CEX5S / 4767 CCA
This page provides CCA information for customers of the IBM CEX5S / 4767 HSM.
IBM CCA provides a comprehensive set of cryptographic functions, including the common AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support. In addition, CCA features extensive functions for key management and many functions of special interest to the banking and finance industry. Changes and extensions to CCA are described in the "Revision history" section of the IBM CCA Basic Services Reference and Guide. CCA and the 4767 HSM hardware have been independently reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA), for use in specific German finance systems.
CCA Includes These Capabilities:
Cryptographic algorithms, including:
- Symmetric key algorithms: AES (128-256 bit), Triple-DES (112, 192 bit), DES (56 bit) for data confidentiality, message authentication, key management, financial payment card systems functions, and others
- Public-key algorithms: RSA (to 4096 bits), Elliptic Curve (NIST Prime curves to 521 bits, Brainpool curves to 512 bits) for digital signatures and key management
- Hashing algorithms: SHA-1, SHA-2 (224-512), MD5, RIPEMD-160, MDC
- HMAC using SHA-1 or SHA-2
- Hardware-based prime number generator
Financial cryptography support, including:
- Sophisticated key typing and key usage control
- PIN processing
- EMV smart card personalization and transaction processing
- ATM remote key distribution
- Key derivation
- TR-31 key block support
- Derived Unique Key Per Transaction (DUKPT)
Relevant standards that are supported (not a complete list):
- Key management: ANSI X9.24 Part 1, ANSI X9.24 Part 2, ANSI TR-31, ANSI X9.8 / ISO 9564, NIST SP 800-108, NIST SP 800-56A, ANSI X9.63, ANSI X9.102
- Device security and cryptographic algorithm correctness: FIPS 140, ANSI X9.97, ISO 13491
- Digital signatures: NIST FIPS 186, ANSI X9.62, PKCS #1, ANSI X9.31, ISO 9796
- Random number generation: NIST SP 800-90A
- Hashing and HMAC: NIST FIPS 180, NIST FIPS 198
Custom programming support:
- UDX (User Defined eXtensions) toolkit allows adding custom functions to the CCA API
- Toolkit also allows developing your own custom firmware in place of IBM CCA or EP11
The IBM CCA Support Program (known as ICSF on IBM Z® running z/OS®) provides a comprehensive, integrated family of services that employs the major capabilities of the IBM coprocessors.
CCA provides the usual AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support. In addition, CCA features extensive support for distributed key management and many functions of special interest to the finance industry. Other changes and extensions to the Support Program are described in the "Revision history" section of the CCA Basic Services Reference and Guide (PDF, 6MB).
The CCA software has been independently reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA), for use in specific German finance systems.