The IBM 4768[1] PCIe Cryptographic Coprocessor is a hardware security module (HSM)[2] that includes a secure cryptoprocessor implemented on a high security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.
The IBM 4768[3] is validated to FIPS PUB 140-2 Level 4,[4] the highest level of certification achievable for commercial cryptographic devices. It has achieved PCI-HSM certification.[5] The IBM 4768 data sheet[6] describes the coprocessor in detail.
IBM supplies two cryptographic-system implementations:
- The PKCS#11[7] implementation creates a high-security solution for application programs developed for this industry-standard API.
- The IBM Common Cryptographic Architecture (CCA) implementation provides many functions of special interest in the finance industry, extensive support for distributed key management, and a base on which custom processing and cryptographic functions can be added.
Applications may include financial PIN transactions, bank-to-clearing-house transactions, EMV transactions for integrated circuit (chip) based credit cards, and general-purpose cryptographic applications using symmetric key algorithms, hashing algorithms, and public key algorithms.
The operational keys (symmetric or RSA private) are generated in the coprocessor and are then saved either in a keystore file or in application memory, encrypted under the master key of that coprocessor. Any coprocessor with an identical master key can use those keys. Performance benefits include the incorporation of elliptic curve cryptography (ECC) and format preserving encryption (FPE) in the hardware.
IBM supports the 4768 on certain IBM Z mainframes as Crypto Express6S (CEX6S) - feature code 0893.[8] The 4768 / CEX6S is part of IBM's support for pervasive encryption[9][10][11] and drive to encrypt all data.[12]
In September 2019 the successor IBM 4769 was announced.
References
edit- ^ "PCleCC3 Overview | IBM". www.ibm.com. 2018-03-20. Retrieved 2018-04-18.
- ^ Smirnoff, Peter. "Understanding Hardware Security Modules (HSMs)". Retrieved 2018-04-18.
- ^ "IBM z14 / Pervasive Encryption". www.ibm.com. 2017-08-03. Retrieved 2018-04-18.
- ^ "Certificate Detail - Cryptographic Module Validation Program | CSRC". csrc.nist.gov. 11 October 2016.
- ^ "PCI Security Standards - PCI-HSM certification for IBM 4768". PCI Security Standards Council. Retrieved 2018-07-24.
- ^ "IBM 4768 Data Sheet" (PDF). 9 November 2020. Archived from the original (PDF) on July 24, 2018.
- ^ "Cryptsoft". www.cryptsoft.com. Retrieved 2018-04-18.
- ^ "IBM z14 Hardware Overview" (PDF). IBM.
- ^ Jordan, M.; Sardino, N.; McGrath, M.; Zoellin, C.; Morris, T. E.; Carranza Lewis, C.; Vance, G.; Naylor, B.; Pickel, J.; Almeida, M. S.; Wierbowski, D.; Meyer, C.; Buendgen, R.; Zagorski, M.; Schoone, H.; Voss, K. (March 2018). "Enabling pervasive encryption through IBM Z stack innovations - IBM Journals & Magazine". IBM Journal of Research and Development. 62 (2/3): 2:1–2:11. doi:10.1147/JRD.2018.2795898. Retrieved 2018-04-18.
- ^ "IBM z14: Enforcing Data As The New Perimeter, Enabling Scale For The Cloud". Brian D. Colwell. 2017-07-17. Archived from the original on 2018-02-11. Retrieved 2018-04-24.
- ^ "SHARE : Blogs : Blockchain Through the Prism of Pervasive Encryption: Part II". event.share.org. Retrieved 2018-04-24.
- ^ "IBM Processor Claims New Level of Data Encryption". www.eetimes.com. Retrieved 2018-04-24.
External links
editThese links point to various relevant cryptographic standards.
ISO 13491 - Secure Cryptographic Devices: https://www.iso.org/standard/61137.html
ISO 9564 - PIN security: https://www.iso.org/standard/68669.html
ANSI X9.24 Part 1: Key Management using Symmetric Techniques: https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-1-2017
ANSI X9.24 Part 2: Key Management using Asymmetric Techniques: https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-2-2016
FIPS 140-2: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
Payment Card Industry (PCI) PIN Transaction Security (PTS): Hardware Security Module (HSM) Modular Security Requirements: search this site: https://www.pcisecuritystandards.org/document_library