z/OS Cryptographic Services ICSF Administrator's Guide


PKA Keys

SA22-7521-17

ICSF supports the use of public key cryptography. This requires the generation of a pair of PKA keys. One key is made public, and the other key is kept private. The private key is protected through encryption under the appropriate PKA master key. The public key is used to encrypt DES or AES data-encrypting keys in a key distribution system. The private key is then used to decrypt the DES or AES data-encrypting key. The private key is also used for generating digital signatures which are verified using the corresponding public key.

ICSF supports the use of these PKA keys.

RSA
An RSA key pair includes a private key and a public key. RSA keys can be used for key distribution and authentication. When used for key distribution, a DES key is encrypted under an RSA public key by the sender. The key can only be decrypted with the receiver's private key. When used for authentication, the RSA private key is used for digital signature generation and the RSA public key is used for digital signature verification.

The optional PCICC, PCIXCC, CEX2C, or CEX3C provides the ability to generate RSA public and private key pairs within its secure hardware boundary.

The Cryptographic Coprocessor Feature (CCF) does not provide the ability to generate RSA public and private keys within its secure hardware boundary. If you have CCF without a PCI Cryptographic Coprocessor, you can generate RSA key pairs in the encrypted form on a TKE Workstation with APAR OW32982 or a workstation with a 4764 or 4758 cryptographic adapter installed. RSA keys generated on the TKE workstation can be loaded directly to the PKDS from the TKE workstation. RSA keys generated on a non-TKE workstation can use the PKA key import callable service to import the RSA key pair to the Cryptographic Coprocessor Feature.
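The following Go program is an added example that is not part of this guide and does not use ICSF callable services; it models, with the Go standard library, the RSA key-distribution and authentication flow described above: a data-encrypting key (here a 256-bit AES key) is wrapped under the receiver's RSA public key, unwrapped with the receiver's private key, and the wrapped key is signed by the sender and verified with the sender's public key. The in-memory key pairs, the RSA-OAEP and RSA-PSS choices, and the function names are assumptions made for the example; on ICSF the private keys would be generated and held inside the coprocessor.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewRSAKeyPair generates an RSA key pair. On ICSF the private half would be
// created and kept inside the coprocessor; here it is an ordinary in-memory
// key (an assumption made for this example).
func NewRSAKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// NewDEK returns a fresh random 256-bit AES data-encrypting key.
func NewDEK() ([]byte, error) {
	dek := make([]byte, 32)
	_, err := rand.Read(dek)
	return dek, err
}

// WrapDEK is the sender's step: the DEK is encrypted with RSA-OAEP under the
// receiver's public key, so only the matching private key can recover it.
func WrapDEK(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
}

// UnwrapDEK is the receiver's step: the private key recovers the DEK.
func UnwrapDEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// SignRSA produces an RSA-PSS signature over SHA-256(msg) with the private key.
func SignRSA(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyRSA checks the signature with the public key; any change to msg or
// sig makes it return false.
func VerifyRSA(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Distribute runs one key-distribution exchange: the sender generates a DEK,
// wraps it for the receiver and signs the wrapped key; the receiver verifies
// the signature before unwrapping. It reports whether the receiver ended up
// with the same DEK the sender generated.
func Distribute() (bool, error) {
	receiver, err := NewRSAKeyPair(2048)
	if err != nil {
		return false, err
	}
	sender, err := NewRSAKeyPair(2048)
	if err != nil {
		return false, err
	}
	dek, err := NewDEK()
	if err != nil {
		return false, err
	}
	wrapped, err := WrapDEK(&receiver.PublicKey, dek)
	if err != nil {
		return false, err
	}
	sig, err := SignRSA(sender, wrapped)
	if err != nil {
		return false, err
	}
	// Receiver side: authenticate the wrapped key first, then unwrap it.
	if !VerifyRSA(&sender.PublicKey, wrapped, sig) {
		return false, errors.New("signature verification failed")
	}
	recovered, err := UnwrapDEK(receiver, wrapped)
	if err != nil {
		return false, err
	}
	return bytes.Equal(recovered, dek), nil
}

func main() {
	ok, err := Distribute()
	fmt.Println("receiver recovered the DEK:", ok, err)
}
```

The receiver checks the signature before attempting to unwrap, so a wrapped key that was substituted or altered in transit is rejected without ever being used; unwrapping with any private key other than the receiver's fails, which is the property the guide relies on when it says the key "can only be decrypted with the receiver's private key".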

DSS
A DSS key pair includes a private and a public key. The DSS private key is used for digital signature generation, and the DSS public key is used for digital signature verification.

ICSF provides a callable service to generate PKA internal key tokens for use with the DSS algorithm in digital signature services.

Restriction: DSS keys are not supported on the PCIXCC, CEX2C, or CEX3C.

ECC
An ECC key pair includes a private and public key. The ECC private key is used to generate digital signatures, and the ECC public key is used to verify digital signatures.

ICSF generates ECC key pairs using the Elliptic Curve Digital Signature Algorithm (ECDSA). This algorithm uses elliptic curve cryptography (an encryption system based on the properties of elliptic curves) to provide a variant of the Digital Signature Algorithm.

ECC keys are supported on the z196 with a CEX3C. With a CEX3C that is ECC capable, you can use the PKA key generate callable service to generate ECC keys.

RSA, DSS, and ECC public and private keys can be stored in the PKA key data set (PKDS), a VSAM data set. For retained private keys, only the public key is stored in the PKDS. For more information about the PKDS, refer to Setting up and maintaining the PKDS.
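The following Go program is an added example, not part of this guide and not ICSF code; it illustrates two points from this topic with the Go standard library: ECDSA signature generation with an ECC private key and verification with only the public key (the ECC section), and the fact that a verifier, or a key store holding a retained key, needs nothing but the public half, which is exported and re-imported here in PEM form. The P-256 curve, the in-memory key, the PEM encoding, and all function names are assumptions made for the example; on ICSF the key pair would come from the PKA key generate callable service on an ECC-capable CEX3C.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// NewECCKeyPair generates a NIST P-256 key pair. ICSF would do this in the
// CEX3C via the PKA key generate service; this in-memory key is an assumption
// made for the example.
func NewECCKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignECDSA signs SHA-256(msg) with the private key and returns the
// DER-encoded (r, s) signature.
func SignECDSA(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyECDSA checks a signature using the public key only.
func VerifyECDSA(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// ExportPublicKeyPEM serialises only the public half, which is all a verifier
// (or a key store holding the public key of a retained private key) needs.
func ExportPublicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ImportPublicKeyPEM parses the PEM produced by ExportPublicKeyPEM.
func ImportPublicKeyPEM(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("not an ECDSA public key")
	}
	return pub, nil
}

// RoundTrip signs msg, exports the public key, re-imports it as a verifier
// would, and checks both the genuine message and a tampered copy. It returns
// (genuine verifies, tampered verifies).
func RoundTrip(msg []byte) (bool, bool, error) {
	priv, err := NewECCKeyPair()
	if err != nil {
		return false, false, err
	}
	sig, err := SignECDSA(priv, msg)
	if err != nil {
		return false, false, err
	}
	pemPub, err := ExportPublicKeyPEM(&priv.PublicKey)
	if err != nil {
		return false, false, err
	}
	pub, err := ImportPublicKeyPEM(pemPub)
	if err != nil {
		return false, false, err
	}
	// Constructed tampered copy: one extra byte appended to the message.
	tampered := append(append([]byte{}, msg...), '!')
	return VerifyECDSA(pub, msg, sig), VerifyECDSA(pub, tampered, sig), nil
}

func main() {
	good, bad, err := RoundTrip([]byte("constructed sample message"))
	fmt.Println("genuine:", good, "tampered:", bad, "err:", err)
}
```

Only the public key crosses the export/import boundary, so the verifying side can check signatures without ever holding the private key; a single changed byte in the signed message makes verification fail.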

Copyright IBM Corporation 1990, 2014