Key features of the 4767 PCIe Cryptographic Coprocessor

High-end secure coprocessor

The IBM 4767 PCIe Crytographic Coprocessor is a high-end secure coprocessor implemented on a PCIe card with a multi-chip embedded module. It is suited to applications requiring high-speed cryptographic functions for data encryption and digital signing, secure storage of signing keys, or custom cryptographic applications. These can include financial applications such as PIN generation and verification in automated teller and point-of-sale transaction servers.

Highest level of certification: FIPS PUB 140-2, Level 4

Federal Information Processing Standards (FIPS) are issued by the U.S. National Institute of Standards and Technology (NIST). The IBM 4767 cryptographic processes are performed within an enclosure on the HSM that is validated to FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. Level 4 is the highest level of certification achievable for commercial cryptographic devices.

Performance and architectural improvements

The IBM 4767 hardware provides significant performance and architectural improvements over its predecessor while enabling future growth. For example, the 4767 can exceed 15,000 PIN translation operations per second. The secure module contains redundant IBM PowerPC 476 processors, custom symmetric key and hashing engines to perform AES, DES, T-DES, SHA-1, SHA-384, SHA-512, and SHA2, MD5 and HMAC, and custom public key cryptographic algorithm engines to support RSA and Elliptic Curve Cryptography.

Tamper responding design

The secure module is protected by a tamper responding design that protects against a wide variety of attacks against the system and immediately destroys all keys and sensitive data if tampering is detected. Other hardware support includes a secure realtime clock, hardware random number generator and a prime number generator.

Common Cryptographic Architecture, Enterprise PKCS #11 APIs

IBM provides the Common Cryptographic Architecture (CCA) Support Program that you can load into the coprocessor (HSM) to perform cryptographic functions common in the finance industry and in Internet business applications. You can also add custom functions to the HSM using an available programming toolkit or through IBM consulting services. IBM also provides the Enterprise PKCS #11 (EP11) interface to run secure key cryptographic operations using the industry-standard PKCS #11/openCryptoki API.

Embedded certificate allows external verification

During the final manufacturing step, the coprocessor generates a unique public/private key pair that is stored in the device. The tamper detection circuitry is activated and remains active throughout the useful life of the coprocessor, protecting this private key as well as other keys and sensitive data. The public key of the coprocessor is certified at the factory by an IBM private key and the certificate is retained in the coprocessor. These safeguards ensure the HSM is genuine and untampered.

Available for select IBM Z, x86 and Power servers

The technology is available on select IBM Z® models (z14, z13s and z13 only) as the Crypto Express5S (CEX5S) feature. On z/OS, support is provided by ICSF cryptographic services. On Linux® on Z, CEX5S support is provided by CCA and by Enterprise PKCS #11 (EP11). On x86 servers, the PCIeCC2 is available as MTM 4767-002 with support from specific Windows®, SLES, and RHEL releases. On IBM Power Systems™ POWER8®, it is supported by IBM AIX®, IBM i®, and PowerLinux™ operating systems.

You may also be interested in

IBM Multi-Cloud Data Encryption

IBM Multi-Cloud Data Encryption

Learn more

IBM z14

IBM mainframe servers to secure the cloud

Learn more

IBM Security Key Lifecycle Manager for z/OS

Centralize, simplify and strengthen encryption key management

Learn more