Staller, Allan wrote: >Any Crypto Assist processors present? Makes a big difference!
I'm sure Allan knows this, but I wanted to elaborate: be careful. There are two crypto assist processors available on System z: the Crypto Express (aka "CEX", pronounced, well, with a soft "C", available as CEX2 and CEX3, at least on z10/zEnterprise) and Central Processor Assist for Cryptographic Functions (aka "CPACF", usually pronounced see-paff, with the second "C" being silent -- particularly funny, since it's for the most important word in the name!). CEX are for *security* and not *speed*. They're also optional and extra-cost. It's possible that a CEX might beat z cycles for large data volumes (yeah, like tapes), but I wouldn't bet on it. CPACF is for *speed*. It's part of the CPU, but must be enabled as a no-cost feature (feature code 3863). (Note that with Protected Key on z10/zEnterprise and latest ICSF, you get (most of) the best of both worlds, but I don't believe this is relevant to the topic at hand.) So you want to make sure CPACF is enabled (visible in the HMC) and that your encryption product of choice can use it. Yes, encryption in software is quite expensive. If the algorithm is one supported by CPACF (AES, DES), then it's super-cheap: one hardware instruction. Of course that one hardware instruction might take "a while" by most standards, but it's still a lot cheaper than z cycles. -- ...phsiii Phil Smith III p...@voltage.com Voltage Security, Inc. www.voltage.com (703) 476-4511 (home office) (703) 568-6662 (cell) ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
