IBM Z10 BUSINESS CLASS Z10 BC User Manual


Support for AES encryption algorithm includes the master key management functions required to load or generate AES master keys, update those keys, and re-encipher key tokens under a new master key.

Support for 13- thru 19-digit Personal Account Numbers

Credit card companies sometimes perform card security code computations based on Personal Account Number (PAN) data. Currently, ICSF callable services CSNBCSV (VISA CVV Service Verify) and CSNBCSG (VISA CVV Service Generate) are used to verify and to generate a VISA Card Verification Value (CVV) or a MasterCard Card Verification Code (CVC). The ICSF callable services currently support 13-, 16-, and 19-digit PAN data. To provide additional flexibility, new keywords PAN-14, PAN-15, PAN-17, and PAN-18 are implemented in the rule array for both CSNBCSG and CSNBCSV to indicate that the PAN data is comprised of 14, 15, 17, or 18 PAN digits, respectively.

Support for 13- through 19-digit PANs is exclusive to System z10 and is offered by z/OS and z/VM for guest exploitation.

TKE 5.3 workstation

The Trusted Key Entry (TKE) workstation and the TKE 5.3 level of Licensed Internal Code are optional features on the System z10 BC. The TKE 5.3 Licensed Internal Code (LIC) is loaded on the TKE workstation prior to shipment. The TKE workstation offers security-rich local and remote key management, providing authorized persons a method of operational and master key entry, identification, exchange, separation, and update. The TKE workstation supports connectivity to an Ethernet Local Area Network (LAN) operating at 10 or 100 Mbps. Up to ten TKE workstations can be ordered.

Enhancement with TKE 5.3 LIC

The TKE 5.3 level of LIC includes support for the AES encryption algorithm, adds 256-bit master keys, and includes the master key management functions required to load or generate AES master keys to cryptographic coprocessors in the host.

Also included is an imbedded screen capture utility to permit users to create and to transfer TKE master key entry instructions to diskette or DVD. Under ‘Service Management’ a “Manage Print Screen Files” utility will be available to all users.

The TKE workstation and TKE 5.3 LIC are available on the z10 EC, z10 BC, z9 EC, and z9 BC.

Smart Card Reader

Support for an optional Smart Card Reader attached to the TKE 5.3 workstation allows for the use of smart cards that contain an embedded microprocessor and associated memory for data storage. Access to and the use of confidential data on the smart cards is protected by a user-defined Personal Identification Number (PIN).

TKE 5.3 LIC has added the capability to store key parts on DVD-RAMs and continues to support the ability to store key parts on paper, or optionally on a smart card. TKE 5.3 LIC has limited the use of floppy diskettes to read-only.

The TKE 5.3 LIC can remotely control host cryptographic coprocessors using a password-protected authority signature key pair either in a binary file or on a smart card.

The Smart Card Reader, attached to a TKE workstation with the 5.3 level of LIC, will support System z10 BC, z10 EC, z9 EC, and z9 BC. However, TKE workstations with 5.0, 5.1 and 5.2 LIC must be upgraded to TKE 5.3 LIC.
