IBM 4765

Last updated March 14, 2022

The IBM 4765^[1] PCIe Cryptographic Coprocessor^[2] is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed.

The PKCS#11 ^[5] implementation creates a high-security solution for application programs developed for this industry-standard API.
The IBM Common Cryptographic Architecture (CCA) implementation provides many functions of special interest in the finance industry, extensive support for distributed key management, and a base on which custom processing and cryptographic functions can be added.

Toolkits for custom application development^[6] are also available.

Applications may include financial PIN transactions, bank-to-clearing-house transactions, EMV transactions for integrated circuit (chip) based credit cards, and general-purpose cryptographic applications using symmetric key algorithms, hashing algorithms, and public key algorithms.

The operational keys (symmetric or RSA private) are generated in the coprocessor and are then saved either in a keystore file or in application memory, encrypted under the master key of that coprocessor. Any coprocessor with an identical master key can use those keys.

Supported systems

IBM supports the 4765 on IBM Z, IBM POWER Systems, and IBM-approved x86 servers (Linux or Microsoft Windows).^[7]

IBM Z: Crypto Express4S (CEX4S) / Crypto Express3C (CEX3C) - feature code 0865
IBM POWER systems: feature codes EJ27, EJ28, and EJ29
x86: Machine type-model 4765-001

History

As of May 2011, the IBM 4765 superseded the IBM 4764 that was discontinued.

The IBM 4765 has been discontinued on all platforms. The successor to the 4765, the IBM 4767, was introduced on each of the IBM server platforms:

IBM Z, where it is called the Crypto Express5S and is available as feature code 0890
IBM POWER systems, where it is available as feature codes EJ32 / EJ33
x86 servers, where it is called the 4767-002

Related Research Articles

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it has been highly influential in the advancement of cryptography.

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender and has not been changed. The MAC value protects a message's data integrity, as well as its authenticity, by allowing verifiers to detect any changes to the message content.

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

There are a number of standards related to cryptography. Standard algorithms and protocols provide a focus for study; standards for popular applications attract a large amount of cryptanalysis.

The IBM 4758 PCI Cryptographic Coprocessor is a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCI board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed.

TLS acceleration is a method of offloading processor-intensive public-key encryption for Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) to a hardware accelerator.

The Microsoft Windows platform specific Cryptographic Application Programming Interface is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data. The Crypto API was first introduced in Windows NT 4.0 and enhanced in subsequent versions.

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

The following outline is provided as an overview of and topical guide to cryptography:

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

The IBM 4764 Cryptographic Coprocessor is a secure cryptoprocessor that performs cryptographic operations used by application programs and by communications such as SSL private key transactions associated with SSL digital certificates.

Crypto++ is a free and open-source C++ class library of cryptographic algorithms and schemes written by Wei Dai. Crypto++ has been widely used in academia, student projects, open-source, and non-commercial projects, as well as businesses. Released in 1995, the library fully supports 32-bit and 64-bit architectures for many major operating systems and platforms, including Android, Apple, BSD, Cygwin, IBM AIX and S/390, Linux, MinGW, Solaris, Windows, Windows Phone and Windows RT. The project also supports compilation using C++03, C++11, C++14, and C++17 runtime libraries; and a variety of compilers and IDEs, including Borland Turbo C++, Borland C++ Builder, Clang, CodeWarrior Pro, GCC, Intel C++ Compiler (ICC), Microsoft Visual C/C++, and Sun Studio.

Utimaco Atalla, founded as Atalla Technovation and formerly known as Atalla Corporation or HP Atalla, is a security vendor, active in the market segments of data security and cryptography. Atalla provides government-grade end-to-end products in network security, and hardware security modules (HSMs) used in automated teller machines (ATMs) and Internet security. The company was founded by Egyptian engineer Mohamed M. Atalla in 1972. Atalla HSMs are the payment card industry's de facto standard, protecting 250 million card transactions daily as of 2013, and securing the majority of the world's ATM transactions as of 2014.

Hardware-based encryption is the use of computer hardware to assist software, or sometimes replace software, in the process of data encryption. Typically, this is implemented as part of the processor's instruction set. For example, the AES encryption algorithm can be implemented using the AES instruction set on the ubiquitous x86 architecture. Such instructions also exist on the ARM architecture. However, more unusual systems exist where the cryptography module is separate from the central processor, instead being implemented as a coprocessor, in particular a secure cryptoprocessor or cryptographic accelerator, of which an example is the IBM 4758, or its successor, the IBM 4764. Hardware implementations can be faster and less prone to exploitation than traditional software implementations, and furthermore can be protected against tampering.

The IBM 4767 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

The IBM 4768 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

The IBM 4769 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

References

↑ "IBM HSM 4765/CEX4S/CEX3/FC EJ32/FC EJ33 - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.
↑ "IBM PCI-* Cryptographic Coprocessors" (PDF).
↑ Arnold, T. W.; Buscaglia, C.; Chan, F.; Condorelli, V.; Dayka, J.; Santiago-Fernandez, W.; Hadzic, N.; Hocker, M. D.; Jordan, M. (January 2012). "IBM 4765 cryptographic coprocessor". IBM Journal of Research and Development. 56 (1.2): 10:1–10:13. doi:10.1147/JRD.2011.2178736. ISSN 0018-8646.
↑ "IBM 4765 PCIe Cryptographic Coprocessor" (PDF).
↑ "Cryptsoft". www.cryptsoft.com. Retrieved 2018-04-02.
↑ "IBM 4765 custom programming - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.
↑ "IBM PCIeCC software package - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.

External links

These links point to various relevant cryptographic standards.

ISO 13491 - Secure Cryptographic Devices: https://www.iso.org/standard/61137.html
ISO 9564 - PIN security: https://www.iso.org/standard/68669.html
ANSI X9.24 Part 1: Key Management using Symmetric Techniques: https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-1-2017
ANSI X9.24 Part 2: Key Management using Asymmetric Techniques: https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-2-2016
FIPS 140-2: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "IBM HSM 4765/CEX4S/CEX3/FC EJ32/FC EJ33 - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.

[2] "IBM PCI-* Cryptographic Coprocessors" (PDF).

[3] Arnold, T. W.; Buscaglia, C.; Chan, F.; Condorelli, V.; Dayka, J.; Santiago-Fernandez, W.; Hadzic, N.; Hocker, M. D.; Jordan, M. (January 2012). "IBM 4765 cryptographic coprocessor". IBM Journal of Research and Development. 56 (1.2): 10:1–10:13. doi:10.1147/JRD.2011.2178736. ISSN 0018-8646.

[4] "IBM 4765 PCIe Cryptographic Coprocessor" (PDF).

[5] "Cryptsoft". www.cryptsoft.com. Retrieved 2018-04-02.

[6] "IBM 4765 custom programming - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.

[7] "IBM PCIeCC software package - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.

[1]

[2]

[3]

[4]

[5]

[6]

[7]