Why We Choose Ed25519 for SSH Certificate Authorities
A technical look at our decision to standardize on Ed25519 for CA keypairs, focusing on performance, security properties, and side-channel resistance.
When building Mezite, we had to make a fundamental decision about the cryptography underpinning our Certificate Authorities (CAs). The CA is the root of trust for the entire SSH infrastructure. It signs short-lived certificates for users and hosts, meaning its security properties directly dictate the security of the access platform.
We choose Ed25519 as the exclusive algorithm for our CA keypairs. Here is why we mandate this modern elliptic curve over older standards like RSA.
The Security Proposition
Ed25519 is an Edwards-curve Digital Signature Algorithm (EdDSA) that uses the Curve25519 elliptic curve. It provides several critical security advantages that align with our “security by design” philosophy.
Resistance to Side-Channel Attacks
One of the most dangerous classes of attacks against cryptographic keys involves monitoring the physical or temporal characteristics of the system performing the signing operation. If an algorithm takes slightly different amounts of time to sign a certificate depending on the bits of the private key, an attacker on the same physical host (or even across a network) can infer the key.
Ed25519 is fundamentally designed to be immune to these timing attacks. The algorithm executes in constant time regardless of the key or the message being signed. There are no data-dependent branch conditions and no data-dependent memory access patterns. When the Mezite Auth Service signs a short-lived certificate, it does so safely, even in multi-tenant environments.
Foolproof Key Generation
Historically, the security of RSA or ECDSA keys has relied heavily on a high-quality source of randomness for the nonces used during the signing process. If the random number generator fails or is biased, the private key can be catastrophically compromised.
Ed25519 eliminates this failure mode. It is a deterministic algorithm. The signature process relies on a cryptographic hash of the message and the private key, rather than requiring fresh entropy for every signature. This removes a significant footgun from the implementation.
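The determinism described above, shown as an added example (not Mezite's code) that uses only Go's standard library: it signs the same constructed certificate bytes twice with Ed25519 and, for contrast, with ECDSA P-256. The helper names, the sample bytes and the fixed seed are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for the to-be-signed bytes of a short-lived certificate.
var sampleTBS = []byte("constructed cert: principal=alice serial=1 ttl=5m")

// SignTwiceEd25519 (hypothetical helper) signs msg twice with the key for seed.
// ed25519.Sign takes no entropy: the nonce is a hash of key material and msg.
func SignTwiceEd25519(seed, msg []byte) (identical, valid bool, err error) {
	if len(seed) != ed25519.SeedSize { // NewKeyFromSeed panics on a wrong length
		return false, false, errors.New("ed25519 seed must be 32 bytes")
	}
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	s1, s2 := ed25519.Sign(priv, msg), ed25519.Sign(priv, msg)
	return bytes.Equal(s1, s2), ed25519.Verify(pub, msg, s1), nil
}

// SignTwiceECDSA (hypothetical helper) does the same with ECDSA P-256, where
// fresh randomness goes into every signature, so the two outputs differ.
func SignTwiceECDSA(msg []byte) (identical, valid bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256(msg)
	s1, err1 := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	s2, err2 := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err1 != nil || err2 != nil {
		return false, false, errors.New("ecdsa signing failed")
	}
	return bytes.Equal(s1, s2), ecdsa.VerifyASN1(&priv.PublicKey, digest[:], s1), nil
}

func main() {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed; real seeds come from a CSPRNG
	edSame, edOK, _ := SignTwiceEd25519(seed, sampleTBS)
	ecSame, ecOK, _ := SignTwiceECDSA(sampleTBS)
	fmt.Println("ed25519 identical/valid:", edSame, edOK, "| ecdsa identical/valid:", ecSame, ecOK)
}
```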
The Performance Advantage
In a certificate-based SSH architecture, signing certificates is a hot path. Every time a user logs in, the User CA issues a new certificate. Every time an agent joins, the Host CA issues a host certificate.
Ed25519 is incredibly fast. It is significantly faster at both signing and verification than RSA, while offering higher security margins (a 256-bit Ed25519 key provides roughly 128 bits of security, comparable to a 3072-bit RSA key).
This performance means the Mezite binary spends less CPU time performing cryptographic operations and more time routing connections, contributing to the platform’s high throughput and low latency.
Key Size and Storage
As stated on our security page, we store the User CA and Host CA private keys encrypted at rest in the database (SQLite or PostgreSQL).
A 256-bit Ed25519 private key is remarkably small—just 32 bytes. Compared to multi-kilobyte RSA keys, this tiny footprint makes it trivial to encrypt, store, and transmit securely. The small key size also keeps the resulting SSH certificates compact, preventing fragmentation issues during the SSH handshake.
Conclusion
Cryptography is hard, and complexity is the enemy of security. By standardizing on Ed25519 for our Certificate Authorities, we remove the complexity of algorithm negotiation, eliminate timing attack vectors, and ensure high performance for every certificate issuance. It is a critical component of what makes Mezite a secure, minimal-attack-surface platform.
Mezite Team
Engineering