Features

Edit online

Cryptographic Coprocessors provide cryptographic processing capability and a means to securely store cryptographic keys. You can use the Coprocessors with IBM i TLS or with IBM i application programs written by you or an application provider. Cryptographic functions supported include encryption for keeping data confidential, message digests and message authentication codes for ensuring that data has not been changed, and digital signature generation and verification. In addition, the Coprocessors provide basic services for financial PIN, EMV, and SET applications.

Note: The IBM® 4767 Cryptographic Coprocessor is no longer available but it is still supported.

IBM 4770 and 4769 Cryptographic Coprocessors

The primary benefit of the IBM Cryptographic Coprocessors is their provision of a secure environment for executing cryptographic functions and managing cryptographic keys. Master keys are stored in a battery backed-up, tamper-resistant hardware security module (HSM). The HSM is designed to meet Federal Information Processing Standard (FIPS) PUB 140 security requirements.

You can use the Coprocessors with IBM i TLS or with IBM i application programs written by you or an application provider. The 4770 Cryptographic Coprocessor offers improved performance over the 4769.

TLS application features

Establishment of Transport Layer Security (TLS) sessions requires computationally intensive cryptographic processing. When the Cryptographic Coprocessors are used with IBM i, TLS can offload this intensive cryptographic processing, and free the system CPU for application processing. The Cryptographic Coprocessors also provide hardware-based protection for the private key that is associated with the system's TLS digital certificate.

The 4770 and 4769 Cryptographic Coprocessor can be used with TLS in several different ways. First, through Digital Certificate Manager the Cryptographic Coprocessors can be used to create and store a private key in the FIPS 140 certified HSM for use by TLS. Secondly, the Cryptographic Coprocessors can be used to create a private key, encrypt it with the master key (all performed within the HSM), and then store the encrypted private key by using the system software in a keystore file. This enables a given private key to be used by multiple Cryptographic Coprocessor cards. Master keys are always stored in the FIPS 140 certified hardware module. Lastly, if private keys created via Digital Certificate Manager are not created using the Cryptographic Coprocessors, TLS can still use the Cryptographic Coprocessors for offload by simply varying the device description on. This accelerator mode of operation does not provide secure key storage, but it does process RSA cryptographic operations at a much higher rate than in the other two modes.

IBM i CCA application features

You can use your Cryptographic Coprocessor to provide a high-level of cryptographic security for your applications. To implement IBM i applications using the facilities of a Cryptographic Coprocessor you or an applications provider must write an application program using a security application programming interface (SAPI) to access the security services of your Cryptographic Coprocessor. The SAPI for the Cryptographic Coprocessor conforms to the IBM Common Cryptographic Architecture (CCA) and is supplied by IBM i Option 35 CCA Cryptographic Service Provider (CCA CSP).

With IBM i the Cryptographic Coprocessor SAPI supports application software that is written in ILE C, RPG, and Cobol. Application software via the SAPI can call on CCA services to perform a wide range of cryptographic functions, including Tripe-Data Encryption Standard (T-DES), RSA, ECC, MD5, SHA, and RIPEMD-160 algorithms. Basic services supporting financial PIN, EMV2000 (Europay, MasterCard, Visa) standard, and SET (Secure Electronic Transaction) block processing are also available. In support of an optional layer of security the Cryptographic Coprocessor provides a role-based access control facility, which allows you to enable and control access to individual cryptographic operations that are supported by the Coprocessor. The role-based access controls define the level of access that you give to your users.

The SAPI is also used to access the key management functions of the Coprocessor. Key-encrypting keys and data encryption keys can be defined. These keys are generated in the Cryptographic Coprocessor and encrypted under the master key so that you can store these encrypted keys outside of your Coprocessor. You store these encrypted keys in a keystore file, which is an IBM i database file. Additional key management functions include the following:

Create keys using cryptographically secure random-number generator.
Import and export encrypted T-DES, RSA, ECC, and AES keys securely.
Clone a master key securely.

Multiple Cryptographic Coprocessor cards can be used to meet your performance capacity and/or high-availability requirements. See Manage multiple Cryptographic Coprocessors for more information.

Security APIs for the 4770 Cryptographic Coprocessor are documented in the IBM PCIe Cryptographic Coprocessor CCA Basic Services Reference and Guide, Release 8.x. You can find these and other publications in the IBM PCIe Cryptographic Coprocessor documentation library.

Security APIs for the 4769 Cryptographic Coprocessor are documented in the IBM PCIe Cryptographic Coprocessor CCA Basic Services Reference and Guide, Release 7.x. You can find these and other publications in the IBM PCIe Cryptographic Coprocessor documentation library.

Security APIs for the 4767 Cryptographic Coprocessor are documented in the IBM PCIe Cryptographic Coprocessor CCA Basic Services Reference and Guide, Release 5.6x. You can find these and other publications in the IBM PCIe Cryptographic Coprocessor documentation library.