z/OS Cryptographic Services System SSL Programming


Elliptic Curve Cryptography support

SC14-7495-00

System SSL uses ICSF callable services for Elliptic Curve Cryptography (ECC) algorithm support. For ECC support through ICSF, ICSF must be initialized with PKCS #11 support. For more information, see z/OS Cryptographic Services ICSF System Programmer's Guide. In addition, the application user ID must be authorized for the appropriate resources in the RACF® CSFSERV class, either explicitly or through a generic resource profile. See Table 1 for the required CSFSERV resources for each ECC function.

If the ICSF started task is not running as required or ECC support is otherwise unavailable, System SSL might fail if an ECC-based operation is required. In this event, notification is available through return or status codes and System SSL trace output.

Current ICSF cryptographic support for ECC can be verified using the DISPLAY CRYPTO function of the SSL Started Task. See SSL started task for more information.

ECC public/private keys must be defined over prime finite fields (Fp type fields) only; characteristic two finite fields (F2m type fields) are not supported. EC domain parameters may be defined using either the specifiedCurve format or the namedCurve format, as described in RFC 5480: Elliptic Curve Cryptography Subject Public Key Information. If the EC domain parameters are defined using the specifiedCurve format, then they must match a supported named curve.

The following named curves are supported:
  • NIST recommended curves
    • secp192r1 – {1.2.840.10045.3.1.1}
    • secp224r1 – {1.3.132.0.33}
    • secp256r1 – {1.2.840.10045.3.1.7}
    • secp384r1 – {1.3.132.0.34}
    • secp521r1 – {1.3.132.0.35}
  • Brainpool defined curves
    • brainpoolP160r1 – {1.3.36.3.3.2.8.1.1.1}
    • brainpoolP192r1 – {1.3.36.3.3.2.8.1.1.3}
    • brainpoolP224r1 – {1.3.36.3.3.2.8.1.1.5}
    • brainpoolP256r1 – {1.3.36.3.3.2.8.1.1.7}
    • brainpoolP320r1 – {1.3.36.3.3.2.8.1.1.9}
    • brainpoolP384r1 – {1.3.36.3.3.2.8.1.1.11}
    • brainpoolP512r1 – {1.3.36.3.3.2.8.1.1.13}

Note: In FIPS mode, only NIST recommended curves are currently supported. Curves under 224 bits are not recommended.

For data signature generation and verification operations involving ECC-based algorithms, z/OS® System SSL supports ECDSA with SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 digest algorithms. When creating signed certificates using the System SSL certificate management utility, gskkyman, or through CMS APIs that use a default digest algorithm, the recommended digest for the ECC key size of the signing private key is used (as specified in the following table).

Table 1. Recommended digest sizes for ECDSA signature key sizes

| ECC curve type | ECDSA key sizes (bits) | Recommended digest algorithm | Signature algorithm type |
|---|---|---|---|
| x509_ecurve_brainpoolP160r1, x509_ecurve_secp192r1, x509_ecurve_brainpoolP192r1, x509_ecurve_secp224r1, x509_ecurve_brainpoolP224r1, x509_ecurve_secp256r1, x509_ecurve_brainpoolP256r1, x509_ecurve_brainpoolP320r1 | 160-383 | SHA-256 | x509_alg_ecdsaWithSha256 |
| x509_ecurve_secp384r1, x509_ecurve_brainpoolP384r1 | 384-511 | SHA-384 | x509_alg_ecdsaWithSha384 |
| x509_ecurve_brainpoolP512r1, x509_ecurve_secp521r1 | 512 and greater | SHA-512 | x509_alg_ecdsaWithSha512 |
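
The following Python sketch is an added example, not IBM code or part of System SSL: it decodes a DER-encoded namedCurve OID and checks it against the supported-curve list, the FIPS mode note, and the Table 1 digest recommendations. The function names and sample bytes are constructed for illustration; the OIDs, key sizes, and digest ranges are taken from this page.

```python
# Added example, not IBM code. OIDs, key sizes and digest ranges come from
# this page; function names and the sample DER bytes are constructed.
CURVES = {  # OID -> (name, key size in bits, NIST recommended curve?)
    "1.2.840.10045.3.1.1": ("secp192r1", 192, True),
    "1.3.132.0.33": ("secp224r1", 224, True),
    "1.2.840.10045.3.1.7": ("secp256r1", 256, True),
    "1.3.132.0.34": ("secp384r1", 384, True),
    "1.3.132.0.35": ("secp521r1", 521, True),
    "1.3.36.3.3.2.8.1.1.1": ("brainpoolP160r1", 160, False),
    "1.3.36.3.3.2.8.1.1.3": ("brainpoolP192r1", 192, False),
    "1.3.36.3.3.2.8.1.1.5": ("brainpoolP224r1", 224, False),
    "1.3.36.3.3.2.8.1.1.7": ("brainpoolP256r1", 256, False),
    "1.3.36.3.3.2.8.1.1.9": ("brainpoolP320r1", 320, False),
    "1.3.36.3.3.2.8.1.1.11": ("brainpoolP384r1", 384, False),
    "1.3.36.3.3.2.8.1.1.13": ("brainpoolP512r1", 512, False),
}
SAMPLE_OID_DER = bytes.fromhex("06082a8648ce3d030107")  # constructed: secp256r1

def decode_oid(der: bytes) -> str:
    """Decode a short-form DER OBJECT IDENTIFIER (tag 0x06) to dotted text."""
    if (len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2
            or der[1] > 0x7F or der[-1] & 0x80):
        raise ValueError("not a well-formed short-form DER OBJECT IDENTIFIER")
    arcs, value = [], 0
    for byte in der[2:]:
        value = (value << 7) | (byte & 0x7F)   # base-128, high bit = "more"
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)              # first value packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def recommended_digest(bits: int) -> str:  # ranges from Table 1
    return "SHA-256" if bits < 384 else "SHA-384" if bits < 512 else "SHA-512"

def audit_named_curve(oid_der: bytes, digest: str, fips: bool = False) -> list:
    """Return findings for a namedCurve OID and the ECDSA digest used with it."""
    oid = decode_oid(oid_der)
    if oid not in CURVES:
        return [f"{oid}: not a supported named curve"]
    name, bits, nist = CURVES[oid]
    findings = []
    if fips and not nist:
        findings.append(f"{name}: not supported in FIPS mode")
    if bits < 224:
        findings.append(f"{name}: curves under 224 bits are not recommended")
    if digest != recommended_digest(bits):
        findings.append(f"{name}: recommended digest is {recommended_digest(bits)}")
    return findings
```

An empty list means the curve and digest pair matches the page's recommendations; a digest finding reports a difference from the recommended default, not an unsupported combination.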

System SSL regards certain EC named curves to be the default curve for their key size. For CMS APIs that require ECC key generation and accept a key size parameter only, the default curve for the key size specified is used. These default EC named curves are outlined in the following table.

Table 2. Default EC named curves for specified key sizes

| Key size (bits) | Default EC named curve | Named curve OID |
|---|---|---|
| 160 | brainpoolP160r1 | 1.3.36.3.3.2.8.1.1.1 |
| 192 | secp192r1 | 1.2.840.10045.3.1.1 |
| 224 | secp224r1 | 1.3.132.0.33 |
| 256 | secp256r1 | 1.2.840.10045.3.1.7 |
| 320 | brainpoolP320r1 | 1.3.36.3.3.2.8.1.1.9 |
| 384 | secp384r1 | 1.3.132.0.34 |
| 512 | brainpoolP512r1 | 1.3.36.3.3.2.8.1.1.13 |
| 521 | secp521r1 | 1.3.132.0.35 |





Copyright IBM Corporation 1990, 2014