Chapter 5. Cryptography 123
Draft Document for Review April 7, 2004 6:15 pm 6947ch05.fm
The CP Assist for Cryptographic Function complements but does not execute public key
(PKA) functions and is a prerequisite for the secure cryptographic operations provided b y t he
PCIX Cryptographic Coprocessor (PCIXCC) feature, and the PCI Cryptographic Accelerator
(PCICA) feature. The CP Assist for Cryptographic Function runs at z990 processor speed,
and since the facility is available on every CP in the system, there are no affinity issues as in
earlier CMOS processors.
The functions of the CP Assist for Cryptographic Function must be enabled or disabled by the
manufacturing process to conform to United States export requirements.
5.2.2 PCIX Cryptographic Coprocessor (PCIXCC)
The optional Peripheral Component Interconnect Extended Cryptographic Coprocessor
(PCIXCC) provides a high performance cryptographic environment with added function. In
fact, the PCIX Cryptographic Coprocessor consolidates the functions previously offered on
the z900 by the Cryptographic Coprocessor feature (CCF), and the PCI Cryptographic
Coprocessor (PCICC) feature. CCF and PCICC features are not available on the z990. The
PCIXCC feature provides asynchronous functions only.
The PCIXCC feature is designed for FIPS 140-2 Level 4 compliance rating for secure
cryptographic hardware. Unauthorized removal of the card or feature zeroizes its content.
The PCIX Cryptographic Coprocessor features on the z990 enable the user to do the
following:
򐂰Encrypt and decrypt data utilizing secret-key algorithms. Triple-length key DES and
double-length key DES algorithms are supported.
򐂰Generate, install, and distribute cryptographic keys securely using both public and secret
key cryptographic methods.
򐂰Generate, verify, and translate personal identification numbers (P INs).
򐂰Ensure the integrity of data by using message authentication codes (MACs), hashing
algorithms, and Rivest-Shamir-Adelman (RSA) public key algorithm (PKA) digital
signatures.
Three methods of master key entry are provided by ICSF for the PCIX Cryptographic
Coprocessor features:
1. A pass phrase initialization method that generates and enters all master keys that are
necessary to fully enable the cryptographic system in a minimal number of steps.
2. A simplified master key entry procedure provided through a series of Clear Master Key
Entry panels from a TSO terminal.
3. In enterprises that require enhanced key-entry security, a Trusted Key Entry (TKE)
workstation is available as an optional feature.
The security-relevant portion of the cryptographic functions is performed inside the secure
physical boundary of a tamper-resistant card. Master keys and other security-relevant
information are also maintained inside this secure boundary.
The PCIXCC features operate with the Integrated Cryptographic Service Facility (ICSF) and
IBM Resource Access Control Facility (RACF®), or equivalent software products, in a z/OS or
OS/390 operating environment to provide data privacy, data integrity, cryptographic key
installation and generation, electronic cryptographic key distribution, and personal
identification number (PIN) processing.