News & Events

RSA-1024 Vs. RSA-2048 bit encrytion in DS3 Authentication Server PDF E-mail



Please be informed that DS3 uses RSA-1024 bit rather than RSA-2048 bit for end-to-end encryption in DS3 Authentication Server. While DS3 has developed the RSA-2048 bit encryption feature, it has not integrated the new feature as a standard feature in the existing DS3 Authentication Server due to performance and other reasons.  If you are interested in adopting RSA-2048 bit encryption, please read this notice carefully, and then make an educated decision.


The end-to-end encryption in DS3 Authentication Server is implemented in two components. The RSA-2048 bit encryption, when tested on these components showed major problems as explained below:

·         JavaScript end-to-end encryption library

In the current implementation, the user credentials are encrypted on web browsers using a JavaScript supporting RSA-1024 bit encryption. When DS3 tested RSA-2048 bit encryption on the same browsers, many web browsers, especially the older mobile browsers such as HTC Tattoo native web browser, failed to support RSA-2048 bit encryption due to limited computation power of in-browser JavaScript engine.


·         DS3 Authentication Server backend

DS3 Authentication Server is fitted with an in-built HSM for encryption, decryption and secure storage of keys. Switching from RSA-1024 bit encryption to RSA-2048 bit encryption caused significant impact on the performance of DS3 Authentication Server as the increase in key length led to an exponential increase in the computational intensity of the HSM. This, in turn, reduced the number of transactions handled by the DS3 Authentication Server (per second) by about 75% to 80%.  This is a significant drop in performance which can severely cripple the overall throughput of the DS3 Authentication Server.


Thus, DS3 does not recommend switching the end-to-end encryption to RSA-2048 until the web browsers are equipped to handle RSA-2048 bit encryptions and DS3 optimizes its RSA-2048 bit encryption implementation to improve the performance of the server. Since the optimization and/or possible redesign involve major rework, DS3 plans to integrate RSA-2048 bit encryption into the current implementation only in Q4 2013.  As a mitigating step, web servers should already be using RSA-2048 certificates so that the underlying session encryption is protected at RSA-2048 bit strength.


In the meantime, DS3 assures you that the current implementation using the RSA-1024 bit encryption is sufficient, and complies with most of the regulatory bodies, including Monetary Authority of Singapore Internet Banking and Technology Risk Management Guidelines (MAS IBTRM) version 3.0. But, if you are still interested in using the RSA-2048 bit encryption, DS3 can integrate the new feature into the DS3 Authentication Server provided you understand the risks involved with adopting RSA-2048 bit encryption, and assume responsibility for the poor performance of the DS3 Authentication Server and related systems.


If you would like to adopt the DS3 RSA-2048 bit implementation at this time, please confirm that you have read this letter and understand the risks/issues involved with RSA-2048 bit encryption by sending an email to the DS3 project team. DS3 will get back to you with our quotation as soon as possible.


We thank you for your understanding in this matter, and look forward to serving you again in future.






DS3 is member of

    IBM Information Governance Council  

Follow us on