IBM Z15 Performance of Cryptographic Operations
Total Page:16
File Type:pdf, Size:1020Kb
IBM z15 Cryptographic Performance May 2020 IBM z15 Performance of Cryptographic Operations (Cryptographic Hardware: CPACF, CEX7S) 1 IBM z15 Cryptographic Performance May 2020 © Copyright IBM Corporation 1994, 2019. IBM Corporation Marketing Communications, Server Group Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America All Rights Reserved IBM, the IBM logo, ibm.com, z/OS, RACF, and zEnterprise are trademarks or registered trademarks of International Business Machines Corporation of the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis. Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries. Other company, product and service names may be trademarks or service marks of others. IBM may not offer the products, services or features discussed in this document in all countries in which IBM operates, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any of IBM's intellectual property rights may be used instead of the IBM product, program, or service. Evaluation and verification of operation in conjunction with other products, except those expressly designated by IBM, is the user's responsibility. IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY, 10504-1785 USA. All statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice and represent goals and objectives only. Performance is in External Throughput Rate (ETR) based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput equivalent to the performance rates stated here. 2 IBM z15 Cryptographic Performance May 2020 Contents IBM z15 Performance of Cryptographic Operations ................................................................. 1 (Cryptographic Hardware: CPACF, CEX7S) ...................................................................... 1 Preface .................................................................................................................................. 5 1. Introduction ....................................................................................................................... 5 2. Cryptographic Hardware Supported on z15 ...................................................................... 6 2.1 Central Processor Assist for Cryptographic Function (CPACF) ................................... 6 2.2 Crypto Express7S (CEX7S) Feature ........................................................................... 7 3. Performance Information ................................................................................................... 9 3.1 Definitions .................................................................................................................... 9 3.2 CP Assist for Cryptographic Function (CPACF) ........................................................... 9 3.2.1 CPACF Performance - MSA Architecture Interface ................................................... 9 3.2.1.1 CPACF MSA Architecture Interface - Clear Key Mode ......................................... 10 3.2.1.2 CPACF MSA Architecture Interface - Protected Key Mode .................................. 14 3.2.2 CPACF Performance - ICSF API ............................................................................ 17 3.2.2.1 CPACF ICSF API - Clear Key Operations ............................................................ 18 3.2.2.2 CPACF ICSF API - Protected Key Operations ..................................................... 20 3.3 Crypto Express7S Performance (z/OS) ..................................................................... 23 3.3.1 CEX7S CCA Coprocessor (CEX7C) - Encryption/Decryption and MAC Operations ......................................................................................................................................... 24 3.3.2 CEX7S CCA Coprocessor – Key Management ...................................................... 27 3.3.3 CEX7S CCA Coprocessor - Financial Services ...................................................... 27 3.3.4 CEX7S CCA Coprocessor - VISA Format Preserving Encryption (FPE) ................. 28 3.3.5 CEX7S CCA Coprocessor - Random Number Generation ..................................... 28 3.3.6 CEX7S CCA Coprocessor - PKA Operations .......................................................... 29 3.3.7 CEX7S CCA Coprocessor - PCI-HSM mode .......................................................... 31 3.3.8 CEX7S Enterprise PKCS #11 Coprocessor (CEX7P) – Encryption / Decryption and HMAC operations ............................................................................................................ 32 3.3.9 CEX7S Enterprise PKCS #11 Coprocessor (CEX7P) - PKA Operations ................ 34 3.3.10 CEX7S Accelerator Performance .......................................................................... 36 3.4 Crypto Express7S Performance (Linux on Z) ............................................................ 37 3.4.1 CEX7S CCA Coprocessor (CEX7C) - Encryption/Decryption ................................. 37 3.4.2 CEX7S CCA Coprocessor – Financial Services Examples ..................................... 39 3.4.3 CEX7S CCA Coprocessor - VISA Format Preserving Encryption (FPE) ................. 40 3 IBM z15 Cryptographic Performance May 2020 3.4.4 CEX7S CCA Coprocessor - Random Number Generation ..................................... 40 3.4.5 CEX7S CCA Coprocessor - PKA Operations .......................................................... 40 3.5 SSL Handshake Performance ................................................................................... 42 3.5.1 SSL / TLS Protocol based Communication ............................................................. 42 3.5.2 System SSL with z/OS V2R4 and Cryptographic Support for z/OS V2R1-V2R4 (ICSF FMID HCR77D1) ................................................................................................... 44 4 IBM z15 Cryptographic Performance May 2020 Preface The performance information presented in this publication was measured on IBMTM z15TM in an unconstrained environment for the specific benchmark with a system control program (operating system) as specified. Many factors may result in variances between the presented information and the information a customer may obtain by trying to reproduce the data. IBM does not guarantee that your results will correspond to the results herein. This information is provided ‘as is’ without warranty, express or implied. The features described herein are presented for informational purposes; actual performance and security characteristics may vary depending on individual customer configurations and conditions. The performance numbers stated for some of the operations are only for demonstration purposes. When quoting some key length or cryptographic algorithms one may not conclude that IBM implies the key length or cryptographic algorithm is adequate and can therefore be used safely. The cryptographic functions described here may not be available in all countries and may require special enablement subject to export regulations. 1. Introduction The purpose of this publication is to provide performance information to the user of cryptographic services on z15. z15 supports the following cryptographic hardware features: 1. Central Processor Assist for Cryptographic Function (CPACF). 2. Crypto Express5S (CEX5S) feature. 3. Crypto Express6S (CEX6S) feature. 4. Crypto Express7S (CEX7S) feature. The CPACF delivers cryptographic support for Advanced Encryption Standard (AES), Triple DES (TDES) and Data Encryption Standard (DES) data encryption/decryption, Secure Hash Algorithm (SHA) and some PKCS#11 Public Key Algorithms. The Crypto Express5S, CryptoExpress6S and Crypto Express7S features are supported on z15, however this document does not present performance information for CEX5S or CEX6S. Performance information for CEX5S on z13TM