IBM System z - Security: IBM zEnterprise EC12

IBM Enterprise PKCS #11 (EP11) enhancements

The following functions are supported when the Crypto Express4S PCIe adapter is configured as an EP11 coprocessor:

PKCS #11 v2.1 Probabilistic Signature Scheme (PSS): EP11 now supports the latest algorithm that is used in digital signature applications, offering enhanced security characteristics over prior digital signature algorithms.

EP11 Key agreement algorithms supported:

Offload Generation of Domain Parameters are necessary inputs for the creation of Digital Signature Algorithm (DSA) and Diffie-Hellman key pairs. This enhancement is designed to provide the ability to offload the task of generating domain parameters to EP11. These domain parameters can then be used to create key-pairs.

Common Cryptographic Architecture (CCA) enhancements

The following functions are supported when the Crypto Express4S PCIe adapter is configured as a CCA coprocessor:

Export Triple Data Encryption Standard (TDES) key under Advanced Encryption Standard (AES) transport keys: The AES encryption algorithm has greater security than the TDES encryption algorithm. CCA has added the ability to use AES key-encrypting keys (KEKs) to wrap your TDES keys to help those customers who want to begin moving to AES for key management. All of the TDES key wrapping functions are still available, but a parallel set of AES wrapping functions are now available for use.

Diversified Key Generation Cipher Block Chaining (CBC) support: During the Europay, Mastercard and Visa (EMV) smart card personalization process, session keys are derived and then used to secure messages to the EMV cards. Some EMV card personalization specifications require the use of TDES CBC mode to derive these session keys. This enhancement adds that capability to the existing key derivation options in CCA.

Initial PIN Encrypting Key (IPEK) support: The IPEK is the initial key that is loaded into a point-of-sale (POS) terminal before it is deployed for use, when that terminal will use the Derived Unique Key Per Transaction (DUKPT) key protocol. CCA has added a function that allows the Hardware Security Module (HSM) to securely derive an IPEK and return it to the application program in an encrypted key token, which can then be securely installed in a POS terminal.

Remote Key Export (RKX) key wrapping method support: In a previous release, CCA added the capability to wrap keys using a proprietary enhanced mode algorithm. This included the ability to set a default preference for the wrapping method to be used, as well as options to override that default in most CCA functions. The RKX function now supports that ability as well.

Integration of User Defined Extensions (UDX) into CCA: A UDX is designed to allow you to add custom functions to the CCA application programming interface (API) running in the Hardware Security Module (HSM). CCA has included the following three UDXs in the standard CCA APIs avoiding the requirement for a UDX: Recover PIN from Offset, Symmetric Key Export with Data, and Authentication Parameter Generate.

The following support for DK AES PIN Support is available as of 1/31/2014:

Die Deutsche Kreditwirtschaft (DK) AES PIN support: The German banking industry organization, DK, has defined a new set of Personal Identification Number (PIN) processing functions to be used on the internal systems of the banks and servers. CCA is designed to support these functions that are essential to those parts of the German banking industry governed by DK requirements. The functionality includes key management support for new AES key types, AES key derivation support, and several DK specific PIN and administrative functions. The intellectual property rights regarding the methods and specification of this support belong to the German Banking Industry Committee. DK is an association of the German banking industry. The German Banking Industry Committee is the hybrid term, in English, for Die Deutsche Kreditwirtschaft. Prior to August 2011, DK was named ZKA for Zentraler Kreditausschuss, or Central Credit Committee.

The support for UDX Simplification for PKA Key Translate & AES CMAC Support are planned to be available 3/31/2014:

New Message Authentication Code (MAC) support: CCA now supports new message authentication codes using the Advanced Encryption Standard Cipher-based MAC (AES-CMAC) algorithm.

