RSA vs DSA

[Atte Peltomaki]

>  > > So, what about "(b) RSA is just a better protocol [(algorighm)]"?
>  > > I've read a few pieces which recommend RSA over DSA, although most 
>  > > crypto programs (OpenSSL/SSH etc.) say RSA is depricated/a last resort. 
>  > > Any insights?
>  > 
>  > The OpenSSL and OpenSSH guys are right. DSA is stronger than RSA, as
>  > long as it is done correctly. But since it is harder to implement DSA
>  > correctly, a lot of fools might suggest avoiding it :)
> 
> When considering the "strength" of an algorithm, take in to acount
> that DSA was never intended for encryption and was selected by a
> standards body (NIST) under less than "open competition".
> 
> A decent FAQ with some good refrences in it can be found at
> http://www.rsasecurity.com/rsalabs/node.asp?id=2239
> 
> Summary of the FAQ: DSA is as secure as anyother "unbroken" signature
> algorithm. DSA is faster at key generation and signing. RSA is faster
> at verification. So, consider your application when choosing the
> algorithm.

I gathered from the rsasecurity.com docs that there is a technique to
break RSA, but as of today it has not been succesfully incorporated.
Which to my understanding would mean that RSA is a bad choice of
algorithm when thinking about the future, when someone figures out how
to (easily) use the technique.

. .of course I could've as well interpreted the text below completely
wrong..

*clip*
Another way to break the RSA cryptosystem is to find a technique to 
compute eth roots mod n. Since c = me mod n, the eth root of c mod n 
is the message m. This attack would allow someone to recover encrypted 
messages and forge signatures even without knowing the private key. 
This attack is not known to be equivalent to factoring. No general 
methods are currently known that attempt to break the RSA system in 
this way. However, in special cases where multiple related messages 
are encrypted with the same small exponent, it may be possible to 
recover the messages.
*clip*


Atte