z9 (2005) was the first machine with CPACF. The (likely) oldest machine in use is the z13 whose CPACF supported DES, AES (including XTS and GCM), SHA-1, SHA-2, SHA-3/SHAKE, but not TRNG or ECC. (TRNG was provided by HSMs or via clock sampling [NIST SP 800-90A/B/C])
z14 added faster XTS, a new GCM instruction (KMA), and TRNG native to CPACF but, sadly, still not ECC. z15 sped up CPACF (I don't recall the details) and added ECC to CPACF. z16 made more performance improvements to CPACF.

Eric Rossman
---------------------------------
ICSF Security Architect
z/OS Security
---------------------------------

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Lennie Bradshaw
Sent: Monday, January 20, 2025 9:50 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: TTLSCipherParms if no ICSF

Ah, a mere 25 years then 😉. I am guessing that there is a minimum hardware capability requirement, in terms of CPACF.

Lennie

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Eric Rossman
Sent: 20 January 2025 05:55
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: TTLSCipherParms if no ICSF

It hasn't been the case since around 2000 when we added AES SW support or a little later when we added the PKCS#11 interfaces.

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Lennie Bradshaw <lennie-brads...@outlook.com>
Sent: Sunday, January 19, 2025 4:59:03 PM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: [EXTERNAL] Re: TTLSCipherParms if no ICSF

< BTW why would you not want to use ICSF? I think there has been some confusion in the past that ICSF requires crypto hardware but that is not the case.>

I think, "no longer the case" would be more accurate.

Lennie

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Keith Gooding
Sent: 19 January 2025 18:31
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: TTLSCipherParms if no ICSF

Peter.

AT-TLS uses z/OS System SSL component to implement SSL/TLS so the answer to your question should be in the z/OS Cryptographic Services System SSL programming manual.
Although that document has a table containing a list of supported crypto methods I cannot see any mention of which ones can be used without ICSF. However the following section implies that most algorithms are supported with ICSF but the Elliptic Curve algorithms are not.

https://www.ibm.com/docs/en/zos/2.5.0?topic=ssl-overview-hardware-cryptographic-features-system

Also if you want to make use of the performance improvements available with a crypto card configured as a crypto accelerator you need ICSF.

I think historically SYSTEM SSL implemented the crypto algorithms itself but when ICSF came along it was changed to use ICSF if available. It was not necessary to implement Elliptic Curve algorithms because ICSF is used.

BTW why would you not want to use ICSF? I think there has been some confusion in the past that ICSF requires crypto hardware but that is not the case.

Keith Gooding

> On 17 Jan 2025, at 20:22, Peter <000005e4a8a0a03d-dmarc-requ...@listserv.ua.edu> wrote:
>
> Hello
>
> If there is No ICSF running then what ciphersuites can be used in TTLS
> policy?
>
> Is there a default cipher which can be used in the TTLS policy?
>
> Can someone please point me in the right direction?
>
> Peter.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN