ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajcfeatures.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Features" />
<meta name="abstract" content="Cryptographic Coprocessors provide cryptographic processing capability and a means to securely store cryptographic keys. Cryptographic functions supported include encryption for keeping data confidential, message digests and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification. In addition, the Coprocessors provide a rich set of basic services for financial PIN, EMV, and SET applications." />
<meta name="description" content="Cryptographic Coprocessors provide cryptographic processing capability and a means to securely store cryptographic keys. Cryptographic functions supported include encryption for keeping data confidential, message digests and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification. In addition, the Coprocessors provide a rich set of basic services for financial PIN, EMV, and SET applications." />
<meta name="DC.Relation" scheme="URI" content="rzajcco4758.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="features" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Features</title>
</head>
<body id="features"><a name="features"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Features</h1>
<div><p>Cryptographic Coprocessors provide cryptographic processing capability
and a means to securely store cryptographic keys. Cryptographic functions
supported include encryption for keeping data confidential, message digests
and message authentication codes for ensuring that data has not been changed,
and digital signature generation and verification. In addition, the Coprocessors
provide a rich set of basic services for financial PIN, EMV, and SET™ applications.</p>
<div class="section" id="features__features4758"><a name="features__features4758"><!-- --></a><h4 class="sectiontitle">IBM<sup>®</sup> 4758 and 4764 Cryptographic Coprocessors</h4><p>The
primary benefit of the IBM Cryptographic Coprocessors is their provision of
a secure environment for executing cryptographic functions and managing cryptographic
keys. Master keys are stored in a battery backed-up, tamper-resistant hardware
security module (HSM). The HSM is designed to meet Federal Information Processing
Standard (FIPS) PUB 140 security requirements.</p>
<p>You can use the Coprocessors
with i5/OS™ SSL
or with i5/OS application
programs written by you or an application provider. The 4764 Cryptographic
Coprocessor offers improved performance over that of the 4758 Cryptographic
Coprocessor.</p>
</div>
<div class="section"><h4 class="sectiontitle">SSL application features</h4><p>Establishment of secure
sockets layer (SSL) or transport layer security (TLS) sessions requires computationally
intensive cryptographic processing. When the Cryptographic Coprocessors are
used with i5/OS,
SSL can offload this intensive cryptographic processing, and free the server
CPU for application processing. The Cryptographic Coprocessors also provide
hardware-based protection for the private key that is associated with the
server’s SSL digital certificate.</p>
<p>When configured with SSL, the Cryptographic
Coprocessor can be used to create and store a private key in the FIPS 140
certified HSM. Or it can be used to create a private key, encrypt it with
the master key – all performed within the HSM – and then store the encrypted
private key via system software in a key store file. This enables a given
private key to be used by multiple Cryptographic Coprocessor cards. Master
keys are always stored in the FIPS 140 certified hardware module.</p>
</div>
<div class="section"><h4 class="sectiontitle">i5/OS CCA
application features</h4><p>You can use your Cryptographic Coprocessor
to provide a high-level of cryptographic security for your applications. To
implement i5/OS applications
using the facilities of a Cryptographic Coprocessor you or an applications
provider must write an application program using a security application programming
interface (SAPI) to access the security services of your Cryptographic Coprocessor.
The SAPI for the Cryptographic Coprocessor conforms to the IBM Common Cryptographic
Architecture (CCA) and is supplied by i5/OS Option 35 CCA Cryptographic Service
Provider (CCA CSP).</p>
<p>With i5/OS the Cryptographic Coprocessor SAPI
supports application software that is written in ILE C, RPG, and Cobol. Application
software via the SAPI can call on CCA services to perform a wide range of
cryptographic functions, including Tripe-Data Encryption Standard (T-DES),
RSA, MD5, SHA-1, and RIPEMD-160 algorithms. Basic services supporting financial
PIN, EMV2000 (Europay, MasterCard, Visa) standard, and SET (Secure
Electronic Transaction) block processing are also available. In support of
an optional layer of security the Cryptographic Coprocessor provides a role-based
access control facility, which allows you to enable and control access to
individual cryptographic operations that are supported by the Coprocessor.
The role-based access controls define the level of access that you give to
your users.</p>
<div class="p">The SAPI is also used to access the key management functions
of the Coprocessor. Key-encrypting keys and data encryption keys can be defined.
These keys are generated in the Cryptographic Coprocessor and encrypted under
the master key so that you can store these encrypted keys outside of your
Coprocessor. You store these encrypted keys in a key store file, which is
an i5/OS database
file. Additional key management functions include the following:<ul><li>Create keys using cryptographically secure random-number generator.</li>
<li>Import and export encrypted T-DES and RSA keys securely.</li>
<li>Clone a master key securely.</li>
</ul>
Multiple Cryptographic Coprocessor cards can be used to meet your performance
capacity and/or high-availability requirements. See <a href="rzajcmultiplecoprocessors.htm">Manage multiple Cryptographic Coprocessors</a> for more information.</div>
<p>Security
APIs for the 4758 and 4764 Cryptographic Coprocessors are documented in the IBM PCI
Cryptographic Coprocessor CCA Basic Services Reference and Guide, Release
3.23. You can find these and other publications in the <a href="http://www.ibm.com/security/cryptocards/library.shtml" target="_blank">IBM PCI
Cryptographic Coprocessor documentation library</a>.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcco4758.htm" title="IBM offers two Cryptographic Coprocessors, which are available on a variety of server models.">4764 and 4758 Cryptographic Coprocessors</a></div>
</div>
</div>
</body>
</html>