IBM PCIe Cryptographic Coprocessor

4765 hardware

The IBM PCIe Cryptographic Coprocessor provides a flexible solution to your high-security cryptographic and secure processing needs. It is available on IBM Power Systems™ running IBM AIX® and IBM i®, IBM System z™ and IBM System x™:

Here are some highlights of the IBM PCIe Cryptographic Coprocessor:

FIPS PUB 140-2 certified electronics and cryptographic algorithms

The rigorous FIPS PUB 140-2 Security Requirements for Cryptographic Modules is the benchmark standard by which cryptographic implementations are measured. The evaluations cover the encapsulated processing subsystem and its specialized cryptographic hardware, code loading, tamper detection and response mechanisms, and the cryptographic algorithms: DES, triple-DES, RSA, DSS, and SHA-1.

The IBM PCIe Cryptographic Coprocessor has been certified by NIST.

Coprocessor models and features

The IBM PCIe Cryptographic Coprocessor operates on a PCIe bus and has two batteries to power the tamper-sensing electronics when no system power is supplied.

Cryptographic software support options

IBM supplies support program code for the IBM CCA cryptographic implementation.

CCA provides extensive support of processes based on AES, ECC, DES and RSA, including many functions of special interest in the finance industry. A recent addition to CCA includes Elliptic Curve Cryptography (ECC) key generation along with support for digital signature generation and verification using the Elliptic Curve Digital Signature Algorithm (ECDSA). Another recent addition includes MAC generation and verification using HMAC based on FIPS PUB 198-1, The Keyed-Hash Message Authentication Code (HMAC).

Standard capabilities include PIN processing, Secure Electronic Transaction (SET™) services, data encryption and hashing techniques, and RSA-based public-key cryptography.

The CCA Support Program supports the IBM PCIe Cryptographic Coprocessor in the following environments:

Separately purchased add-on features. CCA can be installed on additional operating systems by purchasing a separate add-on feature. An add-on feature is available for each of these operating systems:

With a new cryptographic hardware management solution, itcis now possible to centrally manage multiple serves with one or more cryptographic coprocessors installed. The new Crypto Hardware and Initialization Management (CHIM) solution is now available for IBM System x and IBM Power Systems.

To purchase any of these add-on features, contact the IBM Crypto Competence Center at The Center is located in Denmark, which is in the Central European Time Zone (GMT+1).

Note that the ICSF component of z/OS and OS/390 provides support comparable to Release 4.x on the IBM System z servers.

The United States Bureau of Export Administration classifies both Support Programs and the coprocessors as 'Retail Cryptographic Implementations'. Thus, IBM can export these hardware and software products to essentially all customers. (Export restrictions remain in effect for a certain few countries and organizations).

Custom programming

Using toolkits available from IBM under custom contract, you can implement your own applications for the coprocessor, or extend IBM's CCA application. You can make a fast start on your custom application development when you extend CCA using its flexible access-control system and many existing services.

IBM will issue you a unique identifier and certify your code-signing key so that you can sign your own custom coprocessor software. You develop your software using conventional C-language compilers and use the toolkit-provided debugging programs. You or your customers can then load coprocessor software in a normal server environment. Using the PKI-based outbound authentication capabilities of the coprocessor's control program, you can securely administer the coprocessor environment, even from remote locations. Auditors can inspect the coprocessor's digitally signed status response to confirm that the coprocessor remains untampered and running uniquely identified software.