IBM Z10 EC manual Configurable Crypto Express2

Enhancements to CP Assist for Cryptographic Function (CPACF):

CPACF has been enhanced to include support of the fol- lowing on CPs and IFLs:

•Advanced Encryption Standard (AES) for 192-bit keys and 256-bit keys

•SHA-384 and SHA-512 bit for message digest

SHA-1, SHA-256, and SHA-512 are shipped enabled and do not require the enablement feature.

Support for CPACF is also available using the Integrated Cryptographic Service Facility (ICSF). ICSF is a com- ponent of z/OS, and is designed to transparently use the available cryptographic functions, whether CPACF or Crypto Express2, to balance the workload and help address the bandwidth requirements of your applications.

The enhancements to CPACF are exclusive to the System z10 and supported by z/OS, z/VM, z/VSE, and Linux on System z.

Configurable Crypto Express2

The Crypto Express2 feature has two PCI-X adapters. Each of the PCI-X adapters can be defi ned as either a Coprocessor or an Accelerator.

Crypto Express2 Coprocessor – for secure-key encrypted transactions (default) is:

•Designed to support security-rich cryptographic func- tions, use of secure-encrypted-key values, and User Defi ned Extensions (UDX)

•Designed to support secure and clear-key RSA opera- tions

•The tamper-responding hardware and lower-level fi rm- ware layers are validated to U.S. Government FIPS 140- 2 standard: Security Requirements for Cryptographic Modules at Level 4.

Crypto Express2 Accelerator – for Secure Sockets Layer (SSL) acceleration:

•Is designed to support clear-key RSA operations

•Offl oads compute-intensive RSA public-key and private- key cryptographic operations employed in the SSL pro- tocol Crypto Express2 features can be carried forward on an upgrade to the System z10 EC, so users may con- tinue to take advantage of the SSL performance and the confi guration capability.

The confi gurable Crypto Express2 feature is supported by z/OS, z/VM, z/VSE, and Linux on System z. z/VSE offers support for clear-key operations only. Current versions of z/OS, z/VM, and Linux on System z offer support for both clear-key and secure-key operations.

Additional cryptographic functions and features with Crypto Express2

Key management – Added key management for remote loading of ATM and Point of Sale (POS) keys. The elimina- tion of manual key entry is designed to reduce downtime due to key entry errors, service calls, and key manage- ment costs.

Improved key exchange – Added Improved key exchange with non-CCA cryptographic systems.

New features added to IBM Common Cryptographic Architecture (CCA) are designed to enhance the ability to exchange keys between CCA systems, and systems that do not use control vectors by allowing the CCA system owner to defi ne permitted types of key import and export while preventing uncontrolled key exchange that can open the system to an increased threat of attack.

These are supported by z/OS and by z/VM for guest exploitation.