Illustration by IMAGEZOO/Images.com
In the beginning - at least as far as Linux on the System z platform or the older S/390 is concerned - there was the PCI Cryptographic Coprocessor (PCICC) cryptography card. This coprocessor card had the potential to perform many complex cryptographic functions. Linux, however, was just entering the scene and robust cryptography wasn't an integral component or requirement at that point, so it was used only for RSA acceleration. This first offering got things rolling with roughly 200 handshakes per second. Looking back, it seemed only moments later when the PCI Cryptographic Accelerator (PCICA) card became available, adding five times the speed to the SSL support available to Linux applications on the mainframe.
After that, things really got rolling with the PCI-X Cryptographic Coprocessor (PCIXCC) card and now the Crypto Express2 feature. The Crypto Express2 feature is made up of two physical cards, each of which can be configured as either a crypto coprocessor or a crypto accelerator, adding a great deal of flexibility and configurability to an enterprise solution. A Crypto Express2 feature with only one card is now available with the System z9* Business Class (BC) for those workloads with fewer crypto demands. Each new generation of crypto hardware highlights IBM's commitment to security and the mainframe. In a Linux for System z environment, the Crypto Express2 feature, configured with each card as an accelerator, has reached speeds of approximately 6,000 SSL handshakes per second per feature.
The entry of the z990 mainframe marked the end of the Cryptographic Coprocessor Facility (CCF), which architecturally predated Linux. The CCF was therefore unusable to Linux on the mainframe. The z990 and z890 brought an expanded architecture that included user-space, clear-key instructions for the symmetric Data Encryption Standard (DES) and Triple DES (TDES) algorithms and the SHA-1 digital signature algorithm. Following suit, the System z9 Enterprise Class (EC) and BC extended this support to include the symmetric Advanced Encryption Standard (AES) 128-bit algorithm, SHA-256 (which is part of the SHA-2 standard) and an instruction for pseudo-random-number generation.
Now that the cryptographic hardware available for Linux on the System z platform (represented by the yellow boxes in Figure 1) is better understood, the software solutions that depend on the hardware can be explored. Asymmetric cryptography, symmetric cryptography and digital-signature cryptography are all available to applications requiring clear-key solutions. Crypto hardware alone isn't enough; software components are required to complete the solution, making the crypto functions available to applications in a usable form. Cryptography libraries have been developed or extended to bring the cryptography acceleration found in the hardware to the protected business applications.
The cryptographic solutions on Linux for the System z platform can sound quite daunting or complex, so it's best to refer often to Figure 1 for clarity. If application development is attempted, it's most important that only the supported APIs and libraries be used by applications. The appropriate APIs are seen in the blue boxes in the center of the diagram. While the underlying support or the device driver (represented by the purple boxes) could be utilized by applications, they can change at any time and should be avoided.
The approved APIs for access to crypto on Linux for the System z platform are OpenSSL, PKCS#11 (implemented as OpenCryptoki on Linux) and GSKit. They are all available to user-space applications. OpenSSL and PKCS#11 are provided to support well-established open standards. In addition, PKCS#11 also enables Java* applications to take advantage of the cryptographic support on Linux for the System z platform. Additionally, the GSKit libraries utilize System z hardware cryptography to provide support to IBM applications. These IBM applications ship GSKit as necessary. The device driver, along with PKCS#11 and OpenSSL support, can be found as part of both the Novell SUSE and Red Hat distributions available for Linux on the System z platform.
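The article's point is that applications should reach the crypto cards only through the supported user-space APIs, and that the device driver and distribution packages make those APIs available. The following script is an added example, not part of the article and not IBM or distribution code: it is a defender's checklist that confirms each layer of the stack is present on a Linux for System z guest (the zcrypt device node, the OpenCryptoki token list, the OpenSSL engine list) and, optionally, measures RSA throughput with `openssl speed`. It assumes the `/dev/z90crypt` device node exposed by the zcrypt driver, the `pkcsconf -t` command from OpenCryptoki, `openssl engine -c`, and the classic `sign verify sign/s verify/s` column layout of OpenSSL 1.x `speed` output; the sample output parsed at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the supported
# crypto path is in place on a Linux for System z guest and report RSA
# throughput. Every external tool is probed first, so the script degrades
# gracefully on a machine without the cards.

# Parse the "sign/s" column for a given RSA key size out of "openssl speed rsa"
# output. Assumes the OpenSSL 1.x layout: rsa <bits> bits <signT> <verifyT>
# <sign/s> <verify/s>, so sign/s is field 6. Pure awk, so it can be tested on
# constructed output without the hardware.
rsa_sign_rate() {
    bits="$1"
    printf '%s\n' "$2" | awk -v b="$bits" \
        '$1 == "rsa" && $2 == b && $3 == "bits" { print $6; exit }'
}

# Ratio of two sign/s figures with one decimal, e.g. accelerator vs. software.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", a / b }'
}

# Layer 1: the device driver (purple box in Figure 1). The zcrypt driver
# creates /dev/z90crypt when a coprocessor or accelerator card is online.
check_driver() {
    if [ -c /dev/z90crypt ]; then
        echo "driver:  /dev/z90crypt present"
    else
        echo "driver:  /dev/z90crypt missing (no card online or module not loaded)"
    fi
}

# Layer 2: PKCS#11 via OpenCryptoki. "pkcsconf -t" lists configured tokens.
check_pkcs11() {
    if command -v pkcsconf >/dev/null 2>&1; then
        echo "pkcs11:  tokens reported by OpenCryptoki:"
        pkcsconf -t 2>/dev/null || echo "pkcs11:  pkcsconf returned an error (slot daemon not running?)"
    else
        echo "pkcs11:  pkcsconf not installed"
    fi
}

# Layer 3: OpenSSL. List the engines it can load; an engine entry is how an
# application reaches hardware crypto without touching the driver itself.
check_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        echo "openssl: engines available:"
        openssl engine -c 2>/dev/null || echo "openssl: engine listing unsupported in this build"
        # The benchmark takes tens of seconds, so it is opt-in (RUN_SPEED=1).
        if [ "${RUN_SPEED:-0}" = "1" ]; then
            out=$(openssl speed rsa2048 2>/dev/null || true)
            echo "openssl: rsa2048 sign/s = $(rsa_sign_rate 2048 "$out")"
        fi
    else
        echo "openssl: not installed"
    fi
}

check_driver
check_pkcs11
check_openssl

# Constructed sample of OpenSSL 1.x "speed rsa" output, used to show the parser.
SAMPLE_SPEED='                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000792s 0.000024s   1262.4  41666.7'
echo "sample:  rsa2048 sign/s = $(rsa_sign_rate 2048 "$SAMPLE_SPEED")"
# Handshake figures quoted in the article: PCICC (200/s) vs Crypto Express2
# accelerators (6,000/s per feature).
echo "article: Crypto Express2 vs PCICC handshake speed-up = $(speedup 6000 200)x"
```

Run it as an unprivileged user first; none of the checks need root. If `/dev/z90crypt` is missing but `openssl engine -c` still lists a hardware engine, the engine will silently fall back to software, which is exactly the case a throughput check with `RUN_SPEED=1` is meant to catch.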