IBM Cryptographic HSM Highlights

Edit online

IBM Cryptographic HSM Highlights

Highest cryptographic security available

Each of IBM’s HSM devices offer the highest cryptographic security available commercially. Federal Information Processing Standards (FIPS) publication 140-2 defines security requirements for cryptographic modules. It is issued by the U.S. National Institute of Standards and Technology (NIST) and is widely used as a measure of the security of HSMs. The cryptographic processes of each of the IBM HSMs are performed within an enclosure on the HSM that is designed to provide complete physical security.

IBM CEX7S / 4769

The IBM 4769 is validated by NIST to FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices.

The "Payment Card Industry Hardware Security Module" standard, PCI HSM, is issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. The IBM CEX7S with CCA 7.x has PCI HSM certification.

https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4079

IBM CEX6S / 4768

The IBM 4768 is validated to FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices. The IBM CEX6S with CCA 6.0 has PCI HSM certification.

IBM CEX5S / 4767

The IBM 4767 is validated to FIPS 140-2 Level 4.

The IBM 4767 with IBM Enterprise PKCS#11 firmware is Common Criteria EAL4 Certified (Link resides outside ibm.com).

The IBM 4767 hardware with CCA firmware version 5.3 meets the requirements of the German Banking Industry Committee (GBIC) (Link resides outside ibm.com). The CCA release 5.3 provides sophisticated state-of-the-art protections for handling sensitive information like PIN data, cryptographic key data and account data. The HSM IBM Model 4767-002 CCA Release 5.3 implementation is compliant with GBIC's security requirements.

IBM 4765

The IBM 4765 (no longer sold by IBM) is validated to FIPS 140-2 Level 4.

The IBM HSMs are Supported on the Following Platforms:

IBM Z®

(CEX7S (4769), CEX6S (4768), and CEX5S(4767))

IBM Power Systemsᵀᴹ

(FC EJ32/EJ33 (4767) and FC EJ27/EJ28/EJ29 (4765))

x64 servers

(MTM 4769-001 and MTM 4767-002)

Available on Multiple Platforms

This table shows the machine type-model (MTM) or feature code (FC) for each version of IBM HSM.

IBM 4769

x64 server MTM
  • MTM 4769-001
IBM Z feature code (note 1)
  • FC 0898 / 0899 - Crypto Express7S (CEX7S).
  • Only on z15ᵀᴹ
Power Systems feature code
  • FC EJ35 (IBM POWER10® and POWER9®, CCIN C0AF, without blind-swap cassette custom carrier)
  • FC EJ37 (IBM POWER10® and POWER9®, CCIN C0AF, with blind-swap cassette custom carrier)

IBM 4768

x64 server MTM
  • N/A
IBM Z feature code (note 1)
  • FC 0893 - Crypto Express6S (CEX6S).
  • Only on z14®
Power Systems feature code
  • N/A

IBM 4767

(no longer sold by IBM)

x64 server MTM
  • MTM 4767-002
IBM Z feature code (note 1)
  • FC 0890 - Crypto Express5S (CEX5S).
  • Only on z14®, z13sᵀᴹ, and z13®.
Power Systems feature code
  • FC EJ32 (IBM POWER8®, CCIN 4767, without blind-swap cassette custom carrier)
  • FC EJ33 (IBM POWER8®, CCIN 4767, with blind-swap cassette custom carrier)

IBM 4765

(no longer sold by IBM)

x86 server MTM

  • MTM 4765-001

IBM Z feature code (note 1)
  • FC 0865 - Crypto Express4S (CEX4S). Excluding z14, z13s, and z13.
  • FC 0864 - Crypto Express3 (CEX3). Excluding z14, z13s, and z13.
Power Systems feature code
  • FC EJ27 (not a blind-swap cassette)
  • FC EJ28 (IBM POWER6® generation-3 blind-swap cassette and instruction EC N23386)
  • FC EJ29 (IBM POWER7® generation-4 blind-swap and instruction EC N23597)

Note: 1. FC 0898, FC 0899, FC 0893, FC 0890, FC 0865, and FC 0864 all require FC 3863 - CPACF Enablement (Central Processor Assist for Cryptographic Functions). CPACF is a set of cryptographic instructions providing improved performance through hardware acceleration. Using the cryptographic hardware, you gain security from using the CPACF and the Crypto feature through in-kernel cryptography APIs and, for Linux on IBM Z, the libica cryptographic functions library. Cryptographic keys must be protected by your application system, as required.

