IBM PCIe Cryptographic Coprocessor

Product summary

The IBM PCIe Cryptographic Coprocessor provides a flexible solution to your high-security cryptographic and secure processing needs. It is available on IBM Power Systems™ running IBM AIX® and IBM i®, IBM System z™, and IBM System x™:

Here are some highlights of the IBM PCIe Cryptographic Coprocessor:

FIPS PUB 140-2 certified electronics and cryptographic algorithms
The rigorous FIPS PUB 140-2 Security Requirements for Cryptographic Modules is the benchmark standard by which cryptographic implementations are measured. The evaluations cover the encapsulated processing subsystem and its specialized cryptographic hardware, code loading, tamper detection and response mechanisms, and the cryptographic algorithms: DES, triple-DES, RSA, DSS, and SHA-1.

Coprocessor models and features
The IBM PCIe Cryptographic Coprocessor operates on a PCIe bus and has two batteries to power the tamper-sensing electronics when no system power is supplied.

Cryptographic software support options
IBM supplies support program code for the IBM CCA cryptographic implementation.

Additions to CCA beginning with the PCIe Cryptographic Coprocessor include Elliptic Curve Cryptography (ECC) key generation along with support for digital signature generation and verification using the Elliptic Curve Digital Signature Algorithm (ECDSA). Another addition includes MAC generation and verification using HMAC based on FIPS PUB 198-1, The Keyed-Hash Message Authentication Code (HMAC).

CCA provides extensive support of processes based on AES, DES, ECC, and RSA, including many functions of special interest in the finance industry. Standard capabilities include PIN processing, Secure Electronic Transaction (SET™) services, data encryption and hashing techniques, and RSA-based public-key cryptography.

The CCA Support Program supports the IBM PCIe Cryptographic Coprocessor in the following environments:

Separately purchased add-on features. CCA can be installed on additional operating systems by purchasing a separate add-on feature. An add-on feature is available for each of these operating systems:

With a new cryptographic hardware management solution, itcis now possible to centrally manage multiple serves with one or more cryptographic coprocessors installed. The new Crypto Hardware and Initialization Management (CHIM) solution is now available for IBM System x and IBM Power Systems.

To purchase any of these add-on features, contact the IBM Crypto Competence Center at The Center is located in Denmark, which is in the Central European Time Zone (GMT+1).

Note that the ICSF component of z/OS and OS/390 provides support comparable to Release 4.x on the IBM System z servers.

The United States Bureau of Export Administration classifies both Support Programs and the coprocessors as 'Retail Cryptographic Implementations'. Thus, IBM can export these hardware and software products to essentially all customers. (Export restrictions remain in effect for a certain few countries and organizations.)

Custom Programming
Using toolkits available from IBM under custom contract, you can implement your own applications for the coprocessor, or you can extend IBM's CCA application. You can make a fast start on your custom application development when you extend CCA using its flexible access-control system and many existing services.

Each toolkit user will be issued a unique identifier by IBM along with a code-signing key. This allows customer coprocessor software to be signed. Custom software is developed using conventional C-language compilers. Debugging programs are provided as part of the toolkit. You or your customers can then load coprocessor software in a normal server environment. Using the PKI-based outbound authentication capabilities of the coprocessor's control program, you can securely administer the coprocessor environment, even from remote locations. Auditors can inspect the coprocessor's digitally signed status response to confirm that the coprocessor remains untampered and running uniquely identified software.