Chapter 5. Cryptography 121
Draft Document for Review April 7, 2004 6:15 pm 6947ch05.fm
Import and export of DES keys under an RSA key, up to 2048-bit
Public Key Encrypt (PKE)
Public Key Encrypt service is provided for the Mod_Raised_to Power (MRP) function.
MRP is used to offload compute intensive portions of the Diffie-Hellman protocol onto
the PCICA, or PCIXCC features of the z990
Public Key Decrypt (PKD)
Public Key Decrypt supports a zero-pad option for clear RSA private keys. PKD is used
as an accelerator for raw RSA private operations, including the use of CRT format
keys. The function may be exploited on Linux to allow use of the PCICC, and PCIXCC
features of the z990 for improved performance of digital signature generation.
Derived Unique Key Per Transaction (DUKPT)
Service is provided to write applications that implement the DUKPT algorithms as
defined by the ANSI X9.24 standard. DUKPT provides additional security for
point-of-sale transactions that are standard in the retail industry. DUKPT algorithms are
supported on the PCIXCC feature.
Europay Mastercard VISA (EMV) 2000 standard
Applications may be written to comply with the EMV 2000standard for financial
transactions between heterogeneous hard- and software. Support for EMV 2000
applies only to the PCIXCC feature of the z990.
Other key functionality of the PCIXCC serve to enhance the security of public/private key
encryption processing:
򐂰Retained key support (RSA private keys generated and kept stored within the secure
hardware boundary)
򐂰Support for 4753 Network Security Processor migration
򐂰User Defined Extensions (UDX) support enhancements, including:
For Activate UDX requests:
Establish Owner
Relinquish Owner
Emergency Burn of Segment
Remote Burn of Segment
Import UDX File function
Reset UDX to IBM def ault function
Query UDX Level function
UDX allows the user to add customized operations to a cryptographic processor.
User-Defined Extensions to the Common Cryptographic Architecture (CCA) support
program that executes within the PCIX Cryptographic Coprocessor will be supported via
an IBM Service Offering.
For unique customer applications, the PCIX Cryptographic Coprocessor will support the
loading of customized cryptographic functions on z990. Support is available via ICSF and the
z990 Cryptographic Support.
More information can be found in the publication IBM zSeries CCA User Defined Extensions
Reference and Guide, available on the cryptocards Web site:
http://www.ibm.com/security/cryptocards