
The best way to secure data exchanged over an insecure network such as the Internet is to encrypt it. The Crypto Express2 (CEX2) feature for IBM System z provides cryptographic functions implemented in hardware that would otherwise have to be computed by software algorithms. A software implementation of a cryptographic algorithm is much more expensive in CPU cost than a hardware-accelerated one.

CEX2 is an optional card and is the replacement for the older PCI Cryptographic Accelerator (PCICA). PCICA was available for the z800 and z900. CEX2 was introduced for the zSeries z890 and z990 machines and is supported on System z9 and z10. Each CEX2 card provides two PCI-X adapters. A PCI-X adapter can be configured either as a cryptographic coprocessor (CEX2C) for secure key encrypted transactions (not discussed in detail here) or as a cryptographic accelerator (CEX2A) for the Secure Sockets Layer (SSL) protocol. Because SSL uses a clear key to protect the data in an SSL session, a CEX2A works only in clear key mode. This article shows the throughput improvements obtained when a CEX2A is exploited by the Linux SSL implementation (OpenSSL).

There’s also a lower cost cryptographic feature, Crypto Express2-1P (CEX2-1P), designed to address small and midrange security requirements (e.g., System z10 BC). CEX2-1P provides one PCI-X adapter per feature instead of two.

CEX2 executes cryptographic requests asynchronously to the Central Processor (CP) of a System z, so cryptographic work is carried out in parallel while other tasks run on the CP. When configured as a CEX2A, a subset of cryptographic functions is enabled that accelerates the CPU-intensive public key operations used in the SSL protocol stack. A CEX2A was designed for SSL acceleration and should be used only for that purpose.
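The practical question an administrator has after reading this is whether OpenSSL on a given Linux system is actually handing its RSA operations to the accelerator, and how much that buys. The following script is an added example, not code from the article or from IBM: it checks whether OpenSSL can load a hardware engine and compares RSA signing throughput from `openssl speed` in software against the same run through the engine. It assumes the `openssl` command is on the PATH and that the engine is called `ibmca` (the OpenSSL engine name used for CEX2A on Linux on System z; on an OpenSSL 3 system with providers instead of engines the `-engine` switch no longer applies). The sample `openssl speed` output embedded in the script is constructed for the parser; the figures in it are made up.

```shell
#!/bin/sh
# Added example, not code from the original article or from IBM.
# Checks whether OpenSSL on this host can use a hardware crypto engine and
# compares RSA signing throughput in pure software against the engine.
# Assumptions: "openssl" is on PATH and the engine name is "ibmca";
# override it with ENGINE=<name> when running the live benchmark.
ENGINE="${ENGINE:-ibmca}"
KEYSIZE=2048

# Return 0 if OpenSSL reports the named engine as loadable and available.
engine_available() {
    openssl engine -t "$1" 2>/dev/null | grep -q '\[ available \]'
}

# Read "openssl speed rsa<bits>" output on stdin and print the sign/s column
# for the requested key size (6th field of the "rsa NNNN bits" line).
sign_per_sec() {
    awk -v bits="$1" '$1 == "rsa" && $2 == bits && $3 == "bits" { print $6 }'
}

# Print the ratio of two throughput figures with two decimals; awk supplies
# the floating point arithmetic that POSIX sh lacks.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (a == 0) { print "n/a"; exit } printf "%.2f\n", b / a }'
}

# Constructed sample of "openssl speed rsa2048" output for exercising the
# parser without a benchmark run (the numbers are made up, not measured).
SAMPLE_SPEED_OUTPUT='                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000981s 0.000030s   1019.3  33478.1'

# Live benchmark: software RSA first, then the same key size via the engine.
# If the engine is missing, say so: RSA is then being done on the CP.
run_benchmark() {
    sw=$(openssl speed -seconds 2 "rsa${KEYSIZE}" 2>/dev/null | sign_per_sec "$KEYSIZE")
    echo "software      rsa${KEYSIZE} sign/s: ${sw:-unknown}"
    if engine_available "$ENGINE"; then
        hw=$(openssl speed -seconds 2 -engine "$ENGINE" "rsa${KEYSIZE}" 2>/dev/null | sign_per_sec "$KEYSIZE")
        echo "engine $ENGINE rsa${KEYSIZE} sign/s: ${hw:-unknown}"
        [ -n "$sw" ] && [ -n "$hw" ] && echo "speedup: $(speedup "$sw" "$hw")x"
    else
        echo "engine $ENGINE not available: OpenSSL is doing RSA in software"
    fi
}

# Usage: sh cex2a_bench.sh run   (without "run", only the sample is parsed)
case "${1:-}" in
    run) run_benchmark ;;
    *)   echo "sample sign/s: $(printf '%s\n' "$SAMPLE_SPEED_OUTPUT" | sign_per_sec "$KEYSIZE")" ;;
esac
```

Only the sign/s column is compared because signing is the private key operation an SSL server performs once per full handshake; it is the expensive step the accelerator is meant to absorb, whereas verification is cheap in software anyway. Running the script without the engine present is itself a useful check: an "engine not available" line on a machine that is supposed to have a CEX2A means the card is not being used.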

CEX2C provides a high-security, high-throughput cryptographic subsystem. The cryptographic hardware relieves the main processor of the work of computing functions such as:

• Advanced Encryption Standard (AES)

• Data Encryption Standard (DES)

• Triple DES (TDES)

• Rivest-Shamir-Adleman (RSA) cipher

• Secure Hash Functions (SHA).
