The answer is that it depends. If you have a crypto express, you can use it as a clear key RSA accelerator (as mentioned by some folks already) without any consideration of master keys. You can use it as a coprocessor without master keys for a small subset of functions (random number generation first comes to mind, but there are others).
Also, regardless of having crypto express, CPACF is useful. Clear key ECDHE (used with TLS) works great with z15 where we added the KDSA instruction. Also used with TLS (1.3 especially likes it) is AES GCM which became a new hardware instruction (KMA) and new function codes for another (PCC) on z14.

Eric
ICSF design and development

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Frank Swarbrick
Sent: Friday, October 28, 2022 12:59 PM
To: [email protected]
Subject: [EXTERNAL] Crypto Express question

We are pushing our "host security module" processing off our mainframe back to our card issuer processor, and I have a couple of questions.

If we use ICSF just for TLS and the like, does this still require the DES and RSA keys to be loaded? We already don't have AES or ECC master keys, so I am thinking we wouldn't need DES or RSA keys either. But someone who should know seems to think we still need master keys, even if we're not using it as a crypto coprocessor.

Other question is, can TLS encryption processes that use ICSF services work at all if there is no crypto card at all?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
