Minimize the Impact of 2048-bit keys in SSL …Implications of Migration to 2048-bit Keys...

Minimize the Impact of 2048-bit keys in SSL processing Gail Ferreira Product Marketing Manager [email protected] Ken Salchow Sr. Manager, Technical Marketing [email protected]


© F5 Networks

Agenda

• Change in Best Practices

• Implications

– Performance Impact

• Preparation for Migration to 2048-bit keys

– Size accordingly, whether terminating on:

• Servers, or

• Offload to BIG-IP

• Advantages of SSL Offload

• Next Steps


Key Length Guidance/Best Practices

• NIST recommends transition to 2048-bit key lengths by Jan 1st 2011

– Special Publication 800-57 Part 1 Table 4

• Microsoft uses and recommends 2048-bit keys

– Per the NIST guidelines for all servers and other products

• Red Hat recommends 2048+ length for keys using RSA algorithm


Result: Issuing Certificate Authorities only issue 2048-bit certificates

• VeriSign – Started focusing on 2048-bit keys in 2006; complete transition by October 2010

– Indicates their transition is to comply with best practices as recommended by NIST

• GeoTrust – Clearly indicates why it transitioned to ONLY 2048-bit Keys in June 2010

• Entrust – also indicates why it transitioned

• GoDaddy – "we enforce a new policy where all newly issued and renewed certificates must be 2048-bit"

• Extended Validation (EV) required 2048-bit keys on 1/1/09


Performance Impact: SSL termination on application servers

| Key Length | 32 Bit Hardware | 64 Bit Hardware |
|---|---|---|
| 1024 | 525 TPS, 20 Servers | 1,570 TPS, 7 Servers |
| 2048 | 96 TPS, 105 Servers | 273 TPS, 37 Servers |
| 4096 | 15 TPS, 667 Servers | 38 TPS, 264 Servers |


Performance Impact: SSL termination on BIG-IP

| Key Length | 6900 Series | 8900 Series | 11000 Series | VIPRION (PBx4 100/200) |
|---|---|---|---|---|
| 1024 | 25,000 TPS | 58,000 TPS | 100,000 TPS | 200,000 TPS |
| 2048 | 5,000 TPS | 11,600 TPS | 20,000 TPS | 40,000 TPS |
| 4096 | 1,471 TPS | 3,412 TPS | 5,882 TPS | 11,765 TPS |


Performance Impact: BIG-IP with Session Reuse (SID)

| Key Size | 6900 Series | 8900 Series | 11000 Series | VIPRION (PBx4 100/200) |
|---|---|---|---|---|
| 1024 | 50,000 TPS | 116,000 TPS | 200,000 TPS | 400,000 TPS |
| 2048 | 25,000 TPS | 58,000 TPS | 100,000 TPS | 200,000 TPS |
| 4096 | 10,297 TPS | 23,884 TPS | 41,174 TPS | 82,355 TPS |

Note: Session Reuse should be viewed as a range, and is dependent on the type of traffic.


F5 Advantages for SSL Offload

• Specialized Hardware

• Streamlines & Consolidates Management

• Flexible Deployment


Next Steps: Quantify

• Obtain a current quantification of SSL transaction load

– If terminating on server – determine total across applications or systems

– If using Enterprise Manager: examine SSL history

– iControl script on F5 Dev Central


Next Steps: Calculate

• Calculate expected 2048-bit impact

– Divide current device’s 1024-bit SSL TPS capacity by 5 to obtain device’s 2048-bit SSL TPS capacity


Next Steps: Assess

• Assess options for cost-effectively processing 5x computations
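
The Quantify, Calculate and Assess steps above, worked through as an added example (not F5's code and not the iControl script the deck mentions). The application names and peak loads are constructed, and the 10,000 TPS sizing target is an inference from the server counts in the application-server table, not a figure stated on the slides.

```python
import math

# Figures from the "SSL termination on application servers" slide:
# (TPS per server, servers listed) by hardware type and RSA key length.
SERVER_TABLE = {
    "32-bit": {1024: (525, 20), 2048: (96, 105), 4096: (15, 667)},
    "64-bit": {1024: (1570, 7), 2048: (273, 37), 4096: (38, 264)},
}
RULE_OF_THUMB = 5  # "Calculate" slide: 2048-bit TPS = 1024-bit TPS / 5


def units_needed(peak_tps, unit_tps):
    """Whole units (servers or devices) required to carry peak_tps."""
    return math.ceil(peak_tps / unit_tps)


def table_matches_target(target_tps):
    """True if every server count on the slide equals ceil(target / TPS)."""
    return all(units_needed(target_tps, tps) == servers
               for rows in SERVER_TABLE.values()
               for tps, servers in rows.values())


def plan(app_peaks, tps_1024, measured_tps_2048=None):
    """Quantify, Calculate, Assess for one termination option."""
    total = sum(app_peaks.values())            # Quantify: total peak SSL TPS
    estimated = tps_1024 / RULE_OF_THUMB       # Calculate: divide by 5
    result = {
        "total_tps": total,
        "units_at_1024": units_needed(total, tps_1024),
        "units_at_2048_estimated": units_needed(total, estimated),
    }
    if measured_tps_2048 is not None:          # Assess against a real figure
        result["units_at_2048_measured"] = units_needed(total, measured_tps_2048)
    return result


# Constructed sample load (hypothetical application names and peaks).
APP_PEAKS = {"storefront": 6000, "api": 3000, "admin-portal": 1000}

if __name__ == "__main__":
    for hw, rows in SERVER_TABLE.items():
        print(hw, plan(APP_PEAKS, rows[1024][0], rows[2048][0]))
    print("BIG-IP 6900", plan(APP_PEAKS, 25000, 5000))
    print("table sized for 10,000 TPS:", table_matches_target(10000))
```

On the deck's own 32-bit server figures the divide-by-5 estimate gives 96 servers where the listed 2048-bit rate calls for 105, so size from measured figures when they are available.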


Questions?

Gail Ferreira

[email protected]

Ken Salchow

[email protected]


Implications of Migration to 2048-bit Keys

• Industry Average: 5x reduction in SSL TPS

– 20% of 1024-bit SSL TPS performance

– Same processing impact regardless of where processed

• Need to re-assess capacity for 2048-bit SSL

– Know your SSL TPS requirements

– Assess current capacity for 2048-bit SSL processing

• Additional Considerations:

– Virtualized systems don’t perform for 2048-bit keys

– FIPS or other security/encryption requirements require additional hardware

– Type of traffic impacts benefit of session reuse
