IBM PCIe Cryptographic Coprocessor Version 1

4765 hardware

The IBM PCIe Cryptographic Coprocessor Version 1 (PCIeCC) provides a flexible solution to your high-security cryptographic and secure processing needs. It is available on IBM Power Systems™ running IBM AIX® and IBM i®, IBM System z™ and IBM-approved x86 servers.

Here are some highlights of the PCIeCC:

FIPS PUB 140-2 certified electronics and cryptographic algorithms

The rigorous FIPS PUB 140-2 Security Requirements for Cryptographic Modules is the benchmark standard by which cryptographic implementations are measured. The evaluations cover the encapsulated processing subsystem and its specialized cryptographic hardware, code loading, tamper detection and response mechanisms, and the cryptographic algorithms: DES, triple-DES, RSA, DSS, and SHA-1.

The PCIeCC has been certified by NIST.

Coprocessor models and features

The PCIeCC operates on a PCIe bus and has two batteries to power the tamper-sensing electronics when no system power is supplied.

Cryptographic software support options

IBM supplies support program code for the IBM CCA cryptographic implementation.

CCA provides extensive support of processes based on AES, ECC, DES and RSA, including many functions of special interest in the finance industry. A recent addition to CCA includes Elliptic Curve Cryptography (ECC) key generation along with support for digital signature generation and verification using the Elliptic Curve Digital Signature Algorithm (ECDSA). Another recent addition includes MAC generation and verification using HMAC based on FIPS PUB 198-1, The Keyed-Hash Message Authentication Code (HMAC).

Standard capabilities include PIN processing, Secure Electronic Transaction (SET™) services, data encryption and hashing techniques, and RSA-based public-key cryptography.

The CCA Support Program supports the PCIeCC in the following environments:

Separately purchased add-on features. CCA can be installed on additional operating systems by purchasing a separate add-on feature. An add-on feature is available for each of these operating systems:

With a new cryptographic hardware management solution, it is now possible to centrally manage multiple servers with one or more cryptographic coprocessors installed. The new Crypto Hardware and Initialization Management (CHIM) solution is now available for IBM-approved x86 servers and IBM Power Systems.

To purchase any of these add-on features, contact the IBM Crypto Competence Center at The Center is located in Denmark, which is in the Central European Time Zone (GMT+1).

Note that the ICSF component of z/OS and OS/390 provides support comparable to Release 4.x on the IBM System z servers.

The United States Bureau of Export Administration classifies both Support Programs and the coprocessors as 'Retail Cryptographic Implementations'. Thus, IBM can export these hardware and software products to essentially all customers. (Export restrictions remain in effect for a certain few countries and organizations.)

Custom programming

Using toolkits available from IBM under custom contract, you can implement your own applications for the coprocessor, or extend IBM's CCA application. You can make a fast start on your custom application development when you extend CCA using its flexible access-control system and many existing services.

IBM will issue you a unique identifier and certify your code-signing key so that you can sign your own custom coprocessor software. You develop your software using conventional C-language compilers and use the toolkit-provided debugging programs. You or your customers can then load coprocessor software in a normal server environment. Using the PKI-based outbound authentication capabilities of the coprocessor's control program, you can securely administer the coprocessor environment, even from remote locations. Auditors can inspect the coprocessor's digitally signed status response to confirm that the coprocessor remains untampered and running uniquely identified software.

News for current customers


New product release for IBM 4765 now available on IBM-approved x86 servers and the IBM AIX operating system, effective October 2015.

New product release CCA 5.0 for Linux on IBM z Systems™ now available, effective July 2015. See the Overview page for additional information.

As of February 19, 2013, the 4765 hardware security module (HSM) is validated to meet the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") approval scheme used by the Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks.

Add-on features are being offered for the IBM 4765 on IBM-approved x86 systems to support additional operating systems. See the IBM 4765 software updates page.

On System z, the coprocessor is available as Crypto Express3, Crypto Express4, and Crypto Express5. It is also available for Linux.