113 lines
7.9 KiB
HTML
113 lines
7.9 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
|||
|
<!DOCTYPE html
|
|||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|||
|
<html lang="en-us" xml:lang="en-us">
|
|||
|
<head>
|
|||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|||
|
<meta name="security" content="public" />
|
|||
|
<meta name="Robots" content="index,follow" />
|
|||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|||
|
<meta name="DC.Type" content="concept" />
|
|||
|
<meta name="DC.Title" content="Features" />
|
|||
|
<meta name="abstract" content="Cryptographic Coprocessors provide cryptographic processing capability and a means to securely store cryptographic keys. Cryptographic functions supported include encryption for keeping data confidential, message digests and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification. In addition, the Coprocessors provide a rich set of basic services for financial PIN, EMV, and SET applications." />
|
|||
|
<meta name="description" content="Cryptographic Coprocessors provide cryptographic processing capability and a means to securely store cryptographic keys. Cryptographic functions supported include encryption for keeping data confidential, message digests and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification. In addition, the Coprocessors provide a rich set of basic services for financial PIN, EMV, and SET applications." />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzajcco4758.htm" />
|
|||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
<meta name="DC.Format" content="XHTML" />
|
|||
|
<meta name="DC.Identifier" content="features" />
|
|||
|
<meta name="DC.Language" content="en-us" />
|
|||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|||
|
<!-- US Government Users Restricted Rights -->
|
|||
|
<!-- Use, duplication or disclosure restricted by -->
|
|||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|||
|
<title>Features</title>
|
|||
|
</head>
|
|||
|
<body id="features"><a name="features"><!-- --></a>
|
|||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|||
|
<h1 class="topictitle1">Features</h1>
|
|||
|
<div><p>Cryptographic Coprocessors provide cryptographic processing capability
|
|||
|
and a means to securely store cryptographic keys. Cryptographic functions
|
|||
|
supported include encryption for keeping data confidential, message digests
|
|||
|
and message authentication codes for ensuring that data has not been changed,
|
|||
|
and digital signature generation and verification. In addition, the Coprocessors
|
|||
|
provide a rich set of basic services for financial PIN, EMV, and SET™ applications.</p>
|
|||
|
<div class="section" id="features__features4758"><a name="features__features4758"><!-- --></a><h4 class="sectiontitle">IBM<sup>®</sup> 4758 and 4764 Cryptographic Coprocessors</h4><p>The
|
|||
|
primary benefit of the IBM Cryptographic Coprocessors is their provision of
|
|||
|
a secure environment for executing cryptographic functions and managing cryptographic
|
|||
|
keys. Master keys are stored in a battery backed-up, tamper-resistant hardware
|
|||
|
security module (HSM). The HSM is designed to meet Federal Information Processing
|
|||
|
Standard (FIPS) PUB 140 security requirements.</p>
|
|||
|
<p>You can use the Coprocessors
|
|||
|
with i5/OS™ SSL
|
|||
|
or with i5/OS application
|
|||
|
programs written by you or an application provider. The 4764 Cryptographic
|
|||
|
Coprocessor offers improved performance over that of the 4758 Cryptographic
|
|||
|
Coprocessor.</p>
|
|||
|
</div>
|
|||
|
<div class="section"><h4 class="sectiontitle">SSL application features</h4><p>Establishment of secure
|
|||
|
sockets layer (SSL) or transport layer security (TLS) sessions requires computationally
|
|||
|
intensive cryptographic processing. When the Cryptographic Coprocessors are
|
|||
|
used with i5/OS,
|
|||
|
SSL can offload this intensive cryptographic processing, and free the server
|
|||
|
CPU for application processing. The Cryptographic Coprocessors also provide
|
|||
|
hardware-based protection for the private key that is associated with the
|
|||
|
server’s SSL digital certificate.</p>
|
|||
|
<p>When configured with SSL, the Cryptographic
|
|||
|
Coprocessor can be used to create and store a private key in the FIPS 140
|
|||
|
certified HSM. Or it can be used to create a private key, encrypt it with
|
|||
|
the master key – all performed within the HSM – and then store the encrypted
|
|||
|
private key via system software in a key store file. This enables a given
|
|||
|
private key to be used by multiple Cryptographic Coprocessor cards. Master
|
|||
|
keys are always stored in the FIPS 140 certified hardware module.</p>
|
|||
|
</div>
|
|||
|
<div class="section"><h4 class="sectiontitle">i5/OS CCA
|
|||
|
application features</h4><p>You can use your Cryptographic Coprocessor
|
|||
|
to provide a high-level of cryptographic security for your applications. To
|
|||
|
implement i5/OS applications
|
|||
|
using the facilities of a Cryptographic Coprocessor you or an applications
|
|||
|
provider must write an application program using a security application programming
|
|||
|
interface (SAPI) to access the security services of your Cryptographic Coprocessor.
