Features
- Cryptographic support via the IBM Common Cryptographic Architecture (CCA) API supporting:
- DES and triple-DES data confidentiality
- DES and triple-DES message authentication including ISO 16609 CBC mode triple-DES support
- RSA digital signatures with keys up to 2048 bits
- SHA-1, SHA-224, SHA-256, MD5, RIPEMD-160, MDC-2 and MDC-4 hashing
- DES and RSA key management, RSA keys to 2048 bit-length
- SET™ (Secure Electronic Transaction) services
- Key diversification for smart card applications
- EMV secure key and PIN messaging services
- Finance-industry PIN processing and related services, including ANSI X9.24 Derived Unique Key Per
Transaction (DUKPT) support using single and double length keys
- Custom extensions using the UDX toolkit
- ATM remote key loading
- Supported on IBM System x™ server with 32-bit SUSE LINUX Enterprise Server 9 or 32-bit Windows Server 2003, Standard
Edition.
- Application development with a common API for Linux, Windows Server 2003, AIX, i5/OS, z/OS and OS/390
- Note: Integrated implementations are available for:
- IBM AIX (System p™)
- For general information on System p products and features, refer to the System p home page.
- IBM i5/OS (System i™)
- IBM z/OS and OS/390, and Linux on System z9 (System z™)
Description
The IBM CCA Support Program provides a comprehensive, integrated family
of services that employs the major capabilities of the IBM coprocessors.
CCA provides the usual DES and RSA functions for data confidentiality
and data integrity support. In addition, CCA features extensive support for
distributed key management and many functions of special interest to the
finance industry. Other changes and extensions to the Support Program
are described in the "Revision History" section of the CCA Basic Services
Reference and Guide. The CCA software has been independently reviewed
and certified by the German ZKA industry organization for use in specific
finance systems. Also, IBM believes the CCA software can be operated
compliant with the intent of the FIPS 140-2 cryptographic module
standard. Capabilities include:
- ATM Remote Key Loading is a method of secured transport of DES keys from a Tamper
Resistant Security Module (TRSM) to an ATM or other remote device using asymmetric
techniques.
- Cryptographic-quality random-number generation using the coprocessor hardware to seed a FIPS PUB 140-2 compliant random
number generator.
- Secure import and export of DES keys encrypted using either RSA or triple-DES along with the CCA control vector key-typing
technique and carefully architected key management operations
enables a strong, distributed key management implementation.
- Local keys securely held in one of two ways:
- A modest number of RSA private keys can be retained within the secure coprocessor.
- An unlimited number of private keys and DES keys can be held external to the coprocessor encrypted (wrapped) by the
triple-length DES master key. The master keys are secured
within the coprocessor.
The master key can be randomly generated within the coprocessor,
or the master key can be inserted in parts by two or more trusted
individuals. Active master keys can be securely cloned to
additional coprocessor cards using an m-of-n secret splitting
technique. See “Cloning of a master key” below for more
information.
- Protection of keys is assured through triple-DES encryption or retention of the keys within the coprocessor's secure module.
Generation options permit the secure storage of valuable RSA keys
at a single node or backing them up on additional node(s). With the
CCA architecture and its control vector technology, you can enable
extensive control of key usage in distributed cryptographic
systems. Approximately 75 to 150 coprocessor-generated RSA
private keys can be retained within the secure coprocessor to
guarantee that the value of the key cannot be disclosed or
transported to another site. With the CCA master key architecture,
an unlimited number of DES and RSA keys can be securely held
external to the coprocessor. Externally stored keys can be managed
either by CCA or by application programs.
- Cloning of a master key enables back-up and/or redundant coprocessors to process the same master-key encrypted local keys.
Master key cloning operates with the access control system
ensuring a secure, controlled process through a cryptographically
protected m-of-n key-shares design.
- SET services support e-Commerce applications in merchant and acquirer credit card transaction processing.
- ATM and POS PIN-processing is supported through six services. PIN generation and verification services support several popular
PIN-generation algorithms including customer-selected PIN
options. A variety of PIN-block formats are processed with support
for secure re-encryption and re-formatting of PIN blocks. ANSI
X9.24 Derived Unique Key Per Transaction (DUKPT) PIN block
encryption is supported, using both single-length and double-length
keys. Additional services support the card validation value/code
processes (CVV/CVC) for the protection of card transactions.
- Digital signature generation and validation using RSA supports several different
hash-formatting methods including ISO-9796 and PKCS #1 standards. Support of the
SHA-1, SHA-224, SHA-256 and MD5 algorithms is provided. The modular-exponentiation
hardware engine supports keys up to 2048 bits in length. Using the CCA services and the
FIPS 140-2 certified hardware, you have a high-security, flexible base on which to
implement PKI solutions.
- DES and triple-DES data encryption/decryption supports CBC and ANSI X9.23 "last block" padding rules.
- Message Authentication Code (MAC) generation is supported using the DES algorithm
and rules defined in the ANSI X9.9-1 and the ANSI X9.19 algorithms for single- and
double-length keys. ISO-16609 CBC Mode TDES MAC is also supported. In multi-node
systems, you can use the CCA control vector architecture to prevent the MAC receiver from
generating a fraudulent MAC code.
- Derived key support is available for dynamically creating DES keys from a key generating key in support of protocols such as
used with EMV smart cards. Through use of the UDX toolkit, you
or your software vendor can extend CCA to support the many
special derived-key operations needed in modern smart card
systems.
- EMV Secure Messaging is supported with functions that create secure messages to send keys and PINs to EMV smart cards.
- Custom programming of the coprocessor is supported through services offered by IBM and through customer programming
employing toolkits that are available on a limited basis under
custom contract.
The API for the Release 3.x CCA Support Program offered with the IBM
4764 Model 1 is quite similar to CCA support on the IBM 4758 Model 2
and Model 23. Changes and extensions to the support program are
described in the "Revision History" section of the CCA Basic Services
Reference and Guide manual.
|