With the purchase of an IBM PCIeCC HSM, you also receive IBM’s Common Cryptographic Architecture (CCA). CCA includes these capabilities:
Cryptographic algorithms, including:
- Symmetric key algorithms: AES (128-256 bit), Triple-DES (112, 192 bit), DES (56 bit) for data confidentiality, message authentication, key management, financial payment card systems functions, and others
- Public-key algorithms: RSA (to 4096 bits), Elliptic Curve (NIST Prime curves to 521 bits, Brainpool curves to 512 bits) for digital signatures and key management
- Hashing algorithms: SHA-1, SHA-2 (224-512), MD5, RIPEMD-160, MDC
- HMAC using SHA-1 or SHA-2
- Hardware-based prime number generator
Financial cryptography support, including:
- Sophisticated key typing and key usage control
- PIN processing
- EMV smart card personalization and transaction processing
- ATM remote key distribution
- Key derivation
- TR-31 key block support
Relevant standards that are supported (not a complete list):
- Key management: ANSI X9.24 Part 1, ANSI X9.24 Part 2, ANSI TR-31, ANSI X9.8 / ISO 9564, NIST SP 800-108, NIST SP 800-56A, ANSI X9.63, ANSI X9.102
- Device security and cryptographic algorithm correctness: FIPS 140, ANSI X9.97, ISO 13491
- Digital signatures: NIST FIPS 186, ANSI X9.62, PKCS #1, ANSI X9.31, ISO 9796
- Random number generation: NIST SP 800-90A
- Hashing and HMAC: NIST FIPS 180, NIST FIPS 198
Custom programming support:
- UDX (User Defined eXtensions) toolkit allows adding custom functions to the CCA API
- Toolkit also allows developing your own custom firmware in place of IBM CCA or EP11
The IBM CCA Support Program (known as ICSF on IBM Z® running z/OS®) provides a comprehensive, integrated family of services that employs the major capabilities of the IBM coprocessors.
CCA provides the usual AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support. In addition, CCA features extensive support for distributed key management and many functions of special interest to the finance industry. Other changes and extensions to the Support Program are described in the "Revision history" section of the CCA Basic Services Reference and Guide (PDF, 7.1 MB).
The CCA software has been independently reviewed and certified by two regional banking organizations.
- It has been reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA) for use in specific German finance systems.
- It has been approved under the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") scheme used by the Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks. See the 4765 Releases page for details.