If ever there was an IT technology one could count on to stay essentially static, with very little innovation, it would be SSL. (I’ll squint my eyes and blur the distinction with TLS.) Yes, new ciphers and authentication hashes occasionally get added, but the basic scheme works and hasn’t undergone significant change in many years.
What has changed, however, is the security threat facing SSL communications. (No, not BEAST. That’s for a different discussion.) Massive increases in compute power have now put the traditional 1024-bit SSL keys within striking distance of brute force attacks that can crack an organization’s private key. Once compromised, the hacker then has the proverbial keys to the castle. Game over.
The natural reaction, of course, is to strengthen security to keep the good guys in control. That’s exactly why the world is moving to 2048-bit SSL. Conservatively, doubling the key length results in 2^32 better security. That should hold the black hats at bay for quite some time. But, there’s a price to be paid. SSL transaction performance drops by ~80% with 2048-bit keys. It’s a math issue. Just like high school algebra or calculus, harder problems take longer to complete.
This 80% performance drop becomes a glaring pain point if you’re an application owner and you flip the switch to 2048-bit SSL. If the infrastructure isn’t ready, the network slows down, traffic latencies increase, and user experience suffers. At the same time, if you’re a large IT vendor delivering one of the most popular devices terminating SSL in enterprise and Internet data centers, you better have a plan for handling 2048-bit SSL. Turns out, Citrix NetScaler has a plan – a very good one at that.
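As an added illustration that is not part of Citrix’s post, the Python below puts rough numbers on the two claims above: the attacker-work gain from 1024- to 2048-bit RSA, estimated from the asymptotic GNFS factoring cost (it lands near 2^30; the 2^32 figure matches NIST SP 800-57’s 80-bit vs 112-bit equivalences), and the per-operation slowdown of the private-key math, measured by timing a full-size modular exponentiation. The modulus and exponent are constructed random values, not a real key; they cost the same to exponentiate.

```python
import math
import random
import time

LN2 = math.log(2)


def gnfs_security_bits(modulus_bits: int) -> float:
    """Approximate work to factor an RSA modulus of the given size, in bits,
    using the asymptotic General Number Field Sieve cost
    L_N[1/3, (64/9)^(1/3)] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)).
    The o(1) term is dropped, so this is a rough estimate only."""
    ln_n = modulus_bits * LN2
    c = (64 / 9) ** (1 / 3)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / LN2  # convert natural-log work to bits


def security_gain_bits(from_bits: int, to_bits: int) -> float:
    """Extra bits of attacker work a longer modulus buys (ratio = 2**result)."""
    return gnfs_security_bits(to_bits) - gnfs_security_bits(from_bits)


def private_op_seconds(modulus_bits: int, reps: int = 10, seed: int = 1) -> float:
    """Time one RSA-style private-key operation, c^d mod n, for a full-size d.
    Constructed values: n is a random odd number of the requested size and d a
    random full-size exponent; not a real key, but the same amount of work."""
    rng = random.Random(seed)  # fixed seed keeps the measurement repeatable
    n = rng.getrandbits(modulus_bits) | (1 << (modulus_bits - 1)) | 1
    d = rng.getrandbits(modulus_bits) | 1
    c = rng.randrange(2, n)
    best = float("inf")
    for _ in range(reps):
        t0 = time.perf_counter()
        pow(c, d, n)
        best = min(best, time.perf_counter() - t0)  # min rejects scheduler noise
    return best


def slowdown(from_bits: int = 1024, to_bits: int = 2048) -> float:
    """Cost ratio per private-key op; ~5x corresponds to an ~80% drop in TPS."""
    return private_op_seconds(to_bits) / private_op_seconds(from_bits)


if __name__ == "__main__":
    print(f"1024-bit RSA ~ 2^{gnfs_security_bits(1024):.0f} work to factor")
    print(f"2048-bit RSA ~ 2^{gnfs_security_bits(2048):.0f} work to factor")
    print(f"gain 1024->2048: ~2^{security_gain_bits(1024, 2048):.0f}")
    print(f"private-key op slowdown 1024->2048: {slowdown():.1f}x")
```

The measured ratio is for CPython big-integer arithmetic without CRT or hardware offload, so the exact factor differs from an appliance’s, but the cubic growth in cost with key size is the same.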
Today, Citrix announced new high-end NetScaler MPX and SDX appliances: http://www.citrix.com/English/ps2/products/subfeature.asp?contentID=2310251. These new solutions drive massive throughput performance (50 Gbps) and connection rates – as you’d expect from NetScaler. What is stunning is the amount of SSL processing that we packed into these 2U appliances. 18 months ago we made the decision to get ahead of the SSL curve. As a result, we can now handle 90,000+ new SSL transactions per second using 2048-bit keys! As far as we can tell, it’s the best in the industry. In truth, we didn’t do much more than listen to our customers and anticipate their needs.
What we didn’t anticipate, however, is that we’d be the only one listening. Seems that some other vendors just didn’t get the memo on 2048-bit SSL. http://citrix.com//site/resources/dynamic/salesdocs/NS_F5_PerformanceChallenge-f2.pdf
Application delivery controllers (ADCs), of course, do a lot more than terminate SSL. What has changed for network managers is that 2048-bit SSL performance – transactions per second, specifically – is now a topline consideration when picking the right load balancer/ADC solution, and when selecting the best vendor. Pick poorly, and your application users will certainly let you know.
It’s time to get your network ready for 2048-bit SSL.