Let me add my comments on some of this discussion. ICSF will try to use whatever is best for any particular requested operation. For example, if you want to do a clear-key TDES encryption of some data, it will use the CPACF even if you also have a Crypto Express (CEX) coprocessor. It does that because it knows the CPACF is faster. CPACF is always available (assuming it is enabled in your machine), and ICSF also has built-in software for some things the CPACF does not support.

Speed, of course, is not the only factor that must be considered. In many cases, functions that are available in the CEX simply do not exist in CPACF - all of the banking-specific functions such as payment card transaction processing or key management are good examples. Standards (and good security practices) demand that many cryptographic functions be done inside a secure hardware device like the CEX, and similarly many of these demand that keys must never appear in unencrypted form outside of a secure hardware device.

One post said "It may be ... that the recently announced "protected" clear keys can be used without a coprocessor, increasing the security level even for clear keys." This is not correct - in order to use the protected keys, you MUST also have a CEX coprocessor. This is because the protection of those keys is actually done through use of the CEX, while the encryption itself is done in the CPACF.

Another post said "Since z990 (approx. 10 years) you can have crypto cards". Actually, the first one of our crypto coprocessor cards to be supported in the mainframes was the PCI Cryptographic Coprocessor, or PCICC, which was announced on the S/390 G5/G6 machines in 2000. See http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/3/649/ENUSA00-0293/index.html&lang=en&request_locale=en for one of the announcement notices, which says in part: "New for 2000, the IBM PCI Cryptographic Coprocesser (PCICC) is an orderable feature that adds additional cryptographic function and cryptographic performance to G5/G6 servers."

Todd Arnold
IBM crypto coprocessor development
Charlotte, NC
