35
A third generation Cryptographic feature – Crypto Express2
Crypto Express2 features support for on demand business
in a security-rich environment.
Crypto Express2 provides the functions of PCICA and
PCIXCC in a single feature that is expected to provide
improved secure key and system throughput. Like its prede-
cessors, the Crypto Express2 feature has been designed to
satisfy the security requirements of an enterprise server.
The Integrated Cryptographic Service Facility (ICSF),
a component of z/OS, is designed to transparently use
the available cryptographic functions, the CP Assist for
Cryptographic Function (CPACF) as well as the PCICA,
PCIXCC, and Crypto Express2 features to balance the
workload and satisfy the requirements of the applications.
The Crypto Express2 feature is designed for Federal Infor-
mation Processing Standard (FIPS) 140-2 Level 4 Certifi ca-
tion and has two coprocessors per feature for improved
system throughput. A performance benefi t is expected
with multitasking applications. A performance benefi t may
not be realized with single-threaded applications, which
can utilize only one of the two coprocessors.
The Crypto Express2 feature supports the following:
• Consolidation and simplifi cation via a single crypto
coprocessor feature on z890 and z990
• Compute-intensive public key cryptographic functions
designed to help reduce CP utilization and increase
system throughput
• Card Validation Value (CVV) generation and verifi cation
services for 19-digit Personal Account Number (PANs)
• Enabling use of less than 512-bit keys for clear key RSA
operations
• 2048-bit key RSA management capability
• Functions previously supported by the PCICA and
PCIXCC features offered on z890 and z990 including:
– Compute-intensive public key cryptographic func-
tions to help reduce CP usage and increase system
throughput
– Hardware acceleration for Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) protocols to help
support security-rich on demand business applica-
tions and transactions
– SSL performance equivalent to the PCICA feature
– The functional enhancements announced in April
2004, namely: PKE MRP support, PKD zero pad sup-
port, TDES DUKPT, and EMV2000
–
User Defi ned Extension (UDX) Service Offering – pro-
grammable to deploy standard functions and algorithms
• Up to a maximum of eight features per server
– The combined maximum number of Crypto Express2,
PCICA, and PCIXCC features on a z890 and z990
cannot exceed eight features per server
10
– The z890 and z990 can support up to eight Crypto
Express2 features (16 coprocessors)
– The z890 and z990 can support up to six PCICA
features (12 accelerators)
– The z890 and z990 can support up to four PCIXCC
features (four coprocessors)
– With Crypto Express2, both the z890 and z990 can
have up to sixteen secure key coprocessors in com-
parison to the four coprocessors with the PCIXCC
features. This is expected to translate into increased
secure key and system throughput.
– With Crypto Express2, both the z890 and z990 servers
can utilize up to sixteen cryptographic coprocessors
for clear key SSL acceleration in comparison to twelve
accelerators with the PCICA features. The number
of SSL handshakes per second in a 16 CP z990 is
expected to remain at over 11,000 when running the
z/OS operating system*.