IBM 4754 SECURITY INTERFACE UNIT MODEL 001, IBM 4755 CRYPTOGRAPHIC ADAPTER MODELS 001, 002, AND IBM PERSONAL SECURITY CARD

Announcement Letter Number 189-174 dated October 24, 1989
US - Last Revised on October 24, 1989

Brief Description of Announcement, Charges, and Availability

The 4754 Security Interface Unit, 4755 Cryptographic Adapter, and Personal Security (TM) card offer new levels of workstation security for Electronic Funds Transfer (EFT) and similar applications. This is accomplished via a compatible set of common cryptographic functions, using the widely accepted Data Encryption Algorithm/Data Encryption Standard (DEA/DES). The IBM Personal Security card, and the signature verification feature, offer improved security in identification, authorization, and access to sensitive data.

Purchase Prices:

  4754 Model 001    $1,035
  4755 Model 001     1,115
  4755 Model 002     1,115

See the "Charges" section for a detailed list of features and charges associated with these products.

Planned Availability Date: January 26, 1990

NOTE: The 4755 Cryptographic Adapter is a feature of the IBM PC or PS/2 (R) in which it resides. It has been designated as a 4755 machine type to fulfill tracking requirements regarding export licensing outside the United States and Canada.

(TM) Trademark of International Business Machines Corporation.
(R) Registered trademark of International Business Machines Corporation.

Customer Letter Section

HIGHLIGHTS

o PIN entry/verification
o Signature enrollment/verification -- with Signature Verification feature and Cryptographic Adapter
o Cryptographic key management/initial key loading functions
o Control vector determination of how keys can be used and communicated
o User authorization verification
o DEA encryption/decryption
o Message authentication
o Tamper-resistant packaging
o 4754 battery backup for secure clock and cryptographic keys
o 4755 battery maintenance of keys with power off -- keys erased when 4755 is removed from the workstation

DESCRIPTION

IBM TRANSACTION SECURITY SYSTEM INTRODUCED

The products described in this announcement are part of the IBM Transaction Security System.

Among the chief concepts used in the design of the IBM Transaction Security System products is that security is a total system consideration, and that effective systems solutions are necessarily based on a compatible set of formally designed functions implemented from the end user, through the user terminal or workstation, to the host processor.

The commonality of cryptographic functions across all components of the system results from using a common cryptographic interface. The interface consists of logical definitions for a large number of cryptographic functions that can be integrated, in full or in subset, in any appropriate device, product, or system.

Common requirements exist for security in information systems that demand a high level of control in identification of users, authorization of their need for information, and control of the way they can use that information. This control is accomplished through cryptography.

Cryptography is the only known practical method to protect information transmitted through communications networks that use land lines, communications satellites, and microwave facilities. It can also be the most economical way to protect stored data from disclosure.
Cryptographic procedures can be used not only to protect the privacy of data, but also the integrity of data.

The base for the IBM Transaction Security System cryptographic implementation is the Data Encryption Algorithm (DEA/DES), because of its widespread acceptance.

Existing systems utilize key variants to control usage of cryptographic keys. An enhanced key utilization control method is based on Control Vectors (CV). A CV specifies the type of key, how the key may be used, and how it may be communicated within and between cryptographic facilities. Additionally, it specifies in which cryptographic instructions and parameter inputs the key may operate. Thus, CVs provide strictly controlled usage of cryptographic keys within a local system or a remote system.

IBM has formally defined a set of mutually compatible cryptographic functions, implemented with a unified application program interface. The functions can be grouped into four primary categories:

o Encipher/decipher functions
o Message Authentication Code (MAC) and other data integrity functions
o Personal Identification Number (PIN) functions
o Support functions such as key management

These functions are implemented in a set of compatible security microprocessors which are used in building-block components such as the Personal Security card, the 4754 Security Interface Unit, and the 4755 Cryptographic Adapter. The components have been combined in various configurations with software building blocks and standard components to provide cryptographic workstations and a host-supported Network Security Processor.

Adherence to a formally defined functional structure in development of IBM security products helps to ensure compatibility among the products, ease implementation of integrated security networks, support current requirements, and accommodate future growth.

