Chapter 27: System SSL enhancements > ECC support for Transport Layer Security ... - Pg. 634

27.1 ECC certification and key agreement

Elliptic Curve Cryptography (ECC) offers significant benefits over other asymmetric cryptographic algorithms, particularly when providing the next generation of security-level requirements. To take advantage of these benefits, System SSL needs to support the creation of ECC-based certificates. With z/OS V1R13, System SSL can now generate an ECC-based public/private key pair for use in an X.509 certificate. This certificate can then be used in TLS session negotiations. ECC offers equivalent security with smaller key sizes than RSA.

By using this new support, users can:

- Create ECC certificates or certificate requests through the gskkyman utility
- Create ECC certificates or certificate requests through the Certificate Management APIs
- Store the certificates into key database files or PKCS#11 tokens

Refer to 27.6, "System SSL ECC example" on page 639 to learn how to use this new function.

27.2 ECC support for Transport Layer Security (TLS)

System SSL has been updated to enable TLS V1.0 and TLS V1.1 handshakes to use ECC cipher suites and digital certificates during the secure connection negotiation. System SSL now supports twenty new ECC cipher suites. The RFC that describes the implementation of ECC for TLS is RFC 4492. It can be found at the following site:
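Added example, not from the book and not IBM's code: a Python check of which RFC 4492 cipher suites and named curves a peer's ClientHello offers during the negotiation described in 27.2. The function names and the sample message are constructed for illustration, the curve table is a subset, and the code names every suite in RFC 4492's code range rather than the subset System SSL supports.

```python
import struct

# RFC 4492 assigns 0xC001-0xC019: five key exchanges x five cipher/MAC choices.
KX = ["ECDH_ECDSA", "ECDHE_ECDSA", "ECDH_RSA", "ECDHE_RSA", "ECDH_anon"]
ENC = ["NULL_SHA", "RC4_128_SHA", "3DES_EDE_CBC_SHA", "AES_128_CBC_SHA", "AES_256_CBC_SHA"]
CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}  # subset of the registry

def suite_name(code):
    """Return the RFC 4492 suite name, or None if code is outside its range."""
    if not 0xC001 <= code <= 0xC019:
        return None
    kx, enc = divmod(code - 0xC001, 5)
    return f"TLS_{KX[kx]}_WITH_{ENC[enc]}"

def ecc_offer(record):
    """Parse one TLS record holding a ClientHello; report the ECC it offers."""
    ctype, _ver, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or rlen != len(record) - 5 or record[5] != 1:
        raise ValueError("not a single-record ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # skip session_id
    (n,) = struct.unpack_from("!H", record, pos)
    suites = struct.unpack_from(f"!{n // 2}H", record, pos + 2)
    pos += 2 + n
    pos += 1 + record[pos]                    # skip compression_methods
    curves, end = [], len(record)
    if pos < end:
        pos += 2                              # extensions total length
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        if etype == 10:                       # elliptic_curves extension (RFC 4492)
            (clen,) = struct.unpack_from("!H", record, pos + 4)
            ids = struct.unpack_from(f"!{clen // 2}H", record, pos + 6)
            curves = [CURVES.get(c, hex(c)) for c in ids]
        pos += 4 + elen
    names = [s for s in map(suite_name, suites) if s]
    weak = [s for s in names if "_anon_" in s or "NULL" in s or "RC4" in s]
    return {"ecc_suites": names, "curves": curves, "weak": weak}

def sample_hello():
    """Constructed TLS 1.1 ClientHello for the demo (not a capture)."""
    suites = struct.pack("!5H", 0xC00A, 0xC013, 0xC016, 0x002F, 0x0035)
    ext = struct.pack("!HHH2H", 10, 6, 4, 23, 24) + struct.pack("!HHBB", 11, 2, 1, 0)
    body = (b"\x03\x02" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(ecc_offer(sample_hello()))
```

The `weak` list marks offered suites with no server authentication (ECDH_anon), no encryption (NULL) or RC4, which a reviewer of a captured handshake would want flagged.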