4755 Cryptographic Adapter

@D77F.ADF IBM Cryptographic Adapter (thx to SuperVinx)

189-174 IBM 4754 Security Interface Unit Model 001, IBM 4755 Cryptographic Adapter Models 001, 002, and IBM Personal Security Card
ZG92-0260 4755-003/004/005/013/014 Cryptographic Adapter

CSUTMSTR.BOO 4753 Network Security Processor Model 14 Installation and Service Manual

Overview
Cryptographic Adapter
Jumper Settings
ADF Sections


Overview

The cryptographic microprocessor on the Cryptographic Adapter is an 80186 CPU with ROM, RAM, a DEA engine, and other support logic, all integrated into a single encapsulated custom package.

This level of integration and the incorporation of intrusion-resistant design techniques, are intended to provide protection against electromagnetic, chemical, and physical attacks on the cryptographic keys and other sensitive data that are stored on the custom module.

The Cryptographic Adapter also includes the RS-232 communication interface for the Security Interface Unit, and a socket for plugging the signature processing module. A battery backup system is used to retain cryptographic keys in the secure memory. The memory is erased when the 4755 is removed from the workstation.

4755 Versions

  • -002 (DES) 31F1716 / 34F1684 PS/2
  • -004 (DES) 31F1786 PS/2
  • -014 (DES/PKA) 31F1790 PS/2
  • -005 (DES) 17G7547 RS/6000

All photos and illustrations that we have seen so far resemble the outline below (with the exception of jumper CD8). It seems possible that any differences between versions are in the circuitry inside the "Silver Shield" (sounds like a Super Hero). Stirring things up even more is the later addition of a ability to use custom encryption. No idea, I suspect it is inside the Silver Shield. EPROM? Flash? Only The Shadow knows... -LFO

The 475x Product Line

The IBM Transaction Security System (TSS, product family 475x) is an integrated hardware and software implementation of common cryptographic functions. Together with the software support package SECIWS, TSS is designed to improve security at PC workstations, communication channels between workstations and between workstations and host processors (source).

The 4753 NSP uses the 3172 chassis, with a 1S1P 95 planar and Type 2 (H or L) or Type 4 "P" (P66) complex upgrade. IBM lists the 3172 (-003?) documentation.

Further, the Cryptographic Adapter is found in a number of financial systems, the 37xx in particular. Additionally, the 4755 can enable a PS/2 to connect securely to S/370, RS/6000, and AS/400 systems. I have seen a picture of a 4755-014 in an AS/400 "book" as well.

The 4755 does not communicate anything over the DE9, instead it provides "in-stride" encryption of the data to be transmitted over the Token Ring network. So, any fantasies of doing a "direct connect" with a 4755 to 4755 is just that.

We don't have the Workstation drivers or the 4753 Control Program.


Cryptographic Adapter [P] [P] [P] (photos from UMMR, "Wormetti" @ VCF and SuperVinx)

BT1 Battery outline
CD1 DE9 male connector (RS-232 to 4754)
CD2,3 Daughterboard pin headers
CD4 3-pin Memory Retain jumper
CD5 2-pin Service jumper
CD6 3-pin Ext. battery jumper
CD7 2-pin Tamper Test jumper
ZM3 DIP-24 ROM socket
ZM5 41F9867 PAL
ZM7 Intel N82530-6 SSC
ZM10 31F1681
ZM17-20 32Kx8 SRAM
ZM21 Secure module (metal can)
? 6.0? MHz osc (for SSC?)

BT1 Outline and solder pads for a PCB mounted battery (a large coin cell, reminiscent of the one on an 8573-P75 -LFO). Replaced by a power lead with a 2-pin connector attached to a cylindrical battery (IBM P/N 49F4906). 3 V, 1400 or 1500 mAh, CR12600SE or compatible - identified as "Lithium", cell says MnO2-Li (Lithium Manganese oxide). Different termination methods available:
   CR12600SE is a normal battery (button positive, flat negative)
   CR12600SET has tabs
   CR12600SEP has pins

CD2,3 Headers for Signature Verification module. This module REQUIRES the 4754 Security Interface Unit to be attached to the DE9 port on the 4755. From my hurried reading of some documentation, the "pen" (attached to 4754) looks for selected movements when someone signs with the "pen". No digitizer pad is used. -LFO

ZM3 Cryptographic adapter ROM (P/N 11H0381 for 4753 at Control Program Version 3.00 and P/N 41H6783 for Version 3.10)
   SWAG: The ROM is just for setting up the card's resources on the MCA bus. Not sure if the Control Program internals changed from ver 3.00 to 3.10, or if the 4755 hardware changed, or IBM did it "just because". -LFO

ZM10 is a TI "special sauce" chip, note the "CF" prefix.

