Elliptic Curve Cryptography support

System SSL uses ICSF callable services for Elliptic Curve Cryptography (ECC) algorithm support. For ECC support through ICSF, ICSF must be initialized with PKCS #11 support. For more information, see z/OS Cryptographic Services ICSF System Programmer's Guide. In addition, the application user ID must be authorized for the appropriate resources in the RACF CSFSERV class, either explicitly or through a generic resource profile. See CSFSERV resources required for hardware support through ICSF callable services for the required CSFSERV resources for each ECC function.

If the ICSF started task is not running as required or ECC support is otherwise unavailable, System SSL will fail if an ECC-based operation is required. In this event, notification is available through return or status codes and System SSL trace output.

Current ICSF cryptographic support for ECC can be verified using the DISPLAY CRYPTO function of the SSL Started Task. See SSL started task for more information.

ECC public/private keys must be defined over prime finite fields (Fp type fields) only; characteristic two finite fields (F2m type fields) are not supported. EC domain parameters may be defined using either the specifiedCurve format or the namedCurve format, as described in RFC 5480. If the EC domain parameters are defined using the specifiedCurve format, then they must match a supported named curve.

The following named curves are supported:
  • NIST recommended curves
    • secp192r1 – {1.2.840.10045.3.1.1}
    • secp224r1 – {1.3.132.0.33}
    • secp256r1 – {1.2.840.10045.3.1.7}
    • secp384r1 – {1.3.132.0.34}
    • secp521r1 – {1.3.132.0.35}
  • Brainpool defined curves
    • brainpoolP160r1 – {1.3.36.3.3.2.8.1.1.1}
    • brainpoolP192r1 – {1.3.36.3.3.2.8.1.1.3}
    • brainpoolP224r1 – {1.3.36.3.3.2.8.1.1.5}
    • brainpoolP256r1 – {1.3.36.3.3.2.8.1.1.7}
    • brainpoolP320r1 – {1.3.36.3.3.2.8.1.1.9}
    • brainpoolP384r1 – {1.3.36.3.3.2.8.1.1.11}
    • brainpoolP512r1 – {1.3.36.3.3.2.8.1.1.13}
For data signature generation and verification operations involving ECC-based algorithms, z/OS System SSL supports ECDSA with SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 digest algorithms. When creating signed certificates using the System SSL certificate management utility, gskkyman, or through CMS APIs that use a default digest algorithm, the recommended digest for the ECC key size of the signing private key is used (as specified in the following table).
Table 1. Recommended digest sizes for ECDSA signature key sizes
ECC curve type ECDSA key sizes (bits) Recommended digest algorithm Signature algorithm type
x509_ecurve_brainpoolP160r1
x509_ecurve_secp192r1
x509_ecurve_brainpoolP192r1
x509_ecurve_secp224r1
x509_ecurve_brainpoolP224r1
x509_ecurve_secp256r1
x509_ecurve_brainpoolP256r1
x509_ecurve_brainpoolP320r1
 160-383 SHA-256 x509_alg_ecdsaWithSha256
x509_ecurve_secp384r1
x509_ecurve_brainpoolP384r1
 384-511 SHA-384 x509_alg_ecdsaWithSha384
x509_ecurve_brainpoolP512r1
x509_ecurve_secp521r1
 512 and greater SHA-512 x509_alg_ecdsaWithSha512
System SSL regards certain EC named curves to be the default curve for their key size. For CMS APIs that require ECC key generation and accept a key size parameter only, the default curve for the key size specified is used. These default EC named curves are outlined in the following table.
Table 2. Default EC named curves for specified key sizes
Key size (bits) Default EC named curve Named curve OID
224 secp224r1 1.3.132.0.33
256 secp256r1 1.2.840.10045.3.1.7
320 brainpoolP320r1 1.3.36.3.3.2.8.1.1.9
384 secp384r1 1.3.132.0.34
512 brainpoolP512r1 1.3.36.3.3.2.8.1.1.13
521 secp521r1 1.3.132.0.35