Cutting-Edge Cryptography
Can Linux for the IBM System z platform meet the cryptographic needs of today's enterprise solutions? Simply put, yes. Cryptography in general can be a daunting topic, with complexity and obscurity at every turn. This article should lift the shroud a little, define and simplify some basic terminology and show how cryptography can be used in a System z enterprise solution.
The cryptographic functionality of Linux for the System z platform has grown over the last few years. When hardware cryptography was first introduced, software cryptography was no longer keeping up with the growing Web-server workloads of Linux on the mainframe, then known as Linux on S/390. Support started a few years ago with simple SSL acceleration at a meager rate, roughly four times faster than the software solutions of the time. In the short time since, it has grown to include not only SSL acceleration for clear-key applications at improved rates, but also symmetric algorithms, digital signatures and secure-key functions.
Handshakes and Keys
Those new to cryptography will start getting glassy-eyed without a brief explanation of a few terms. Currently one of the most computationally expensive crypto operations we encounter nearly every day is the SSL handshake. This handshake is what happens behind the scenes when we go to our favorite online store to buy the latest DVD. Once the handshake is complete, and both sides are trusted, that familiar lock is displayed in our Internet browser. The most common SSL handshake algorithm in use today is the asymmetric RSA algorithm (named after its creators, the esteemed cryptographers Rivest, Shamir and Adleman).
The term asymmetric describes the keys used in this type of cryptography. There is a public key and a private key, and because they differ the pair is called asymmetric. The private key is held secretly by its owner, while the public key can be distributed widely without any concern for compromise. Public-key algorithms such as RSA can be used to encrypt data for confidentiality, to sign data for integrity or to authenticate one party to another, as in the SSL handshake mentioned above.
Symmetric algorithms are quite different and use the same key for both encryption and decryption. They can be used to encrypt data at rest, on a hard drive or tape, or data in transit (e.g., the payload or data content of an SSL transaction). Symmetric keys, unlike public keys, shouldn't be shared unless all parties are trusted. Digital signatures, which build on hash algorithms such as the Secure Hash Algorithm (SHA), are another important cryptographic technology found in the enterprise; they are a common way to ensure the integrity of important data.
If that wasn't confusing enough for newcomers to cryptography, there's also the distinction between clear-key and secure-key cryptography. Clear key means the key exists somewhere in the software stack in readable form; this is the typical mode of operation for most consumer retail Web sites. Secure key, used by many financial and banking applications, means the key can never be found in readable form outside the cryptographic hardware itself; it is discussed further later in this article.
The core of the secure-key solution on Linux for the System z platform is a combination of the Crypto Express2 Coprocessor, the device driver and the Common Cryptographic Architecture libraries.
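The following is an added illustration, not code from the article or from IBM, of the roles described above: an RSA key pair transports a symmetric session key (the RSA handshake), the private key signs a SHA-256 digest for integrity, and the session key protects the payload. The RSA parameters, the HMAC-based stream cipher and the `SecureKeyDevice` class (a stand-in for a secure-key coprocessor that never reveals its private exponent) are all constructed for this example and are far too small and simple to be secure.

```python
import hashlib
import hmac
import os

# Constructed toy RSA key pair from two known primes (2**61-1 and 2**64-59);
# real deployments use 2048-bit or larger moduli.
P, Q = 2**61 - 1, 2**64 - 59
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python >= 3.8)


class SecureKeyDevice:
    """Stand-in for a secure-key coprocessor: callers receive only the results
    of private-key operations and never see the private exponent itself."""
    def __init__(self, d):
        self._d = d

    def private_op(self, x):
        return pow(x, self._d, N)


def public_op(x):
    """Public-key operation: wrap a session key or check a signature."""
    return pow(x, E, N)


def digest_int(data):
    # SHA-256 digest truncated to 15 bytes so the integer stays below N (~2**125).
    return int.from_bytes(hashlib.sha256(data).digest()[:15], "big")


def stream_xor(key, data):
    """Toy symmetric cipher: HMAC-SHA256 keystream in counter mode, XORed in.
    The same key encrypts and decrypts, as with any symmetric algorithm."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


def exchange(device, payload):
    """Client wraps a fresh session key with the public key and encrypts the
    payload; the server unwraps the key with its private key, decrypts, and
    signs the digest so the client can verify integrity with the public key."""
    session_key = os.urandom(15)                       # 120 bits, below N
    wrapped = public_op(int.from_bytes(session_key, "big"))
    ciphertext = stream_xor(session_key, payload)
    recovered = device.private_op(wrapped).to_bytes(15, "big")
    plaintext = stream_xor(recovered, ciphertext)
    signature = device.private_op(digest_int(plaintext))
    return plaintext, public_op(signature) == digest_int(payload)
```

Note that only `SecureKeyDevice.private_op` ever touches the private exponent, which is the property a secure-key coprocessor provides in hardware; in a clear-key setup the exponent would instead sit in ordinary process memory.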