Crypto Express5S As A Cca Coprocessor - IBM z13s Technical Manual

Several of these algorithms require a secure key and must run on an HSM; some of them can
also run with a clear key on the CPACF. Many standards are supported only when the Crypto
Express5S card is running in CCA mode, and many are also supported when the card is running
in EP11 mode. The three modes for the Crypto Express5S card are further described in the
following topics. A summary of which algorithms are supported in which modes is shown in 6.7,
"Cryptographic functions comparison" on page 225.

6.5.2 Crypto Express5S as a CCA coprocessor

A Crypto Express5S card running in CCA mode supports the IBM CCA. CCA is both an
architecture and a set of APIs. It provides cryptographic algorithms and secure key
management, especially many special functions required for banking. Over 129 APIs with
more than 600 options are provided, with new functions and algorithms always being
added.

The IBM CCA provides functions for these purposes:

• Encryption of data (DES/TDES/AES)
• Key management
  – Using TDES or AES keys
  – Using RSA or Elliptic Curve keys
• Message authentication (MAC/HMAC/AES-CMAC)
• Key generation
• Digital signatures
• Random number generation
• Hashing (SHA, MD5, other)
• ATM PIN generation and processing
• Credit card transaction processing
• Visa Data Secure Platform (DSP) Point to Point Encryption (P2PE)
• Europay, MasterCard and Visa (EMV) card transaction processing
• Card personalization
• Other financial transaction processing
• Integrated role-based access control system

User Defined Extensions support

UDX allows the user to add customized operations to a cryptographic coprocessor.
User-Defined Extensions to the CCA support customized operations that run within the
Crypto Express features when defined as a coprocessor.

UDX is supported under a special contract through an IBM or approved third-party service
offering. The Crypto Cards website directs your request to an IBM Global Services location
for your geographic location. A special contract is negotiated between IBM Global Services
and you. The contract is for the development of the UDX code by IBM Global Services
according to your specifications and an agreed-upon level of the UDX.

A UDX toolkit for z Systems is tied to specific versions of the CCA card code and the related
host code. UDX is available for the Crypto Express5S (Secure IBM CCA coprocessor mode
only) features. A UDX migration is no more disruptive than a normal Microcode Change
Level (MCL) or ICSF release migration.

In z13s servers, up to four UDX files can be imported. These files can be imported only from
a DVD. The UDX configuration window is updated to include a Reset to IBM Default button.

IBM z13s Technical Guide
