Supported platforms by IBM HSM

CEX6S (FC 0893) on IBM Z. PCIeCC3 HSM
CEX5S (FC 0890) on IBM Z. PCIeCC2 HSM. FC EJ32/EJ33 on Power. HSM 4767 on x8.
CEX4S (FC 0865)/CEX3C (FC 0864) on IBM Z. PCIeCC HSM. FC EJ27/EJ28/EJ29 on Power. HSM 4765 on x86.

IBM PCIe Cryptographic Coprocessor Version 3

The IBM PCIe Cryptographic Coprocessor Version 3 (PCIeCC3) is the latest generation of IBM's PCIe hardware security modules (HSMs). It is redesigned for improved performance and security rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. For a detailed summary of the capabilities and specifications of the PCIeCC3 (also referred to as the Crypto Express6S, or CEX6S), refer to the IBM 4768 Data Sheet (PDF, 474 KB).

The PCIeCC3 is described more fully here.

FIPS 140 defines security requirements for cryptographic modules. It is issued by the U.S. National Institute of Standards and Technology (NIST) and is widely used as a measure of the security of HSMs. The IBM CEX6S is validated by NIST (certificate number 3410) at FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices.

PCI HSM is the "Payment Card Industry Hardware Security Module" standard issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. To view IBM firmware levels and devices that have achieved this certification, search by 'Company name' for "IBM Corporation" on the PCI PTS website (link resides outside of ibm.com).

The PCIeCC3 is available on IBM Z® mainframes (z14® only):

The PCIeCC3 is available as feature code (FC) 0893 (Crypto Express6S, or CEX6S) on IBM Z mainframes (z14 only), either on z/OS® or Linux® on IBM Z operating systems.

  • On z/OS, IBM offers the Integrated Cryptographic Service Facility (ICSF) component that ships with the base product. ICSF is the software on z/OS that provides access to the z Systems CEX5S cryptographic hardware feature through the use of callable services that comply with IBM's Common Cryptographic Architecture (CCA). ICSF together with the IBM Resource Access Control Facility (RACF) licensed program provide cryptographic services using the CCA security API.
  • On Linux on Z, IBM offers a CCA API for the CEX6S and a PKCS #11 (EP11) API to the user. The CCA API shipped with the CEX6S is an enhanced version of the CCA API shipped with the CEX5S, CEX4S, or CEX3.
Crypto

IBM CEX6S / PCIeCC3 Highlights

The IBM PCIeCC3 is an HSM, a programmable PCIe card that offloads computationally intensive cryptographic processes from the hosting server and performs sensitive tasks unsuitable for less secure general-purpose computers. It is a key product for enabling secure Internet business transactions, and is suited for a wide variety of secure cryptographic applications. It features:

  • A high-end secure coprocessor implemented on a PCIe card with a multi-chip embedded module
  • Foundation for secure applications, such as high assurance digital signature generation or financial transaction processing
  • Custom software options
  • Hardware to perform symmetric and hashing algorithms, including AES (CBC, ECB, GCM, XTS, CMAC, others), DES and TDES (CBC, ECB, MAC, EMVMAC, X9.19, X9.9, others), hashing (SHA-1, SHA-2 (224-512), MD5, RIPEMD-160, MDC-2, MDC-4, PADMDC-2, PADMDC-4) and HMAC
  • Hardware to support asymmetric algorithms including large number modular math functions for RSA (up to 4096-bit) Elliptic Curve (Prime Curves to 521 and Brainpool Curves up to 512)
  • Standards-compliant hardware random number generator
  • Hardware-based prime number generator
  • Secure code loading that enables updating of the functionality while installed in application systems
  • IBM Common Cryptographic Architecture (CCA) API and security architecture
  • Maximum flexibility and maximum trust while operating in physical environments that have minimum physical security
  • Suitable for high-security processing and high-speed cryptographic operations
  • Visa Data Secure Platform (DSP) Point-to-Point Encryption (P2PE) including Visa FPE encryption, decryption, and translation
  • Tamper-responding programmable secure hardware validated to meet FIPS 140-2 Level 4 certification, the highest level of security
  • Improved performance and new streamlined secure boot load engine, which enables faster firmware loading as well as future performance improvements and improves the adaptability of the design to processor architecture changes.
IBM CEX6S / PCIeCC3 Highlights

