IBM Systems currently offers two high-end, high-performance hardware security modules (HSMs) which provide a flexible solution suitable for high-security processing and cryptographic operations to address your cryptographic needs. The latest generation and fastest of the IBM cryptographic coprocessor family of PCIe cards with a multi-chip embedded module is the IBM PCIe Cryptographic Coprocessor Version 2 (PCIeCC2). Its predecessor is the IBM PCIe Cryptographic coprocessor Version 1 (PCIeCC).

What's new. In addition to the functions available on the PCIeCC, the PCIeCC2 has the following:

Highest cryptographic security available. Each of IBM's HSM devices offers the highest cryptographic security available commercially. Federal Information Processing Standards (FIPS) are issued by the U.S. National Institute of Standards and Technology (NIST). The PCIeCC cryptographic processes are performed within an enclosure on the HSM that is validated to FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Level 4. See FIPS certification number 1505. Level 4 is the highest level of certification achievable for commercial cryptographic devices, and the PCIeCC2 cryptographic processes are also performed within an enclosure on the HSM that are designed to meet the requirements of Overall Level 4. The certification process for the IBM 4767 Cryptographic Coprocessor Security Module has begun for Level 4, and is listed on the Computer Security Resource Center website in their FIPS 140-1 and FIPS 140-2 Modules In Process List.

Available on multiple platforms. The PCIeCC2 and the PCIeCC are supported on the following platforms:

Table 1 shows the machine type-model (MTM) or feature code (FC) for each version of PCIe HSM.

Table 1. Machine type-model or feature code by HSM version and platform
IBM PCIe Cryptographic Coprocessor IBM-approved x86 server machine type-model (note 1) IBM z Systems feature code (note 2) Power Systems feature code
Version 2 (PCIeCC2) MTM 4767-002 FC 0890 - Crypto Express5S (CEX5S). Only on z13. Not currently supported
Version 1 (PCIeCC) MTM 4765-001 FC 0865 - Crypto Express4S (CEX4S). Excluding z13.

FC 0864 - Crypto Express3 (CEX3). Excluding z13.
FC 4807 (not a blind-stop cassette)

FC 4808 (IBM POWER6® generation-3 blind-swap cassette and instruction EC N23386)

FC 4809 (IBM POWER7® generation-4 blind-swap and instruction EC N23597)
Note:
  1. It may be possible, for a contracted fee, to have an x86 architecture server added to the IBM-approved x86 architecture server list. If interested, please contact Crypto at crypto@us.ibm.com for additional information.
  2. FC 0890, FC 0865, and FC 0864 all require FC 3863 - CPACF Enablement (Central Processor Assist for Cryptographic Functions). CPACF is a set of cryptographic instructions providing improved performance through hardware acceleration. Using the cryptographic hardware, you gain security from using the CPACF and the Crypto feature through in-kernel cryptography APIs and, for Linux on z Systems, the libica cryptographic functions library. Cryptographic keys must be protected by your application system, as required.

Specialized hardware relieves main processor from cryptographic tasks. The PCIeCC2 and PCIeCC both have a PCIe local-bus-compatible interface, and both have tamper responding, programmable, cryptographic coprocessors, each containing a CPU, encryption hardware, RAM, persistent memory, hardware random number generator, time-of-day clock, infrastructure firmware, and software. Their specialized hardware performs AES, DES, TDES, RSA, ECC, AESKW, HMAC, DES/3DES/AES MAC, SHA-1, SHA-224 to SHA-512, SHA-3, and other cryptographic processes, relieving the main processor from these tasks. The coprocessor design protects your cryptographic keys and any sensitive customer applications.

Customizable to meet special requirements. The firmware running in the coprocessor together with the software running on your host can be customized to meet any special requirements that your enterprise has. The Cryptographic Coprocessor Toolkit (CCTK) is available for purchase from IBM, subject to the export regulations of the United States Government. The CCTK can enable developers to build applications for the HSM, authenticate programs, and load programs into the HSM. The custom programming toolkit includes a custom software interface reference which describes the function calls that applications running in the HSM use to obtain services from the HSM operating system and from the HSM host system device driver. Another included reference provides the method for extending the CCA host API and the API reference for the user-defined extensions programming environment. Finally, an Interactive Code Analysis Tool (ICAT) is provided that developers can use to debug applications running on the HSM. Frequently a custom contract provides consultation to hasten application development, and sometimes provides for initial development by IBM. Whenever needed, IBM is also able to bid on developing your custom solution or extension.

Optional use of smart cards. You can optionally use smarts cards with an IBM HSM. A Smart Card Utility Program (SCUP) is a GUI-based component available for use with the Cryptographic Node Management (CNM) utility (also GUI based) to manage smart cards with an IBM HSM. You can use SCUP to initialize smart cards that can then be used with CNM to generate and store CCA DES and PKA master key parts on supported smart cards, load CCA master key parts stored on supported smart cards, and log on to CCA using smart card CCA profiles tied to an RSA key pair associated with ah particular smart card and user profile. Smart cards are available for purchase from IBM, as well as additional assistance in setting up and configuring SCUP and CNM.

CCA Java Native Interface (JNI). In addition to support for C and C++ programming languages, the CCA Support Program includes a CCA Java Native Interface (JNI) that application programmers can use to build Java applications to use with the CCA Support Program. The IBM i Option 35, CCA Cryptographic Service Provider feature does not support the CCA JNI, but it does provide language bindings for COBOL, RPG, and CL.

IBM PCIe Cryptographic Coprocessor Version 2

The IBM PCIe Cryptographic Coprocessor Version 2 (PCIeCC2) is the latest generation of IBM's PCIe hardware security modules (HSMs). It is redesigned for improved performance and security rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. For a detailed summary of the capabilities and specifications of the PCIeCC2, refer to the IBM 4767 Data Sheet (PDF, 263 KB).

Federal Information Processing Standards (FIPS) are issued by the U.S. National Institute of Standards and Technology (NIST). The PCIeCC2 cryptographic processes are performed within an enclosure on the HSM that are designed to meet the requirements of FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. Level 4 is the highest level of certification achievable for commercial cryptographic devices. The certification process for the IBM 4767 Cryptographic Coprocessor Security Module has begun for Level 4, and is listed on the Computer Security Resource Center website in their FIPS 140-1 and FIPS 140-2 Modules In Process List.

The PCIeCC2 is available on IBM z Systems mainframe computers (z13 only) and on select IBM-approved x86 architecture servers:

IBM PCIe Cryptographic Coprocessor Version 1

The IBM PCIe Cryptographic Coprocessor Version 1 (PCIeCC) is the predecessor the latest generation of IBM's PCIe hardware security modules (HSMs), the PCIeCC2. The PCIeCC is designed to provide security rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. For a detailed summary of the capabilities and specifications of the PCIeCC, refer to the IBM 4765 Specification Sheet (PDF, 232 KB).

IBM's HSM devices offer the highest cryptographic security available. Federal Information Processing Standards (FIPS) are issued by the U.S. National Institute of Standards and Technology (NIST). The PCIeCC cryptographic processes are performed within an enclosure on the HSM that is validated to FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. See FIPS certification number 1505. Level 4 is the highest level of certification achievable for commercial cryptographic devices.

The PCIeCC is available on IBM z Systems mainframe computers (excluding z13) and on select IBM-approved x86 architecture servers: