IBM 4765 PCIe Cryptographic Coprocessor

CCA support program



The IBM CCA Support Program (known as ICSF on System z) provides a comprehensive, integrated family of services that employs the major capabilities of the IBM coprocessors.

CCA provides the usual AES, DES, and RSA functions for data confidentiality and data integrity support. In addition, CCA features extensive support for distributed key management and many functions of special interest to the finance industry. Other changes and extensions to the Support Program are described in the "Revision history" section of the CCA Basic Services Reference and Guide.

The CCA software has been independently reviewed and certified by the German ZKA industry organization for use in specific finance systems. Also, the IBM 4765 Cryptographic Coprocessor is the latest generation of the IBM cryptographic coprocessor family. It is certified by NIST (certificate #1505) under the U.S. Government FIPS 140-2, "Security Requirements for Cryptographic Modules" at the Level 4 standard. The CCA software can be operated compliant with the FIPS 140-2 cryptographic module standard.

Capabilities include the following:

The DES and PKA master keys can be randomly generated within the coprocessor and they can also be cloned, while an AES master key currently cannot. Each of the AES, DES, and PKA master keys can be inserted in parts by two or more trusted individuals. Active DES and PKA master keys can be securely cloned to additional coprocessor cards using an m-of-n secret splitting technique. See "Cloning of a DES or PKA master key" below for more information.

News for current customers


New product release CCA 5.0 for Linux on IBM z Systems™ now available effective July 2015. See Overview page for additional information.

IBM PureFlex™ customers can purchase an IBM 4765 as an add-on feature as of September 10, 2013. See CCA Release 4.3.5 for more information.

New product release CCA 4.3.8 for IBM 4765 now available on IBM AIX operating system effective June 2013. See Library page for additional information.

As of February 19, 2013, the 4765 hardware security module (HSM) is validated to meet the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") approval scheme used by the Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks.

New product release for IBM 4765 now available on IBM ServerProven System x servers, effective July 2012. This release includes support for the SLES 11.2 O/S. Support is also included for controlling the wrapping of a key with a weaker key, DUKPT for encryption and MAC keys, ciphertext translation, and AMEX enhanced CSC generation and PIN/Change Unblock.

Important notice to ECC users: This release contains important security-related changes for ECC users. See Release 4.3.4 information for details.

Effective December 2011, new add-on features are being offered for the IBM 4765 on System x to support additional operating systems. See the IBM 4765 software updates page.

On System z, the coprocessor is available as Crypto Express3 and is also available for Linux.