In an asymmetric cryptographic process one key is used to encipher the data, and a different but corresponding key is used to decipher the data. A system that uses this type of process is known as a public key system. The key that is used to encipher the data is widely known, but the corresponding key for deciphering the data is a secret. For example, many people can use your public key to send enciphered data to you with confidence, knowing that only you should possess the secret key for deciphering the data.

Public key cryptographic algorithms are used in processes that simplify the distribution of secret keys, assuring data integrity and provide nonrepudiation through the use of digital signatures.

The widely known and tested public key algorithms use a relatively large key. The resulting computer processing time makes them less than ideal for data encryption that requires a high transaction rate. Public key systems, therefore, are often restricted to situations in which the characteristics of the public key algorithms have special value, such as digital signatures or key distribution. PKA calculation rates are fast enough to enable the common use of digital signatures.

ICSF supports these public key algorithms:

• Rivest-Shamir-Adelman (RSA)
• Digital Signature Standard (DSS)
• Elliptic Curve Digital Signature Algorithm (ECDSA)

Note:

DSS is only supported on the IBM zSeries 900.

The RSA Public Key Algorithm

The Rivest-Shamir-Adelman (RSA)² public key algorithm is based on the difficulty of the factorization problem. The factorization problem is to find all prime numbers of a given number, n. When n is sufficiently large and is the product of a few large prime numbers, this problem is believed to be difficult to solve. For RSA, n is typically at least 512 bits, and n is the product of two large prime numbers. The ISO 9796 standard and RSA's Frequently Asked Questions About Today's Cryptography provide more information about the RSA public key algorithm.

The DSS Public Key Algorithm

The U.S. National Institute of Science and Technology (NIST) Digital Signature Standard (DSS) public key algorithm is based on the difficulty of the discrete logarithm problem. The discrete logarithm problem is to find x given a large prime p, a generator g and a value y = (g^**x) mod p. In this equation, ^** represents exponentiation. This problem is believed to be very hard when p is sufficiently large and x is a sufficiently large random number. For DSS, p is at least 512 bits, and x is 160 bits. DSS is defined in the NIST Federal Information Processing Standard (FIPS) 186 Digital Signature Standard.

A DSS key pair includes a private and a public key. The DSS private key is used to generate a digital signature, and the DSS public key is used to verify a digital signature.

DSS is only supported on the IBM zSeries 900.

Elliptic Curve Digital Signature Algorithm (ECDSA)

The ECDSA algorithm uses elliptic curve cryptography (an encryption system based on the properties of elliptic curves) to provide a variant of the Digital Signature Algorithm.