IBM Z cryptographic hardware categories

CP Assist for Cryptographic Functions (CPACF)

CPACF is a set of z/Architecture® instructions provided by the Message Security Assist (MSA) facility and its extensions. It mainly provides symmetric cryptographic functions (AES, DES, TDES) and hash functions, but also selected asymmetric functions (ECC) using clear keys and protected keys. No additional hardware is necessary, though CPACF requires specific microcode to be loaded which you can order as no-charge feature code (LIC #3863). This feature code is required for libzpc. However, hash functions can be performed by CPACF without this feature code.

CPACF instructions provide the potential for significantly improved performance of cryptographic operations. CPACF supports various symmetric algorithms (including DES, TDES, and AES), algorithms for elliptic curve cryptography (ECC), and SHA-based digest algorithms:

• On IBM z15® and later: ECC algorithms for NIST curves (P-256, P-384, P-521), Edwards curves (ED25519, ED448), and Montgomery curves (X25519, X448) for clear and protected keys are available.
• On IBM z14® and later: SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, and SHAKE256 algorithms are available. A true random number generator is available.
• On all IBM Z systems: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms are available. AES, DES, and TDES algorithms for clear and protected keys are also available.

The feature code LIC #3863 must be activated before you can use CPACF on the system.

Every central processor (CP) has one CPACF, and therefore, CPACF encryption throughput roughly scales with the number of CPs in the system.

CPACF protected keys are effective keys (clear keys where the key bytes are visible) wrapped with a temporary machine-generated firmware wrapping key (WK) specific to the LPAR, KVM virtual server, or z/VM® guest virtual machine. The effective key inside the protected key cannot be discovered by the operating system. The effective key is unwrapped from the protected key inside the CPACF and used in cryptographic functions performed by the CPACF whenever a program uses a protected key to encrypt or decrypt data. CPACF protected keys are never in an unwrapped (unencrypted) state in memory that is addressable by the operating system. Using CPACF functions with protected keys leverages the encryption performance benefits of CPACF hardware while providing added protection required by security-sensitive applications.

The CPACF hardware that performs the symmetric key operations (AES, TDES, DES), and SHA functions, operates synchronously to CP operations. The CP cannot execute any other instruction while a CPACF cryptographic operation is being processed. The hardware has a fixed set up time per request and a fixed operation speed for the unit of operation. Therefore maximum throughput can be achieved for larger blocks of data. These instructions operate on buffers of arbitrary length, up to a hardware defined limit.

The CPACF hardware can be accessed by Message Security Assist instructions provided by the system architecture. However, application programs should use provided software libraries, utilities, or operating system services rather than use the MSA instructions directly. That is, instead of writing programs in assembler language issuing the IBM Z Message Security Assist (MSA) cryptographic instructions, Linux® users should use APIs of libzpc, which in turn invoke the MSA instructions. Thus, libzpc is a cryptographic library making use of protected-key cryptography only, provided by CPACF. For clear key cryptography, you can use, for example, the libica library or the OpenSSL libcrypto library.

IBM Crypto Express cryptographic coprocessors

A Crypto Express cryptographic coprocessor is often also referred to as cryptographic card or cryptographic adapter or just adapter. An IBM Crypto Express adapter is a tamper-responding hardware security module (HSM) that supports cryptographic operations using secure keys in a protected environment. An HSM can generate and safeguard internal master keys that are never visible outside the HSM and which are used to wrap an effective key (clear key) to produce a secure key. Therefore, a secure key can only be decrypted and used for cryptographic operations within the HSM. A cryptographic coprocessor is divided into multiple domains, also called AP queues. Each AP queue acts as an independent cryptographic device (HSM) with its own state, including its own set of master keys.

An HSM is a general-purpose computing environment that withstands both physical and logical attacks and has special hardware to perform cryptographic operations. The HSM is accessed from a host computer system using a carefully-designed set of API functions.

IBM Crypto Express adapters generate and process secure keys. Each domain of a cryptographic coprocessor can contain active master keys which are used to generate secure keys. Thus, a secure key is actually an effective key (clear key) wrapped by the tamper-proof master key of a domain within a cryptographic coprocessor. Secure keys are persistent key objects that can be safely stored on unprotected media, because they are protected by a specific master key that resides in a hardware security module certified with FIPS 140-2 Level 4. Using these keys requires access to a domain of a cryptographic coprocessor where the master key is activated.

If data needs to be encrypted or decrypted, it is sent to the cryptographic coprocessor where it is processed by the effective key which in turn is extracted (unwrapped) from the secure key with the help of the master key.

You can find more information about IBM Crypto Express cryptographic coprocessors in this web site:

https://www.ibm.com/security/cryptocards