Randy George


Upcoming Events

A Network Computing Webinar:
Avoiding Downtime: How Virtualization Can Help In Times of Trouble

June 12, 2013
11:00 AM PT / 2:00 PM ET

Are you caught between a desire for the benefits of the cloud and concerns about security and control? Then you should attend this insight-packed webinar to learn how private data networking technologies like MPLS IP-VPNs can address your concerns and allow you to safely and intelligently reap the savings, agility and other benefits associated with cloud computing.

Join us to hear top industry experts discuss the private data network technologies that are best suited for enterprise cloud access requirements. You won't want to miss this opportunity to learn how your organization can best mitigate risk while reaping the full potential benefits of the cloud.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

Vendor NewsFeed

More Vendor NewsFeed »

See more from this blogger

Get Ready For The Impact Of 2048-bit RSA Keys

Posted by Randy George
July 22, 2010

If you've had to renew an SSL certificate for any of your critical infrastructure delivery devices recently, then you probably took notice of the need to generate and deliver at least a 2048-bit CSR to your Certificate Authority of choice. While this new standard may have little impact on you, for others the impact may be huge.

It dawned on me a few months back when the SSL Cert on my Bluesocket Wireless Controller expired. I started by generating a new CSR on my Bluesocket, I then logged onto GoDaddy to purchase a new cert and low and behold, GoDaddy wouldn't accept my 1024-bit CSR. No big deal, I thought, I'll just open the Bluesocket and generate a 2048-bit CSR. Unfortunately, I couldn't do it without a code upgrade. The key takeaway is to keep an eye out for any SSL-enabled devices in your environment that might require updates in order to support the new key length standard.

In special advisory (800-57), NIST advises that 1024-bit RSA keys will no longer be viable after 2010.  The recommendation, which has been broadly adopted, is to move to 2048-bit keys, which should be viable until 2030, according to NIST. This change has prompted a number of vendors to bolster their SSL acceleration offerings.  A recent Citrix Netscaler PR release points out that that the doubling of the key size from 1024-bit to 2048-bit increases CPU computational requirements from 4x to 8x.  As a result, if you're managing any externally facing services, or commerce related services that are highly SSL dependent and already have high concurrent connect counts, it makes sense to assess the performance implications of jumping to 2048-bit keys before you make the leap, if you haven't already.

Jordan Sissel from semicomplete.com recently did some interesting performance testing on the CPU and network impact of running SSL at various key lengths. His analysis offers a valuable lesson as you plan for the performance impact of 2048 and 4096 bit keys. To summarize, while offloading SSL to a hardware appliance can be valuable computationally, the network latency impact of processing a large number of SSL handshakes can often introduce the bulk of any perceived delays on the front end. There's not a whole lot you can do about latency, aside from strategically locating services and load balancing appropriately.  

The upshot is that if you're moving to 2048-bit keys or higher anytime soon, make sure you assess the performance implications of that move.   

Randy George is a systems analyst and network engineer. Read other stories by him at informationweek.com/randygeorge.


Related Reading

News

Commentary

Most Popular

On the Web

More Insights

White Papers

More >>

Webcasts

More >>

Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

May 2013
Network Computing: May 2013

Video


WATCH: Bob Metcalfe Plans Ethernet's 40th

WATCH: CES 2013: It's A Wrap!

WATCH: Intel shows off eye tracking and gesture tech


View All Videos
Previous Page First Page Second Page Third Page Next Page

Most Popular

Stories Blogs

More Stories »

Upcoming Events

Featured Whitepapers

 
 
What's this?
More >>


Featured Reports

 
 
What's this?
More >>


BlogRoll

TechWeb Careers