z/OS Cryptographic Services System SSL Programming


Algorithms and key sizes

SC14-7495-00

When executing in FIPS mode, System SSL continues to take advantage of the CP Assist for Cryptographic Function (CPACF) when available. Hardware cryptographic functions allowed in FIPS mode support clear keys and secure PKCS #11 keys. Secure keys stored in the PKDS are not supported.

Table 1 summarizes the differences between FIPS mode and non-FIPS mode algorithm support. Hardware availability depends on the processor and CPACF feature installed. See Using cryptographic features with System SSL for more information about processors, CPACF algorithm availability, and cryptographic card support.
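Table 1. Algorithm support: FIPS and non-FIPS

| Algorithm | Non-FIPS: Sizes | Non-FIPS: System SSL software | Non-FIPS: Direct calls to CPACF | Non-FIPS: Support through ICSF | FIPS: Sizes | FIPS: System SSL software | FIPS: Direct calls to CPACF | FIPS: Support through ICSF |
|---|---|---|---|---|---|---|---|---|
| RC2 | 40 and 128 | X | | | | | | |
| RC4 | 40 and 128 | X | | | | | | |
| DES | 56 | X | X | | | | | |
| 3DES | 168 | X | X | | 168 | X | X | |
| AES | 128 and 256 | X | X | | 128 and 256 | X | X | |
| AES-GCM | 128 and 256 | | | X | 128 and 256 | | | X |
| MD5 | 48 | X | | | | | | |
| SHA-1 | 160 | X | X | | 160 | X | X | |
| SHA-2 | 224, 256, 384, and 512 | X | X | | 224, 256, 384, and 512 | X | X | |
| RSA | 512–4096 | X | | X | 1024–4096 | X | | X |
| DSA | 512–2048 | X | | | 1024–2048 | | | |
| DH | 512–2048 | X | | | 2048 | | | X |
| ECC | 160–521 | | | X | 192–521 | | | X |
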
Note: The NIST SP800-131 recommended transition key sizes (RSA >= 2048 and DSA 2048) are not enforced by System SSL. Enforcement is the responsibility of the calling application or system administrator.
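
Because the Note leaves SP800-131 enforcement to the caller, the following added example (not IBM or System SSL code) shows one way an application could check asymmetric key sizes against both the Table 1 ranges and the SP800-131 transition sizes before using a key. The names `check_key`, `audit_keys`, `key_desc` and the verdict values are hypothetical, and the code calls no System SSL API.

```c
#include <stdio.h>
#include <string.h>

/* Asymmetric key-size ranges in bits, copied from Table 1 on this page.
 * sp_min is the SP800-131 transition size from the Note (0 = none stated). */
struct alg_range { const char *alg; int min, max, fips_min, fips_max, sp_min; };

static const struct alg_range RANGES[] = {
    { "RSA", 512, 4096, 1024, 4096, 2048 },
    { "DSA", 512, 2048, 1024, 2048, 2048 },
    { "DH",  512, 2048, 2048, 2048, 0 },
    { "ECC", 160,  521,  192,  521, 0 },
};

enum key_verdict { KEY_OK, KEY_BELOW_SP800_131, KEY_OUT_OF_RANGE, KEY_UNKNOWN_ALG };

/* Classify one key: first against the Table 1 range for the mode,
 * then against the SP800-131 size that System SSL itself does not enforce. */
enum key_verdict check_key(const char *alg, int bits, int fips_mode)
{
    for (size_t i = 0; i < sizeof RANGES / sizeof RANGES[0]; i++) {
        const struct alg_range *r = &RANGES[i];
        if (strcmp(alg, r->alg) != 0)
            continue;
        int lo = fips_mode ? r->fips_min : r->min;
        int hi = fips_mode ? r->fips_max : r->max;
        if (bits < lo || bits > hi)
            return KEY_OUT_OF_RANGE;
        return bits < r->sp_min ? KEY_BELOW_SP800_131 : KEY_OK;
    }
    return KEY_UNKNOWN_ALG;
}

struct key_desc { const char *label, *alg; int bits; };

/* Count the keys an application should refuse before handing them to System SSL. */
int audit_keys(const struct key_desc *keys, size_t n, int fips_mode)
{
    int refused = 0;
    for (size_t i = 0; i < n; i++)
        if (check_key(keys[i].alg, keys[i].bits, fips_mode) != KEY_OK)
            refused++;
    return refused;
}

int main(void)
{
    /* Constructed inventory, not taken from any real key ring. */
    const struct key_desc keys[] = {
        { "server", "RSA", 2048 }, { "legacy", "RSA", 1024 }, { "kex", "DH", 1024 },
    };
    printf("refused in FIPS mode: %d of 3\n", audit_keys(keys, 3, 1));
    return 0;
}
```

The `KEY_BELOW_SP800_131` verdict marks the gap the Note describes: a 1024-bit RSA or DSA key falls inside the FIPS-mode range in Table 1 yet is below the SP800-131 transition size.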





Copyright IBM Corporation 1990, 2014