When used with SSH keys, why are the DSA keys referred to as DSS keys i.e why does the public key begin with ssh-dss?
While generating a DSA key, why does the resulting public key begin with ssh-dss? Why not ssh-dsa? While trying to know more about it, I came across an article saying - The DSA private key is used to generate digital signatures, and the DSA public key is used to verify digital signatures. The difficulty of the discrete logarithm problem is the basis for the NIST Digital Signature Standard (DSS) public key algorithm.
To explain why the public key is called ssh dss, you must understand that DSS is simply a document that describes the signing procedure and specifies certain standards. The original document is FIPS 186 and the latest revision in 2013 is FIPS 186-4. DSS is a standard for digital signing.
DSA is a cryptographic algorithm that generates keys, signs data, and verifies signatures. DSA, in itself, can use any hash function for its internal "cryptomagic", and it can also use any (L, N) for its parameters' length. DSS, as a standard, defines DSA's optional specifications.
DSS says that DSA should use SHA-1 as its hash function (recently, SHA-2). DSS says that DSA should use specific length pairs such as (2048,224), (3072,256), etc.When SSH says DSS, they mean that they're implementing DSA in compliance with the DSS.
Answer (1)
The terms "DSA" and "DSS" are closely related but refer to slightly different things, which explains why DSA keys are referred to as DSS keys in the context of SSH.
Understanding DSA and DSS
- DSA (Digital Signature Algorithm): This is an algorithm for digital signatures, which is used to generate a pair of keys (a private key and a public key) and to sign data. It is specified in the Digital Signature Algorithm (DSA) standard.
- DSS (Digital Signature Standard): This is a federal standard for digital signatures. DSS specifies DSA as the algorithm to be used for generating and verifying digital signatures. The DSS standard was established by the National Institute of Standards and Technology (NIST).
Why SSH Uses ssh-dss
In the context of SSH (Secure Shell), the public key format identifier is defined as ssh-dss when using DSA keys. This is because SSH key type identifiers often use the name of the standard or the protocol rather than the specific algorithm. Since DSA is part of the DSS standard, the key type is referred to as ssh-dss.
Breakdown of the Naming Convention
- ssh-: This prefix is used to indicate that the key is to be used with the SSH protocol.
- dss: This part refers to the Digital Signature Standard, which specifies the use of the DSA algorithm.
Example of a DSA Public Key in SSH
When you generate a DSA key pair for SSH, the public key file begins with ssh-dss. Here’s an example of what a DSA public key might look like:
ssh-dss AAAAB3NzaC1kc3MAAACBAP... user@hostname- ssh-dss: Indicates the type of key.
- The string starting with AAAAB3...: The actual base64-encoded key data.
- user@hostname: An optional comment that typically includes the username and host where the key was generated.
Summary
- DSA refers to the algorithm itself.
- DSS refers to the standard that specifies the use of DSA.
- In SSH, the key type identifier ssh-dss is used to signify that the key is a DSA key, as specified by the DSS standard.
This naming convention helps in maintaining consistency and clarity within the SSH protocol, aligning with the standards and specifications used to define the cryptographic algorithms.