FIPS PUB 140-2 Certified Electronics and Cryptographic Algorithms
The rigorous FIPS PUB 140-2 Security Requirements for Cryptographic Modules is the benchmark standard by which cryptographic
implementations are measured. The evaluations cover the encapsulated
processing subsystem and its specialized cryptographic hardware, code
loading, tamper detection and response mechanisms, and the cryptographic
algorithms: DES, triple-DES, RSA, DSS, and SHA-1.
The IBM PCI-X Cryptographic Coprocessor has been certified by NIST for IBM System x, IBM System p, IBM System i, and IBM System z.
Coprocessor Models and Features
The IBM 4764 Model 001 operates on a 3.3-volt PCI-X bus and has two
batteries to power the tamper-sensing electronics when no system power is
supplied.
Cryptographic Software Support Options
IBM supplies support program code for the IBM CCA cryptographic implementation.
IBM Common Cryptographic Architecture (CCA) provides extensive support for DES- and RSA-based processes, including
many functions of special interest in the finance industry. You can extend the CCA implementation through custom programming, described below.
Standard capabilities include PIN processing, Secure Electronic
Transaction services, data encryption and hashing techniques, and
RSA-based public-key cryptography.
Release 3.x supports the 4764-001 installed on the IBM System x server with 32-bit SUSE Linux Enterprise Server 9 or 32-bit Windows Server 2003, Standard Edition, and supports the 4764 coprocessor features on System p with AIX, on System i with i5/OS, and on System z9 with Linux. Note that the ICSF component of z/OS and OS/390 provides support comparable to Release 3.x on the IBM System p, IBM System i and IBM System z servers.
The United States Bureau of Export Administration classifies both
Support Programs and the coprocessors as 'Retail Cryptographic
Implementations'. Thus, IBM can export these hardware and software
products to essentially all customers. (Export restrictions remain in effect
for a certain few countries and organizations.)
Custom Programming
Minting of electronic money and electronic postage are examples of
critical functions that must run in a highly trustworthy environment. Using toolkits available from IBM under custom contract, you can implement
your own applications for the coprocessor, or extend IBM's CCA
application. You can make a fast start on your custom application
development when you extend CCA using its flexible access-control
system and many existing services.
IBM will issue you a unique identifier and certify your code-signing key so
that you can sign your own custom coprocessor software. You develop
your software using conventional IBM or Microsoft C-language compilers
and use the toolkit-provided debugging programs. You or your customers
can then load coprocessor software in a normal server environment. Using
the PKI-based outbound authentication capabilities of the coprocessor's
control program, you can securely administer the coprocessor
environment, even from remote locations. Auditors can inspect the
coprocessor's digitally signed status response to confirm that the
coprocessor remains untampered and running uniquely identified software.