The IBM 4765. PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed.
The IBM 4765 is validated to FIPS PUB 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices. The IBM 4765 data sheet describes the coprocessor in detail.
IBM supplies two cryptographic-system implementations:
- The PKCS#11 implementation creates a high-security solution for application programs developed for this industry-standard API.
- The IBM Common Cryptographic Architecture (CCA) implementation provides many functions of special interest in the finance industry, extensive support for distributed key management, and a base on which custom processing and cryptographic functions can be added.
Toolkits for custom application development are also available.
Applications may include financial PIN transactions, bank-to-clearing-house transactions, EMV transactions for integrated circuit (chip) based credit cards, and general-purpose cryptographic applications using symmetric key algorithms, hashing algorithms, and public key algorithms.
The operational keys (symmetric or RSA private) are generated in the coprocessor and are then saved either in a keystore file or in application memory, encrypted under the master key of that coprocessor. Any coprocessor with an identical master key can use those keys.
- IBM Z: Crypto Express4S (CEX4S) / Crypto Express3C (CEX3C) - feature code 0865
- IBM POWER systems: feature codes EJ27, EJ28, and EJ29
- x86: Machine type-model 4765-001
As of May 2011, the IBM 4765 superseded the IBM 4764 that was discontinued.
The IBM 4765 has been discontinued on all platforms. The successor to the 4765, the IBM 4767, was introduced on each of the IBM server platforms:
- IBM Z, where it is called the Crypto Express5S and is available as feature code 0890
- IBM POWER systems, where it is available as feature codes EJ32 / EJ33
- x86 servers, where it is called the 4767-002
- "IBM HSM 4765/CEX4S/CEX3/FC EJ32/FC EJ33 - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.
- "IBM PCI-* Cryptographic Coprocessors" (PDF).
- Arnold, T. W.; Buscaglia, C.; Chan, F.; Condorelli, V.; Dayka, J.; Santiago-Fernandez, W.; Hadzic, N.; Hocker, M. D.; Jordan, M. (January 2012). "IBM 4765 cryptographic coprocessor". IBM Journal of Research and Development. 56 (1.2): 10:1–10:13. doi:10.1147/JRD.2011.2178736. ISSN 0018-8646.
- "IBM 4765 PCIe Cryptographic Coprocessor" (PDF).
- "Cryptsoft". www.cryptsoft.com. Retrieved 2018-04-02.
- "IBM 4765 custom programming - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.
- "IBM PCIeCC software package - United States". www.ibm.com. 2018-03-19. Retrieved 2018-04-02.
These links point to various relevant cryptographic standards.
ISO 13491 - Secure Cryptographic Devices: https://www.iso.org/standard/61137.html
ISO 9564 - PIN security: https://www.iso.org/standard/68669.html
ANSI X9.24 Part 1: Key Management using Symmetric Techniques: https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-1-2017
ANSI X9.24 Part 2: Key Management using Asymmetric Techniques: https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-2-2016