IBM HSM Highlights

Highest cryptographic security available.

Each of IBM’s HSM devices offers the highest cryptographic security available commercially. Federal Information Processing Standards (FIPS) publication 140-2 defines security requirements for cryptographic modules. It is issued by the U.S. National Institute of Standards and Technology (NIST) and is widely used as a measure of the security of HSMs. The cryptographic processes of each of the IBM HSMs are performed within an enclosure on the HSM that is designed to provide complete physical security.

PCIeCC3

The IBM PCIeCC3 (CEX6S) is validated to FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices. See FIPS certification number 3410 for the certificate.

The "Payment Card Industry Hardware Security Module" standard, PCI HSM, is issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. The PCI HSM certification process for the IBM CEX6S is in process.

PCIeCC2

The IBM PCIeCC2 is validated to FIPS 140-2 Level 4. See FIPS certification number 3164 for the certificate.

The IBM 4767 with IBM Enterprise PKCS#11 firmware is Common Criteria EAL4 Certified.

The IBM PCIeCC2 hardware with CCA firmware version 5.3 meets the requirements of the German Banking Industry Committee (GBIC). The CCA release 5.3 provides sophisticated state-of-the-art protections for handling sensitive information like PIN data, cryptographic key data and account data. The HSM IBM Model 4767-002 CCA Release 5.3 implementation is compliant with GBIC's security requirements.

PCIeCC

The IBM PCIeCC is also validated to FIPS 140-2 Level 4. See FIPS certification number 1505 for the certificate.

The IBM HSMs are supported on the following platforms:

IBM Z®
(PCIeCC3, PCIeCC2, and PCIeCC)

IBM Power Systems™
(PCIeCC2 and PCIeCC)

x86 servers
(PCIeCC2 and PCIeCC)

Available on multiple platforms.

This table shows the machine type-model (MTM) or feature code (FC) for each version of IBM HSM.

IBM PCIe Cryptographic Coprocessor

  • Version 3 (PCIeCC3)

x86 server MTM

  • N/A

IBM Z feature code (note 1)

  • FC 0893 - Crypto Express6S (CEX6S).
  • Only on z14®

Power Systems feature code

  • N/A

IBM PCIe Cryptographic Coprocessor

  • Version 2 (PCIeCC2)

x86 server MTM

  • MTM 4767-002

IBM Z feature code (note 1)

  • FC 0890 - Crypto Express5S (CEX5S).
  • Only on z14®, z13s™, and z13®.

Power Systems feature code

  • FC EJ32 (IBM POWER8®, Customer Card Identification Number 4767, without blind-swap cassette custom carrier)
  • FC EJ33 (IBM POWER8®, Customer Card Identification Number 4767, with blind-swap cassette custom carrier)

IBM PCIe Cryptographic Coprocessor

  • Version 1 (PCIeCC)

x86 server MTM

  • MTM 4765-001

IBM Z feature code (note 1)

  • FC 0865 - Crypto Express4S (CEX4S). Excluding z14, z13s, and z13. 
  • FC 0864 - Crypto Express3 (CEX3). Excluding z14, z13s, and z13. 

Power Systems feature code

  • FC EJ27 (not a blind-swap cassette)
  • FC EJ28 (IBM POWER6® generation-3 blind-swap cassette and instruction EC N23386)
  • FC EJ29 (IBM POWER7® generation-4 blind-swap and instruction EC N23597)

Note:

1. FC 0893, FC 0890, FC 0865, and FC 0864 all require FC 3863 - CPACF Enablement (Central Processor Assist for Cryptographic Functions). CPACF is a set of cryptographic instructions providing improved performance through hardware acceleration. Using the cryptographic hardware, you gain security from using the CPACF and the Crypto feature through in-kernel cryptography APIs and, for Linux on IBM Z, the libica cryptographic functions library. Cryptographic keys must be protected by your application system, as required.

Relieves main processor from cryptographic tasks.

The IBM HSMs have a PCIe local-bus-compatible interface and have tamper-responding, programmable cryptographic coprocessors, each containing a CPU, encryption hardware, RAM, persistent memory, a hardware random number generator, a time-of-day clock, infrastructure firmware, and software. Their specialized hardware performs AES, DES, RSA, ECC, AESKW, HMAC, DES/3DES/AES MAC, SHA-1, SHA-224 to SHA-512, SHA-3, and other cryptographic processes, relieving the main processor from these tasks. The coprocessor design protects your cryptographic keys and any sensitive customer applications.

Customizable to meet special requirements.

The firmware running in the coprocessor together with the software running on your host can be customized to meet any special requirements that your enterprise has. For the PCIeCC2 and PCIeCC, the Cryptographic Coprocessor Toolkit (CCTK) is available for purchase from IBM, subject to the export regulations of the United States Government. The CCTK can enable developers to build applications for the HSM, authenticate programs, and load programs into the HSM. The custom programming toolkit includes a custom software interface reference which describes the function calls that applications running in the HSM use to obtain services from the HSM operating system and from the HSM host system device driver. Another included reference provides the method for extending the CCA host API and the API reference for the user-defined extensions programming environment. Finally, an Interactive Code Analysis Tool (ICAT) is provided that developers can use to debug applications running on the HSM. Frequently a custom contract provides consultation to hasten application development, and sometimes provides for initial development by IBM. Whenever needed, IBM is also able to bid on developing your custom solution or extension.

Secure Administration of HSMs.

For the PCIeCC2 and PCIeCC, IBM offers GUI-based utilities to administer the HSM cards, including loading of initial keys and setup of the access control system. Each of these can use smart cards as part of the administrative process, to carry key parts securely and to identify administrators and allow them to perform sensitive functions. On Intel x86 systems and Power servers running AIX, the CNM (Cryptographic Node Management) utility is provided for free with the HSM software. On IBM Z, the TKE feature is a separate device with an HSM card and smart card readers as well as special software. TKE communicates with IBM Z servers over a network using secure protocols, and can administer many HSM cards in many different servers.

The IBM Enterprise Key Management Foundation (EKMF) is a flexible and highly secure key management system for the enterprise. It provides centralized key management on IBM zEnterprise® and distributed platforms for streamlined, efficient and secure key and certificate management operations. Contact IBM's Crypto Competence Center Copenhagen for details.

Smart cards on Linux.

For the PCIeCC2 and PCIeCC, IBM provides a Smart Card Utility Program (SCUP), a GUI application for use on Linux, with the Cryptographic Node Management (CNM) application (also GUI based), to manage smart cards with an IBM HSM. Linux users can use SCUP to initialize smart cards that can then be used with CNM to generate and store CCA DES and PKA master key parts on supported smart cards, load CCA master key parts stored on supported smart cards, and log on to CCA using smart card CCA profiles tied to an RSA key pair associated with a particular smart card and user profile. Smart cards are available for purchase from IBM. Additionally, IBM can provide assistance in setting up and configuring SCUP and CNM.

CCA Java Native Interface (JNI).

For the PCIeCC2 and PCIeCC: In addition to support for C and C++ programming languages, the CCA Support Program includes a CCA Java Native Interface (JNI) that application programmers can use to build Java applications that call CCA API functions. On x86 and IBM AIX, the CCA JNI is provided with the IBM CCA installation. The IBM i® Option 35 (CCA Cryptographic Service Provider feature) does not support the CCA JNI, but it does provide language bindings for COBOL, RPG, and CL. CCA for Linux on Z features its own cryptographic JNI.