Enhancements to CP Assist for Cryptographic Function (CPACF):
CPACF has been enhanced to include support of the
following on CPs and IFLs:
• Advanced Encryption Standard (AES) for 192-bit keys
and 256-bit keys
• SHA-384 and SHA-512 for message digest
SHA-1, SHA-256, and SHA-512 are shipped enabled and
do not require the enablement feature.
Support for CPACF is also available using the Integrated
Cryptographic Service Facility (ICSF). ICSF is a component
of z/OS, and is designed to transparently use
the available cryptographic functions, whether CPACF
or Crypto Express2, to balance the workload and help
address the bandwidth requirements of your applications.
The enhancements to CPACF are exclusive to the System
z10 and supported by z/OS, z/VM, z/VSE, and Linux on
System z.
Configurable Crypto Express2
The Crypto Express2 feature has two PCI-X adapters.
Each of the PCI-X adapters can be defined as either a
Coprocessor or an Accelerator.
Crypto Express2 Coprocessor – for secure-key encrypted
transactions (default) is:
• Designed to support security-rich cryptographic functions,
use of secure-encrypted-key values, and User
Defined Extensions (UDX)
• Designed to support secure and clear-key RSA operations
• The tamper-responding hardware and lower-level firmware
layers are validated to U.S. Government FIPS 140-2
standard: Security Requirements for Cryptographic
Modules at Level 4.
Crypto Express2 Accelerator – for Secure Sockets Layer
(SSL) acceleration:
• Is designed to support clear-key RSA operations
• Offloads compute-intensive RSA public-key and private-key
cryptographic operations employed in the SSL protocol
Crypto Express2 features can be carried forward
on an upgrade to the System z10 EC, so users may continue
to take advantage of the SSL performance and the
configuration capability.
The configurable Crypto Express2 feature is supported by
z/OS, z/VM, z/VSE, and Linux on System z. z/VSE offers
support for clear-key operations only. Current versions of
z/OS, z/VM, and Linux on System z offer support for both
clear-key and secure-key operations.
Additional cryptographic functions and features with
Crypto Express2
Key management – Added key management for remote
loading of ATM and Point of Sale (POS) keys. The elimination
of manual key entry is designed to reduce downtime
due to key entry errors, service calls, and key management
costs.
Improved key exchange – Added improved key
exchange with non-CCA cryptographic systems.
New features added to IBM Common Cryptographic
Architecture (CCA) are designed to enhance the ability to
exchange keys between CCA systems, and systems that
do not use control vectors by allowing the CCA system
owner to define permitted types of key import and export
while preventing uncontrolled key exchange that can open
the system to an increased threat of attack.
These are supported by z/OS and by z/VM for guest
exploitation.