How Citrix NetScaler Makes it Easy to Comply Now with Next Year’s NIST Requirement to Migrate to 2048-bit RSA Keys

Robert Chen, Principal Product Marketing Manager, NetScaler » Citrix announced it has enhanced its NetScaler MPX product to offer easy adoption of 2048-bit RSA key requirements as recommended by the National Institute of Standards and Technology (NIST). Citrix talks about why the company is leading the industry as the first to adapt its networking technology in anticipation of this necessary customer migration.

Q: Why is the industry moving to 2048-bit RSA keys?
A: The National Institute of Standards and Technology (NIST) issued Special Publication 800-57 in March 2007, which recommends the use of 2048-bit RSA keys starting Jan. 1, 2011. Federal agencies are required to comply with NIST recommendations. NIST recommendations are also generally adopted by private enterprises and other foreign countries. To ease the transition from 1024-bit RSA keys to 2048-bit RSA keys, NIST issued Draft SP 800-131 in June 2010, which extends the deadline to move to 2048-bit RSA keys to 2013. Specifically, Draft SP 800-131 states:

  • 2048-bit RSA keys: “Acceptable” – meaning the algorithm and key length are safe to use; no security risk is currently known.
  • 1024-bit RSA keys: “Deprecated from 2011 – 2013” – meaning the use of the algorithm and key length is allowed, but the user must accept some risk.

Q: What do the NIST publications mean for customers?
A: Customers will need to replace their 1024-bit certificates with 2048-bit certificates. Federal, financial services and healthcare industries will likely be the first ones to adopt 2048-bit certificates due to regulatory standards, with other industries following closely behind.
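Replacing 1024-bit certificates starts with finding them. The following inventory check is an added example written for this page; it is not Citrix or NetScaler code and does not touch a NetScaler appliance. It uses only the Python standard library: a minimal DER walker pulls the RSA modulus out of a PEM public key (either a PKCS#1 RSAPublicKey or an X.509 SubjectPublicKeyInfo, the structure that also sits inside every certificate) and reports the key size against the 2048-bit floor from SP 800-57 / Draft SP 800-131. The sample keys at the bottom are constructed: their moduli are placeholders of the right length, not real RSA moduli, because only the length matters for this audit.

```python
"""Audit RSA public keys against the 2048-bit minimum (added example, not Citrix code)."""
import base64
import re

MIN_RSA_BITS = 2048  # NIST SP 800-57 / Draft SP 800-131: 2048 "acceptable", 1024 deprecated 2011-2013
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(data[pos:pos + n_octets], "big")
        pos += n_octets
    return tag, data[pos:pos + length], pos + length


def _children(seq_value: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value


def rsa_modulus_bits(der: bytes) -> int:
    """Modulus bit length of a DER RSAPublicKey (PKCS#1) or SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    elems = list(_children(body))
    first_tag, first_val = elems[0]
    if first_tag == 0x02:  # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
        return int.from_bytes(first_val, "big").bit_length()
    if first_tag == 0x30:  # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
        alg = list(_children(first_val))
        if alg[0] != (0x06, RSA_ENCRYPTION_OID):
            raise ValueError("not an rsaEncryption key")
        bit_tag, bit_val = elems[1]
        if bit_tag != 0x03:
            raise ValueError("expected BIT STRING")
        return rsa_modulus_bits(bit_val[1:])  # first octet of a BIT STRING is the unused-bits count
    raise ValueError("unrecognised structure")


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor lines and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def classify(bits: int) -> str:
    """Map a key size onto the Draft SP 800-131 wording quoted in the interview."""
    return "acceptable" if bits >= MIN_RSA_BITS else "deprecated 2011-2013: replace"


def audit(named_pems: dict) -> dict:
    """Return {name: (bits, verdict)} for a mapping of name -> PEM public key."""
    report = {}
    for name, pem in named_pems.items():
        bits = rsa_modulus_bits(pem_to_der(pem))
        report[name] = (bits, classify(bits))
    return report


# --- constructed sample keys: placeholder moduli of a given length, NOT real RSA keys ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return _der(0x02, b)


def make_sample_spki(bits: int) -> bytes:
    """SubjectPublicKeyInfo whose modulus is exactly `bits` bits long (placeholder value)."""
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # rsaEncryption, NULL params
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))


def make_sample_pem(bits: int) -> str:
    b64 = base64.b64encode(make_sample_spki(bits)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    for name, (bits, verdict) in audit({"legacy-vip": make_sample_pem(1024),
                                        "renewed-vip": make_sample_pem(2048)}).items():
        print(f"{name}: {bits}-bit RSA -> {verdict}")
```

In practice the input to `audit()` would be the public keys extracted from the certificates bound to each SSL virtual server (for example with `openssl x509 -pubkey -noout`, a real OpenSSL option), so the same check covers certificates as well as bare keys; the parser deliberately rejects anything that is not an rsaEncryption key rather than guessing.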

Q: What has Citrix done with its NetScaler product to lessen the impact of moving to 2048-bit keys?
A: We leveraged our multi-core, nCore architecture and recent SSL enhancements, and we partnered with Cavium to optimize the performance of NetScaler for 2048-bit SSL keys. As a result, we were able to increase our performance for 2048-bit SSL keys by 5X.

Q: How are certificate authorities (e.g., Verisign, Entrust, RSA, etc.) responding to this change?
A: Verisign and other CAs are converting their root certificate servers to 2048-bit RSA keys beginning in Q4 2010. CAs will default to issuing new certificates in 2048-bit key sizes. Requests for 1024-bit certificates will be treated as “exceptions” and set to expire at the end of 2013.

Q: How will 2048-bit RSA keys affect SSL performance?
A: SSL with 2048-bit RSA keys requires significantly greater processing capacity – up to 30x more. This means that equaling the SSL TPS performance of a single ADC for 1024-bit keys requires up to 30 equivalent ADCs.