IBM 890 manual Enabling use of less than 512-bit keys for clear key RSA operations

Models: 890


A mixture of both secure and clear key applications can run on the same Crypto Express2 feature

Based on the increased throughput, the ability to consolidate both secure key and clear key crypto workloads and I/O slots on the same feature

*The SSL rate was achieved with a z990 with 16 processors and 6 PCICA features (12 accelerator cards). These measurements are examples of the maximum transactions/second achieved in a lab environment with no other processing occurring and do not represent actual field measurements. Details available upon request.

All logical partitions (LPARs) in all Logical Channel SubSystems (LCSSs) have access to the Crypto Express2 feature, up to 30 LPARs per feature.

The Crypto Express2 feature is exclusive to z890 and z990, requires the October 2004 level of Licensed Internal Code, and is supported by z/OS, z/OS.e, z/VM, VSE/ESA, and Linux on zSeries. z/VM, VSE/ESA and Linux on zSeries offer support for clear key SSL transactions only.

Enabling use of less than 512-bit keys for clear key RSA operations

The Crypto Express2 and PCIXCC features will now support applications that require clear key RSA operations using keys less than 512 bits, including ICSF Callable services and their corresponding verbs: Digital Signature Verify (CSNDDSV), Public Key Encrypt (CSNDPKE), and Public Key Decrypt (CSNDPKD). All other ICSF Callable services that require a Crypto Express2 or PCIXCC feature continue to require keys of more than 511 bits.

Enabling the lower limit for clear key RSA operations may allow the migration of some additional cryptographic applications to z890 and z990 servers without requiring the applications to be rewritten.

Support of applications that require clear key RSA operations using keys less than 512 bits applies to the Crypto Express2 and PCIXCC features, is exclusive to z890 and z990, and is supported by z/OS, z/OS.e, and z/VM. Refer to the Hardware and Software requirements sections for more information.

Cryptographic support for 19-digit PANs

Crypto Express2 and PCIXCC now offer CVV generation and verification services for 19-digit PANs. Industry practices for use of Card Validation Value (CVV) are moving to base CVV computations on a 19-digit PAN instead of the 13-digit and 16-digit PANs currently in use and supported by ICSF and the PCIXCC feature. ICSF, Crypto Express2, and PCIXCC now support use of the 19-digit PAN in the CVV generation and verification services (CSNBCSG and CSNBCSV, respectively).

CVV generation and verification services for 19-digit PANs, an anti-fraud security feature, are supported by the Crypto Express2 and PCIXCC features on the z890 and z990 and by z/OS and z/OS.e.

2048-bit key RSA management for PCICC on z800, z900

2048-bit key (clear and secure) RSA management capability for z800 and z900 servers, in support of new Automated Teller Machine (ATM) standards, will be available via the 2048-bit key RSA management for PCICC (#0867) feature. 1024-bit key RSA management is available today via a Functional Control Vector (FCV) on the PCI Cryptographic Coprocessor (PCICC) Enablement diskette (#0865). This capability is unique to PCICC and does not apply to the CMOS Cryptographic Coprocessor Facility (CCF).

The 2048-bit functional control vector (FCV) will support four ICSF services: Public Key Decrypt (PKD), Symmetric Key Import (SYI), Symmetric Key Export (SYX) and Symmetric Key Generate (SYG). Applications that require 2048-bit key RSA management will be able to migrate with ease.
