Cryptography - IBM System z10 EC Reference Manual

Cryptography

The z10 EC includes both standard cryptographic hardware and optional cryptographic features for flexibility and growth capability. IBM has a long history of providing hardware cryptographic solutions, from the development of Data Encryption Standard (DES) in the 1970s to delivering integrated cryptographic hardware in a server to achieve the US Government's highest FIPS 140-2 Level 4 rating for secure cryptographic hardware.

The IBM System z10 EC cryptographic functions include the full range of cryptographic operations needed for e-business, e-commerce, and financial institution applications. In addition, custom cryptographic functions can be added to the set of functions that the z10 EC offers.

New integrated clear key encryption security features on z10 EC include support for a higher advanced encryption standard and more secure hashing algorithms. Performing these functions in hardware is designed to contribute to improved performance.

Enhancements to eliminate preplanning in the cryptography area include the new System z10 function Dynamically Add Crypto to a logical partition. Changes to image profiles, to support Crypto Express2 features, are available without an outage to the logical partition. Crypto Express2 features can also be dynamically deleted or moved.

CP Assist for Cryptographic Function (CPACF)

CPACF supports clear-key encryption. The function is activated using a no-charge enablement feature and offers the following on every CPACF that is shared between two CPs or Processor Units (PUs) identified as an Integrated Facility for Linux (IFL):
• Data Encryption Standard (DES)
• Triple Data Encryption Standard (TDES)
• Advanced Encryption Standard (AES) for 128-bit keys
• Secure Hash Algorithm, SHA-1 and SHA-256
• Pseudo Random Number Generation (PRNG)

Enhancements to CP Assist for Cryptographic Function (CPACF):

CPACF has been enhanced to include support of the following on CPs and IFLs:
• Advanced Encryption Standard (AES) for 256-bit keys
• SHA-384 and SHA-512 for message digest

SHA-1 and SHA-512 are shipped enabled and do not require the enablement feature. Support for CPACF is also available using the Integrated Cryptographic Service Facility (ICSF). ICSF is a component of z/OS, and is designed to transparently use the available cryptographic functions, whether CPACF or Crypto Express2, to balance the workload and help address the bandwidth requirements of your applications.

The enhancements to CPACF are exclusive to the System z10 and supported by z/OS, z/VM, z/VSE and Linux on System z.

A third generation Cryptographic feature – Crypto Express2

Today, customers can pre-plan the addition of Crypto Express2 features to logical partitions (LPs) by using the Crypto page in the image profile to define the Cryptographic Candidate List, Cryptographic Online List, Usage and Control Domain Indexes in advance of Crypto hardware installation.

With the change to Dynamically Add Crypto to Logical Partition, changes to image profiles, to support Crypto Express2 features, are available without outage to the logical partition. Customers can also dynamically delete or move Crypto Express2 features. Pre-planning is no longer required.

This enhancement is exclusive to System z10 and is supported by z/OS.