Relieves Main Processor From Cryptographic Tasks

The IBM HSMs have a PCIe local-bus-compatible interface, and have tamper responding, programmable, cryptographic coprocessors, each containing a CPU, encryption hardware, RAM, persistent memory, hardware random number generator, time-of-day clock, infrastructure firmware, and software. Their specialized hardware performs AES, DES, DES, RSA, ECC, AESKW, HMAC, DES/3DES/AES MAC, SHA-1, SHA-224 to SHA-512, SHA-3, and other cryptographic processes, relieving the main processor from these tasks. The coprocessor design protects your cryptographic keys and any sensitive customer applications.

Customizable to Meet Special Requirements

The firmware running in the coprocessor together with the software running on your host can be customized to meet any special requirements that your enterprise has. For the IBM 4769 and IBM 4767, the Cryptographic Coprocessor Toolkit (CCTK) is available for purchase from IBM, subject to the export regulations of the United States Government. The CCTK can enable developers to build applications for the HSM, authenticate programs, and load programs into the HSM. The custom programming toolkit includes a custom software interface reference which describes the function calls that applications running in the HSM use to obtain services from the HSM operating system and from the HSM host system device driver. Another included reference provides the method for extending the CCA host API and the API reference for the user-defined extensions programming environment. Finally, an Interactive Code Analysis Tool (ICAT) is provided that developers can use to debug applications running on the HSM. Frequently a custom contract provides consultation to hasten application development, and sometimes provides for initial development by IBM. Whenever needed, IBM is also able to bid on developing your custom solution or extension.

Secure Administration of HSMs

For the IBM 4769 and IBM 4767, IBM offers GUI-based utilities to administer the HSM cards, including loading of initial keys and setup of the access control system. Each of these can use smart cards as part of the administrative process, to carry key parts securely and to identify administrators and allow them to perform sensitive functions. On Intel x64 systems and Power servers running AIX, the Smart Card Utility Program (SCUP), Cryptographic Hardware Initialization and Maintenance (CHIM), and/or CNM (Cryptographic Node Management - 4767 only) utilities are provided with the HSM software. On IBM Z, the TKE feature is a separate device with an HSM card and smart card readers as well as special software. TKE communicates with IBM Z servers over a network using secure protocols, and can administer many HSM cards in many different servers.

The IBM Enterprise Key Management Foundation (EKMF) is a flexible and highly secure key management system for the enterprise. It provides centralized key management on IBM zEnterprise® and distributed platforms for streamlined, efficient and secure key and certificate management operations. Contact IBM's Crypto Competence Center Copenhagen for details.

Smart Cards on Linux

For the 4769 and 4767, IBM provides the SCUP and CHIM applications to manage smart cards with an IBM HSM. SCUP and CHIM run on x64 systems with Linux and can target IBM HSMs installed in x64 and Power systems running AIX. Customers can use SCUP to initialize smart cards that can then be used with CHIM to generate and store CCA master key parts on supported smart cards, load CCA master key parts stored on supported smart cards, and log on to CCA using smart card CCA profiles tied to an RSA key pair associated with a particular smart card and user profile. Smart cards are available for purchase from IBM.

CCA Java Native Interface (JNI)

For the IBM 4769 and 4767: In addition to support for C and C++ programming languages, the CCA Support Program includes a CCA Java Native Interface (JNI) that application programmers can use to build Java applications that call CCA API functions. On Intel x64 and IBM AIX, the CCA JNI is provided with the IBM CCA installation. The IBM i® Option 35 (CCA Cryptographic Service Provider feature) does not support the CCA JNI, but it does provide language bindings for COBOL, RPG, and CL. CCA for Linux on Z features its own cryptographic JNI.