IBM z14 Cryptographic Performance October 2017 IBM z14 Performance of Cryptographic Operations (Cryptographic Hardware: CPACF, CEX6S) 1 IBM z14 Cryptographic Performance October 2017 © Copyright IBM Corporation 1994, 2017. IBM Corporation Marketing Communications, Server Group Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America All Rights Reserved IBM, the IBM logo, ibm.com, z/OS, RACF, and zEnterprise are trademarks or registered trademarks of International Business Machines Corporation of the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. SUSE, the SUSE logo, openSUSE and the openSUSE logo are registered trademarks of SUSE LLC and SUSE Linux is a trademark of SUSE LLC. Other company, product and service names may be trademarks or service marks of others. IBM may not offer the products, services or features discussed in this document in all countries in which IBM operates, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any of IBM's intellectual property rights may be used instead of the IBM product, program, or service. Evaluation and verification of operation in conjunction with other products, except those expressly designated by IBM, is the user's responsibility. IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY, 10504-1785 USA. All statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice and represent goals and objectives only. Performance is in External Throughput Rate (ETR) based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance rates stated here. 2 IBM z14 Cryptographic Performance October 2017 Table of Contents ................................................................................................................................................1 IBM z14 Performance of Cryptographic Operations...................................................................1 (Cryptographic Hardware: CPACF, CEX6S).......................................................................1 Preface....................................................................................................................................5 1. Introduction.........................................................................................................................5 2. Cryptographic Hardware Supported on z14.......................................................................6 2.1 Central Processor Assist for Cryptographic Function (CPACF)...................................6 2.2 Crypto Express6S (CEX6S) Feature............................................................................7 3. Performance Information....................................................................................................9 3.1 Definitions.....................................................................................................................9 3.2 CP Assist for Cryptographic Function (CPACF).........................................................10 3.2.1 CPACF Performance - MSA Architecture Interface.................................................10 3.2.1.1 CPACF MSA Architecture Interface - Clear Key Mode.........................................11 3.2.1.2 CPACF MSA Architecture Interface - Protected Key Mode..................................16 3.2.2 CPACF Performance - ICSF API.............................................................................20 3.2.2.1 CPACF ICSF API - Clear Key Operations............................................................22 3.2.2.2 CPACF ICSF API - Protected Key Operations.....................................................24 3.3 Crypto Express6S Performance (z/OS).....................................................................28 3.3.1 CEX6S CCA Coprocessor (CEX6C) - Encryption/Decryption and MAC Operations ..........................................................................................................................................28 3.3.2 CEX6S CCA Coprocessor - VISA Format Preserving Encryption (FPE)................32 3.3.3 CEX6S CCA Coprocessor - Financial Services Examples.....................................33 3.3.4 CEX6S CCA Coprocessor - Random Number Generation.....................................33 3.3.5 CEX6S CCA Coprocessor - PKA Operations..........................................................34 3.3.6 CEX6S CCA Coprocessor - PCI-HSM mode..........................................................37 3.3.7 CEX6S Enterprise PKCS #11 Coprocessor (CEX6P) – Encryption / Decryption and HMAC operations.............................................................................................................38 3.3.8 CEX6S Enterprise PKCS #11 Coprocessor (CEX6P) - PKA Operations................40 3.3.9 CEX6S Accelerator Performance............................................................................42 3.4 Crypto Express6S Performance (Linux on Z)............................................................44 3.4.1 CEX6S CCA Coprocessor (CEX6C) - Encryption/Decryption................................44 3.4.2 CEX6S CCA Coprocessor - VISA Format Preserving Encryption (FPE)................46 3.4.3 CEX6S CCA Coprocessor – Financial Services Examples....................................47 3.4.4 CEX6S CCA Coprocessor - Random Number Generation.....................................47 3.4.5 CEX6S CCA Coprocessor - PKA Operations..........................................................48 3.5 SSL Handshake Performance....................................................................................50 3.5.1 SSL / TLS Protocol based Communication.............................................................50 3.5.2 System SSL.............................................................................................................53 with z/OS V2R3 and Cryptographic Support for z/OS V2R1-V2R3 (ICSF FMID 3 IBM z14 Cryptographic Performance October 2017 HCR77C1)........................................................................................................................53 4 IBM z14 Cryptographic Performance October 2017 Preface The performance information presented in this publication was measured on IBMTM z14TM in an unconstrained environment for the specific benchmark with a system control program (operating system) as specified. Many factors may result in variances between the presented information and the information a customer may obtain by trying to reproduce the data. IBM does not guarantee that your results will correspond to the measurement results herein. This information is provided ‘as is’ without warranty, express or implied. The features described herein are presented for informational purposes; actual performance and security characteristics may vary depending on individual customer configurations and conditions. The performance numbers stated for some of the operations are only for demonstration purposes. When quoting some key length or cryptographic algorithms one may not conclude that IBM implies the key length or cryptographic algorithm is adequate and can therefore be used safely. The cryptographic functions described here may not be available in all countries and may require special enablement subject to export regulations. 1. Introduction The purpose of this publication is to provide performance information to the user of cryptographic services on z14. z14 supports the following cryptographic hardware features: 1. Central Processor Assist for Cryptographic Function (CPACF). 2. Crypto Express5S (CEX5S) feature. 3. Crypto Express6S (CEX6S) feature. The CPACF delivers cryptographic support for Advanced Encryption Standard (AES), Triple DES (TDES) and Data Encryption Standard (DES) data encryption/decryption, as well as Secure Hash Algorithm (SHA). The Crypto Express5S feature is supported on z14, however this document does not present performance information for CEX5S. Performance information for CEX5S on z13TM can be found at IBM z13 Performance of Cryptographic Operations. The Crypto Express5S is the same feature which is available in