IBM Z10 BC Server User Manual


 
Improved key exchange – Added improved key exchange with non-CCA cryptographic systems. New features added to IBM Common Cryptographic Architecture (CCA) are designed to enhance the ability to exchange keys between CCA systems and systems that do not use control vectors by allowing the CCA system owner to define permitted types of key import and export while preventing uncontrolled key exchange that can open the system to an increased threat of attack.
These are supported by z/OS and by z/VM for guest exploitation.
Support for ISO 16609
Support for ISO 16609 CBC Mode T-DES Message Authentication (MAC) requirements
ISO 16609 CBC Mode T-DES MAC is accessible through ICSF function calls made in the PCI-X Cryptographic Adapter segment 3 Common Cryptographic Architecture (CCA) code.
This is supported by z/OS and by z/VM for guest exploitation.
Support for RSA keys up to 4096 bits
The RSA services in the CCA API are extended to support RSA keys with modulus lengths up to 4096 bits. The services affected include key generation, RSA-based key management, digital signatures, and other functions related to these.
Refer to the ICSF Application Programmer's Guide, SA22-7522, for additional details.
Cryptographic enhancements to Crypto Express2 and Crypto Express2-1P
Dynamically add crypto to a logical partition.
Today, users can preplan the addition of Crypto Express2 features to a logical partition (LP) by using the Crypto page in the image profile to define the Cryptographic Candidate List, Cryptographic Online List, and Usage and Control Domain Indexes in advance of crypto hardware installation.
With the change to dynamically add crypto to a logical partition, changes to image profiles, to support Crypto Express2 features, are available without outage to the logical partition. Users can also dynamically delete or move Crypto Express2 features. Preplanning is no longer required.
This enhancement is supported by z/OS, z/VM for guest exploitation, z/VSE, and Linux on System z.
Secure Key AES
The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data. AES is the symmetric algorithm of choice, instead of Data Encryption Standard (DES) or Triple-DES, for the encryption and decryption of data. The AES encryption algorithm will be supported with secure (encrypted) keys of 128, 192, and 256 bits. The secure key approach, similar to what is supported today for DES and TDES, provides the ability to keep the encryption keys protected at all times, including the ability to import and export AES keys, using RSA public key technology.