With the purchase of an IBM PCIeCC HSM, you also receive IBM’s Common Cryptographic Architecture (CCA). CCA includes these capabilities:
Cryptographic algorithms, including:
- Symmetric key algorithms: AES (128-256 bit), Triple-DES (112, 192 bit), DES (56 bit) for data confidentiality, message authentication, key management, financial payment card systems functions, and others
- Public-key algorithms: RSA (to 4096 bits), Elliptic Curve (NIST Prime curves to 521 bits, Brainpool curves to 512 bits) for digital signatures and key management
- Hashing algorithms: SHA-1, SHA-2 (224-512), MD5, RIPEMD-160, MDC
- HMAC using SHA-1 or SHA-2
- Hardware-based prime number generator
Financial cryptography support, including:
- Sophisticated key typing and key usage control
- PIN processing
- EMV smart card personalization and transaction processing
- ATM remote key distribution
- Key derivation
- TR-31 key block support
Relevant standards that are supported (not a complete list):
- Key management: ANSI X9.24 Part 1, ANSI X9.24 Part 2, ANSI TR-31, ANSI X9.8 / ISO 9564, NIST SP 800-108, NIST SP 800-56A, ANSI X9.63, ANSI X9.102
- Device security and cryptographic algorithm correctness: FIPS 140, ANSI X9.97, ISO 13491
- Digital signatures: NIST FIPS 186, ANSI X9.62, PKCS #1, ANSI X9.31, ISO 9796
- Random number generation: NIST SP 800-90A
- Hashing and HMAC: NIST FIPS 180, NIST FIPS 198
Custom programming support:
- UDX (User Defined eXtensions) toolkit allows adding custom functions to the CCA API
- Toolkit also allows developing your own custom firmware in place of IBM CCA or EP11
The IBM CCA Support Program (known as ICSF on IBM Z® running z/OS®) provides a comprehensive, integrated family of services that employs the major capabilities of the IBM coprocessors.
CCA provides the usual AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support. In addition, CCA features extensive support for distributed key management and many functions of special interest to the finance industry. Other changes and extensions to the Support Program are described in the "Revision history" section of the CCA Basic Services Reference and Guide.
The CCA software has been independently reviewed and certified by two regional banking organizations.
It has been reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA) for use in specific German finance systems.
It has been approved under the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") scheme used by the Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks. See the 4765 Releases page for details.
Capabilities include the following:
- ATM remote key loading is a method of secured transport of DES keys from a Hardware Security Module (HSM) to an ATM or other remote device using asymmetric techniques.
- Cryptographic-quality random-number generation using the coprocessor hardware to seed a FIPS 140-2 and NIST SP 800-90A compliant random number generator.
- Secure import and export of AES and DES/TDES keys encrypted using symmetric-key and public-key techniques.
- Local keys securely held in one of two ways:
- An unlimited number of DES keys and also RSA and ECC private keys can be held external to the coprocessor encrypted (wrapped) by their associated triple-length DES master key along with an unlimited number of AES keys wrapped by the 256-bit AES master key. The master keys are secured within the coprocessor.
- A modest number of RSA private keys can be retained within the secure coprocessor.
- Master keys can be loaded as multiple cleartext key parts by trusted individuals using split knowledge and dual-control. The DES and PKA master keys can be randomly generated within the coprocessor and they can also be cloned, while an AES master key currently cannot be cloned. Active DES and PKA master keys can be securely cloned to additional coprocessor cards using an m-of-n secret splitting technique. See "Cloning of a DES or PKA master key" below for more information.
- Protection of keys is assured through triple-DES encryption, AES encryption, or retention of the keys within the coprocessor's secure module. Generation options permit the secure storage of valuable RSA keys at a single node or backing them up on additional node(s). With the CCA architecture and its control vector technology, you can enable extensive control of key usage in distributed cryptographic systems. Approximately 75 to 150 coprocessor-generated RSA private keys can be retained within the secure coprocessor to guarantee that the value of the key cannot be disclosed or transported to another site. With the CCA master key architecture, an unlimited number of AES, DES, ECC, and RSA keys can be securely held external to the coprocessor. Externally stored keys can be managed either by CCA or by application programs.
