Cryptographic Asynchronous Functions - IBM z13s Technical Manual

6.5.1 Cryptographic asynchronous functions

The optional PCIe cryptographic coprocessor Crypto Express5S provides asynchronous
cryptographic functions to z13s servers. Over 300 cryptographic algorithms and modes are
supported, including the following:
- DES/TDES with DES/TDES MAC/CMAC: The Data Encryption Standard is a widespread
  symmetrical encryption algorithm. DES and TDES are no longer considered sufficiently
  secure for many applications. They have been replaced by AES as the official US
  standard, but are still used in the industry, together with MAC and the Cipher-based
  Message Authentication Code (CMAC) for verifying the integrity of messages.
- AES, AESKW, AES GMAC, AES GCM, AES XTS mode, CMAC: AES replaced DES as
  the official US standard in October 2000. Also, the enhanced standards for AES Key Wrap
  (AESKW), the AES Galois Message Authentication Code (AES GMAC) and
  Galois/Counter Mode (AES GCM), as well as the XEX-based tweaked-codebook mode
  with ciphertext stealing (AES XTS) and CMAC are supported.
- MD5, SHA-1, SHA-2 (224, 256, 384, 512), HMAC: The Secure Hash Algorithm (SHA-1
  and the enhanced SHA-2 for different block sizes) as well as the older message-digest
  (MD5) algorithm and the advanced Hash-Based Message Authentication Code (HMAC)
  are used for verifying both the data integrity and the authentication of a message.
- Visa Format Preserving Encryption (VFPE): A method of encryption where the resulting
  cipher text has the same form as the input clear text, developed for use with credit cards.
- RSA (512, 1024, 2048, 4096): RSA was published in 1977 and is named after the
  initial letters of the surnames of its authors, Ron Rivest, Adi Shamir, and Leonard Adleman.
  It is a widely used asymmetric public-key algorithm, which means that the encryption key
  is public while the decryption key is kept secret. It is based on the difficulty of factoring the
  product of two large prime numbers. The numbers describe the key lengths.
- ECDSA (192, 224, 256, 384, 521 Prime/NIST): Elliptic Curve Cryptography (ECC) is a
  family of asymmetric cryptographic algorithms based on the algebraic structure of elliptic
  curves. ECC can be used for encryption, pseudo-random number generation, and digital
  certificates. The Elliptic Curve Digital Signature Algorithm (ECDSA) Prime/NIST method is
  used for ECC digital signatures that are recommended for government use by the National
  Institute of Standards and Technology (NIST).
- ECDSA (160, 192, 224, 256, 320, 384, 512 BrainPool): ECC Brainpool is a workgroup of
  companies and institutions that collaborate on developing ECC algorithms. The ECDSA
  algorithms that are recommended by this group are supported.
- ECDH (192, 224, 256, 384, 521 Prime/NIST): Elliptic Curve Diffie-Hellman (ECDH) is an
  asymmetric protocol used for key agreement between two parties that use ECC-based
  private keys. The recommendations by NIST are supported.
- ECDH (160, 192, 224, 256, 320, 384, 512 BrainPool): ECDH according to the Brainpool
  recommendations.
- Montgomery Modular Math Engine: The Montgomery Modular Math Engine is a method
  for fast modular multiplication. Many cryptosystems, such as RSA and Diffie-Hellman key
  exchange, use this method.
- Random Number Generator (RNG): The generation of random numbers for cryptographic
  key generation is supported.
- Prime Number Generator (PNG): The generation of prime numbers is supported.
- Clear Key Fast Path (Symmetric and Asymmetric): This mode of operation gives a direct
  hardware path to the cryptographic engine and provides high performance for public-key
  cryptographic functions.
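
The Montgomery entry in the list above names a method without showing it, so the following added example (not taken from the IBM manual and not the coprocessor's implementation) models Montgomery reduction in software and uses it for RSA-style modular exponentiation. The class, its method names, and the toy key are constructed for illustration.

```python
# Added illustration; names are hypothetical and this is not Crypto Express5S code.
# Not constant-time (data-dependent branches), so it is a model, not a production routine.

class Montgomery:
    """Montgomery arithmetic modulo an odd n, with R = 2**k > n."""

    def __init__(self, n: int):
        if n < 3 or n % 2 == 0:
            raise ValueError("modulus must be odd and >= 3 so that gcd(n, R) == 1")
        self.n = n
        self.k = n.bit_length()
        r = 1 << self.k
        self.mask = r - 1                      # x & mask == x mod R
        self.n_neg_inv = (-pow(n, -1, r)) % r  # n * n_neg_inv == -1 (mod R)
        self.r2 = (r * r) % n                  # R^2 mod n: converts into Montgomery form
        self.one = r % n                       # Montgomery form of 1

    def redc(self, t: int) -> int:
        """Return t * R^-1 mod n for 0 <= t < n*R, without dividing by n."""
        m = ((t & self.mask) * self.n_neg_inv) & self.mask
        u = (t + m * self.n) >> self.k         # exact shift: t + m*n is a multiple of R
        return u - self.n if u >= self.n else u

    def to_mont(self, a: int) -> int:
        return self.redc((a % self.n) * self.r2)

    def mul(self, a: int, b: int) -> int:
        """Product of two Montgomery-form values, still in Montgomery form."""
        return self.redc(a * b)

    def modexp(self, base: int, exp: int) -> int:
        """base**exp mod n by square-and-multiply over Montgomery-form values."""
        if exp < 0:
            raise ValueError("negative exponents are not handled")
        x, acc = self.to_mont(base), self.one
        for bit in bin(exp)[2:]:
            acc = self.mul(acc, acc)
            if bit == "1":
                acc = self.mul(acc, x)
        return self.redc(acc)                  # leave Montgomery form


def rsa_roundtrip(message: int) -> tuple[int, int]:
    """Encrypt then decrypt with a constructed toy key (n = 61 * 53); not a real key."""
    n, e, d = 3233, 17, 2753
    mont = Montgomery(n)
    cipher = mont.modexp(message, e)
    return cipher, mont.modexp(cipher, d)
```

The speed-up comes from `redc`: every reduction inside the exponentiation loop is a mask and a shift by a power of two instead of a division by the modulus.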
Chapter 6. Cryptography