Chapter 8. Cryptography Performance
With an increasing demand for security in today’s information society, cryptography enables us to
encrypt the communication and storage of secret or confidential data. Securing that data also requires data integrity,
authentication and transaction non-repudiation. Together, cryptographic algorithms, shared/symmetric
keys and public/private keys provide the mechanisms to support all of these requirements. This chapter
focuses on the way that System i cryptographic solutions improve the performance of secure e-Business
transactions.
There are many factors that affect System i performance in a cryptographic environment. This chapter
discusses some of the common factors and offers guidance on how to achieve the best possible
performance. Much of the information in this chapter was obtained as a result of analysis experience
within the Rochester development laboratory. Many of the performance claims are based on supporting
performance measurements and other performance workloads. In some cases, the actual performance data
is included here to reinforce the performance claims and to demonstrate capacity characteristics.
Cryptography Performance Highlights for i5/OS V5R4M0:
• Support for the 4764 Cryptographic Coprocessor is added. This adapter provides both cryptographic
  coprocessor and secure-key cryptographic accelerator function in a single PCI-X card.
• 5722-AC3 Cryptographic Access Provider withdrawn. This product is no longer required to enable
  data encryption.
• Cryptographic Services API function added. Key management function has been added, which helps
  you securely store and handle cryptographic keys.
8.1 System i Cryptographic Solutions
On a System i, cryptographic solutions are based on software and hardware Cryptographic Service
Providers (CSP). These solutions include services required for Network Authentication Service,
SSL/TLS, VPN/IPSec, LDAP and SQL.
IBM Software Solutions
The software solutions are either part of the i5/OS Licensed Internal Code or the Java Cryptography
Extension (JCE).
IBM Hardware Solutions
One of the hardware based cryptographic offload solutions for the System i is the IBM 4764 PCI-X
Cryptography Coprocessor (Feature Code 4806). This solution will offload portions of cryptographic
processing from the host CPU. The host CPU issues requests to the coprocessor hardware. The hardware
then executes the cryptographic function and returns the results to the host CPU. Because this hardware
based solution handles selected compute-intensive functions, the host CPU is available to support other
system activity. SSL/TLS network communications can use these options to dramatically offload
cryptographic processing related to establishing an SSL/TLS session.
IBM i 6.1 Performance Capabilities Reference - January/April/October 2008
© Copyright IBM Corp. 2008