Key features of the IBM PCIe Cryptographic Coprocessors

High-end secure coprocessors

The IBM 4769, 4768, and 4767 PCIe Cryptographic Coprocessors are high-end secure coprocessors implemented on a PCIe card with a multi-chip embedded module. They are suited to applications requiring high-speed cryptographic functions for data encryption and digital signing, secure storage of signing keys, or custom cryptographic applications. These can include financial applications such as PIN generation and verification in automated teller and point-of-sale transaction servers.

Highest level of certification: FIPS PUB 140-2, Level 4

The IBM PCIe Cryptographic Coprocessors are designed to meet Federal Information Processing Standards (FIPS), which are issued by the U.S. National Institute of Standards and Technology (NIST). The cryptographic processes are performed within an enclosure on the HSM that is validated to FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. Level 4 is the highest level of certification achievable for commercial cryptographic devices.

Performance and architectural improvements

Read the data sheet (PDF, 386 KB)

The IBM 4769 hardware provides significant performance and architectural improvements over its predecessors while enabling future growth. For example, the IBM 4769 can exceed 23,000 PIN translation operations per second. The secure module contains two logical processors constructed from two redundant IBM PowerPC 476 processors per logical processor. It also contains custom symmetric key and hashing engines to perform AES (CBC, ECB, GCM, XTS, CMAC, others), DES and TDES (CBC, ECB, MAC, EMVMAC, X9.19, X9.9, others), hashing (SHA-1, SHA-2(224-512, SHA-3), MD5, RIPEMD-160, MDC-2, MDC-4, PADMDC-2, PADMDC-4) and HMAC. The hardware supports asymmetric algorithms including large number modular math functions for RSA (up to 4096-bit), Elliptic Curve (Prime curves up to 521, Brainpool curves up to 512), Curve 25519, Curve 448 for Elliptic Curve Diffie-Hellman (ECDH), and Signature generation/verification (ECDSA & EdDSA).

Tamper responding design

Each IBM cryptographic coprocessor has a secure module that is protected by a tamper responding design that protects against a wide variety of attacks against the system and immediately destroys all keys and sensitive data if tampering is detected. Other hardware support includes a secure real time clock, hardware random number generator and a prime number generator.

Common Cryptographic Architecture, Enterprise PKCS #11 APIs

IBM provides the Common Cryptographic Architecture (CCA) Support Program that you can load into the coprocessor (HSM) to perform cryptographic functions common in the finance industry and in Internet business applications. You can also add custom functions to the HSM using an available programming toolkit or through IBM consulting services. IBM also provides the Enterprise PKCS #11 (EP11) interface to run secure key cryptographic operations using the industry standard PKCS #11 API.

Embedded certificate allows external verification

During the final manufacturing step, the coprocessor generates a unique public/private key pair that is stored in the device. The tamper detection circuitry is activated and remains active throughout the useful life of the coprocessor, protecting this private key as well as other keys and sensitive data. The public key of the coprocessor is certified at the factory by an IBM private key, and the certificate is retained in the coprocessor. These safeguards ensure the HSM is genuine and untampered.

Currently available for select IBM Z and LinuxONE servers

The IBM 4769 is available on select IBM z15® models as the Crypto Express7S (CEX7S) feature. On z/OS, support is provided by ICSF cryptographic services. On Linux on IBM Z, CEX7S support is provided by CCA and by EP11 support programs.

The IBM 4768 is available on select IBM z14® models as the Crypto Express6S (CEX6S) feature. On z/OS, support is provided by ICSF cryptographic services. On Linux on IBM Z, CEX6S support is provided by CCA and by EP11 support programs.

Planned availability for x64 and Power servers

The IBM 4767 is available on select IBM z13® models as the Crypto Express5S (CEX5S) feature. On z/OS, support is provided by ICSF cryptographic services. On Linux on IBM Z, CEX5S support is provided by CCA and by EP11 support programs. On x64 servers, the IBM 4767 is available as MTM 4767-002 with support for specific Windows, SLES, and RHEL releases. On IBM POWER7® servers, it is supported by IBM AIX®, IBM i®, and PowerLinux™ operating systems.