Features

Cryptographic Coprocessors provide cryptographic processing capability and a means to securely store cryptographic keys. Cryptographic functions supported include encryption for keeping data confidential, message digests and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification. In addition, the Coprocessors provide a rich set of basic services for financial PIN, EMV, and SET™ applications.

IBM® 4758 and 4764 Cryptographic Coprocessors

The primary benefit of the IBM Cryptographic Coprocessors is their provision of a secure environment for executing cryptographic functions and managing cryptographic keys. Master keys are stored in a battery backed-up, tamper-resistant hardware security module (HSM). The HSM is designed to meet Federal Information Processing Standard (FIPS) PUB 140 security requirements.

You can use the Coprocessors with i5/OS™ SSL or with i5/OS application programs written by you or an application provider. The 4764 Cryptographic Coprocessor offers improved performance over that of the 4758 Cryptographic Coprocessor.

SSL application features

Establishment of secure sockets layer (SSL) or transport layer security (TLS) sessions requires computationally intensive cryptographic processing. When the Cryptographic Coprocessors are used with i5/OS, SSL can offload this intensive cryptographic processing, and free the server CPU for application processing. The Cryptographic Coprocessors also provide hardware-based protection for the private key that is associated with the server’s SSL digital certificate.

When configured with SSL, the Cryptographic Coprocessor can be used to create and store a private key in the FIPS 140 certified HSM. Or it can be used to create a private key, encrypt it with the master key – all performed within the HSM – and then store the encrypted private key via system software in a key store file. This enables a given private key to be used by multiple Cryptographic Coprocessor cards. Master keys are always stored in the FIPS 140 certified hardware module.

i5/OS CCA application features

You can use your Cryptographic Coprocessor to provide a high-level of cryptographic security for your applications. To implement i5/OS applications using the facilities of a Cryptographic Coprocessor you or an applications provider must write an application program using a security application programming interface (SAPI) to access the security services of your Cryptographic Coprocessor. The SAPI for the Cryptographic Coprocessor conforms to the IBM Common Cryptographic Architecture (CCA) and is supplied by i5/OS Option 35 CCA Cryptographic Service Provider (CCA CSP).

With i5/OS the Cryptographic Coprocessor SAPI supports application software that is written in ILE C, RPG, and Cobol. Application software via the SAPI can call on CCA services to perform a wide range of cryptographic functions, including Tripe-Data Encryption Standard (T-DES), RSA, MD5, SHA-1, and RIPEMD-160 algorithms. Basic services supporting financial PIN, EMV2000 (Europay, MasterCard, Visa) standard, and SET (Secure Electronic Transaction) block processing are also available. In support of an optional layer of security the Cryptographic Coprocessor provides a role-based access control facility, which allows you to enable and control access to individual cryptographic operations that are supported by the Coprocessor. The role-based access controls define the level of access that you give to your users.

The SAPI is also used to access the key management functions of the Coprocessor. Key-encrypting keys and data encryption keys can be defined. These keys are generated in the Cryptographic Coprocessor and encrypted under the master key so that you can store these encrypted keys outside of your Coprocessor. You store these encrypted keys in a key store file, which is an i5/OS database file. Additional key management functions include the following:
  • Create keys using cryptographically secure random-number generator.
  • Import and export encrypted T-DES and RSA keys securely.
  • Clone a master key securely.
Multiple Cryptographic Coprocessor cards can be used to meet your performance capacity and/or high-availability requirements. See Manage multiple Cryptographic Coprocessors for more information.

Security APIs for the 4758 and 4764 Cryptographic Coprocessors are documented in the IBM PCI Cryptographic Coprocessor CCA Basic Services Reference and Guide, Release 3.23. You can find these and other publications in the IBM PCI Cryptographic Coprocessor documentation library.