HSM Software – A Detailed Example

March 19, 2018

This week, I continue the computer security topic with a focus on software. A good place to start is the software used to support the PCIe Cryptographic Coprocessor Version 2 (PCIeCC2) hardware security module (HSM). Using a specific example is a good way to start the security software journey.

HSM Hardware Tree
Last week, I wrote mainly about an example of security hardware called the HSM. The hardware from IBM is the PCIeCC2, which is a programmable PCIe card that offloads computationally intensive cryptographic processes from the hosting server and performs sensitive tasks unsuitable for less secure general-purpose computers. It’s supported on three different hardware architectures:
  1. IBM Z, using Crypto Express5S (CEX5S), which is implemented under feature code (FC) 0890
  2. IBM Power, using FC EJ32 or EJ33, depending on the required configuration
  3. IBM-approved x86 architecture servers, using machine type 4767, a card that sits in a PC slot
What is the Role of the Software?
The HSM hardware is specialized for specific security functions. Hardware is king. The hardware is supported (perhaps you could say driven) by firmware. The firmware supports the king. Then comes the software that provides everything else. The IBM PCIeCC2 makes use of the IBM Common Cryptographic Architecture (CCA) API and security architecture. IBM provides the CCA Support Program that you load into the HSM to perform cryptographic functions common in the finance industry and in internet business applications. You can also add custom functions to the HSM using an available programming toolkit.

What Toolkit?
IBM offers the Cryptographic Coprocessor Toolkit, which is used to create or extend the application program that runs within the HSM. With it, users can create entirely new applications for the HSM or extend the functionality of IBM's CCA application program in the form of a user-defined extension.

PCIeCC2 Software Support Summary
Apart from the toolkit, here is a quick summary of the security software that works with the HSM, by platform.

On IBM Z mainframe computers
The PCIeCC2 is available as a feature on either z/OS or Linux on IBM Z.

[Table 1: image not reproduced]


On IBM Power Systems
The PCIeCC2 is available as a feature on IBM POWER8 servers.

[Table 2: image not reproduced]

On select IBM-approved x86 architecture servers
The PCIeCC2 is available as a machine type-model 4767-002 on select IBM-approved x86 architecture servers.

[Table 3: image not reproduced]

Elements Working Together
This is a rich and detailed example of a security system consisting of hardware, firmware and software. It is not a simple example, but it exposes a real-world instance of how the three layers fit together.

What’s Next?
Next week, I’ll continue the computer security topic with a broader focus on software using the security software categories from IDC's Worldwide Software Taxonomy, 2017 that include:
  1. Identity and access management
  2. Endpoint security
  3. Messaging security
  4. Network security
  5. Web security
  6. Security and vulnerability management software
  7. Other security software
IDC is also tracking database security (management software) and mobile enterprise security software (Platform as a Service) developments.
