IBM Z10 EC User Manual

Support for ISO 16609

Support for ISO 16609 CBC Mode T-DES Message Authentication (MAC) requirements. ISO 16609 CBC Mode T-DES MAC is accessible through ICSF function calls made in the PCI-X Cryptographic Adapter segment 3 Common Cryptographic Architecture (CCA) code.

This is supported by z/OS and by z/VM for guest exploitation.

Support for RSA keys up to 4096 bits

The RSA services in the CCA API are extended to support RSA keys with modulus lengths up to 4096 bits. The services affected include key generation, RSA-based key management, digital signatures, and other functions related to these.

Refer to the ICSF Application Programmers Guide, SA22-7522, for additional details.

Cryptographic enhancements to Crypto Express2

Dynamically add crypto to a logical partition

Today, users can preplan the addition of Crypto Express2 features to a logical partition (LP) by using the Crypto page in the image profile to define the Cryptographic Candidate List, Cryptographic Online List, and Usage and Control Domain Indexes in advance of crypto hardware installation.

With the change to dynamically add crypto to a logical partition, changes to image profiles, to support Crypto Express2 features, are available without outage to the logical partition. Users can also dynamically delete or move Crypto Express2 features. Preplanning is no longer required.

This enhancement is supported by z/OS, z/VM for guest exploitation, z/VSE, and Linux on System z.

Secure Key AES

The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data.

AES is the symmetric algorithm of choice, instead of Data Encryption Standard (DES) or Triple-DES, for the encryption and decryption of data. The AES encryption algorithm will be supported with secure (encrypted) keys of 128, 192, and 256 bits. The secure key approach, similar to what is supported today for DES and TDES, provides the ability to keep the encryption keys protected at all times, including the ability to import and export AES keys, using RSA public key technology.

Support for AES encryption algorithm includes the master key management functions required to load or generate AES master keys, update those keys, and re-encipher key tokens under a new master key.

Support for 13- thru 19-digit Personal Account Numbers

Credit card companies sometimes perform card security code computations based on Personal Account Number (PAN) data. Currently, ICSF callable services CSNBCSV (VISA CVV Service Verify) and CSNBCSG (VISA CVV Service Generate) are used to verify and to generate a VISA Card Verification Value (CVV) or a MasterCard Card Verification Code (CVC). The ICSF callable services currently support 13-, 16-, and 19-digit PAN data. To provide additional flexibility, new keywords PAN-14, PAN-15, PAN-17, and PAN-18 are implemented in the rule array for both CSNBCSG and CSNBCSV to indicate that the PAN data is comprised of 14, 15, 17, or 18 PAN digits, respectively.

Support for 13- through 19-digit PANs is exclusive to System z10 and is offered by z/OS and z/VM for guest exploitation.
