To complement, clarify and organize in a few points:
1. We have symmetric and asymmetric crypto. And some other
crypto-related functions (SHA, RNG). However, it is worth knowing that
asymmetric crypto is approx. 1000 times slower than symmetric crypto
(with the same crypto-strength). That's why we
Nicely put.
> Symmetric or "secret key" encryption is probably what you think of
when you think of encryption.
> You encrypt and decrypt with the same secret key, just like when you
passed coded notes in grade school.
> It is a part of almost everything where encryption is involved. It is
I'm trying to put this in my own words. I'm not an expert on Z crypto
architecture, but I am sure someone will correct me if I am wrong.
The CPACF instructions are like the TRT instruction. You *could* do what TRT
does with a loop using IC and compare and so forth, but the TRT instruction is
On Wed, 24 Jan 2024 20:15:18 +0400, Peter wrote:
>Still I am trying to understand encryption and decryption load goes to
>general CP In case if you don't have CPACF or ICSF ?
There's no such thing as "don't have CPACF". All machines have it. It's
on-chip and part of the instruction set.
Encryption and decryption - processor or TCPIP
If I'm interpreting the z16 materials right it's within the core's area.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@lists
If I’m interpreting the z16 materials right it’s within the core’s area.
From: IBM Mainframe Discussion List on behalf of
Eric D Rossman
Date: Thursday, 25 January 2024 at 15:07
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP
> Actually, every processor core includes its own CPACF coprocessor section.
> In other words, CPACF is "on core."
It's a fine distinction. My background is in HW so I describe it as separate
from the "CP" proper, even though it is on the same chip.
Eric Rossman
Hi,
there is another possibility for a delay in TLS session setup:
When you connect in clear to a TN3270 server and then have told your client to use STARTTLS. This
may be a fast initial solution in case when your firewall cerberos :-) cannot rapidly a new port,
i.e. 992.
Best
/PS
Eric Rossman wrote:
>The CPACF is a physically separate chip that runs in lockstep
>with the CP that invokes it. So, it does cost general CP but
>much less than implementing it in millicode.
Actually, every processor core includes its own CPACF coprocessor section. In
other words, CPACF is
rame Discussion List On Behalf Of
Timothy Sipples
Sent: Wednesday, January 24, 2024 5:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP
>So Timothy (and probably just for me), I've seen a couple
>of sites without crypto HSM cards not bother t
Thanks Timothy, and thanks to others who helped with my side questions.
On 1/24/2024 2:20 AM, Timothy Sipples wrote:
So Timothy (and probably just for me), I've seen a couple
of sites without crypto HSM cards not bother to run ICSF.
Can I assume in that case there's pretty-much no way any
> > Peter wrote:
> > > Still I am trying to understand encryption and decryption
> > > load goes to general CP In case if you don't have CPACF or
> > > ICSF ?
> Phil Smith III wrote:
> > Even with CPACF and ICSF, some/most of the encryption load
> > is on the CPU.
> > They aren't magic. CPACF is
You will need at least a CPACF to initialise ICSF.
Lennie
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Tony Harminc
Sent: 24 January 2024 18:55
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP
On Wed, 24 Jan 2024 at 12:38, Phil Smith III wrote:
> Peter wrote:
> >Still I am trying to understand encryption and decryption load goes to
> >general CP In case if you don't have CPACF or ICSF ?
>
> Even with CPACF and ICSF, some/most of the encryption load is on the CPU.
> They aren't magic.
Peter wrote:
>Still I am trying to understand encryption and decryption load goes to
>general CP In case if you don't have CPACF or ICSF ?
Even with CPACF and ICSF, some/most of the encryption load is on the CPU. They
aren't magic. CPACF is faster, but it's still fundamentally executing Z
Discussion List ; Eric D Rossman
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP
Eric
Still I am trying to understand encryption and decryption load goes to
general CP In case if you don't have CPACF or ICSF ?
On Wed, Jan 24, 2024, 6:44 PM Eric D Rossman wrote:
> Responding to a bunch of questions/comments in one reply.
>
> Tom Brennan:
> > I thought I heard that you can
Peter wrote:
>After implementing ATTLS there is some delay in our CICS transaction but I
>was suspecting if an absence of crypto processor can overload the general
>processor to cause this delay ?