|
|||
|
The SAPI for the Cryptographic Coprocessor conforms to the IBM Common Cryptographic
|
|||
|
Architecture (CCA) and is supplied by i5/OS Option 35 CCA Cryptographic Service
|
|||
|
Provider (CCA CSP).</p>
|
|||
|
<p>With i5/OS the Cryptographic Coprocessor SAPI
|
|||
|
supports application software that is written in ILE C, RPG, and Cobol. Application
|
|||
|
software via the SAPI can call on CCA services to perform a wide range of
|
|||
|
cryptographic functions, including Tripe-Data Encryption Standard (T-DES),
|
|||
|
RSA, MD5, SHA-1, and RIPEMD-160 algorithms. Basic services supporting financial
|
|||
|
PIN, EMV2000 (Europay, MasterCard, Visa) standard, and SET (Secure
|
|||
|
Electronic Transaction) block processing are also available. In support of
|
|||
|
an optional layer of security the Cryptographic Coprocessor provides a role-based
|
|||
|
access control facility, which allows you to enable and control access to
|
|||
|
individual cryptographic operations that are supported by the Coprocessor.
|
|||
|
The role-based access controls define the level of access that you give to
|
|||
|
your users.</p>
|
|||
|
<div class="p">The SAPI is also used to access the key management functions
|
|||
|
of the Coprocessor. Key-encrypting keys and data encryption keys can be defined.
|
|||
|
These keys are generated in the Cryptographic Coprocessor and encrypted under
|
|||
|
the master key so that you can store these encrypted keys outside of your
|
|||
|
Coprocessor. You store these encrypted keys in a key store file, which is
|
|||
|
an i5/OS database
|
|||
|
file. Additional key management functions include the following:<ul><li>Create keys using cryptographically secure random-number generator.</li>
|
|||
|
<li>Import and export encrypted T-DES and RSA keys securely.</li>
|
|||
|
<li>Clone a master key securely.</li>
|
|||
|
</ul>
|
|||
|
Multiple Cryptographic Coprocessor cards can be used to meet your performance
|
|||
|
capacity and/or high-availability requirements. See <a href="rzajcmultiplecoprocessors.htm">Manage multiple Cryptographic Coprocessors</a> for more information.</div>
|
|||
|
<p>Security
|
|||
|
APIs for the 4758 and 4764 Cryptographic Coprocessors are documented in the IBM PCI
|
|||
|
Cryptographic Coprocessor CCA Basic Services Reference and Guide, Release
|
|||
|
3.23. You can find these and other publications in the <a href="http://www.ibm.com/security/cryptocards/library.shtml" target="_blank">IBM PCI
|
|||
|
Cryptographic Coprocessor documentation library</a>.</p>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
<div>
|
|||
|
<div class="familylinks">
|
|||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcco4758.htm" title="IBM offers two Cryptographic Coprocessors, which are available on a variety of server models.">4764 and 4758 Cryptographic Coprocessors</a></div>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
</body>
|
|||
|
</html>
|