Cryptographic Synchronous Functions - IBM z13s Technical Manual

These functions are provided as problem-state z/Architecture instructions that are directly
available to application programs. These instructions are known as Message-Security Assist
(MSA). When enabled, the CPACF runs at processor speed for every CP, IFL, and zIIP. For
more information about MSA instructions, see z/Architecture Principles of Operation,
SA22-7832.

The CPACF must be explicitly enabled by using an enablement feature (feature code 3863)
that is available for no additional charge. The exception is the support for the hashing
algorithms SHA-1, SHA-256, SHA-384, and SHA-512, which is always enabled.

6.4.1 Cryptographic synchronous functions

Because the CPACF works synchronously with the PU, it provides cryptographic synchronous
functions. IBM and client-written programs can start CPACF functions by using the MSA
instructions. z/OS ICSF callable services on z/OS, in-kernel crypto APIs, and a
cryptographic functions library running on Linux on z Systems can also start CPACF
synchronous functions.

The CPACF coprocessor in z13s servers is redesigned for improved performance. Compared
to the zBC12, it delivers more than two times the performance for large block data,
depending on the function that is being used. These tools might benefit from the
throughput improvements:
DB2/IMS encryption tool
DB2 built-in encryption
z/OS Communication Server: IPsec/IKE/AT-TLS
z/OS System SSL
z/OS Network Authentication Service (Kerberos)
DFDSS Volume encryption
z/OS Java SDK
z/OS Encryption Facility
Linux on z Systems: Kernel, openSSL, openCryptoki, and GSKIT

The z13s hardware includes the implementation of algorithms as hardware synchronous
operations. This configuration holds the PU processing of the instruction flow until the
operation completes. z13s servers offer the following synchronous functions:

Data encryption and decryption algorithms for data privacy and confidentiality:
  – Data Encryption Standard (DES):
      • Single-length key DES
      • Double-length key DES
      • Triple-length key DES (also known as Triple-DES)
  – Advanced Encryption Standard (AES) for 128-bit, 192-bit, and 256-bit keys
Hashing algorithms for data integrity, such as SHA-1, and SHA-2 support for SHA-224, SHA-256, SHA-384, and SHA-512
Message authentication code (MAC):
  – Single-length key MAC
  – Double-length key MAC
Pseudo-random number generation (PRNG) and deterministic random number generation (DRNG) for cryptographic key generation.

For the SHA hashing algorithms and the random number generation algorithms, only clear
keys are used. For the symmetric encryption/decryption DES and AES algorithms, clear keys
IBM z13s Technical Guide
libica