Software

IBM provides the Common Cryptographic Architecture (CCA) Support Program that you can load into the HSM to perform cryptographic functions common in the finance industry and in Internet business applications. You can also add custom functions to the HSM using an available programming toolkit through IBM consulting services.

IBM also provides EP11, which is specifically designed for customers seeking support for open standards and enhanced security. The EP11 library provides an interface very similar to the industry-standard PKCS #11 API. Existing applications using PKCS #11 will benefit from using EP11 for secure key cryptography.

The IBM CEX6S HSM is suited to applications requiring high-speed cryptographic functions for data encryption and digital signing, secure storage of signing keys, or custom cryptographic applications. These can include financial applications such as PIN generation and verification in automated teller and point-of sale transaction servers, Internet business and Webserving applications, Public Key Infrastructure applications, smart card applications, and custom proprietary solutions. Applications can benefit from the strong security characteristics of the HSM and the opportunity to offload computationally intensive cryptographic processing.

The increased overall performance, especially in public-key algorithms, and new streamlined secure boot load engine highlight the improvements over the previous generations of IBM HSM.

IBM PCIe Cryptographic Coprocessor Version 2

The IBM PCIe Cryptographic Coprocessor Version 2 (PCIeCC2) is designed for improved performance and security rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. For a detailed summary of the capabilities and specifications of the PCIeCC2, refer to the IBM 4767 Data Sheet (PDF, 262 KB).

The PCIeCC2 is described more fully here.

Federal Information Processing Standards (FIPS) are issued by the U.S. National Institute of Standards and Technology (NIST). The PCIeCC2 cryptographic processes are performed within an enclosure on the HSM and are validated to FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. Level 4 is the highest level of certification achievable for commercial cryptographic devices. See FIPS certification number 3164 (Link resides outside ibm.com) on the Computer Security Resource Center website for the certification.

The IBM 4767 with IBM Enterprise PKCS#11 firmware is Common Criteria EAL4 Certified (Link resides outside ibm.com).

The IBM PCIeCC2 hardware with CCA firmware version 5.3 meets the requirements of the German Banking Industry Committee (GBIC) (Link resides outside ibm.com). The CCA release 5.3 provides sophisticated state-of-the-art protections for handling sensitive information like PIN data, cryptographic key data and account data. The HSM IBM Model 4767-002 CCA Release 5.3 implementation is compliant with GBIC's security requirements.

The PCIeCC2 is available on IBM Z mainframes (z14, z13s™, and z13® only), on x86 servers, and IBM Power Systems®:

Crypto
  • IBM Z mainframe computers

    The PCIeCC2 is available as feature code (FC) 0890 (Crypto Express5S, or CEX5S) on IBM Z mainframes (z14, z13s, and z13 only), either on z/OS or Linux on Z operating systems.

    • On z/OS, IBM offers the Integrated Cryptographic Service Facility (ICSF) component that ships with the base product. ICSF is the software on z/OS that provides access to the IBM Z CEX5S cryptographic hardware feature through the use of callable services that comply with IBM's Common Cryptographic Architecture (CCA). ICSF together with the IBM Resource Access Control Facility (RACF) licensed program provide cryptographic services using the CCA security API.
    • On Linux on Z, IBM offers a CCA API for the CEX5S and a PKCS #11 (EP11) API to the user. The CCA API shipped with the CEX5S is an enhanced version of the CCA API shipped with the CEX4S or CEX3.
  • x86 servers.

