java SecureRandom class was known to create colliding R values. In other words, the class reused some randomly generated numbers. This exposed a number of different Android-based Bitcoin wallets to having their private keys stolen. The requirements of the nonce m means that any two instances with the same nonce value could be reverse engineered and reveal the private key used to sign transactions.
Taking this a step further, fail0verflow discovered the private key used to sign firmware updates for the Sony Playstation 3. In other words, programmers could write their own code, sign it with the revealed private key, and run it on the PS3. As it turns out, Sony was using the same random number to sign each message.

ECDSA and EdDSA

The two examples above are not entirely sincere, as both Sony and the Bitcoin protocol employ ECDSA, not DSA proper. ECDSA is an elliptic curve implementation of DSA.

Functionally, where RSA and DSA require key lengths of 3072 bits to provide 128 bits of security, ECDSA can accomplish the same with only 256-bit keys. However, ECDSA relies on the same level of randomness as DSA. Therefore the only gain is speed and length, not security.

In response to the desired speeds of elliptic curves and the undesired security risks, another class of curves has gained some notoriety. EdDSA solves the same discrete log problem as DSA/ECDSA, but uses a different family of elliptic curves known as the Edwards Curve (EdDSA uses a Twisted Edwards Curve).

While offering slight advantages in speed over ECDSA, EdDSA’s popularity comes from a significant improvement in security. Instead of relying on a random number for the nonce value, EdDSA generates a nonce deterministically as a hash, making it collision resistant.

Taking a step back, the use of elliptic curves does not automatically guarantee some level of security. Not all curves are the same. Only a few curves have made it past rigorous testing.

Luckily, the PKI industry has slowly come to adopt Curve25519 in particular for EdDSA. Put together that makes the public-key signature algorithm, Ed25519.

Implementation	EdDSA is fairly new Crypto++ and cryptlib do not currently support EdDSA.
Compatibility	Compatible with newer clients, Ed25519 has seen the largest adoption among the Edward Curves, though NIST also proposed Ed448 in their recent draft of SP 800-186.
Performance	Ed25519 is the fastest performing algorithm across all metrics. As with ECDSA, public keys are twice the length of the desired bit security.
Security	EdDSA provides the highest security level compared to key length. It also improves on the insecurities found in ECDSA.

RSA vs. DSA vs. ECDSA vs. EdDSA

Below we list the common differences between RSA, DSA, ECDSA, and EdDSA algorithms:

	RSA	DSA	ECDSA	EdDSA
Popularity	Most widely implemented and supported.	Its notorious security history makes it less popular.	Fairly new but not as popular as EdDSA.	Fairly new but favoured by most modern cryptographic libraries.
Performance	Larger keys require more time to generate.	Faster for signature generation but slower for validation.	Public keys are twice the length of the desired bit security.	EdDSA is the fastest performing algorithm across all metrics.
Security	Specialized algorithms like Quadratic Sieve and General Number Field Sieve exist to factor integers with specific qualities.	DSA requires the use of a randomly generated unpredictable and secret value that, if discovered, can reveal the private key.	Vulnerable if pseudo random numbers aren't cryptographically strong.	EdDSA provides the highest security level compared to key length. It also improves on the insecurities found in ECDSA.

How do you generate SSH keys with RSA, DSA, ECDSA, or EdDSA?

RSA is the default key type when generated using the ssh-keygen command.

To generate SSH keys with given algorithm type, supply -t flag to ssh-keygen command. Below is an example of generating ed25519 key:

$ ssh-keygen -t ed25519 -C "unique name to identify this key."

Both public and private keys (the ssh key pair) are generated with the above command. The private key never leaves the user's computer, and the public key is stored in the server's authorized_keys file.

The SSH key fingerprint can be checked with the following command:

$ ssh-keygen -l -f <key file>

For higher assurance environments, hardware-backed SSH keys (such as ed25519-sk using FIDO2 security keys) provide additional protection by requiring physical user presence.

For more details, learn how to generate SSH keys.

Conclusion

When it comes down to it, the choice is between RSA 2048/4096 and Ed25519 — and the trade-off is between performance and compatibility. RSA is universally supported among SSH clients while EdDSA performs much faster and provides the same level of security with significantly smaller keys.

TL;DR — Just don’t use ECDSA/DSA!

Certificates are better than keys

Although keys are a relatively secure authentication method for SSH when compared with password-based authentication, keys create an equal amount of operational and security overhead on the administration side.

Certificate-based authentication addresses these issues by enabling short-lived credentials, centralized issuance, and simpler revocation, which is why many modern SSH deployments are moving from static keys to certificates.

Teleport offers an SSH certificate-based access solution with additional benefits of audit logging, session recording, and RBAC for SSH. Teleport can be used as a drop-in replacement for OpenSSH servers.

Learn why certificates are better than keys for SSH and signup for a free trial of Teleport Enterprise today.

FAQ

What is post-quantum key exchange (KEX)?

Post-quantum (often “hybrid”) key exchange combines a traditional algorithm (like elliptic-curve Diffie–Hellman) with a post-quantum algorithm so the connection stays secure even if one approach is later weakened. In SSH, this helps defend against “store now, decrypt later” attacks, where an attacker records traffic today and tries to decrypt it in the future with more powerful capabilities.

What is the Edwards Curve and how does it apply to SSH?

An Edwards curve is a family of elliptic curves designed to make cryptographic operations fast, consistent, and easier to implement safely. In SSH, EdDSA signatures (most commonly Ed25519) use an Edwards-curve construction to deliver strong security with small keys and high performance.

What is the Twisted Edwards Curve and how does it apply to SSH?

A Twisted Edwards curve is a specific Edwards-curve form that offers efficient arithmetic and strong security properties for real-world implementations. EdDSA uses a twisted Edwards curve (for example, the curve behind Ed25519) to create signatures that are fast, robust, and less reliant on fragile randomness than ECDSA.

What is Curve 25519 and how does it apply to SSH?

Curve25519 is a widely trusted, modern elliptic curve used for secure, high-performance cryptography, and it is designed to be easier to implement correctly than many older curve choices. In SSH, it shows up in two common places: key exchange (X25519) for establishing shared secrets, and Ed25519 for signing and authenticating identities.