Key features of the 4767 PCIe Cryptographic Coprocessor

High-end secure coprocessor

The IBM 4767 PCIe Cryptographic Coprocessor is a high-end secure coprocessor implemented on a PCIe card with a multi-chip embedded module. It is suited to applications that require high-speed cryptographic functions for data encryption and digital signing, secure storage of signing keys, or custom cryptographic applications. These include financial applications such as PIN generation and verification in automated teller machine (ATM) and point-of-sale transaction servers.

Highest level of certification: FIPS PUB 140-2, Level 4

Federal Information Processing Standards (FIPS) are issued by the U.S. National Institute of Standards and Technology (NIST). The IBM 4767 performs its cryptographic processing inside a secure enclosure on the HSM that is validated to FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. Level 4 is the highest level defined by FIPS 140-2 and the highest achievable for commercial cryptographic devices; it requires the module to detect physical tampering and respond by destroying its sensitive data.

Performance and architectural improvements

The IBM 4767 hardware provides significant performance and architectural improvements over its predecessor while leaving room for future growth. For example, the 4767 can exceed 15,000 PIN translation operations per second. The secure module contains redundant IBM PowerPC 476 processors; custom symmetric-key and hashing engines for AES, DES and Triple-DES (T-DES), SHA-1, the SHA-2 family (including SHA-384 and SHA-512), MD5 and HMAC; and custom public-key engines for RSA and Elliptic Curve Cryptography. DES, MD5 and SHA-1 are legacy algorithms kept for interoperability; new designs should use AES and SHA-2.

Tamper responding design

The secure module is protected by a tamper-responding design that defends against a wide variety of physical attacks on the device and immediately destroys (zeroizes) all keys and sensitive data when tampering is detected. Other hardware support includes a secure real-time clock, a hardware random number generator and a prime number generator.

Common Cryptographic Architecture, Enterprise PKCS #11 APIs

IBM provides the Common Cryptographic Architecture (CCA) Support Program, which you can load into the coprocessor (HSM) to perform cryptographic functions common in the finance industry and in Internet business applications. You can also add custom functions to the HSM using an available programming toolkit or through IBM consulting services. IBM also provides the Enterprise PKCS #11 (EP11) interface for secure-key cryptographic operations (keys that exist in the clear only inside the HSM) through the industry-standard PKCS #11/openCryptoki API.

Embedded certificate allows external verification

During the final manufacturing step, the coprocessor generates a unique public/private key pair that is stored in the device. The tamper detection circuitry is activated at that point and remains active throughout the useful life of the coprocessor, protecting this private key as well as other keys and sensitive data. The coprocessor's public key is certified at the factory by an IBM private key, and the resulting certificate is retained in the coprocessor. A party holding IBM's public key can therefore verify that a key pair was generated inside a genuine, untampered HSM rather than in software or in a counterfeit device.
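The chain of trust this describes, as an added worked example in Go (an editor's illustration, not IBM code and not the certificate format IBM uses): a hypothetical factory key certifies the device's public key at manufacture, the device later signs a verifier-supplied nonce, and an external party holding only the factory public key checks both signatures. The simplified certificate (a factory ECDSA signature over the DER encoding of the device public key), the P-256 curve, and all type and function names are assumptions; the page does not specify IBM's algorithms or encoding. The Tamper method also illustrates the tamper-responding behaviour from the previous section: once the key is destroyed, the device can no longer attest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DeviceCert is a minimal device certificate: the factory's signature over the
// DER encoding of the device public key. Hypothetical format, not IBM's encoding.
type DeviceCert struct {
	PubDER []byte // device public key as SubjectPublicKeyInfo DER
	Sig    []byte // factory ECDSA signature over SHA-256(PubDER)
}

// Factory stands in for the manufacturer's certification key (the "IBM private key").
type Factory struct {
	key *ecdsa.PrivateKey // kept at the factory
	Pub *ecdsa.PublicKey  // published; all an external verifier needs to hold
}

// Device stands in for the coprocessor: a key pair generated inside the secure module.
type Device struct {
	key  *ecdsa.PrivateKey // never leaves the module; destroyed on tamper
	Cert DeviceCert        // factory-issued certificate retained in the device
}

func NewFactory() (*Factory, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Factory{key: key, Pub: &key.PublicKey}, nil
}

// Manufacture is the final manufacturing step: the device generates its own key
// pair and the factory certifies only the public half.
func (f *Factory) Manufacture() (*Device, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&devKey.PublicKey)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(pubDER)
	sig, err := ecdsa.SignASN1(rand.Reader, f.key, h[:])
	if err != nil {
		return nil, err
	}
	return &Device{key: devKey, Cert: DeviceCert{PubDER: pubDER, Sig: sig}}, nil
}

// Attest signs a verifier-chosen nonce; a fresh nonce per check stops a recorded
// response from being replayed. After a tamper event there is no key to sign with.
func (d *Device) Attest(nonce []byte) ([]byte, error) {
	if d.key == nil {
		return nil, errors.New("device key destroyed by tamper response")
	}
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

// Tamper models the tamper-responding design: detection destroys the private key.
func (d *Device) Tamper() { d.key = nil }

// VerifyAttestation is the external check: with only the factory public key, first
// verify the factory signature over the device key, then the nonce signature under it.
func VerifyAttestation(factoryPub *ecdsa.PublicKey, cert DeviceCert, nonce, sig []byte) error {
	hc := sha256.Sum256(cert.PubDER)
	if !ecdsa.VerifyASN1(factoryPub, hc[:], cert.Sig) {
		return errors.New("device certificate not signed by trusted factory")
	}
	pub, err := x509.ParsePKIXPublicKey(cert.PubDER)
	if err != nil {
		return err
	}
	devPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected device key type")
	}
	hn := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(devPub, hn[:], sig) {
		return errors.New("nonce signature invalid")
	}
	return nil
}

func main() {
	factory, _ := NewFactory()
	dev, _ := factory.Manufacture()
	nonce := []byte("constructed verifier nonce") // constructed sample input
	sig, _ := dev.Attest(nonce)
	fmt.Println("genuine device:", VerifyAttestation(factory.Pub, dev.Cert, nonce, sig))
	dev.Tamper()
	_, err := dev.Attest(nonce)
	fmt.Println("after tamper:", err)
}
```

The order of the two checks is the point: the device public key is trusted only after the factory signature over it has verified, and the nonce must be fresh for every check so that a recorded attestation from a genuine device cannot be replayed on behalf of a counterfeit one.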

Available for select IBM Z, LinuxONE, x64, and Power servers

The technology is available on select IBM Z models (z14, z13s and z13 only) as the Crypto Express5S (CEX5S) feature. On z/OS, support is provided by ICSF cryptographic services. On Linux on IBM Z, CEX5S support is provided by CCA and by Enterprise PKCS #11 (EP11). On x64 servers, the PCIeCC2 is available as MTM 4767-002 with support for specific Windows, SLES, and RHEL releases. On IBM POWER8® servers, it is supported by the IBM AIX®, IBM i®, and PowerLinux™ operating systems.

You may also be interested in

IBM z15

Flexibility, responsiveness and cost are fueling your digital transformation and your journey to cloud. Now, you can drive to market faster – while avoiding cloud security risks and complex migration challenges. Designed through collaboration with clients, the new IBM z15™ single-frame and multi-frame systems deliver security, privacy and resiliency at scale as part of your enterprise-wide cloud infrastructure. IBM z15 enables cloud native services while extending the value of your most valuable data and applications to address today’s business challenges and lead tomorrow's transformation.


IBM Security Key Lifecycle Manager for z/OS

IBM Security Key Lifecycle Manager for z/OS manages encryption keys for storage. It simplifies deployment and helps minimize the risk of loss or breach of sensitive information while maintaining availability of data at rest natively on IBM System z mainframe environments. The solution centralizes and automates the encryption key management process, reduces the number of encryption keys and consolidates encryption key management. It facilitates compliance with regulatory standards that require strong hardware encryption, such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).


IBM LinuxONE Emperor II

Digital is transforming the industry. To be competitive, enterprises must deliver trusted services to their clients while accelerating value. This requires an open source platform that speeds your developers' creative genius and a highly secure cloud infrastructure that provides instantaneous data delivery any day of the year, whether you have thousands or millions of simultaneous users. We have the answer: IBM® LinuxONE™ Emperor™ II, an open enterprise Linux server that operates at lightning-fast speed, extreme scale and the highest level of security to deliver exceptional digital experiences and even change the world.


IBM LinuxONE Rockhopper II

Your business growth is dependent on delivering exceptional and trusted digital experiences – so you can capture new markets and disrupt your competition. IBM LinuxONE Rockhopper II™ is designed to provide a superior data and cloud platform with pervasive encryption, high availability, and performance at scale. All of this is packaged in an affordable enterprise Linux server that fits right into your cloud data center – whether you are a startup or an established bank.