    The PCIeCC2 is available as a machine type-model 4767-002 on x86 servers that meet the criteria on either Microsoft® Windows Server®, SUSE® (a Micro Focus Company) Linux Enterprise Server (SLES), or Red Hat® Enterprise Linux® (RHEL) 64-bit operating systems. IBM offers a Common Cryptographic Architecture (CCA) Support Program for the IBM 4767 PCIe Cryptographic Coprocessor, at no charge, to the user. CCA for the 4767 is an enhanced version of the CCA Support Program shipped with the IBM 4765 PCIe Cryptographic Coprocessor.

  • IBM Power Systems.

    The PCIeCC2 is available as FC EJ32, Customer Card Identification Number 4767 (without blind-swap cassette custom carrier) and as FC EJ33, Customer Card Identification Number 4767 (with blind-swap cassette custom carrier) on IBM POWER8® servers, either on IBM AIX®, IBM i, or PowerLinux™ (RHEL, SLES, or Ubuntu®) operating systems.

IBM 4767 / PCIeCC2 Highlights

The IBM PCIeCC2 is an HSM, a programmable PCIe card that offloads computationally intensive cryptographic processes from the hosting server and performs sensitive tasks unsuitable for less secure general-purpose computers. It is a key product for enabling secure Internet business transactions, and is suited for a wide variety of secure cryptographic applications. It features:

  • A high-end secure coprocessor implemented on a PCIe card with a multi-chip embedded module
  • Foundation for secure applications, such as high assurance digital signature generation or financial transaction processing
  • Custom software options
  • Hardware to perform symmetric and hashing algorithms, including AES (CBC, ECB, GCM, XTS, CMAC, others), DES and TDES (CBC, ECB, MAC, EMVMAC, X9.19, X9.9, others), hashing (SHA-1, SHA-2  (224-512), MD5, RIPEMD-160, MDC-2, MDC-4, PADMDC-2, PADMDC-4) and HMAC
  • Hardware to support asymmetric algorithms including large number modular math functions for RSA (up to 4096-bit) Elliptic Curve (Prime Curves to 521 and Brainpool Curves up to 512)
  • Standards-compliant hardware random number generator
  • Hardware-based prime number generator
  • Secure code loading that enables updating of the functionality while installed in application systems
  • IBM Common Cryptographic Architecture (CCA) API and security architecture
  • IBM Enterprise PKCS #11 (EP11)
  • Maximum flexibility and maximum trust while operating in physical environments that have minimum physical security
  • Suitable for high-security processing and high-speed cryptographic operations
  • Visa Data Secure Platform (DSP) Point-to-Point Encryption (P2PE) including Visa FPE encryption, decryption, and translation
  • Tamper-responding programmable secure hardware that meets FIPS 140-2 Level 4, the highest level of security
IBM 4767 / PCIeCC2 Highlights

Certifications

Software

IBM provides the Common Cryptographic Architecture (CCA) Support Program that you can load into the HSM to perform cryptographic functions common in the finance industry and in Internet business applications. You can also add custom functions to the HSM using an available programming toolkit or through IBM consulting services.

IBM also provides EP11, which is specifically designed for customers seeking support for open standards and enhanced security. The EP11 library provides an interface very similar to the industry-standard PKCS #11 API. Existing applications using PKCS #11 will benefit from using EP11 for secure key cryptography.

The IBM 4767 HSM is suited to applications requiring high-speed cryptographic functions for data encryption and digital signing, secure storage of signing keys, or custom cryptographic applications. These can include financial applications such as PIN generation and verification in automated teller and point-of sale transaction servers, Internet business and Webserving applications, Public Key Infrastructure applications, smart card applications, and custom proprietary solutions. Applications can benefit from the strong security characteristics of the HSM and the opportunity to offload computationally intensive cryptographic processing.

IBM PCIe Cryptographic Coprocessor Version 1

The IBM PCIe Cryptographic Coprocessor Version 1 (PCIeCC) is designed to provide security rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. For a detailed summary of the capabilities and specifications of the PCIeCC, refer to the IBM 4765 Specification Sheet (PDF, 232 KB).

