IBM System z9 cryptography for highly secure transactions

The best way to secure information over the Internet is to encrypt it. IBM System z provides exceptional performance and function via cryptographic coprocessors and accelerators, each specialized to address a different encryption need. The z/OS operating system provides the infrastructure to exploit the strengths of each cryptographic feature, handling the routing of work to the right hardware transparently. The result? The performance advantages of hardware-assisted cryptography are readily available to applications, such as banking and finance, via the cryptography interfaces of z/OS.

Cryptographic Features Available on System z (z9 EC, z9 BC, z990, z890)
A third-generation cryptographic feature, the Crypto Express2, combines the functions of the PCICA and the PCIXCC in a single feature that is expected to provide improved secure-key and system throughput. The Crypto Express2 feature supports a mixture of both secure-key and clear-key applications. Crypto Express2 also offers CVV generation and verification services for 19-digit PANs, providing advanced anti-fraud security. In addition, Crypto Express2 supports applications that require clear-key RSA operations with moduli of fewer than 512 bits. This capability is designed to enable easier migration of some additional cryptographic applications to System z servers without requiring the applications to be rewritten. The Crypto Express2 feature is available on System z models z9 EC, z9 BC, z890 and z990.

The Crypto Express2-1P, announced in April of 2007, now offers a lower-cost cryptographic option providing one PCI-X adapter per feature. The Crypto Express2-1P is specifically designed to help address small and midrange security requirements while maintaining high performance. The Crypto Express2-1P is only available for use on z9 BC servers. Like the Crypto Express2, the Crypto Express2-1P PCI-X adapter can be defined as either a Coprocessor or an Accelerator, and a minimum of two features must be ordered. Both Crypto Express2-1P and Crypto Express2 features are supported by z/OS, z/OS.e, z/VM, z/VSE, and Linux on System z. z/VSE offers support for clear-key transactions only. Current versions of z/OS, z/OS.e, z/VM and Linux on System z offer support for both clear-key and secure-key operations.

The CP Assist for Cryptographic Function (CPACF) is incorporated into every central processor that ships with the IBM System z server families. The CPACF feature delivers cryptographic support on every Central Processor (CP) with Data Encryption Standard (DES) and Triple DES (TDES) data encryption/decryption along with SHA-1 hashing. The CPACF integrated in every central processor of System z9 EC and z9 BC enhances cryptography by adding support for the Advanced Encryption Standard (AES) and the SHA-256 hashing algorithm. As these cryptographic functions are implemented in each central processor (CP), the potential throughput scales with the number of processor units (PUs) ordered with each system.

With unprecedented scalability and data rates, the System z processors provide a set of symmetric cryptographic functions, executed synchronously on the CP, which can enhance the performance of the encrypt/decrypt functions of SSL, VPN (Virtual Private Network) and data-storing applications that do not require FIPS 140-2 Level 4 security. Note that CPACF operates on clear keys only; workloads that need keys protected by tamper-responding hardware belong on the secure-key coprocessor features described above.

The PCIX Cryptographic Coprocessor (PCIXCC) is a replacement for the PCICC and the CMOS Cryptographic Coprocessor Facility that was originally available for System z processors. PCIXCC provides support for all of the security-related cryptographic functions available with its predecessor cryptographic coprocessor features. In addition, PCIXCC also supports use of encrypted key values and user-defined extensions (UDX).

Certification
One focus area for System z has been encryption hardware certification. As encryption has become a key security tool, industry and country requirements have provided the motivation for IBM to work toward attaining higher levels of certification.

New FIPS Certification for Crypto Express2
Two of our cryptographic features are now certified at the highest level of the Federal Information Processing Standard. Both the Crypto Express2 and the PCIX Cryptographic Coprocessor (PCIXCC) features now hold the industry's top hardware rating, FIPS 140-2 Level 4. This certification means that the Crypto Express2 and the PCIX Cryptographic Coprocessor Security Modules satisfy the requirements for a cryptographic module used within a security system protecting Sensitive Information (United States) or Protected Information (Canada) within computer and telecommunications systems.

To achieve FIPS 140-2 Level 4 certification, an independent laboratory is permitted to attempt virtually any physical attack on the product, and must verify the security of the internal software using a mechanical verification of a mathematical model. The PCIX Cryptographic Coprocessor Security Module is used in the Crypto Express2 and the PCIXCC features available on IBM z9 EC, z9 BC, z990 and z890. To find out more about FIPS certification, please visit http://csrc.nist.gov/cryptval/140-1/1401val2005.htm#524 (link resides outside of ibm.com).

The Crypto Express2-1P feature is designed to conform to the Federal Information Processing Standard (FIPS) 140-2 Level 4 certification, and supports User Defined Extension (UDX) services to implement custom cryptographic functions and algorithms (when defined as a coprocessor).

SSL and security-rich Web commerce
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are public-key-cryptography-based security protocols layered on TCP/IP networking. SSL/TLS helps to ensure private communications between parties on the Internet, so that information such as a credit card number can be passed from a customer to a merchant application without being exposed to interception in transit.

System z servers provide the performance and scale you need to handle security-rich Web transactions. System z has focused on improving SSL/TLS encryption performance, and it shows. For example, z990 servers offer speed, with capabilities of greater than 11,000 SSL handshakes/second with z/OS 1.4, measured on a z990 with 16 CPs and 6 PCICA features. (To put that into some perspective, as recently as 1998, System z SSL performance was approximately 13 SSL handshakes/second.) This ultra-fast and security-rich SSL comes courtesy of special hardware in the optional Crypto Express2 feature (when one or both of the two PCI-X adapters are configured as an accelerator) and the PCI Cryptographic Accelerator (PCICA) features.

IBM has also extended cryptography support and enabled the accelerator capability within the Crypto Express2 and PCICA features for Integrated Facility for Linux (IFL) engines available on System z servers. IFLs are engines dedicated to running Linux workloads. Accelerator support was previously made available for standard engines on System z servers running Linux.

Customers that do not need the high performance of the Crypto Express2 and PCICA features can use the PCICC or PCIXCC cryptographic features for SSL support.

Custom programming support
IBM will provide support for loading customized cryptographic functions into the Crypto Express2 and PCIX Cryptographic Coprocessor (PCIXCC) features to perform User Defined Extensions (UDX).

Learn more
Understanding Clear Key vs. Secure Key
Frequently asked questions
IBM System z9 Business Class Performance of Cryptographic Operations (Cryptographic Hardware: CPACF, CEX2C, CEX2A)
IBM System z9-109 Performance of Cryptographic Operations (Cryptographic Hardware: CPACF, CEX2C, CEX2A)
IBM eServer System z 990 Performance of Cryptographic Operations (Cryptographic Hardware: CPACF, PCICA, PCIXCC, CEX2C)
IBM eServer System z 890 Performance of Cryptographic Operations (Cryptographic Hardware: CPACF, PCICA, PCIXCC, CEX2C)

Cryptographic hardware
PCIX Cryptographic Coprocessor