z/TPF

z/TPF

z/TPF

The z/TPF group is dedicated to sharing news, knowledge, and insights about the z/TPF product family. Consisting of IBMers and users, this community collaborates to advance the potential of high-volume, high-throughput transaction technology.

 View Only

Support for Elliptic Curve Cryptography (PJ46719)

By Raymond Fan posted Thu June 16, 2022 06:27 PM

  
z/TPF support for Elliptic Curve Cryptography (ECC) provides the capability to use ECC ciphers for OpenSSL sessions (including shared SSL) on the z/TPF system. ECC is considered a more modern cryptographic approach compared to Rivest-Shamir-Adelman (RSA) and provides the following benefits:

  • ECC keys with smaller key sizes provide the same level of security as RSA key exchange with larger key sizes.
  • ECC ciphers that the z/TPF system supports use Ephemeral Diffie-Hellman (DHE) key exchange, which provides perfect forward secrecy (PFS). These ciphers use keys that are generated dynamically, so the private key is not stored as opposed to RSA key exchange.

With APAR PJ46719, the z/TPF system will support the following ephemeral ECC cipher suites that also provide perfect forward secrecy (PFS):
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-NULL-SHA (This cipher is to be used for testing and debugging only. Do not use to secure sensitive data.)

ECC cipher suites use curves for the ECC key exchange. Each of the ECC ciphers above can be used with the following curves for key exchange, which are supported by z/TPF:
  • P-256
  • P-384
  • P-521
  • X25519 (uses curve25519)
  • X448 (uses curve448)

The curve list preference by default is obtained from the OpenSSL default ECC curve list. However, a user can specify a user-defined ECC curve list using the new ZSSLD DEFCURVE-curvelist command where curvelist is a colon separated list of curves in preference order. The specified curve list is used for all TLS sessions that use ECC on all processors in the loosely-coupled complex. For more information, refer to the documentation for the ZSSLD command.

The ZDCOM display for network compliance related information was also updated to include information pertaining to the usage of the newly supported ECC ciphers and curves.

ECC support on z/TPF leverages hardware to optimize performance during the ECC key exchange. This hardware acceleration requires IBM z15 or above, otherwise the key exchange is performed in software.

The new supported cipher algorithms improve the overall security of the z/TPF system. For more information about APAR PJ46719, see the APEDIT.
0 comments
7 views

Permalink

https://community.ibm.com/community/user/blogs/raymond-fan1/2022/06/16/ecc-support