CCA

IBM CCA provides a comprehensive set of cryptographic functions, including the common AES, TDES, RSA, and ECC functions for data confidentiality and data integrity support. In addition, CCA features extensive functions for key management and many functions of special interest to the banking and finance industry. Changes and extensions to CCA are described in the "Revision history" section of the IBM CCA Basic Services Reference and Guide.

CCA and the 4769 HSM hardware are designed for certification under the security requirements of the Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) device program (also known as PCI-HSM).

CCA and the 4769 HSM hardware have been independently reviewed and approved by the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK (formerly ZKA) for use in specific German finance systems.

 

CCA includes these capabilities:

Cryptographic algorithms, including:

  • Symmetric key algorithms: AES (128/192/256 bit), Triple-DES (112/162 bit), DES (56 bit) for data confidentiality, message authentication, key management, financial payment card systems functions, and others
  • Public-key algorithms: RSA (to 4096 bits), Elliptic Curve (NIST Prime curves to 521 bits, Brainpool curves to 512 bits) for digital signatures and key management
  • Hashing algorithms: SHA-1, SHA-2 (224 - 512), MD5, RIPEMD-160, MDC
  • HMAC using SHA-1 or SHA-2
  • Hardware-based prime number generator

 

Financial cryptography support, including:

  • Design elements for PCI-HSM evaluation
    • PCI compliant “mode”
      • AES, RSA, and DES keys can be Compliance Tagged
      • PCI HSM Key Restrictions enforced for all compliance tagged keys
      • HSM functions restricted to PCI HSM permitted set for compliance tagged keys
    • Audit log secured by the HSM
    • Warning Mode to support analysis for transition to full compliance mode
      • Determine which functions in your application are not PCI HSM compliant
      • Determine which of your keys are not PCI HSM compliant
    • Migration Mode to support transition of your current keys to become PCI-HSM compliant tagged keys
    • Non-disruptive secure mode transition
      • Keep Master Keys (MKs)
      • Keep running your application using existing keys
    • Manufactured in an environment compliant with PCI HSM requirements
    • Firmware that enforces compliance
  • Sophisticated key typing and key usage control
  • PIN processing
  • EMV smart card personalization and transaction processing
  • X.509 certificate native support for all public key services backed by internal Public Key Infrastructure (PKI)
  • ATM remote key distribution
  • X9 TR-34 remote key distribution
    • to ATMs or to remote key exchange hosts
    • backed by native X.509 support and optionally secured by trust anchors securely loaded to the HSM-internal PKI (no pre-loaded trust anchors)
  • Key derivation
  • X9 TR-31 key block support
  • Derived Unique Key Per Transaction (DUKPT)

 

Relevant standards that are supported (not a complete list):

  • Designed to meet the requirements of PCI PTS HSM Modular Derived Test Requirements, v3.0, June 2016, PCI Security Standards Council LLC
  • Key management: ANSI X9.24 Part 1, ANSI X9.24 Part 2, ANSI TR-31, ANSI X9.8 / ISO 9564, NIST SP 800-108, NIST SP 800-56A, ANSI X9.63, ANSI X9.102
  • Device security and cryptographic algorithm correctness: FIPS 140, ANSI X9.97, ISO 13491
  • Digital signatures: NIST FIPS 186, ANSI X9.62, PKCS #1, ANSI X9.31, ISO 9796
  • Random number generation: NIST SP 800-90A
  • Hashing and HMAC: NIST FIPS 180, NIST FIPS 198