IBM Systems Magazine, Mainframe Edition - May/June 2012 - (Page 35)

Administrator: Getting the most from your systems

Safe and Sound: System z cryptography capabilities enable Linux applications to run securely and efficiently

By Peter Spera

Linux*, entering its second decade on System z*, has come a long way in its support for cryptographic hardware. With guidance from a diverse group of clients, IBM has journeyed from the first requirements to accelerate high volumes of SSL-encrypted Web traffic to new custom workloads incorporating specialized, secure key cryptography. Accordingly, the platform has evolved from acceleration of open-source applications with RSA handshakes for SSL to implementing international banking standards, bringing financial customers’ security policies and intellectual property to life.

Three aspects of the System z cryptographic hardware can be applied to solutions running on Linux. All three hardware options intersect with both clear and secure key cryptographic operations utilized by applications running on Linux for System z. They are:

• Central Processor Assist for Cryptographic Functions (CPACF)
• CryptoExpress3 card configured in accelerator mode (CEX3A)
• CryptoExpress3 card configured in coprocessor mode (CEX3C)

Random Numbers

Because random numbers can be a critical part of a cryptographic algorithm, it’s important to understand the different types of random numbers and the hardware options available to provide a constant stream of numbers to support workload demands. A software random-number solution can provide pseudo-random numbers at best; however, many software implementations are too predictable for cryptographic use. Random numbers used for cryptographic purposes must be computationally impractical to predict. What’s needed is a source of entropy that’s truly random and unpredictable. This source is used as the seed for producing the volumes of random numbers needed to meet cryptographic requirements.

For an application requiring high volumes of pseudo-random numbers, the CPACF hardware instruction, part of the System z architecture, meets this need. Figure 1, Part a (below) demonstrates how /dev/prandom, a built-in Linux device, and libICA, a cryptographic library, can utilize the CPACF for generating high volumes of pseudorandom numbers. Figure 1, Part b shows a path to access true random numbers generated by a CryptoExpress3 card configured in coprocessor mode and made available to an application via the built-in device /dev/hwrng.

Figure 1: Random Number Options. KEY: IBM hardware; ISV software; IBM software; Recommended API. a) Pseudorandom Numbers. b) True Random Numbers.
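The article names two Linux devices, /dev/hwrng for true random numbers from the coprocessor-mode card and /dev/prandom for CPACF-backed pseudorandom numbers. The following script is an added example, not code from the article or from IBM: it reads random bytes from the first of those devices that is present, falls back to the generic kernel source when neither exists (that fallback order is an assumption, not something the article prescribes), and runs a coarse byte-histogram entropy check on the result so an operator can spot a drained or stuck source.

```python
import math
import os
from collections import Counter

# Devices named in the article, in order of preference: true random numbers
# from the CEX3C card first, CPACF-backed pseudorandom numbers second. The
# /dev/urandom fallback is an assumption added here for portability.
RANDOM_DEVICES = ("/dev/hwrng", "/dev/prandom", "/dev/urandom")


def read_random_bytes(n, devices=RANDOM_DEVICES):
    """Return (data, source): n bytes from the first usable device in order."""
    for path in devices:
        try:
            with open(path, "rb", buffering=0) as dev:
                data = bytearray()
                while len(data) < n:
                    chunk = dev.read(n - len(data))
                    if not chunk:
                        break  # device returned EOF; try the next source
                    data.extend(chunk)
                if len(data) == n:
                    return bytes(data), path
        except OSError:
            continue  # device absent, or no permission on this system
    # No device usable at all: os.urandom() is the last-resort fallback (assumption).
    return os.urandom(n), "os.urandom"


def shannon_entropy_bits(data):
    """Estimated bits of entropy per byte from the byte histogram (maximum 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_random(data, threshold=7.5):
    """Coarse sanity gate: a constant or low-variety stream fails, while a
    healthy stream of a few KiB scores close to 8.0 bits per byte."""
    return shannon_entropy_bits(data) >= threshold


if __name__ == "__main__":
    sample, source = read_random_bytes(4096)
    print(f"{source}: {shannon_entropy_bits(sample):.3f} bits/byte, "
          f"passes={looks_random(sample)}")
```

The histogram check is a liveness test, not proof of unpredictability: a poorly seeded software generator of the kind the article warns about produces a flat histogram too, so it would pass this gate while still being predictable to an attacker. It catches the operational failure modes (a stuck device, a stream of zeros after a card goes offline), and the choice of device path is what actually decides whether the bytes come from hardware entropy.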