ZM17-20 M5M5256BFP-12, HM62256LFP-12T or compatible 32Kx8 SRAM

ZM21 Metal shield seems to be held on with tabs soldered to the PCB. The solder side has no apparent large holes for mounting pegs or twisted tab ends.


Jumper Settings

Note: Position 1 - pin 1 and center pin; Position 2 - pin 2 and center pin.

CD4 - Battery Retain (default "1") Lose or Retain cryptographic adapter RAM:
Position 1 - memory contents lost if cryptographic adapter is unplugged.
Position 2 - memory contents retained if cryptographic adapter unplugged.

If CD4 is not installed, memory contents are lost if you unplug the cryptographic adapter or if you switch off the power.

Note: Install a jumper to prevent inconsistent results from memory content loss.

CD5 - Service Switch (default "closed") Determines if the service switch was set to ON since the service switch flag last reset. (service switch flag reset when security officer uses operations utility to reset switch or when a cryptographic adapter is reinitialized.)

Note: The toggle switch is mounted on an MCA slot filler. In this illustration, Slot 6 is actually empty.

CD6 - External Battery (default "1") Currently ignored; but a jumper MUST be installed.

CD7 - Tamper Test (default "open") Manufacturing test point; Open for normal operations.

CD8 - FEPROM Program (default "1") Erase or Change the code in the loadable shield:
Position 1 - erase or change code.
Position 2 - cannot erase or change code.

Note: This jumper is not present on some boards (not even the solder pads). These (older?) adapters probably aren't capable of erasing/modifying the EPROM contents.


AdapterId D77F IBM Cryptographic Adapter

Interrupt Level
   9 highest, then in decreasing order 3, 4, and 7. Change if it is in conflict with another assignment
     <"INT 7">, 9, 3, 4

I/O Address
   Change if it is in conflict with another assignment
     <"9280-928F>, 9290-929F

Arbitration Level
   Level 1 highest priority, higher levels decrease in priority. Change if it is in conflict with another assignment
     <"Level 6">, 1, 2, 3, 5, 7

Burst Enable (Burst Mode DMA)
   ON - Adapter attempts to do 8 or 16 transfers per arbitration cycle.
   OFF - Single byte or word transfers occur for each arbitration cycle.
     <"ON">, OFF

Burst Transfer Count
   Number of possible transfers before adapter releases channel when preempted.
     <"8">, 16

Note: Use 16 only with PS/2's that use the default transfer cycle.

Word Transfer Enable
   Adapter operates in ON (Word) or OFF (Byte) mode.
     <"ON">, OFF

DMA Slave Selection
   IO ADDR forces I/O address of adapter to be valid during I/O cycle.
   ARB LVL selection made on decode of I/O cycle, arbitration level, and valid status.
     <"IO ADDR">, ARB LVL

Note: Most PS/2s support either, but some models don't support ARB LVL. In general, use IO ADDR on PS/2s. The RISC System/6000 only supports ARB LVL.

ROM Address
   Change if it is in conflict with another assignment
     <"0C8000-0C9FFF">, 0CA000-0CBFFF, 0CC000-0CDFFF, 0CE000-0CFFFF, 0D0000-0D1FFF, 0D2000-0D3FFF, 0D4000-0D5FFF, 0D6000-0D7FFF, 0D8000-0D9FFF, 0DA000-0DBFFF, 0DC000-0DDFFF, 0DE000-0DFFFF, 0C0000-0C1FFF, 0C2000-0C3FFF, 0C4000-0C5FFF, 0C6000-0C7FFF

Content created and/or collected by:
Louis F. Ohland, Peter H. Wendt, David L. Beem, William R. Walsh, Tatsuo Sunagawa, Tomáš Slavotínek, Jim Shorney, Tim N. Clarke, Kevin Bowling, and many others.

Ardent Tool of Capitalism is maintained by Tomáš Slavotínek.
Last update: 24 Mar 2024 - Changelog | About | Legal & Contact