Features

• Cryptographic support via the IBM Common Cryptographic Architecture (CCA) API supporting:
  • DES, and triple-DES data confidentiality
  • DES message authentication and RSA digital signatures
  • SHA-1, MD5, RIPEMD160, and MDC-2 and MDC-4 hashing
  • DES and RSA key management, RSA keys to 2048 bit-length
  • SET Secure Electronic Transaction services
  • Key diversification for smart card applications
  • Finance-industry PIN processing and related services, now including ANSI X9.24 Unique Key Per Transaction support
  • Custom extensions using the UDX toolkit
• Supported on personal computers with Windows 2000, Windows 2000 Advanced Server, and Windows NT, and on IBM pSeries (RS/6000) systems with AIX
• Application development with a common API for AIX, Windows NT and 2000, OS/400, z/OS and OS/390
• Note: Integrated implementations are available for:
  • IBM OS/400 (iSeries - AS/400)
  • For general information on iSeries (AS/400) products and features refer to the iSeries Home Page.
  • For specific information on how to install, setup, and use the 4758 PCI Cryptographic Coprocessor on iSeries refer to the AS/400 Information Center
  • IBM z/OS and OS/390 (zSeries - S/390)
    • For general information on zSeries (S/390) security functions and features refer to the zSeries Home Page.

The CCA Support Programs provide a comprehensive, integrated family of services that employ the major capabilities of the IBM Coprocessors. Two versions are available:

• Release 2.x, which supports the IBM Models 002 and 023 on Windows NT and Windows 2000, and AIX, with these additional capabilities:
  • Triple-DES data encryption
  • Faster RSA operations
  • PIN support in the SET service used by acquirers.

CCA provides the usual DES and RSA functions for data confidentiality and data integrity support. In addition, CCA features extensive support for distributed key management and many functions of special interest to the finance industry. The latest level is 2.53 (full release) for Models 002 and 023. Other changes and extensions to the support program are described in the "Revision History" section of the CCA Basic Services Reference and Guide Release 2.53 for the IBM 4758 002/023 manual. The CCA software has been independently reviewed and certified by the German ZKA industry organization for use in specific finance systems. Also, IBM believes the CCA software can be operated compliant with the intent of the FIPS 140-1 cryptographic module standard. Capabilities include:

• Cryptographic-quality random-number generation using the Coprocessor hardware to seed a FIPS PUB 140-1 compliant random number generator.
• Secure import and export of DES keys encrypted using either RSA or triple-DES along with the CCA control vector key-typing technique and carefully architected key management operations enables a strong, distributed key management implementation.
• Local keys securely held in one of two ways:
  • A modest number of RSA private keys can be retained within the secure Coprocessor.
  • An unlimited number of private keys and DES keys can be held external to the Coprocessor encrypted (wrapped) by the triple-length DES master key.
The master key can be randomly generated within the Coprocessor, or the master key can be inserted in parts by two or more trusted individuals.
• Protection of keys is assured through triple encryption or retention of the keys within the Coprocessor's secure module. Generation options permit the secure storage of valuable RSA keys at a single node or backing them up on additional node(s). With the CCA architecture and its control vector technology, you can enable extensive control of key usage in distributed cryptographic systems. Approximately 75 to 150 Coprocessor-generated RSA private keys can be retained within the secure Coprocessor to guarantee that the value of the key cannot be disclosed nor transported to another site. With the CCA master key architecture, an unlimited number of DES and RSA keys can be securely held external to the Coprocessor. Externally stored keys can be managed either by CCA or by application programs.
• Cloning of a master key enables back-up and/or redundant Coprocessors to process the same master-key encrypted local keys. Master key cloning operates with the access control system ensuring a secure, controlled process through an m-of-n key-shares design.
• SET services support e-Commerce applications in merchant and acquirer credit card transaction processing. With Release 2.x, encrypted PIN block support is added consistent with this latest addition to the SET standards.
• ATM and POS PIN-processing is supported through six services. PIN generation and verification services support several popular PIN-generation algorithms including customer-selected PIN options. A variety of PIN-block formats are processed with support for secure re-encryption and re-formatting of PIN blocks. Release 2.41 supports ANSI X9.24 Unique Key Per Transaction PIN block encryption. Additional services support the card validation value/code processes for the protection of card transactions.
• Digital signature generation and validation using RSA supports several different hash-formatting methods including ISO-9796 and PKDS #1 standards. Support of the SHA-1 and MD5 algorithms is provided. And with the New Models 002 and 023, large blocks are hashed using the hardware SHA-1 hashing engine within the Coprocessor. The modular-exponentiation hardware engine supports keys up to 2048 bits in length. Using the CCA services and the FIPS 140-1 certified hardware, you have a high-security, flexible base on which to implement PKI solutions.
• DES data encryption/decryption supports CBC and ANSI X9.23 "last block" padding rules. Release 2.x supports triple-DES.
• Message Authentication Code (MAC) generation is supported using the DES algorithm and rules defined in the ANSI X9.9-1 and the ANSI X9.19 algorithms for single- and double-length keys. In multi-node systems, you can use the CCA control vector architecture to prevent the MAC receiver from generating a fraudulent MAC code.
• Derived key support is available for dynamically creating DES keys from a key generating key in support of protocols such as used with EMV smart cards. Through use of the UDX toolkit, you or your software vendor can extend CCA to support the many special derived-key operations needed in modern smart card systems.
• Custom programming of the Coprocessor is supported through services offered by IBM and through customer programming employing toolkits that are available on a limited basis under custom contract.

The API for the Release 2.x CCA Support Program offered with the IBM 4758 Models 2 and 23 differs in certain details from the Release 1.31 support for IBM 4758 Models 1 and 13. API details for Release 2.x are quite similar to current CCA support on the S/390. Application programs designed to work with the CCA Support Program Release 1.31 may require modifications to run with Release 2.x. The DES internal key token and RSA key token data structures have changed in the version of the CCA Support Program for the Models 2 and 23. Other changes and extensions to the support program are described in the "Revision History" section of the CCA Basic Services Reference and Guide Release 2.41 for the IBM 4758 002/023. manual.

Performance Demonstration Program
A sample program is available that you can compile and run to obtain performance information for your system. This program may also serve as a starting point in your efforts to benchmark the CCA offerings for the IBM Coprocessor models. The program will operate with CCA Release 2.x installations on AIX and Windows NT systems.