IBM 4764 PCI-X Cryptographic Coprocessor

Announcement

On May 24, 2011, IBM announced that the IBM 4764-001 Cryptographic Coprocessor and its associated feature code 1008 (battery-replacement kit) will be withdrawn from marketing effective December 31, 2011 (IBM United States Withdrawal Announcement 911-129).

On or after the effective date for the withdrawal of this offering, you can no longer order this product directly from IBM. However, IBM will continue to honor contracts until expiration or termination of the current contract. You may be able obtain the product on an as-available basis through IBM Business Partners.

Effective December 31, 2011, Feature code 1008 can no longer be used to order battery replacement kits. Battery replacement kits and multi-battery packs are now available for ordering as part numbers.

  • Battery-replacement kit, part number 45D8663 (replaces feature code 1008)
  • Multi-battery pack (20 quantity), part number 74Y0460

To order the battery-replacement kit, or the multi-battery pack, customers in:

  • US or Canada can call the IBM Maintenance Parts and Warranty Center at 800-388-7080. When calling, provide the part number and your IBM End User Customer number.
  • Other countries will need to follow these steps:
    • Find the general contact information number for your country by going to www.ibm.com/planetwide/ and clicking on your country. You can also call the IBM general contact information number 800-IBM-4YOU (800-426-4968). When calling, ask for the general contact information number for your country.
    • Using the general contact information number retrieved for your country from the previous step, call and ask for the parts phone number. Call the parts phone number to order the part or parts. When calling, provide the part number and your IBM End User Customer number.

Product summary

The IBM PCI-X Cryptographic Coprocessor provides a flexible solution to your high-security cryptographic and secure processing needs.

It is available on IBM Power Systems™ running IBM AIX® and IBM i®, and IBM System z™:

  • FC 4807, 4765-001, IBM Power Systems POWER6® or POWER7®, no custom carrier
  • FC 4808, 4765-001, IBM Power Systems POWER6, custom carrier and instruction EC N23386
  • FC 4809, 4765-001, IBM Power Systems POWER7, custom carrier and instruction EC N23597
  • IBM System z™ IBM Crypto Express3 (CEX3C)

IBM System x™ 4764-001 (IBM ServerProven Models only)
IBM Power Systems™ running IBM i Feature #4764
IBM Power Systems running IBM AIX® Feature #4806
IBM System z™ Features #0863, #0868

A flexible solution to your high-security cryptographic and secure processing needs.

Highlights

  • Tamper-responding hardware design is certified under FIPS PUB 140-2. Suitable for high-security processing and cryptographic operations.
  • Hardware to perform DES, random number generation, and modular math functions for RSA and similar public-key cryptographic algorithms.
  • Secure code loading that enables updating of the functionality while installed in application systems.
  • IBM Common Cryptographic Architecture (CCA) as well as custom software options.
  • The IBM 4764 provides a secure platform on which developers can build secure applications.

FIPS PUB 140-2 certified electronics and cryptographic algorithms

The rigorous FIPS PUB 140-2 Security Requirements for Cryptographic Modules (PDF, 1.40MB) is the benchmark standard by which cryptographic implementations are measured. The evaluations cover the encapsulated processing subsystem and its specialized cryptographic hardware, code loading, tamper detection and response mechanisms, and the cryptographic algorithms: DES, triple-DES, RSA, DSS, and SHA-1.

The IBM PCI-X Cryptographic Coprocessor has been certified by NIST for IBM System x, IBM System p, IBM System i, and IBM System z.

Coprocessor models and features

The IBM 4764 Model 001 operates on a 3.3-volt PCI-X bus and has two batteries to power the tamper-sensing electronics when no system power is supplied.

Cryptographic software support options

IBM supplies support program code for the IBM CCA cryptographic implementation.

IBM Common Cryptographic Architecture (CCA) provides extensive support of processes based on AES, DES and RSA, including many functions of special interest in the finance industry. A recent addition to CCA includes Elliptic Curve Cryptography (ECC) key generation along with support for digital signature generation and verification using the ECC Digital Signature Algorithm (ECDSA). Another recent addition includes MAC generation and verification using HMAC based on FIPS PUB 198-1, The Keyed-Hash message Authentication Code (HMAC). You can extend the CCA implementation through custom programming described below.

Standard capabilities include PIN processing, Secure Electronic Transaction™ services, data encryption and hashing techniques, and RSA-based public-key cryptography.

The CCA Support Program supports the IBM 4764 PCI-X Cryptographic Coprocessor installed on a ServerProven System x server on the following operating systems:

  • SUSE Linux Enterprise Server 10 by Novell (32-bit) on Release 3.30.04 or later
  • SUSE Linux Enterprise Server 10 Service Pack 1 by Novell (32-bit) on Release 3.60 or later
  • SUSE Linux Enterprise Server 11 Service Pack 1 by Novell (32-bit) on Release 3.60 or later
  • Red Hat Enterprise Linux 5.2, Server Edition (32-bit) on Release 3.30.05 or later
  • Red Hat Enterprise Linux 5.4, Server Edition (32-bit) on Release 3.60 or later
  • Microsoft Windows Server 2003, Standard Edition (32-bit)
  • Microsoft Windows Server 2003 R2, Standard Edition (32-bit) on Release 3.60 or later
  • Operating systems also supported under the appropriate feature code are IBM AIX on IBM Power Systems (32-bit), IBM i5/OS on IBM Power Systems, and Linux on IBM System z9 and System z10.

Note that the ICSF component of z/OS and OS/390 provides support comparable to Release 3.x on the IBM System p, IBM System i and IBM System z servers.

The United States Bureau of Export Administration classifies both Support Programs and the coprocessors as 'Retail Cryptographic Implementations'. Thus, IBM can export these hardware and software products to essentially all customers. (Export restrictions remain in effect for a certain few countries and organizations.)

Custom Programming

Minting of electronic money and electronic postage are examples of critical functions that must run in a highly trustworthy environment. Using toolkits available from IBM under custom contract, you can implement your own applications for the coprocessor, or extend IBM's CCA application. You can make a fast start on your custom application development when you extend CCA using its flexible access-control system and many existing services.

IBM will issue you a unique identifier and certify your code-signing key so that you can sign your own custom coprocessor software. You develop your software using conventional IBM or Microsoft C-language compilers and use the toolkit-provided debugging programs. You or your customers can then load coprocessor software in a normal server environment. Using the PKI-based outbound authentication capabilities of the coprocessor's control program, you can securely administer the coprocessor environment, even from remote locations. Auditors can inspect the coprocessor's digitally signed status response to confirm that the coprocessor remains untampered and running uniquely identified software.