The PCIeCC is described more fully here.

IBM's HSM devices offer the highest cryptographic security available. Federal Information Processing Standards (FIPS) are issued by the U.S. National Institute of Standards and Technology (NIST). The PCIeCC cryptographic processes are performed within an enclosure on the HSM that is validated to FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. See FIPS certification number 1505 (Link resides outside ibm.com) on the Computer Security Center Resource website for the certification.

The PCIeCC is supported on IBM Z mainframe computers (excluding z14, z13s, and z13), on select IBM POWER Systems, and on select IBM-approved x86 architecture servers:

Crypto
  • IBM Z mainframe computers.

    The PCIeCC is supported as feature code (FC) 0865 (Crypto Express4S, or CEX4S), and as FC 0864 (Crypto Express3, or CEX3C) on IBM Z mainframes either on z/OS or  Linux on Z operating systems.

    • On z/OS, IBM offers the Integrated Cryptographic Service Facility (ICSF) component that ships with the base product. ICSF is the software on z/OS that provides access to the IBM Z CEX4S / CEX3C cryptographic hardware feature through the use of callable services that comply with IBM's Common Cryptographic Architecture (CCA). ICSF together with the IBM Resource Access Control Facility (RACF) licensed program provide cryptographic services using the CCA security API.
    • On Linux on Z, IBM offers a CCA API for the CEX4S / CEX3C and a PKCS #11 (EP11) API to the user.
  • Select IBM-approved x86 servers.

    The PCIeCC is supported as an IBM Z machine type-model 4765-001 on select IBM-approved x86 servers.  IBM offers a Common Cryptographic Architecture (CCA) Support Program for the IBM 4765 PCIe Cryptographic Coprocessor, at no charge, to the user for SUSE (a Micro Focus Company) Linux Enterprise Server (SLES) 11 Service Pack 3 (32-bit) and Service Pack 2.

  • IBM Power Systems.

    The PCIeCC is supported on IBM AIX® and IBM i as the following hardware feature codes:

    • FC EJ27, IBM POWER6® or IBM POWER7®, no custom carrier
    • FC EJ28, IBM POWER6 custom carrier
    • FC EJ29, IBM POWER7 custom carrier

IBM 4765 / PCIeCC Highlights

The IBM PCIeCC is an HSM that provides a high-security, high-throughput cryptographic subsystem. It is suited for a wide variety of secure cryptographic applications. It features:

  • A PCIe card with a multi-chip embedded module intended to be a high-end secure coprocessor
  • Suitable for high-security processing and high-speed cryptographic operations
  • Tamper-responding programmable secure hardware that meets FIPS 140- 2 Level 4 certification, the highest level of security
  • Hardware to perform AES, DES, TDES, random number generation, SHA-1, SHA-256, MD5, HMAC, and large number modular math functions for RSA (up to 4096- bit), ECC Prime Curve and other public-key cryptographic algorithms
  • IBM Common Cryptographic Architecture (CCA Support Program)
  • Custom software options
  • Secure code loading that enables updating of the functionality while installed in application systems
  • Foundation for secure applications, such as high-assurance digital signature generation or financial transaction processing
  • Maximum flexibility, maximum trust with minimum physical security

 

FIPS VALIDATED 140-2

Software

IBM provides the Common Cryptographic Architecture (CCA) Support Program that you can load into the IBM 4765 to perform cryptographic functions, including data confidentiality, message integrity, digital signature generation and verification, message hashing, PIN processing, key distribution, smart card support, generation of high-quality random numbers, refined key typing, and other functions common in the finance industry and in Internet business applications. You can also add custom functions to the HSM using an available programming toolkit or through IBM consulting services.

The IBM 4765 is suited to applications requiring high-speed cryptographic functions for data encryption and digital signing, secure storage of signing keys, or custom cryptographic applications. Applications can benefit from the strong security characteristics of the IBM 4765 HSM and the opportunity to offload computationally intensive cryptographic processing.