This article is intended to provide just enough background, information, and tutelage to get a programmer interested in testing the waters in the world of cryptography. Linux on System z applications provide the perfect playground, with the ease of programming in the Linux environment and the security available in the System z hardware. Because the world is changing and data encryption is a hot topic, a crypto 101 project is desperately needed.
The Building Blocks to Crypto Success
The Common Cryptographic Architecture (CCA) and the CryptoExpress2 Peripheral Component Interconnect (PCI) card configured as a coprocessor (CEX2C) can meet the cryptographic needs of the most demanding applications and end-to-end enterprise solutions. This software and hardware combination opens the door for Linux applications running on System z to take advantage of the latest secure key hardware available today.
On the hardware side, CryptoExpress2 is a flexible card you can configure in one of two ways. As a coprocessor, the hardware can provide a wide array of crypto functions. However, if all that's required is high-speed Secure Sockets Layer (SSL) acceleration, the hardware can instead be configured as an accelerator to optimize clear key Rivest-Shamir-Adleman (RSA) operations, speeding up the computationally expensive SSL handshake. Applications use the accelerator mode differently, and that mode won't be covered here. Each CryptoExpress2 feature comprises two physical cards, which can be configured as either a coprocessor or an accelerator, and used accordingly.
On the software side, the CCA security Application Program Interface (API) provides a robust set of functionality that can be integrated into custom applications to meet the cryptographic needs of traditional industries such as banking and finance, insurance, government, or virtually any application that needs the security only a Hardware Security Module (HSM) can provide.
A broad range of cryptographic functions is available to Linux on System z applications. The following list gives a general explanation of the more common tasks the CCA library supports in conjunction with CEX2C hardware:
• Information can be encrypted and decrypted using the Data Encryption Standard (DES) algorithm in the Cipher Block Chaining (CBC) mode to enable data confidentiality.
• Data can be hashed to obtain a digest or it can be processed to obtain a Message Authentication Code (MAC) that can be used to verify the data’s integrity.
• Digital signatures can be created and validated, both to demonstrate data integrity and to form the basis for non-repudiation.
• Personal Identification Numbers (PINs) and transaction validation codes can be generated, encrypted, translated, and verified with a comprehensive set of services specifically targeted for the finance industry.