- Cloning of a DES or PKA master key enables back-up and/or redundant coprocessors to use the same master-key-encrypted local keys. Master-key cloning operates with the access control system ensuring a secure, controlled process through a cryptographically protected m-of-n key-shares design. Note: Cloning of AES master keys is currently not supported.
- ATM and POS PIN-processing is supported through six services. PIN generation and verification services support several popular PIN-generation algorithms including customer-selected PIN options. A variety of PIN-block formats are processed with support for secure re-encryption and re-formatting of PIN blocks. ANSI X9.24 Derived Unique Key Per Transaction (DUKPT) PIN block encryption is supported, using both single-length and double-length keys. Additional services support the card verification value/card validation code/card security code (CVV/CVC/CSC) processes for the protection of card transactions.
- Digital signature generation and validation using RSA supports several different hash-formatting methods including ISO 9796-1 and PKCS #11 standards. Support of SHA up to 512 bits and MD5 algorithms is provided. The modular-exponentiation hardware engine supports keys up to 4096 bits in length. Using the CCA services and the FIPS 140-2 certified hardware, you have a high-security, flexible base on which to implement PKI solutions.
- DES and triple-DES data encryption/decryption supports CBC and ANSI X9.23 "last block" padding rules.
- Message Authentication Code (MAC) generation is supported using several algorithms and techniques. AES CMAC and several DES/TDES MAC methods are supported, as well as HMAC using both SHA-1 and SHA-2 hash algorithms. Strong CCA key typing allows you to prevent a MAC receiver from generating a fraudulent MAC.
- Derived key support is available for dynamically creating DES keys from a key generating key in support of protocols such as used with EMV smart cards. Through use of the UDX toolkit, you or your software vendor can extend CCA to support the many special derived-key operations needed in modern smart card systems.
- EMV™ (EMVCo LLC) Secure Messaging is supported with functions that create secure messages to send keys and PINs to EMV smart cards.
Crypto Hardware and Initialization Management (CHIM)
Customers can use CHIM to centrally manage multiple servers with one or more cryptographic coprocessors installed. CHIM is available for IBM-approved x86 servers and IBM Power Systems™. To find out more about CHIM, contact the IBM Crypto Competence Center in Copenhagen, Denmark. Their website is https://www.ibm.com/dk/security/cccc/ (DK) and their email address is firstname.lastname@example.org.
Download CCA software package
From this website you can download the software packages for the IBM PCIeCC for the platforms shown in the following table.
||Software / Firmware available
|IBM Z servers running Linux
||Obtain CCA or EP11 software for use in IBM Z servers running Linux on this software-package selection page.
|IBM Power Systems servers running IBM AIX®
Obtain CCA software and firmware for use in IBM Power Systems servers running IBM AIX® as follows:
Go to the software-package selection page. If you do not have a universal IBM user ID, you will need to register. Once registered, sign in and select
an offering, then complete the download.
|IBM Power Systems servers running IBM i
Obtain CCA software and firmware for use in IBM Power Systems servers running IBM i as follows:
The CCA software for Power Systems running IBM i is included in IBM i Option 35 Cryptographic Service Provider 7.1 . This must be ordered through your authorized IBM customer representative.
The firmware for the PCIe cryptographic coprocessor is contained within 5733-CY3 Cryptographic Device Manager. An order will be automatically placed for this product when an order is placed for any of the following hardware feature codes:
(a) EJ27 (without custom carrier)
(b) EJ28 (IBM POWER6® custom carrier)
(c) EJ29 (IBM POWER7® custom carrier)
|IBM-approved x86 servers
The purchase of an IBM 4765 includes CCA software and firmware that can be installed on certain x86 servers and operating systems. See the
IBM-approved x86 servers section page for a complete list of the supported servers and operating systems.
How to obtain CCA software and firmware
Obtain CCA software and firmware for use in select IBM-approved x86 servers section as follows:
Get the IBM System serial number from the black label on the edge of one of your IBM 4765 PCIe Cryptographic Coprocessors. Refer to figure 1. This serial number along with your IBM customer number
are required as part of the download package request.
Go to the software-package selection page. If you do not have a universal IBM user ID, you will need to register. Once registered, sign in and select an offering,
then complete the download.
IBM 4765 serial numbers