IBM PCIe Cryptographic Coprocessor

Product summary

The IBM PCIe Cryptographic Coprocessor provides a flexible solution to your high-security cryptographic and secure processing needs. It is available on IBM Power Systems™ running IBM AIX® and IBM i®, IBM System z™, and IBM System x™:

Here are some highlights of the IBM PCIe Cryptographic Coprocessor:

FIPS PUB 140-2 certified electronics and cryptographic algorithms
The rigorous FIPS PUB 140-2 Security Requirements for Cryptographic Modules is the benchmark standard by which cryptographic implementations are measured. The evaluations cover the encapsulated processing subsystem and its specialized cryptographic hardware, code loading, tamper detection and response mechanisms, and the cryptographic algorithms: DES, triple-DES, RSA, DSS, and SHA-1.

Coprocessor models and features
The IBM PCIe Cryptographic Coprocessor operates on a PCIe bus and has two batteries to power the tamper-sensing electronics when no system power is supplied.

Cryptographic software support options
IBM supplies support program code for the IBM CCA cryptographic implementation.

Additions to CCA beginning with the PCIe Cryptographic Coprocessor include Elliptic Curve Cryptography (ECC) key generation along with support for digital signature generation and verification using the Elliptic Curve Digital Signature Algorithm (ECDSA). Another addition includes MAC generation and verification using HMAC based on FIPS PUB 198-1, The Keyed-Hash Message Authentication Code (HMAC).

CCA provides extensive support of processes based on AES, DES, ECC, and RSA, including many functions of special interest in the finance industry. Standard capabilities include PIN processing, Secure Electronic Transaction (SET™) services, data encryption and hashing techniques, and RSA-based public-key cryptography.

The CCA Support Program supports the IBM PCIe Cryptographic Coprocessor in the following environments:

Separately purchased add-on features. CCA can be installed on additional operating systems by purchasing a separate add-on feature. An add-on feature is available for each of these operating systems:

With a new cryptographic hardware management solution, itcis now possible to centrally manage multiple serves with one or more cryptographic coprocessors installed. The new Crypto Hardware and Initialization Management (CHIM) solution is now available for IBM System x and IBM Power Systems.

To purchase any of these add-on features, contact the IBM Crypto Competence Center at The Center is located in Denmark, which is in the Central European Time Zone (GMT+1).

Note that the ICSF component of z/OS and OS/390 provides support comparable to Release 4.x on the IBM System z servers.

The United States Bureau of Export Administration classifies both Support Programs and the coprocessors as 'Retail Cryptographic Implementations'. Thus, IBM can export these hardware and software products to essentially all customers. (Export restrictions remain in effect for a certain few countries and organizations.)

Custom Programming
Using toolkits available from IBM under custom contract, you can implement your own applications for the coprocessor, or you can extend IBM's CCA application. You can make a fast start on your custom application development when you extend CCA using its flexible access-control system and many existing services.

Each toolkit user will be issued a unique identifier by IBM along with a code-signing key. This allows customer coprocessor software to be signed. Custom software is developed using conventional C-language compilers. Debugging programs are provided as part of the toolkit. You or your customers can then load coprocessor software in a normal server environment. Using the PKI-based outbound authentication capabilities of the coprocessor's control program, you can securely administer the coprocessor environment, even from remote locations. Auditors can inspect the coprocessor's digitally signed status response to confirm that the coprocessor remains untampered and running uniquely identified software.

News for current customers


New product release CCA 5.0 for Linux on IBM z Systems™ now available effective July 2015. See Overview page for additional information.

IBM PureFlex™ customers can purchase an IBM 4765 as an add-on feature as of September 10, 2013. See CCA Release 4.3.5 for more information.

New product release CCA 4.3.8 for IBM 4765 now available on IBM AIX operating system effective June 2013. See Library page for additional information.

As of February 19, 2013, the 4765 hardware security module (HSM) is validated to meet the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") approval scheme used by Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks.

New product release for IBM 4765 now available on IBM ServerProven System x servers, effective July 2012. This release includes support for the SLES 11.2 O/S. Support is also included for controlling the wrapping of a key with a weaker key, DUKPT for encryption and MAC keys, ciphertext translation, and AMEX enhanced CSC generation and PIN/Change Unblock.

Important notice to ECC users: This release contains important security-related changes for ECC users. See Release 4.3.4 information for details.

Effective December 2011, new add-on features are being offered for the IBM 4765 on System x to support additional operating systems. See the IBM 4765 software updates page.

On System z, the coprocessor is available as Crypto Express3 and is also available for Linux.