CRYPTO - Crypto Hardware Activity report
The Crypto Hardware Activity report provides information about the activities in the various cryptographic hardware functions. Most cryptographic hardware functions can only be used through Cryptographic Support for z/OS (ICSF). ICSF is a standard component of z/OS. It provides cryptographic services in the z/OS environment. The report provides the following sections:
- Cryptographic CCA coprocessors
This section provides measurements about secure cryptographic functions executed on Common Cryptographic Architecture (CCA) coprocessors, use of secure encrypted key values, clear key and secure PKA operations, and special user cryptographic functions (using the user defined extension (UDX) capability of the card). For cryptographic CCA coprocessors, special attention should be given to RSA key-generation operations because these operations require a high amount of cryptographic processing capacity. Therefore, they are reported in addition to the total number of operations.
- Cryptographic PKCS11 coprocessors
This section provides measurements about secure public-key operations executed by cryptographic symmetric- and asymmetric-key functions.
- Cryptographic accelerators
This section provides measurements about public key operations (RSA cryptography operations) used with Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols, which are widely used to help secure e-business applications. The data for cryptographic accelerators shows details for the two available algorithms, modular exponentiation (ME) and Chinese Remainder Theorem (CRT), for the available key lengths (1024, 2048, and 4096 bit). This shows how the use of these algorithms affects the utilization of the accelerator.
- ICSF Services
The Crypto Hardware Activity report provides performance measurements on selected ICSF activities:
- Using the single and triple Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) to encipher and decipher data.
- Generating and verifying message authentication codes (MAC). The MAC is a value calculated from the message according to a secret shared DES key or AES key and sent to the receiver together with the message. The receiver can recalculate the MAC and compare it with the MAC received. If the MAC values are identical, the message has not been altered during transmission.
- Using public hash functions. A hash is calculated from the transmission data according to a public key or function in cases where it is impossible to share a secret key. If the recalculated hash is identical to the one calculated before transmission, data integrity is ensured.
- Translating and verifying PINs.
- Digital signature generation and verification. A digital signature is created using the data to be signed and a private key, using one of the following algorithms:
- RSA (Ron Rivest, Adi Shamir and Leonard Adleman)
- ECC (Elliptic Curve Cryptography)
- QSA (Quantum Safe)
- Format preserving encryption (FPE) and Feistel-based encryption (FFX) to encipher, decipher, and translate data while preserving the original formatting of the data.
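
The cryptographic accelerators section above reports the ME and CRT formats separately. The following added example (not part of the original report documentation, and not IBM or ICSF code) performs the same RSA private-key operation in both forms and compares a rough work estimate. The function names, the schoolbook cost model, and the 1128-bit sample key built from two Mersenne primes are assumptions made for illustration; the report itself covers 1024, 2048, and 4096 bit keys.

```python
# Added illustration: RSA private-key operation in ME and CRT form.
# Raw RSA without padding, shown for the arithmetic only.
# P and Q are Mersenne primes, picked only so the example is deterministic;
# they are constructed sample values and must never be used as real key material.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537


def make_key(p=P, q=Q, e=E):
    """Derive both private-key representations from the same primes."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {
        "n": p * q, "e": e,
        "d": d,                      # ME format uses (n, d)
        "p": p, "q": q,              # CRT format uses (p, q, dp, dq, qinv)
        "dp": d % (p - 1),
        "dq": d % (q - 1),
        "qinv": pow(q, -1, p),
    }


def private_op_me(key, c):
    """ME: one exponentiation with a full-size exponent and modulus."""
    return pow(c, key["d"], key["n"])


def private_op_crt(key, c):
    """CRT: two half-size exponentiations, recombined (Garner's formula)."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def schoolbook_cost(exponent, modulus):
    """Assumed model: bits(exponent) multiplications of bits(modulus)^2 each."""
    return exponent.bit_length() * modulus.bit_length() ** 2


def me_to_crt_cost_ratio(key):
    """Estimated work of the ME form relative to the CRT form."""
    me = schoolbook_cost(key["d"], key["n"])
    crt = (schoolbook_cost(key["dp"], key["p"])
           + schoolbook_cost(key["dq"], key["q"]))
    return me / crt


if __name__ == "__main__":
    key = make_key()
    c = pow(int.from_bytes(b"constructed sample message", "big"), key["e"], key["n"])
    assert private_op_me(key, c) == private_op_crt(key, c)
    print(f"estimated ME/CRT work ratio: {me_to_crt_cost_ratio(key):.2f}")
```

Both forms return the same result; under this model the ME form costs close to four times the CRT form for the same key, which is why the split by format matters when reading accelerator utilization.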