EP11 is specifically designed for customers seeking support for open standards and enhanced security. 

The EP11 library provides an interface very similar to the industry-standard PKCS #11 API. Existing applications using PKCS #11 will benefit from using EP11 as they can be migrated easily to IBM z and by that benefit from enhanced security using secure key cryptography.

EP11 provides many interesting additions to the PKCS #11 with Login Sessions, attribute bound keys and different operational modes. More information about the EP11 Library can be found in the Enterprise PKCS #11 (EP11) Library structure document. 

EP11 (BSI-DSZ-CC-1094) has been certified to meet the requirements of the BSI (Federal Office for Information Security in Germany) for conformance with common criteria in version 3.1 (rev. 4) with Evaluation Assurance Level (EAL) 4.

View the IBM EP11 common criteria certificate here.

EP11 includes these capabilities:

Cryptographic algorithms, including:

  • Hashing and MAC algorithms: SHA-1, SHA-2 (up to SHA-512), HMAC, CMAC
  • Symmetric Key algorithms: AES (128/192/256 bit) and TDES 
  • RSA (up to 4096 bit) with PKCS #1/SHA-256, PSS SHA-256 padding or with self-hashing or or OAEP with SHA-1
  • EC-DSA/DH for key agreement protocols (NIST Prime curves to 521 bits, Brainpool curves to 512 bits and the Secpk256k1 curve) 
  • Hardware-based Digital Random Number Generator (DRNG)

EP11 is based on the Public-Key Cryptography Standard #11 v2.20. This includes: 

  • Key/Key Pair Generation
  • Encrypt/Decrypt
  • Key Wrap/Unwrap
  • Key Derivation
  • Digest, Sign and Verify operations
  • Get random number
  • Mechanism List and Info operations

EP11 extensions to the PKCS #11 standard:

  • Bulk encryption and decryption, sign, verify, and hash operations
  • Secure administration interface with the help of the Trusted Key Entry (TKE) console
  • Enhanced protection of keys through the use of attribute bound keys
  • Support for session bound keys, which are bound onto a specific user
  • System audit messages
  • Allowing multi-tenancy by storing secrets outside the HSM in wrapped/MACed form only, thus allowing a large number of users
  • Reduced risk of misuse by using trusted public keys (SPKI)
  • Control points and operational modes allow for fine-granular control of policy and compliance

Among the standards supported are:

  • Key management and related standards FIPS 197, NIST SP 800-67 Revision 1, FIPS 186-4, NIST SP 800-38A, RFC 3447, ANSI X9.63-2001
  • Random Number Generation according to ISO 18031 and NIST SP 800-90A Revision 1
  • EP11 provides modes compliant to FIPS 140-2 and BSI-CC
ep11 Diagram