CEX8S / 4770 Overview
Overview of the IBM CEX8S - 4770 Cryptographic Coprocessor.
IBM 4770 Crypto Card
Available as IBM Z® feature CEX8S, IBM Power Systems™ features EPG4, EPG5, and EPG6, and x64 MTM 4770-001.
An IBM PCIe Cryptographic Coprocessor is a high-performance hardware security module (HSM) suitable for high-security processing and high-speed cryptographic operations. The IBM 4770 Cryptographic Coprocessor is the latest generation and fastest of IBM's PCIe hardware security modules (HSMs). Its predecessors are the IBM 4769, IBM 4768, IBM 4767, and IBM 4765.
The IBM 4770 is designed for improved performance and security rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. For a detailed summary of the capabilities and specifications of the IBM 4770, refer to the IBM 4770 Data Sheet (PDF, 383 KB)
Security Certifications
FIPS 140-2 Level 4 – Highest cryptographic security level available.
FIPS 140 defines security requirements for cryptographic modules. It is issued by the U.S. National Institute of Standards and Technology (NIST) and is widely used as a measure of the security of HSMs. The IBM 4770 is verified by NIST at FIPS 140-2 Level 4 (certificate number 4558 [link resides outside of ibm.com]), the highest level of certification currently achievable for commercial cryptographic devices.
PCI HSM
PCI HSM is the "Payment Card Industry Hardware Security Module" standard issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. PCI HSM is one of the standards in the PCI PIN Transaction Security (PTS) device group. To view IBM firmware levels and devices that have achieved this certification, search by 'Company name' for "IBM Corporation" on the PCI PTS website (link resides outside of ibm.com).
The IBM 4770 is pending certification PCI HSM certification on IBM Z.
Available on IBM Z
- IBM Z
IBM Z Mainframe
The IBM 4770 is available on IBM Z® mainframes running either z/OS® or Linux® on IBM Z® operating systems as:
- IBM Z® mainframes (z16®) as FC 0851 (CEX8S).
- IBM Z® mainframes (z17®) as FC 0908 (two CEX8S per feature) or FC 0909 (one CEX8S per feature).
Reliability, Availability, and Serviceability (RAS)
Hardware has also been designed to support the highest level of RAS requirements that enables the secure module to self-check at all times. This is achieved by running a pair of PowerPC processors in lock step and comparing the result from each cycle by cycle. Also all interfaces, registers, memory, cryptographic engines, and buses are protected at all times using parity, ECC (Error Correcting Codes), or CRC. Power on self-tests that are securely stored inside the secure module verify the hardware and firmware loaded on the module is secure and reliable at every power on. Then, the built-in RAS features check it continuously in real time.
Embedded Certificate
During the final manufacturing step, the coprocessor generates a unique public/private key pair which is stored in the device. The tamper detection circuitry is activated at this time and remains active throughout the useful life of the coprocessor, protecting this private key as well as other keys and sensitive data. The public key of the coprocessor is certified at the factory by an IBM private key and the certificate is retained in the coprocessor. Subsequently, the private key of the coprocessor is used to sign the coprocessor status responses which, in conjunction with a series of public key certificates, demonstrate that the coprocessor remains intact and is genuine.
Tamper Responding Design
The IBM 4770 HSM is validated by NIST to meet the FIPS 140-2 Level 4 requirements by protecting against attacks that include probe penetration or other intrusion into the secure module, side-channel attacks, power manipulation, and temperature manipulation. From the time of manufacture, the hardware is self-protecting by using tamper sensors to detect probing or drilling attempts. If the tamper sensors are triggered, the HSM destroys critical keys and certificates, and is rendered permanently inoperable. Note therefore that the HSM must be maintained at all times within the temperature, humidity, and barometric pressure ranges specified. Refer to the environmental requirements section below.
Technical Specifications
| Physical characteristics | |
| Card type | Half-height, half-length PCIe x4 card PCI Local Bus Specification 2.2 PCIe specification 1.1 |
| Voltage | +3.3 VDC ± 10% 23.44 W max |
| Required | 25 W min |
| System
requirements This section describes requirements for the system in which the CEX8S is installed. |
|
| Hardware | The CEX8S can be installed in IBM Z® mainframes (currently z16® and z17®). |
| Environmental
requirements From the time of manufacture, the IBM CEX8S cryptographic card must be shipped, stored, and used within the following environmental specifications. Outside of these specifications, the CEX8S tamper sensors can be activated and render the CEX8S permanently inoperable. |
|
| Shipping: The card should be shipped in original IBM packaging (electrostatic discharge bag with desiccant and thermally insulated box with gel packs). | |
| Temp | -34°C to +60°C |
| Pressure | min 550 mbar (maximum altitude 16 000 feet) |
| Humidity | 5% to 100% RH |
| Storage: The card should be stored in electrostatic discharge bag with desiccant. | |
| Temp | +1°C to +60°C |
| Humidity | 5% to 80% RH |
| Pressure | min 700 mbar (maximum altitude 10 000 feet) |
| Operation: (ambient in system) | |
| Temp | +5°C to +35°C |
| Humidity | 8% to 85% RH |
| Pressure / Altitude (maximum) | min 700 mbar (maximum altitude 10 000 feet) |
| Airflow (minimum) | 300 LFM (air velocity over the secure module) |