ICSF protects data from unauthorized disclosure or modification. It protects data that is stored within a system, stored in a file on magnetic tape off a system, and sent between systems. It can also be used to authenticate identities of senders and receivers and to ensure the integrity of messages transmitted over a network. It uses cryptography to accomplish these functions.
Cryptography enciphers data, using an algorithm and a cryptographic key, so the data is in an unintelligible form. Deciphering data involves reproducing the intelligible data from the unintelligible data. To encipher and decipher data, ICSF uses either the U.S. National Institute of Science and Technology Data Encryption Standard (DES) algorithm, Advanced Encryption Standard (AES), Elliptic Curve Cryptography (ECC) or the RSA algorithm.
ICSF supports several Public Key Algorithms (PKA), which do not require exchanging a secret key. You can use these algorithms to exchange AES or DES secret keys securely and to compute digital signatures for authenticating messages and users. For digital signatures, you use a pair of keys: a private (secret) key to sign a message and a corresponding public key to verify the signature. ICSF supports the RSA, and ECC algorithms.
You use ICSF callable services and programs to generate, maintain, and manage keys that are used in the cryptographic functions. A unique key performs each type of cryptographic function on ICSF. All secret keys are encrypted under another key, a master key or a wrapping key. There are up to four CCA master keys depending on your cryptographic coprocessors: DES, RSA, AES and ECC. All master keys are physically secure within the boundary of the cryptographic coprocessors. Operational secret keys are encrypted under their respective master key.
The P11 master key is used to protect secure PKCS #11 keys. Secure PKCS #11 keys are supported only on features configured for PKCS #11. The P11 master key is physically secure within the boundary of the coprocessors.