The IBM 4768PCIe Cryptographic Coprocessor is a hardware security module that includes a secure cryptoprocessorimplemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format. The IBM 4768 is validated to FIPS PUB 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices. It has achieved PCI-HSM certification. The IBM 4768 data sheet describes the coprocessor in detail. IBM supplies two cryptographic-system implementations:
The PKCS#11 implementation creates a high-security solution for application programs developed for this industry-standard API.
The IBM Common Cryptographic Architecture implementation provides many functions of special interest in the finance industry, extensive support for distributed key management, and a base on which custom processing and cryptographic functions can be added.
Applications may include financial PIN transactions, bank-to-clearing-house transactions, EMV transactions for integrated circuit based credit cards, and general-purpose cryptographic applications using symmetric key algorithms, hashing algorithms, and public key algorithms. The operational keys are generated in the coprocessor and are then saved either in a keystore file or in application memory, encrypted under the master key of that coprocessor. Any coprocessor with an identical master key can use those keys. Performance benefits include the incorporation of elliptic curve cryptography and format preserving encryption in the hardware. IBM supports the 4768 on certain IBM Z mainframes as Crypto Express6S - feature code 0893. The 4768 / CEX6S is part of IBM's support for pervasive encryption and drive to encrypt all data.
