Impact when moving from 2048 to 4096 bit RSA keys

Question

Hi, I am trying to determine the impact of moving from 2048 bit RSA keys to 4096 bit RSA keys for a clientside ssl profile and would like to get some details of the impact when doing so.&nbsp;
I read that the TPS would drop to 20% of what we would be capable when staying on 2048 bit keys. Assuming unlimited license.How much more latency would we have to face in the handshake process?Is there a list of incompatible clients available? Something like 'Outlook 2007, Firefox 12, ...'How much will the increased keysize strengthen the tls connection assuming we stick to the same cipher?Any other sideeffects?
I did also open a F5 support case to this (C2910446 - Analysis of impact when moving from 2048 to 4096 bit RSA keys) but I was wondering if anyone from the community got some interesting ideas/comments to share.&nbsp;
Once I get a proper response from F5 support I can share here as well as I think many might be interested.&nbsp;
Cheers,
Torsten&nbsp;

y_ajit_381334 · Answer

Hi Torsten, &nbsp;
I Would be interested in knowing the response on this from F5 support team.&nbsp;

fozail · Answer

Hi,&nbsp;
Changing from 2048 to 4096 bit keys, would reduce number of supported TPS as you have noticed/got the information. However at the same time it would need more resources as well to cope up with 4096 bit keys. Hence it might depend that what hardware do you have where you would like to change the key.&nbsp;
I would suggest that involve account manager to get more concrete information on this.&nbsp;

torsten_sorger · Answer

We did just close the case and it pretty much boils down to this:&nbsp;
Performance should be impacted by (up to) 17x comparing 1024 and 4096 bit keys, factor between 1024 and 2048 is 4x. See K13067: Performance impact of transitioning to 2048-bit SSL key sizes to this in detail.&nbsp;
Regarding licensing, there is quite some explanation available in K6475: Overview of SSL TPS licensing limits.&nbsp;
A few ressources outside  were provided regrading this topic:&nbsp;
Yubico Blog - The Big Debate, 2048 vs. 4096, Yubico’s PositionRandom Notes - HTTPS Performance, 2048-bit vs 4096-bitCertSimple - So you're making an RSA key for an HTTPS certificate. What key size do you use?
For actual measurements F5 refers to professional services.&nbsp;

Forum Discussion

Impact when moving from 2048 to 4096 bit RSA keys

3 Replies

Recent Discussions

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

SMTP profile not visible & showing

About AWAF "Redirect URLs" in "Responses and Blocks"

F5 iRule to replace host to path

Related Content

Moving from Viprion to rseries

Remove subnet from NAT pools without any impact

Shape Security and Volterra moving to F5 Distributed Cloud Services

Moving Target

Impact of disabling TCP Timestamp in TCP and fasl4 profile