This invention relates, in general, to processing within a computing environment, and in particular, to providing security within the environment without significantly impacting performance.
Security within a computing environment can take many forms. One such form is the protection of cryptographic (crypto) keys. Today, various devices are available to protect these keys, such as a tamper-resistant cryptographic device.
A tamper-resistant, high-security cryptographic device (or module) supports many cryptographic algorithms or protocols and is typically attached to servers through an input/output (I/O) interface. The tamper-resistant design protects user cryptographic keys so that they never appear in the clear outside the device. The crypto operations performed by the device are thus asynchronous to the central processing units (CPUs) in the server. The device is placed within an enclosure for physical security, and therefore, the device may not be able to operate at a high frequency because of heat dispersion concerns. This type of device generally provides high security, but performance in providing cryptographic operations may be negatively impacted.
Another form of security is the protection of data, and, as an example, a cryptographic assist device is used. A crypto assist device provides high performance, but reduced security. This kind of crypto device implements cryptographic algorithms in hardware for performance, but does not provide additional means to protect user cryptographic keys. For crypto operations, the program submits cryptographic keys in the clear. Since no physical security nor tamper-resistant design is provided, this allows the algorithms, particularly the symmetric algorithms, to be easily implemented in the CPUs of the server. The crypto operations could be synchronous to the CPUs and could operate at high frequencies.