IBM 990 User Manual

Chapter 5. Cryptography

Key generation, up to 2048-bit

Signature Verification, up to 2048-bit

Import and export of DES keys under an RSA key, up to 2048-bit

– Public Key Encrypt (PKE)

The Public Key Encrypt service is provided for the Mod_Raised_to Power (MRP) function.
MRP is used to offload compute-intensive portions of the Diffie-Hellman protocol onto
the PCICA or PCIXCC features of the z990.

– Public Key Decrypt (PKD)

Public Key Decrypt supports a zero-pad option for clear RSA private keys. PKD is used
as an accelerator for raw RSA private operations, including the use of CRT format
keys. The function may be exploited on Linux to allow use of the PCICC and PCIXCC
features of the z990 for improved performance of digital signature generation.

– Derived Unique Key Per Transaction (DUKPT)

This service is provided so that applications can implement the DUKPT algorithms as
defined by the ANSI X9.24 standard. DUKPT provides additional security for
point-of-sale transactions that are standard in the retail industry. DUKPT algorithms are
supported on the PCIXCC feature.

– Europay Mastercard VISA (EMV) 2000 standard

Applications may be written to comply with the EMV 2000 standard for financial
transactions between heterogeneous hardware and software. Support for EMV 2000
applies only to the PCIXCC feature of the z990.

Other key functionalities of the PCIXCC serve to enhance the security of public/private key
encryption processing:

Retained key support (RSA private keys generated and kept stored within the secure
hardware boundary)

Support for 4753 Network Security Processor migration

User Defined Extensions (UDX) support enhancements, including:

– For Activate UDX requests:

Establish Owner

Relinquish Owner

Emergency Burn of Segment

Remote Burn of Segment

– Import UDX File function

– Reset UDX to IBM default function

– Query UDX Level function

UDX allows the user to add customized operations to a cryptographic processor.
User-Defined Extensions to the Common Cryptographic Architecture (CCA) support
program that executes within the PCIX Cryptographic Coprocessor will be supported via
an IBM Service Offering.

For unique customer applications, the PCIX Cryptographic Coprocessor will support the
loading of customized cryptographic functions on z990. Support is available via ICSF and the
z990 Cryptographic Support.
