An RSA key pair includes a private and a public key. The RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures. The RSA public key is also used for key encryption of DES or AES DATA keys and the RSA private key for key recovery.

The RSA public key algorithm is based on the difficulty of the factorization problem. The factorization problem is to find all prime numbers of a given number, n. When n is sufficiently large and is the product of a few large prime numbers, this problem is believed to be difficult to solve. For RSA, n is typically at least 512 bits, and n is the product of two large prime numbers. For more information about the RSA public key algorithm, refer to the ISO 9796 standard and RSA's Frequently Asked Questions About Today's Cryptography.

Generating RSA keys on a Cryptographic Coprocessor Feature

The Cryptographic Coprocessor Feature does not provide the ability to generate RSA public and private keys within the secure hardware boundary. There are several ways to generate RSA key pairs and load them.

• You can use the optional TKE Workstation with Version 2.0 or higher of the TKE Workstation code to generate the RSA key pair and load them directly into the ICSF public key data set (PKDS) on the server.
• You can generate RSA key pairs in the encrypted form on a workstation with a 4755 cryptographic adapter or a 4764 PCIX Cryptographic Coprocessor installed. A workstation with a 4758 PCI Cryptographic Coprocessor can also be used. Use the PKA key import callable service to import the RSA key pairs in the form of an external PKA private key token.
• You can generate RSA keys in the clear on another platform or by using any suitable software program. Use the PKA Key Token Build callable service to build an external token with clear key values. Then use the PKA key import callable service to import the RSA keys into the PKA key token in the internal format.

Generating RSA keys on a PCICC, PCIXCC, CEX2C, or CEX3C

With the PCICC, PCIXCC, CEX2C, or CEX3C, you can use the PKA key generate callable service to generate RSA public and private key pairs within the secure boundary of the cryptographic coprocessor. The PCICC/PCIXCC can generate RSA keys with a modulus size of 512 to 2048 bits. The CEX2C and CEX3C can generate RSA keys with a modulus size of 512 to 4096 bits. The RSA private key may be retained and used within the secure boundary of the cryptographic coprocessor. This capability is a requirement to be a SET Certificate Authority. The public key and the key name for the private key are stored in the ICSF public key data set (PKDS), but the value of a retained private key never appears in any form outside the cryptographic coprocessor.