Posted in: Uncategorized

New IBM Mainframe Gets Crypto Upgrade

A few weeks ago, IBM announced its most powerful and technologically advanced mainframe ever — the new zEnterprise EC12.

The new system features state-of-the-art technologies that demonstrate IBM’s ongoing commitment to secure and manage critical information with the System z mainframe. More specifically, the mainframe includes a new cryptographic co-processor called the Crypto Express4S designed by IBM scientists in Zurich.

To help understand this innovation better we spoke with its two developers Silvio Dragone, who designed the hardware, and Tamas Visegrady, who wrote the code.

Q. What exactly does a cryptographic co-processor do?

Tamas Visegrady: It’s a device to segregate security relevant operations. This means sensitive data can be secured in a dedicated environment, reducing risk.

Silvio Dragone: Exactly. It is a card to physically control security separated from the processor. You can think of it as a PC dedicated to just cryptography.

Q. What exactly did you develop?

SD: The work was originally developed within IBM’s Systems and Technology Group (STG) in Poughkeepsie, NY. We began collaborating with them few years ago, particularly as stronger requirements were being made by the EU, such as new passports, which have smart chips. Working closely with STG, we designed the architecture for the recent Crypto Express4S hardware enhancements and wrote specifications plus prototype code for the new mainframe crypto provider firmware.

TV: Another unique feature of the card was developed by our Zurich colleague Heiko Wolf. He is an expert in nanopatterning, and made the cards tamper-proof with specially designed packaging and materials.

Q. What was the biggest challenge in developing the Crypto Express4S?

SD: Well, the Crypto Express4S is the last line of defense in protecting data. And when it comes to our clients, this tends to be very sensitive data such as passports, national ID cards and financial information. So, losing this data is not an option.

The front cover of a contemporary
biometric passport

The biggest challenge is designing the hardware and software so it’s fail proof. We refer to it as “mainframe reliability,” which is very unique. It’s not often that hardware and software guys agree on everything, but Tamas and I meet in the middle more times then not.

TV: We’ve been developing cryptographic co-processor’s for 10 years and one of the biggest challenges is to continue to push the boundaries of its development for each new mainframe.  For the 4S, it is significantly faster based on some new algorithms, but speed can sometimes become a trade-off with security. So, it’s a big challenge to get them working together.

Often you read about raw speed being the key factor of a cryptographic co-processors, but that’s like saying a 32 megapixel camera is the best. There are many factors to consider and in our opinion we will accept a small drop in speed for an increase in reliability and security.

Q. So what’s next?

TV: As mainframes benefit from advancements in technology, whether it’s more speed or more power, it trickles down to the cryptographic co-processor. So, we need to work this into our designs to keep up with the needs of the industries we support.

SD: We keep an eye on what is happening in terms of security threats and try to preempt any weaknesses before they impact our clients.