Crypto Express5S as an EP11 Coprocessor; Crypto Express5S as an Accelerator - IBM z13s Technical Manual

Software requirements:
– z/OS V2.2
– z/OS V2.1 or z/OS V1.13 with the Cryptographic Support for z/OS V1R13-z/OS V2R1
web deliverable (FMID HCR77B1) with PTFs
– z/VM 5.4, 6.2, and 6.3 with PTFs for guest exploitation

6.5.3 Crypto Express5S as an EP11 coprocessor

A Crypto Express5S card that is configured in Secure IBM Enterprise PKCS #11 (EP11)
coprocessor mode provides PKCS #11 secure key support for public sector requirements.
Before EP11, the ICSF PKCS #11 implementation supported only clear keys. In EP11, keys
can now be generated and securely wrapped under the EP11 Master Key. The secure keys
never leave the secure coprocessor boundary unencrypted.
The secure IBM Enterprise PKCS #11 (EP11) coprocessor runs the following tasks:
– Encrypt and decrypt (AES, DES, TDES, and RSA)
– Sign and verify (DSA, RSA, and ECDSA)
– Generate keys and key pairs (DES, AES, DSA, ECC, and RSA)
– HMAC (SHA1, SHA224, SHA256, SHA384, and SHA512)
– Digest (SHA1, SHA224, SHA256, SHA384, and SHA512)
– Wrap and unwrap keys
– Random number generation
– Get mechanism list and information
– Attribute values
– Key agreement (Diffie-Hellman)
The function extension capability through UDX is not available to the EP11.
When defined in EP11 mode, the TKE workstation is required to manage the Crypto
Express5S feature.

6.5.4 Crypto Express5S as an accelerator

A Crypto Express5S card running in accelerator mode supports only RSA clear key and SSL
Acceleration. A request is processed fully in hardware. The Crypto Express accelerator is a
coprocessor that is reconfigured by the installation process so that it uses only a subset of the
coprocessor functions at a higher speed. Reconfiguration is disruptive to coprocessor and
accelerator operations. The coprocessor or accelerator must be deactivated before you begin
the reconfiguration.
FIPS 140-2 certification is not relevant to the accelerator because it operates with clear keys
only. The function extension capability through UDX is not available to the accelerator.
The functions that remain available when the Crypto Express5S feature is configured as an
accelerator are used for the acceleration of modular arithmetic operations. That is, the RSA
cryptographic operations are used with the SSL/TLS protocol. The following operations are
accelerated:
– PKA Decrypt (CSNDPKD) with PKCS-1.2 formatting
– PKA Encrypt (CSNDPKE) with zero-pad formatting
– Digital Signature Verify
The RSA encryption and decryption functions support key lengths of 512 bits to 4,096 bits, in
the Modulus-Exponent (ME) and CRT formats.
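
The ME and CRT key formats named above hold the same RSA private key in two forms. The following is an added example, not code from the IBM guide and not an ICSF API: it computes one private-key operation both ways and checks the stated modulus range. The function names, the test key, and the reading of zero-pad formatting as left-padding with zero bytes are assumptions of this example.

```python
# Added example (not from the IBM guide): one RSA private-key operation
# computed from the same key held in ME format and in CRT format.
# Constructed test key built from two known Mersenne primes; never use it.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537

def make_key(p, q, e):
    """Return the same private key in ME form and in CRT form."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    me = {"n": n, "d": d}
    crt = {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1),
           "qinv": pow(q, -1, p)}
    return me, crt

def check_modulus(n):
    """Enforce the 512 to 4,096 bit modulus range stated on the page."""
    bits = n.bit_length()
    if not 512 <= bits <= 4096:
        raise ValueError(f"modulus of {bits} bits is outside 512..4096")
    return bits

def zero_pad(data, n):
    """Left-pad data with zero bytes to the modulus length (assumed layout)."""
    k = (n.bit_length() + 7) // 8
    block = data.rjust(k, b"\x00")
    if len(block) != k or int.from_bytes(block, "big") >= n:
        raise ValueError("data does not fit below the modulus")
    return block

def encrypt(data, n, e):
    """Public-key operation m^e mod n on the zero-padded block."""
    block = zero_pad(data, n)
    return pow(int.from_bytes(block, "big"), e, n).to_bytes(len(block), "big")

def decrypt_me(cipher, me):
    """ME format: one full-size exponentiation c^d mod n."""
    k = (me["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(cipher, "big"), me["d"], me["n"]).to_bytes(k, "big")

def decrypt_crt(cipher, crt):
    """CRT format: two half-size exponentiations, recombined (Garner)."""
    c = int.from_bytes(cipher, "big")
    m1 = pow(c % crt["p"], crt["dp"], crt["p"])
    m2 = pow(c % crt["q"], crt["dq"], crt["q"])
    h = (crt["qinv"] * (m1 - m2)) % crt["p"]
    k = ((crt["p"] * crt["q"]).bit_length() + 7) // 8
    return (m2 + h * crt["q"]).to_bytes(k, "big")

if __name__ == "__main__":
    me, crt = make_key(P, Q, E)
    ct = encrypt(b"constructed sample data", me["n"], E)
    print(check_modulus(me["n"]), decrypt_me(ct, me) == decrypt_crt(ct, crt))
```

Both paths return the same zero-padded block; the CRT form does so with exponents and moduli about half the size of the ME form's.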
IBM z13s Technical Guide
