Minimize the Impact of 2048-bit keys in SSL processing
Gail Ferreira, Product Marketing Manager, [email protected]
Ken Salchow, Sr. Manager, Technical Marketing, [email protected]
© F5 Networks
Agenda
• Change in Best Practices
• Implications
– Performance Impact
• Preparation for Migration to 2048-bit keys
– Size accordingly, whether terminating SSL on:
• Servers, or
• Offload to BIG-IP
• Advantages of SSL Offload
• Next Steps
Key Length Guidance/Best Practices
• NIST recommends transition to 2048-bit key lengths by Jan 1st 2011 (Special Publication 800-57 Part 1, Table 4)
• Microsoft uses and recommends 2048-bit keys, per the NIST guidelines, for all servers and other products
• Red Hat recommends 2048-bit or longer keys for the RSA algorithm
Result: Issuing Certificate Authorities only issue 2048-bit certificates
• VeriSign: started focusing on 2048-bit keys in 2006; completed the transition by October 2010. Indicates its transition is to comply with best practices as recommended by NIST
• GeoTrust: clearly indicates why it transitioned to ONLY 2048-bit keys in June 2010
• Entrust: also indicates why it transitioned
• GoDaddy: "we enforce a new policy where all newly issued and renewed certificates must be 2048-bit"
• Extended Validation (EV) required 2048-bit keys on 1/1/09
Performance Impact: SSL termination on application servers

Key Length   32-bit hardware              64-bit hardware
1024         525 TPS    20 servers        1,570 TPS    7 servers
2048          96 TPS   105 servers          273 TPS   37 servers
4096          15 TPS   667 servers           38 TPS  264 servers
Performance Impact: SSL termination on BIG-IP

Key Length   6900 Series   8900 Series   11000 Series   VIPRION (PBx4 100/200)
1024         25,000 TPS    58,000 TPS    100,000 TPS    200,000 TPS
2048          5,000 TPS    11,600 TPS     20,000 TPS     40,000 TPS
4096          1,471 TPS     3,412 TPS      5,882 TPS     11,765 TPS
Performance Impact: BIG-IP with Session Reuse (SID)

Key Size     6900 Series   8900 Series    11000 Series   VIPRION (PBx4 100/200)
1024         50,000 TPS    116,000 TPS    200,000 TPS    400,000 TPS
2048         25,000 TPS     58,000 TPS    100,000 TPS    200,000 TPS
4096         10,297 TPS     23,884 TPS     41,174 TPS     82,355 TPS

Note: Session Reuse should be viewed as a range, and is dependent on the type of traffic.
F5 Advantages for SSL Offload
• Specialized Hardware
• Streamlines & Consolidates Management
• Flexible Deployment
Next Steps: Quantify
• Obtain a current quantification of SSL transaction load
– If terminating on servers: determine the total across applications or systems
– If using Enterprise Manager: examine SSL history
– iControl script on F5 Dev Central
Next Steps: Calculate
• Calculate expected 2048-bit impact
– Divide the current device's 1024-bit SSL TPS capacity by 5 to obtain the device's 2048-bit SSL TPS capacity
Next Steps: Assess
• Assess options for cost-effectively processing 5x the computations
Implications of Migration to 2048-bit Keys
• Industry Average: 5x reduction in SSL TPS
– 20% of 1024-bit SSL TPS performance
– Same processing impact regardless of where processed
• Need to re-assess capacity for 2048-bit SSL
– Know your SSL TPS requirements
– Assess current capacity for 2048-bit SSL processing
• Additional Considerations:
– Virtualized systems lack the performance needed for 2048-bit keys
– FIPS or other security/encryption requirements require additional hardware
– Type of traffic impacts benefit of session reuse
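The following Python is an added worked example, not part of the F5 deck, that carries the Quantify / Calculate / Assess steps and the "5x reduction" rule on this slide through to numbers. It embeds the per-server and BIG-IP figures from the performance tables above. Three things are assumptions rather than statements the deck makes: the 10,000 TPS load used as the sample input (it is the load that reproduces every server count on the application-server table), the 1/17 slowdown for 4096-bit keys (read off the BIG-IP table, e.g. 25,000 / 17 rounds to 1,471), and the session-reuse multipliers (each reuse figure divided by its full-handshake figure).

```python
import math

# Per-server full-handshake capacity in TPS when SSL is terminated on
# application servers (figures from the deck's application-server slide).
SERVER_TPS = {
    "32-bit": {1024: 525, 2048: 96, 4096: 15},
    "64-bit": {1024: 1570, 2048: 273, 4096: 38},
}

# BIG-IP platform capacity at 1024-bit keys, no session reuse (from the deck).
BIGIP_1024_TPS = {
    "6900": 25_000,
    "8900": 58_000,
    "11000": 100_000,
    "VIPRION PBx4": 200_000,
}

# Slowdown relative to 1024-bit RSA. "Divide by 5" for 2048-bit is the deck's
# own rule; the 1/17 factor for 4096-bit is an assumption derived from the
# BIG-IP table (25,000 / 17 rounds to the slide's 1,471 TPS).
SLOWDOWN = {1024: 1, 2048: 5, 4096: 17}

# Session-reuse gain per key size, derived (assumption) from the deck's
# "Session Reuse (SID)" table: reuse TPS divided by full-handshake TPS.
# The deck itself says reuse is a range that depends on the traffic type.
SESSION_REUSE_GAIN = {1024: 2, 2048: 5, 4096: 7}


def projected_tps(tps_1024: int, key_bits: int) -> int:
    """Next Steps: Calculate. Project a device's full-handshake TPS at a
    longer key length from its measured 1024-bit capacity."""
    return round(tps_1024 / SLOWDOWN[key_bits])


def with_session_reuse(full_handshake_tps: int, key_bits: int) -> int:
    """Best-case TPS when the traffic mix permits session reuse."""
    return full_handshake_tps * SESSION_REUSE_GAIN[key_bits]


def servers_required(load_tps: int, key_bits: int, arch: str) -> int:
    """Servers needed to terminate a handshake load on application servers;
    a fractional server is rounded up to a whole machine."""
    return math.ceil(load_tps / SERVER_TPS[arch][key_bits])


def assess(load_tps: int, device_1024_tps: int, key_bits: int = 2048) -> dict:
    """Next Steps: Assess. Compare the load measured in the Quantify step
    against a device's projected capacity at the new key length."""
    capacity = projected_tps(device_1024_tps, key_bits)
    return {
        "capacity_tps": capacity,
        "fits": load_tps <= capacity,
        "devices_required": math.ceil(load_tps / capacity),
        # Negative headroom means the device is already over capacity.
        "headroom_pct": round(100 * (capacity - load_tps) / capacity, 1),
    }


if __name__ == "__main__":
    # Constructed sample load (assumption): 10,000 TPS of full handshakes.
    load = 10_000
    print(f"Servers needed for {load:,} TPS of full handshakes:")
    for arch in SERVER_TPS:
        for bits in (1024, 2048, 4096):
            print(f"  {arch}, {bits}-bit: {servers_required(load, bits, arch)}")
    print("\nBIG-IP capacity at 2048-bit (full handshake / with session reuse):")
    for platform, tps in BIGIP_1024_TPS.items():
        full = projected_tps(tps, 2048)
        print(f"  {platform}: {full:,} / {with_session_reuse(full, 2048):,} TPS")
    print("\nDoes an 8,000 TPS load still fit on a 6900 at 2048-bit?")
    print(" ", assess(8_000, BIGIP_1024_TPS["6900"]))
```

Running the script reproduces the server counts and BIG-IP figures on the slides above; the `assess` call shows the practical point of the 5x rule, since a 6900 that comfortably carries 8,000 TPS at 1024-bit is projected to need two devices at 2048-bit, before any session reuse is counted.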