IBM Z10 EC User Manual

Enhancements to CP Assist for Cryptographic Function (CPACF):

CPACF has been enhanced to include support of the fol-

lowing on CPs and IFLs:

• Advanced Encryption Standard (AES) for 192-bit keys

and 256-bit keys

• SHA-384 and SHA-512 bit for message digest

SHA-1, SHA-256, and SHA-512 are shipped enabled and

do not require the enablement feature.

Support for CPACF is also available using the Integrated

Cryptographic Service Facility (ICSF). ICSF is a com-

ponent of z/OS, and is designed to transparently use

the available cryptographic functions, whether CPACF

or Crypto Express2, to balance the workload and help

address the bandwidth requirements of your applications.

The enhancements to CPACF are exclusive to the System

z10 and supported by z/OS, z/VM, z/VSE, and Linux on

System z.

Confi gurable Crypto Express2

The Crypto Express2 feature has two PCI-X adapters.

Each of the PCI-X adapters can be defi ned as either a

Coprocessor or an Accelerator.

Crypto Express2 Coprocessor – for secure-key encrypted

transactions (default) is:

• Designed to support security-rich cryptographic func-

tions, use of secure-encrypted-key values, and User

Defi ned Extensions (UDX)

• Designed to support secure and clear-key RSA opera-

tions

• The tamper-responding hardware and lower-level fi rm-

ware layers are validated to U.S. Government FIPS 140-

2 standard: Security Requirements for Cryptographic

Modules at Level 4.

Crypto Express2 Accelerator – for Secure Sockets Layer

(SSL) acceleration:

• Is designed to support clear-key RSA operations

• Offl oads compute-intensive RSA public-key and private-

key cryptographic operations employed in the SSL pro-

tocol Crypto Express2 features can be carried forward

on an upgrade to the System z10 EC, so users may con-

tinue to take advantage of the SSL performance and the

confi guration capability.

The confi gurable Crypto Express2 feature is supported by

z/OS, z/VM, z/VSE, and Linux on System z. z/VSE offers

support for clear-key operations only. Current versions of

z/OS, z/VM, and Linux on System z offer support for both

clear-key and secure-key operations.

Additional cryptographic functions and features with

Crypto Express2

Key management – Added key management for remote

loading of ATM and Point of Sale (POS) keys. The elimina-

tion of manual key entry is designed to reduce downtime

due to key entry errors, service calls, and key manage-

ment costs.

Improved key exchange – Added Improved key

exchange with non-CCA cryptographic systems.

New features added to IBM Common Cryptographic

Architecture (CCA) are designed to enhance the ability to

exchange keys between CCA systems, and systems that

do not use control vectors by allowing the CCA system

owner to defi ne permitted types of key import and export

while preventing uncontrolled key exchange that can open

the system to an increased threat of attack.

These are supported by z/OS and by z/VM for guest

exploitation.

35