S/390 Enterprise Server CMOS Cryptographic Coprocessor
As the Internet becomes the basis for electronic commerce and as more businesses automate their data processing operations, the potential for unauthorized disclosure of sensitive data increases. Online databases are becoming increasingly large and complex. Sensitive data is transmitted on communication lines and, often, stored offline. As a result, the efficient, economical protection of enterprise-critical information has become increasingly important in many diverse application environments.
The protection required to conduct commerce on the Internet, provide data confidentiality, and authenticate individuals can be provided only by cryptographic services and techniques.
The high-speed, physically secure IBM Integrated CMOS Cryptographic Coprocessor for S/390 Generation 3, Generation 4, Generation 5, Multiprise 2000™ and Application StarterPak™ Enterprise Servers, together with the Integrated Cryptographic Service Facility (ICSF), a component of the OS/390™ V2 operating system, enables you to encrypt and decrypt data, to generate and manage cryptographic keys, and to perform other cryptographic functions dealing with data integrity and digital signatures.
The Integrated Cryptographic Solution for Enterprise Servers includes:
- High speed, secure, CMOS Cryptographic Coprocessor(s).
  - Standard starting with Generation 4 and Application StarterPak™.
- Integrated Cryptographic Service Facility (ICSF).
  - Included within OS/390 V2.
- Optional Trusted Key Entry (TKE) system.
Protect information privacy
The Cryptographic Coprocessor and ICSF together enable you to process confidential information - such as purchase orders, proprietary engineering drawings, or confidential financial information - without compromising security.
Safeguard data integrity
In applications such as electronic funds transfers and high-volume transaction processing, the Cryptographic Coprocessor and ICSF together help to prevent unauthorized data alteration so that figures are not deliberately or inadvertently changed during the transmission process.
Network security coordination.
The rules and protocols supported enable a host processor to coordinate encrypted transmissions with a variety of network devices. The transmissions can be exchanged using either DES or RSA algorithm techniques. Secure transmission can be performed either at an application level or using ACF/VTAM™ Session Level Encryption and DES.
Efficient operating speed.
Cryptographic coprocessor performance at processor speed helps to conserve your valuable processor resources.
Standards compliance.
The Cryptographic Coprocessor and ICSF support international cryptographic standards for personal identification number (PIN) processing, message authentication and modification detection codes along with hashing algorithms such as the Secure Hash Standard (SHS), the Data Encryption Algorithm (DEA) and encryption modes, the Digital Signature Standard and Rivest-Shamir-Adleman (RSA), the de facto public key algorithm standard.
Designed and packaged for extra security.
The length of the Cryptographic Coprocessor DES master key - 112 bits - affords a high degree of security. DES triple-length keys - 168 bits - can be used for data encryption and are used to protect application managed public keys. Hardware support of 1024-bit arithmetic and internal nonvolatile memory protected within a single CMOS tamper-resistant secure chip.
Electronic key exchange.
Key exchange can be performed electronically, and key management functions, such as key generation, key import and key export are provided. Key exchange is also available under RSA application-owned keys via ICSF Application Programming Interfaces (APIs).
Support for multiple PR/SM™ partitions.
The Cryptographic Coprocessor can support up to the maximum Processor Resource/Systems Manager™ (PR/SM™) partitions available to the Enterprise Servers, each with its own unique master key.
Easy migration.
The ICSF function of OS/390 V2 is upwardly compatible with ICSF V1. A migration utility is provided for converting the IBM Programmed Cryptographic Facility (PCF), the IBM Cryptographic Unit Support Program (CUSP), or ICSF V1.1 Cryptographic Key Data Set (CKDS) to the CKDS structure supported by ICSF V2.
High availability
The Cryptographic Coprocessor is implemented with the same robust fault-tolerant design found in S/390 Enterprise Servers. High-availability features include a second Cryptographic Coprocessor on all high-end Enterprise Servers and support for internal processor and ICSF "re-tries" that are transparent to the application. DES master keys and other long-life cryptographic keys can be updated dynamically without disrupting service to applications using those keys.
Systems Management
ICSF provides the security administrator with an interactive user dialog to simplify management tasks. In addition, the IBM Resource Access Control Facility (RACF) can be used for access control of both the CKDSs and the use of cryptographic keys and services. The IBM Systems Management Facility is used to record ICSF events.
Application programming interface.
ICSF supports IBM's Common Cryptographic Architecture and provides a cryptographic application programming interface that enables applications to access the underlying system cryptographic functions easily via Higher Level Language (HLL) callable services. This support has been extended to include more of the Transaction System Security (TSS) APIs, such as those available for digital signatures and distribution of DES and CDMF keys under RSA public keys. ICSF offers a rich variety of 50+ unique API callable services.
What you get
The IBM Cryptographic Coprocessor must be ordered with the Enterprise Server. It must be designated with a proper export enablement configuration. Starting with Generation 4 and Application StarterPak™, the Cryptographic Coprocessor hardware is standard on all configurations and ICSF is a standard component of OS/390 V2.
The Trusted Key Entry is an optional, priced feature and, if ordered, will be shipped with all hardware and software components installed.
ICSF, a component of OS/390, comes with basic machine-readable material, a user memo, and includes the following ICSF publications:
- Overview
- System Programmer's Guide
- Administrator's Guide
- Application Programmer's Guide
- Messages
- Trusted Key Entry Workstations User's Guide (if ordered)
- PR/SM™ Planning Guide
- Support Element Operations Guide (included with the hardware documentation)
- Program Directory (only with ICSF product)
- Licensed Program Specifications (only with ICSF product)
ICSF Service
Central service, including the IBM Support Center, will be available until discontinued by IBM upon six months' written notice. Central service for Distributed Systems License Option (DSLO) licenses, including the IBM Support Center, will be provided only through the customer location designated for the basic license.
Cryptographic Coprocessor at a glance
Hardware requirements
The Cryptographic Coprocessor is currently available only on S/390 Generation 3, Generation 4, Generation 5, Multiprise 2000™ and Application StarterPak™ Enterprise Servers.
Software requirements
The Cryptographic Coprocessor requires the Integrated Cryptographic Service Facility licensed program and its co-requisites prior to OS/390 V2. For OS/390 V2, all components are included.
ICSF at a glance
Hardware and software requirements
ICSF requires an installed Integrated Cryptographic Coprocessor and the following prerequisite product:
- OS/390 V2R4 or later. (For releases of OS/390 prior to V2R4 and MVS V5, the ICSF standalone product, 5655-120, is available.)
- OS/390 Security Server (RACF Component), if protection for services and keys is desired.
For performance, ICSF accesses cryptographic keys from an in-storage copy of the CKDS kept in the ICSF data space.

Find out more
If you would like more information about the Integrated Cryptographic Coprocessor and the Integrated Cryptographic Service Facility, contact your local IBM marketing representative.
IBM and SecureWay are registered trademarks of International Business Machines Corporation. All other company, product and service names may be trademarks or registered trademarks of their respective companies.
IBM hardware products are manufactured from new or new and used parts. Regardless, our warranty terms apply.
References in this publication to IBM products or services do not imply that IBM intends to make them available outside the United States.
The information contained in this document is distributed on an "as is" basis without any warranty, express or implied. While each item may have been reviewed by IBM for technical accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. The implementation of these techniques depends on the customer's ability to evaluate and integrate them into the customer's operational environment.