IBM 4768 explained

The IBM 4768^[1] PCIe Cryptographic Coprocessor is a hardware security module (HSM)^[2] that includes a secure cryptoprocessor implemented on a high security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

The IBM 4768^[3] is validated to FIPS PUB 140-2 Level 4,^[4] the highest level of certification achievable for commercial cryptographic devices. It has achieved PCI-HSM certification.^[5] The IBM 4768 data sheet^[6] describes the coprocessor in detail.

IBM supplies two cryptographic-system implementations:

• The PKCS#11^[7] implementation creates a high-security solution for application programs developed for this industry-standard API.
• The IBM Common Cryptographic Architecture (CCA) implementation provides many functions of special interest in the finance industry, extensive support for distributed key management, and a base on which custom processing and cryptographic functions can be added.

Applications may include financial PIN transactions, bank-to-clearing-house transactions, EMV transactions for integrated circuit (chip) based credit cards, and general-purpose cryptographic applications using symmetric key algorithms, hashing algorithms, and public key algorithms.

The operational keys (symmetric or RSA private) are generated in the coprocessor and are then saved either in a keystore file or in application memory, encrypted under the master key of that coprocessor. Any coprocessor with an identical master key can use those keys. Performance benefits include the incorporation of elliptic curve cryptography (ECC) and format preserving encryption (FPE) in the hardware.

IBM supports the 4768 on certain IBM Z mainframes as Crypto Express6S (CEX6S) - feature code 0893.^[8] The 4768 / CEX6S is part of IBM's support for pervasive encryption^{[9] [10] [11]} and drive to encrypt all data.^[12]

In September 2019 the successor IBM 4769 was announced.

References

1. Web site: PCleCC3 Overview IBM. 2018-03-20. www.ibm.com. en-US. 2018-04-18.
2. News: Understanding Hardware Security Modules (HSMs). Smirnoff. Peter. 2018-04-18. en-us.
3. Web site: IBM z14 / Pervasive Encryption. 2017-08-03. www.ibm.com. en-US. 2018-04-18.
4. Web site: Certificate Detail - Cryptographic Module Validation Program CSRC. csrc.nist.gov. 11 October 2016 .
5. Web site: PCI Security Standards - PCI-HSM certification for IBM 4768. PCI Security Standards Council. 2018-07-24.
6. Web site: IBM 4768 Data Sheet. https://web.archive.org/web/20180724213734/http://www-03.ibm.com/security/cryptocards/pciecc3/pdf/4768_PCIe_Data_Sheet.pdf. dead. July 24, 2018. 9 November 2020 .
7. Web site: Cryptsoft. www.cryptsoft.com. 2018-04-18.
8. Web site: IBM z14 Hardware Overview. .
9. Enabling pervasive encryption through IBM Z stack innovations - IBM Journals & Magazine. IBM Journal of Research and Development. March 2018 . 62 . 2/3 . 2:1–2:11 . en-US. 2018-04-18. 10.1147/JRD.2018.2795898. Jordan . M. . Sardino . N. . McGrath . M. . Zoellin . C. . Morris . T. E. . Carranza Lewis . C. . Vance . G. . Naylor . B. . Pickel . J. . Almeida . M. S. . Wierbowski . D. . Meyer . C. . Buendgen . R. . Zagorski . M. . Schoone . H. . Voss . K. .
10. News: IBM z14: Enforcing Data As The New Perimeter, Enabling Scale For The Cloud. 2017-07-17. Brian D. Colwell. 2018-04-24. en-US. 2018-02-11. https://web.archive.org/web/20180211165858/https://briandcolwell.com/2017/07/ibm-z14-enforcing-data-as-the-new-perimeter-enabling-scale-for-the-cloud/.html. dead.
11. Web site: SHARE : Blogs : Blockchain Through the Prism of Pervasive Encryption: Part II. event.share.org. 2018-04-24.
12. Web site: IBM Processor Claims New Level of Data Encryption. www.eetimes.com. 2018-04-24.

External links

These links point to various relevant cryptographic standards.

ISO 13491 - Secure Cryptographic Devices: https://www.iso.org/standard/61137.html

ISO 9564 - PIN security: https://www.iso.org/standard/68669.html

ANSI X9.24 Part 1: Key Management using Symmetric Techniques: https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-1-2017

ANSI X9.24 Part 2: Key Management using Asymmetric Techniques: https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-2-2016

FIPS 140-2: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

Payment Card Industry (PCI) PIN Transaction Security (PTS): Hardware Security Module (HSM) Modular Security Requirements: search this site: https://www.pcisecuritystandards.org/document_library