IBM 890 Network Card User Manual


 
A third generation Cryptographic feature – Crypto Express2
Crypto Express2 features support for on demand business
in a security-rich environment.
Crypto Express2 provides the functions of PCICA and
PCIXCC in a single feature that is expected to provide
improved secure key and system throughput. Like its
predecessors, the Crypto Express2 feature has been designed to
satisfy the security requirements of an enterprise server.
The Integrated Cryptographic Service Facility (ICSF),
a component of z/OS, is designed to transparently use
the available cryptographic functions, the CP Assist for
Cryptographic Function (CPACF) as well as the PCICA,
PCIXCC, and Crypto Express2 features to balance the
workload and satisfy the requirements of the applications.
The Crypto Express2 feature is designed for Federal
Information Processing Standard (FIPS) 140-2 Level 4
Certification and has two coprocessors per feature for improved
system throughput. A performance benefit is expected
with multitasking applications. A performance benefit may
not be realized with single-threaded applications, which
can utilize only one of the two coprocessors.
The Crypto Express2 feature supports the following:
• Consolidation and simplification via a single crypto coprocessor feature on z890 and z990
• Compute-intensive public key cryptographic functions designed to help reduce CP utilization and increase system throughput
• Card Validation Value (CVV) generation and verification services for 19-digit Personal Account Numbers (PANs)
• Enabling use of less than 512-bit keys for clear key RSA operations
• 2048-bit key RSA management capability
• Functions previously supported by the PCICA and PCIXCC features offered on z890 and z990 including:
– Compute-intensive public key cryptographic functions to help reduce CP usage and increase system throughput
– Hardware acceleration for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to help support security-rich on demand business applications and transactions
– SSL performance equivalent to the PCICA feature
– The functional enhancements announced in April 2004, namely: PKE MRP support, PKD zero pad support, TDES DUKPT, and EMV2000
• User Defined Extension (UDX) Service Offering – programmable to deploy standard functions and algorithms
• Up to a maximum of eight features per server
• The combined maximum number of Crypto Express2, PCICA, and PCIXCC features on a z890 and z990 cannot exceed eight features per server
– The z890 and z990 can support up to eight Crypto
Express2 features (16 coprocessors)
– The z890 and z990 can support up to six PCICA
features (12 accelerators)
– The z890 and z990 can support up to four PCIXCC
features (four coprocessors)
With Crypto Express2, both the z890 and z990 can
have up to sixteen secure key coprocessors in
comparison to the four coprocessors with the PCIXCC
features. This is expected to translate into increased
secure key and system throughput.
With Crypto Express2, both the z890 and z990 servers
can utilize up to sixteen cryptographic coprocessors
for clear key SSL acceleration in comparison to twelve
accelerators with the PCICA features. The number
of SSL handshakes per second in a 16 CP z990 is
expected to remain at over 11,000 when running the
z/OS operating system*.