CEX7S / 4769 CCA
This page provides CCA information for customers of the IBM CEX7S / 4769 HSM.
IBM CCA provides a comprehensive set of cryptographic functions, including the common AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support. In addition, CCA features extensive functions for key management and many functions of special interest to the banking and finance industry.
CCA and the 4769 HSM hardware are designed for certification under the security requirements of the Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) device program (also known as PCI-HSM).
CCA and the 4769 HSM hardware have been independently reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA) for use in specific German finance systems.
CCA Includes These Capabilities:
Cryptographic algorithms, including:
- Symmetric key algorithms: AES (128/192/256 bit), Triple-DES (112/162 bit), DES (56 bit) for data confidentiality, message authentication, key management, financial payment card systems functions, and others
- Public-key algorithms: RSA (to 4096 bits), Elliptic Curve (NIST Prime curves to 521 bits, Brainpool curves to 512 bits, Edwards curves 25519 and 448, secp256k1) for digital signatures and key management
- Variety of signature formatting methods including RSA-PSS
- CRYSTALS-Dilithium-6,5 (Round 2)
- Hashing algorithms: SHA-1, SHA-2 (224 - 512), MD5, RIPEMD-160, MDC
- HMAC using SHA-1 or SHA-2
- Hardware-based prime number generator and pseudorandom number generation (PRNG) support
- Format preserving encryption algorithms:
- Feistel-based Format Preserving Encryption (FF1, FF2, FF2.1)
- AES-DUKPT key derivation
- Format Preserving Counter Mode (FPCM) as defined in x9.24 Part 2
- Feistel-based Format Preserving Encryption (FF1, FF2, FF2.1)
Financial cryptography support, including:
- Design elements for PCI-HSM evaluation
- PCI compliant “mode”
- AES, RSA, and DES keys can be Compliance Tagged
- PCI HSM Key Restrictions enforced for all compliance tagged keys
- HSM functions restricted to PCI HSM permitted set for compliance tagged keys
- Audit log secured by the HSM
- Warning Mode to support analysis for transition to full compliance mode
- Determine which functions in your application are not PCI HSM compliant
- Determine which of your keys are not PCI HSM compliant
- Migration Mode to support transition of your current keys to become PCI-HSM compliant tagged keys
- Non-disruptive secure mode transition
- Keep Master Keys (MKs)
- Keep running your application using existing keys
- Manufactured in an environment compliant with PCI HSM requirements
- Firmware that enforces compliance
- PCI compliant “mode”
- Sophisticated key typing and key usage control
- VDSP - Visa Data Secure Platform point-to-point encryption (P2PE) with standard Visa format-preserving encryption (FPE)
- Support for core banking functions including DES, TDES and AES protected customer PIN processing and PIN verification along with full ISO-4 PIN block support and AES-protected EMV messages
- PIN processing
- PIN Translation between ISO formats including ISO-4
- AES based PIN processing
- AES-DUKPT for PIN services
- EMV smart card personalization and transaction processing
- X.509 certificate native support for all public key services backed by internal Public Key Infrastructure (PKI)
- ATM remote key distribution
- TR-31 support for AES, TDES and HMAC key import/export
- X9 TR-34 remote key distribution
- To ATMs or to remote key exchange hosts
- Backed by native X.509 support and optionally secured by trust anchors securely loaded to the HSM-internal PKI (no pre-loaded trust anchors)
- Key derivation
- X9 TR-31 key block support
- DES, Triple DES and AES Derived Unique Key Per Transaction (DUKPT)