CEX6S / 4768 CCA

This page provides CCA information for customers of the IBM CEX6S / 4768 HSM.

IBM CCA provides a comprehensive set of cryptographic functions, including the common AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support. In addition, CCA features extensive functions for key management and many functions of special interest to the banking and finance industry. Changes and extensions to CCA are described in the "Revision history" section of the IBM CCA Basic Services Reference and Guide.CCA and the 4768 HSM hardware have been independently reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA) for use in specific German finance systems.



CCA includes These Capabilities:


Cryptographic algorithms, including:

  • Symmetric key algorithms: AES (128/192/256 bit), Triple-DES (112/162 bit), DES (56 bit) for data confidentiality, message authentication, key management, financial payment card systems functions, and others
  • Public-key algorithms: RSA (to 4096 bits), Elliptic Curve (NIST Prime curves to 521 bits, Brainpool curves to 512 bits) for digital signatures and key management
  • Hashing algorithms: SHA-1, SHA-2 (224 - 512), MD5, RIPEMD-160, MDC
  • HMAC using SHA-1 or SHA-2
  • Hardware-based prime number generator

Financial cryptography support, including:

  • Designed for HSM certification of Payment Card Industry (PCI) PIN Transaction Security standard (PTS)
    • PCI compliant “mode”
      • DES, AES and RSA private key tokens can be compliance tagged
      • Compliance-tag key support for DK functions
      • X9 TR-34 key exchange services with compliance-tag key support
      • PCI HSM Key Restrictions enforced for all tagged keys
      • HSM functions restricted to PCI HSM permitted set for tagged keys
    • Audit log secured by the HSM
    • Migration and Warning Modes to support transition to full compliance mode
      • Determine which functions in your application are not PCI HSM compliant
      • Determine which of your keys are not PCI HSM compliant
    • Non-disruptive secure mode transition
      • Keep Master Keys (MKs)
      • Keep running your application
    • Manufactured in an environment compliant with PCI HSM requirements
    • Firmware that enforces compliance
  • Sophisticated key typing and key usage control
  • PIN processing
  • EMV smart card personalization and transaction processing
  • ATM remote key distribution
  • X.509 certificate native support backed by internal Public Key Infrastructure (PKI)
  • Key derivation
  • TR-31 key block support
  • Derived Unique Key Per Transaction (DUKPT)

Relevant standards that are supported (not a complete list):

  • Designed to meet the requirements of PCI PTS HSM Modular Derived Test Requirements, v3.0, June 2016, PCI Security Standards Council LLC
  • Key management: ANSI X9.24 Part 1, ANSI X9.24 Part 2, ANSI TR-31, ANSI X9.8 / ISO 9564, NIST SP 800-108, NIST SP 800-56A, ANSI X9.63, ANSI X9.102
  • Device security and cryptographic algorithm correctness: FIPS 140, ANSI X9.97, ISO 13491
  • Digital signatures: NIST FIPS 186, ANSI X9.62, PKCS #1, ANSI X9.31, ISO 9796
  • Random number generation: NIST SP 800-90A
  • Hashing and HMAC: NIST FIPS 180, NIST FIPS 198