Date: Wed, 11 Jul 2001 09:06:47 -0400
From: madodelatptdprolog.net
Subject: [VOICENWS] IBM PCI Cryptographic Coprocessors: More Info

From: "Timothy Sipples"

Here's some more information on the IBM PCI Cryptographic Coprocessors:

1. The IBM official announcement letter is 100-002. (You can find IBM announcement letters at the following web site:

   http://www.ibmlink.ibm.com/ibmlink

   Click on the "Public Entry" button, then select Announcements.)

2. The IBM list price on the PCI Cryptographic Coprocessor (4758 Model 23) is $2690. An optional battery for the card is $50. (Again, these are intended for high security and/or high volume transactions, such as popular e-commerce web sites.) The software is available at no extra charge. This price is quite reasonable if you're purchasing a server designed to handle secure transactions and communications. By offloading the work from the main processor, you can perhaps buy a less powerful server and still perform more work.

3. These adapters meet the FIPS Pub 140-1 standard for commercial cryptographic devices. The Model 23 meets level 3 of the standard, and the Model 2 meets level 4 of the standard. You can view a copy of the FIPS 140-1 standard here:

   http://csrc.nist.gov/publications/fips/fips140-1/fips1401.pdf

   In layperson's terms, both these adapters have been physically "hardened," so that they are tamper-proof. If someone gains unauthorized access to the PCI adapter itself, any encryption keys stored on the adapter will be erased. Level 4 offers more rigorous tamper protections than level 3. IBM's 4758 is the first device to achieve the full level 4 FIPS 140-1 certification. The U.S. Treasury Bureau of the Public Debt uses the IBM 4758 adapter. (When you buy U.S. savings bonds, the 4758 adapter is involved in helping secure the transaction.)

4. The Model 13 (FIPS 140-1 level 3) is $1700 list, and the Model 1 (FIPS 140-1 level 4) is $2000. These earlier models (still available) have less powerful processors but can still do plenty of computation. Refer to IBM announcements 199-279 and 197-142 for the capabilities of these adapters.

5. There are export restrictions on some of this technology, depending on the key length (and encryption strength). The 4758 adapter can be ordered with the appropriate capabilities. (With changes to U.S. law, export of these products is now easier.)

6. There's an open source Linux device driver for the IBM 4758 PCI Cryptographic Coprocessor Adapter. Visit this web site for more information:

   http://oss.software.ibm.com/developerworks/opensource/4758

   And here's one for OpenBSD:

   http://www.citi.umich.edu/projects/ibm4758.html

7. Here's some information on an "attack" against the IBM 4758 (along with IBM's response):

   http://www.cl.cam.ac.uk/~mkb23/research.html

While obviously this information will not be useful to everyone, I thought some of you might want to learn more about the rich security features available for eComStation and OS/2 Warp using this PCI adapter. Be prepared for some really dense reading (particularly at that last web site). :-)

If anyone has any follow-up reports on experiences with the IBM 4758, I think we'd all be very interested.

- - - - -
Timothy F. Sipples
IBM WebSphere & Business Connect Software (Chicago, IL)
and IBM Consultant to the U.S. Bureau of Transportation Statistics (Wash., DC)