6947ch05.fm Draft Document for Review April 7, 2004 6:15 pm
122 IBM eServer zSeries 990 Technical Guide
The Web site will direct the customer's request to an IBM Global Services (IGS) location
appropriate for the customer's geographic location. A special contract will be negotiated
between IGS and the customer, covering development of the UDX by IGS per the customer's
specifications, as well as an agreed-upon level of the UDX.
Under a special contract with IBM, PCIX Cryptographic Coprocessor customers will gain the
flexibility to define and load custom cryptographic functions themselves. This service offering
can be requested via the IBM Cryptocards Web site by selecting the Custom Programming
option.
5.2 z990 Cryptographic processors
Three types of cryptographic hardware features are available on z990. The cryptographic
features are usable only when explicitly enabled through IBM.
- CP Assist for Cryptographic Function (CPACF)
The CP Assist for Cryptographic Function feature provides hardware acceleration for DES,
TDES, MAC, and SHA-1 cryptographic services. Cryptographic keys must be protected by
the application system.
- PCIX Cryptographic Coprocessor (PCIXCC)
The PCIX Cryptographic Coprocessor provides a replacement for both the PCICC and the
CMOS Cryptographic Coprocessor Facility (CCF). The PCIXCC on z990 provides
equivalent PCICC functions at higher performance. It also includes functions that were
implemented in the CCF. The PCIXCC supports highly secure cryptographic functions,
use of secure encrypted key values and user-defined extensions.
- PCI Cryptographic Accelerator (PCICA)
Secure Web transactions frequently employ the Secure Sockets Layer (SSL) protocol. The
IBM e-business PCI Cryptographic Accelerator offloads from your server the
compute-intensive public-key cryptographic operations employed in the protocol. This
cost-effective solution often enables significantly greater server throughput.

5.2.1 CP Assist for Cryptographic Function (CPACF)

Each CP has an assist processor on the chip in support of cryptography. The CP Assist for
Cryptographic Function (CPACF) provides high performance hardware encryption and
decryption support. To that end, the following five new instructions are introduced with the
cryptographic assist function:
- KMAC - Compute Message Authentication Code
- KM - Cipher Message
- KMC - Cipher Message with Chaining
- KIMD - Compute Intermediate Message Digest
- KLMD - Compute Last Message Digest
The CP Assist for Cryptographic Function offers a set of symmetric cryptographic functions
that enhance the encryption and decryption performance of clear key operations for SSL,
VPN, and data-storing applications that do not require FIPS 140-2 level 4 security. The
cryptographic architecture includes DES and TDES data encryption and decryption, MAC
message authentication, and SHA-1 hashing. These functions are directly available to
application programs, diminishing programming overhead.
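The KIMD and KLMD instructions listed above split a hash computation into an intermediate step and a final step. The following Python model of the SHA-1 case is an added illustration, not code from the IBM guide: `kimd` folds whole 64-byte blocks into the chaining value, and `klmd` pads and finishes the remaining data. The function names and the `sha1_streamed` helper are assumptions made for this example; the model mirrors the division of work only and does not issue the machine instructions.

```python
import struct

BLOCK = 64  # SHA-1 data block size in bytes
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def compress(cv, block):
    """One SHA-1 compression step: fold a 64-byte block into the chaining value."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = cv
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (rotl(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(cv, (a, b, c, d, e)))

def kimd(cv, data):
    """Model of KIMD: whole blocks only, no padding; returns the new chaining value."""
    if len(data) % BLOCK:
        raise ValueError("intermediate digest input must be a multiple of 64 bytes")
    for i in range(0, len(data), BLOCK):
        cv = compress(cv, data[i:i + BLOCK])
    return cv

def klmd(cv, tail, total_bits):
    """Model of KLMD: append 0x80, zero fill and the 64-bit message bit length."""
    padded = tail + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK) + struct.pack(">Q", total_bits)
    return struct.pack(">5I", *kimd(cv, padded))

def sha1_streamed(chunks):
    """Hash a stream: intermediate step per full block, last step once at the end."""
    cv, buf, total = IV, b"", 0
    for chunk in chunks:
        buf, total = buf + chunk, total + len(chunk)
        full = len(buf) - len(buf) % BLOCK
        cv, buf = kimd(cv, buf[:full]), buf[full:]
    return klmd(cv, buf, total * 8)
```

The caller carries the chaining value and the running length between calls, so a digest can be computed over data that arrives in pieces; the result equals a one-shot SHA-1 over the concatenated input.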