User Defined Extension (UDX) simplification for PKA Key Translate: The Integrated Cryptographic Service Facility (ICSF) and CCA are designed to allow businesses to create extensions to the base CCA services. All UDX services are provided under contract to specific customers by IBM Global Business Services. With this announcement, ICSF and CCA add support for a UDX to the base CCA services. Support is added for translating an external RSA CRT key into new formats. These new formats use tags to identify key components. Depending on which new rule array keyword is used with the PKA Key Translate callable service, the service TDES encrypts those components in either CBC or ECB mode.

Trusted Key Entry (TKE) 7.3 Licensed Internal Code (LIC)

The following functions are newly supported with supported in the TKE 7.3 level of LIC:

Full function migration wizard for EP11: The full function migration wizard is designed to provide the ability to quickly and accurately collect and apply data to the Crypto Express features configured as EP11 coprocessors. This wizard previously supported CCA, and has now been enhanced to also support EP11.

Workstation setup wizard: The setup wizard performs the most common TKE workstation workstation initialization functions, ensuring speed and accuracy of new TKE hardware deployment. It simplifies the process while greatly reducing errors. The wizard can also be run to verify the TKE workstation has been configured correctly.

Allow Set Master Key from the TKE workstation: Initially setting or changing any type of master key on a Crypto Express feature must be done carefully. If a master key is set or changed when key stores have not been properly prepared for the new master key, the keys in the store will become unusable. In an initial setup or recovery situation, establishing or changing the master key quickly is critical. The TKE workstation will allow you to set any master key from the TKE workstation. The Crypto Express feature is intended for initial setup or recovery situations where key stores are prepared for the master key that will be set by the TKE workstation.

Restricted PIN support: The latest CCA enhancements are designed to allow users to prevent the automatic generation of certain PIN values, or the replacement of existing PINs with certain PIN values. The TKE 7.3 LIC includes a new tab for specifying restricted PIN values. This enhancement is exclusive to the TKE 7.3 LIC.

New AES operational keys: Five new AES operational keys can be managed from the TKE 7.3 workstation. The key types are MAC, PINCALC, PINPROT, PINPRW, and DKYGENKY.

Close Host and Unload Authority Signature Key: The Close Host enhancement is designed to allow you to explicitly sign off a host. The Unload Authority Signature Key enhancement allows you to explicitly remove the current authority signature key without ending the TKE application. When you have many users with different roles, users no longer have to end the TKE application before the TKE workstation is utilized by another user.

New access control for managing host list entries: The TKE workstation profile role has a new access control point to allow you to create, change, or delete a host list entry. This is designed to provide stronger separation of duties between users of a host list entry and users that manage the entries.

Domain Group changes:

When creating or changing a domain group, a domain can only be included in the group once. This ensures that domain commands are only sent to a domain once.

If you manage a host crypto module role from a domain group, the user must explicitly select which Domain Access Control Points are to be set. The user either specifies every domain access control point is selected for every crypto module in the group, or only the domain access control points for the domains in the group are selected. This enhancement allows you to manage a 'module-scoped role' from inside a domain group.

User-defined CCA and EP11 Domain Control lists: When managing CCA or EP11 Domain Control Points, the user can save the settings to a file which can then later be applied to other domains. This enhancement allows for fast and accurate deployment of new or recovered domains.

Increased session key strength: When using the latest version of smart cards on a TKE 7.3 workstation, a 256-bit AES session key will be used for all smart card operations. Refer to the TKE Workstation User's Guide, TKE Version 7.3, SC14-7511, in the Library, Hardware products for servers, TKE workstation section of Resource Link for further information.

Contact IBM

Browse z Systems


Infrastructure matters. Businesses turn to the IBM mainframe for unmatched security, operational efficiency, speed, seamless scale, and lower cost per transaction. The IBM z System, the world’s premier data and transaction engine, is enabled for mobile, integrates transactions and analytics, and delivers efficient and trusted clouds.

Operating Systems

IBM z Systems supports multiple operation systems:


IBM z Systems combine leading-edge innovation and unparalleled capabilities to power cloud, business analytics, mobile applications, and the most important workloads.

Learn more