Image of the glider from the Game of Life by John Conway
Skip to content

Elliptic Curve Cryptography in OpenSSH

I've been meaning to add this as a post, as it's light and quick, but as the release of OpenSSH 5.7, Elliptic Curve Cryptography has been implemented. Why should you care? The generated keys are substantially smaller, the algorithm is faster and lighter, giving a break to slower CPUs and the cryptanalysis hasn't shown any substantial weaknesses, unlike traditional RSA or DSA.

To generate an ECC SSH key for your host, you need to use the "ecdsa" encryption type. The bit strengths are 256, 384 and 521. Generally speaking, the equivalent DSA keys would require 4-times the bit strength of ECDSA keys. In other words, a 256-bit ECDSA key is equivalent in strength to a 1024-bit DSA key.

Pull up your terminal, and type:

% ssh-keygen -t ecdsa -b 256

Go through the prompts, and you should have your generated private and public keys. Then, copy the key over to your remote server, and start using:

% ssh-copy-id -i ~/.ssh/ user@server.tld

Of course, the remote server does need to support ECC in order to take advantage of ECDSA keys, which means it too needs to be running OpenSSH 5.7 or later. Here's a result of the key sizes:

% ls -l ~/.ssh/*.pub
-rw-r--r-- 1 aaron aaron 604 Feb 17 20:05
-rw-r--r-- 1 aaron aaron 176 Feb 17 19:41
-rw-r--r-- 1 aaron aaron 220 Feb 17 19:42
-rw-r--r-- 1 aaron aaron 268 Feb 17 19:42
-rw-r--r-- 1 aaron aaron 228 Feb 17 20:07
-rw-r--r-- 1 aaron aaron 398 Feb 17 20:08

As you can clearly see, ECDSA keys are substantially smaller compared to their DSA counterparts and a bit smaller than equivalent RSA keys. Also, it should be mentioned that when setting up the OpenSSH server on a new host for the first time, you can also choose to have ECDSA host keys generated for the server, rather than the standard RSA or DSA keys.

I don't recommend wiping your existing RSA or DSA keys in favor of ECDSA quite yet. Plenty of OpenSSH and proprietary SSH servers exist that do not support ECC. Thus, your newly generated ECDSA key won't work, even if you copy it to the authorized_keys file. However, if you have the servers that support it, then why not give it a go, and see what you think?

{ 6 } Comments

  1. mindcorrosive | February 18, 2011 at 2:54 am | Permalink

    > The bit strengths are 256, 384 and 521.

    Perhaps you mean 512? 521 is an.. odd number.

    When you say "the algorithm is faster and lighter", do you mean the key generation only, or the encrypt/decrypt cycle?

  2. Aaron | February 18, 2011 at 3:15 am | Permalink

    Nope, it's not a typo. I do in fact mean 521 bits. Here's the RFC:

    When I'm talking about the algorithm, I'm referring to the encryption/decryption algorithm. ECC doesn't depend on S-boxes, so it can achieve higher cycles per byte than most other algorithms.

    Also, because it's based on the algebraic properties of elliptic curves, rather than factoring large primes, the math is an order of magnitude lighter to compute, thus it's great for embedded systems, lower-end CPUs, etc. Even the LOC to implement ECC in any specific language is less than traditional AES, 3DES, RSA, DSA and other algorithms.

  3. Aaron | February 18, 2011 at 3:26 am | Permalink

    Here's a paper describing ECC on constrained devices, such as 8-bit CPUs. It's lengthy, but shows why ECC is such a great fit for smaller devices:

    It mentions in detail the Elliptic Curve Diffie-Hellman (ECDH) protocol (which OpenSSH 5.7 and later supports as well) which is possible on these devices without a cryptographic processor.

    Anyway, FYI.

  4. gepgep | February 19, 2011 at 11:11 am | Permalink


  5. Zooko O'Whielacronx | April 8, 2011 at 12:15 pm | Permalink

    "Generally speaking, the equivalent DSA keys would require 4-times the bit strength of ECDSA keys. In other words, a 256-bit ECDSA key is equivalent in strength to a 1024-bit DSA key."

    That's not the consensus. Check out this cool site that lets you explore recommendations: .

    Here is what it says if you ask it what is equivalent to 256-bit ECC keys:

    Only the German standards body, BSI, thinks that a 256-bit ECC key is equivalently strong to a 2048 DSA key. The other researchers range from 3072 up to 4440 bit DSA keys as being as strong as 256-bit ECDSA keys!

  6. Paul | January 8, 2014 at 11:12 am | Permalink

    If both server and client support ECC and are configured with ECDSA keys, but you still choose to authenticate a session with a password rather than with public key authentication, is ECC still used by default for the key exchange?

{ 2 } Trackbacks

  1. [...] This post was mentioned on Twitter by toorghezi and St├ęphane Bortzmeyer, Jean Baptiste FAVRE. Jean Baptiste FAVRE said: Elliptic Curve #Cryptography in #OpenSSH [...]

  2. [...] Elliptic Curve Cryptography in OpenSSH [...]

Post a Comment

Your email is never published nor shared.