Define "some delay". Adding AT-TLS means that a TLS handshake is being added to
the communication.
Responding to a bunch of questions/comments in one reply.
Tom Brennan:
> I thought I heard that you can start ICSF without a crypto
> card and it will use CPACF for some of the heavier encryption
> processing (maybe like generating prime numbers) and save
> individual tasks some CP time.
ICSF
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP
Sorry MaRtin.
L
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Lennie Dymoke-Bradshaw
Sent: 24 January 2024 13:09
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP
Matin said " Easily managed by provisioning enough
Subject: Re: Encryption and decryption - processor or TCPIP
Thanks. Then if I see zIIP for TCP/IP I should tentatively conclude it's
this. The interesting bit would be if this zIIP usage were large - and
pre-empting Db2 Engine. Easily managed by provisioning enough zIIP.
Cheer
-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Date: Wednesday, 24 January 2024 at 11:58
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP
Martin,
As Timothy has pointed out, it is for IPSEC processing that a zIIP is used,
not AT/
Mainframe Discussion List On Behalf Of
Martin Packer
Sent: 24 January 2024 10:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP
In the back of my mind I also think that the crypto processing for TCP/IP
could be performed on a zIIP processor (which could be using
Lennie Dymoke-Bradshaw wrote:
>In the back of my mind I also think that the crypto processing for TCP/IP
>could be performed on a zIIP processor (which could be using its CPACF, of
>course).
IPSec/IKEv2 can exploit zIIPs (and CPACF).
>So Timothy (and probably just for me), I've seen a couple
>of sites without crypto HSM cards not bother to run ICSF.
>Can I assume in that case there's pretty-much no way any
>encryption processing could be using CPACF?
ICSF supports many, many cryptography-dependent features in z/OS. Even many
Date: Wednesday, 24 January 2024 at 09:53
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP
Tom,
It is possible to initialise ICSF without a Crypto Express card. I have done
it. Changes were made to ICSF in support of that initialisation many
Subject: Re: Encryption and decryption - processor or TCPIP
Woah... right now I'm only about 1000 miles from Timothy so I get to see
his responses in real time and not California time :)
So Timothy (and probably just for me), I've seen a couple of sites
without crypto HSM cards not bother to run ICSF. Can I assume in that
case there's pretty-much no
My case was before AT-TLS, when I believe it was up to each application
to handle the encryption themselves, so we saw a big spike and delay in
the SSHD task each time someone logged on. That timing contributed to
my theory about the prime number generation or similar initial
encryption
It would be worth looking at the RMF report on the crypto processing and
seeing if they are running hot.
Does the PAGENT address space use a lot of CPU - is it delayed?
The code may execute on your CICS TCB - executing cross memory (via PC) in
the TCPIP address space(s). I don't recall seeing
Peter wrote:
>I have a general question here. When you don't have crypto processor, So
>when a ATTLS traffic is enabled does the encryption and decryption handled
>by Started task TCPIP or the general processor?
I’ve seen some of the follow-up messages, and it seems like you’re trying to
Ok so TCPIP as a started task when it does encryption and decryption so it
directly overloads the General CP ?
On Wed, Jan 24, 2024, 9:59 AM Tom Brennan
wrote:
> Even though you don't have a crypto processor, do you have CPACF on the
> box? Most machines I've seen do, because it's a no-charge
Even though you don't have a crypto processor, do you have CPACF on the
box? Most machines I've seen do, because it's a no-charge feature. I
don't know for sure, but I thought I heard that you can start ICSF
without a crypto card and it will use CPACF for some of the heavier
encryption
After implementing ATTLS there is some delay in our CICS transaction but I
was suspecting if an absence of crypto processor can overload the general
processor to cause this delay ?
On Wed, Jan 24, 2024, 9:01 AM Phil Smith III wrote:
> Peter wrote:
> >I have a general question here. When you
Peter wrote:
>I have a general question here. When you don't have crypto processor, So
>when a ATTLS traffic is enabled does the encryption and decryption handled
>by Started task TCPIP or the general processor?
The TCPIP started task is just code and runs on the general processor, so your
Hello
I have a general question here. When you don't have crypto processor, So
when a ATTLS traffic is enabled does the encryption and decryption handled
by Started task TCPIP or the general processor?
Regards
Peter