All of the defined cryptographic functions are raised to a high-level security application program interface (API).
The common application interface has been designed to accept cryptographic requests from application programs written for System/370 (TM) host processors and for IBM PC and PS/2 workstations, in a broad range of high-level languages.

For some security API requests, single functions are executed in the cryptographic hardware; for others, the hardware executes a series of functions. The security server, a portion of the Work Station Security Services, translates the security API requests via its command processors into commands for the cryptographic hardware. The security server also acquires from the workstation directory the keys and other information required for the cryptographic processing.

This functional structure used in the workstation applies as well to the host processor, and its attached Network Security Processor (4753). The security API for the host is the same as for the workstation. The access method, channel driver, routing, dispatching, and task management functions are shared between the host and the 4753. The cryptographic hardware in the 4753 is identical to that in the workstation.

The IBM cryptographic products are designed to support the following ANSI and ISO standards:

  SUBJECT                                          ANSI      ISO
  PIN Management                                   X9.8      DIS9546
  Message Authentication (Wholesale)               X9.9      IS8730
  Message Authentication (Retail)                  X9.19     IS8731
  Key Management (Wholesale) *                     X9.17     IS8732
  Encryption of Wholesale Finance Messages         X9.23     DIS10126
  Data Encryption Algorithm                        X3.92
  Data Encryption Algorithm Modes of Operation     X3.106    IS8372

  * See "Statement of General Direction."

4754 SECURITY INTERFACE UNIT

DESCRIPTION

The 4754 Security Interface Unit communicates with the Personal Security card, and provides a secure cryptographic session with the 4755 Cryptographic Adapter installed in the workstation. Operator identification is via an integrated 12-key keypad and via the optional Signature Verification feature.
The 4754 employs tamper-resistant packaging and connects to the 4755 Cryptographic Adapter via a supplied cable.

In configurations without the 4755 Cryptographic Adapter, the 4754 can perform stand-alone cryptographic functions at a lower performance level. In this configuration, attachment is to a serial (asynchronous) adapter in the workstation. The 4754 is also used as the operator input device for the 4753 Network Security Processor.

Indicator lights and an audible tone are provided for operator attention. A battery-driven clock and battery backup for cryptographic keys are provided.

Each Security Interface Unit includes, at no additional charge, three Personal Security cards for initial system installation.

A Signature Verification feature (#7446) is available to provide an additional level of personal identification.

An Operating Guide feature (#8927) is available, including the "Work Station Security Services: Installation and Operating Guide," a set of Work Station Security Services diskettes, including device drivers and utility, and a diagnostic diskette. The Operating Guide is required to install, test, and operate the Security Interface Unit and the Cryptographic Adapter. It may be ordered either with the 4754 (#8927) or by part number. It is recommended that at least one Operating Guide be ordered per equipment location.

NOTE: FCC Compliance -- The 4754 is subject to the FCC rules for Class A digital devices and shall comply with appropriate FCC rules before final delivery to the buyer or to centers of distribution.

NOTE: The Signature Verification and Operating Guide features are not supported with the 4753 Network Security Processor.

4755 CRYPTOGRAPHIC ADAPTER

DESCRIPTION

When the Cryptographic Adapter is added to the workstation configuration, a significant increase in cryptographic performance is obtained.
The Cryptographic Adapter also performs the signature processing for the Security Interface Unit, giving an additional level of personal identification and authorization. The Cryptographic Adapter may be used alone (without a Security Interface Unit) to provide cryptographic functions when the Personal Security card and signature functions are not required.

The Cryptographic Adapter provides the following functions:

o DEA encryption/decryption and message authentication
o Program validation
o Signature processing (with the Signature Verification feature)
o A comprehensive set of cryptographic functions

The cryptographic microprocessor on the Cryptographic Adapter is an 80186 microprocessor, with ROM (read-only memory), RAM (random access memory), a DEA engine, and other support logic, all integrated into a single encapsulated custom package. This level of integration and the incorporation of intrusion-resistant design techniques are intended to provide protection against electromagnetic, chemical, and physical attacks on the cryptographic keys and other sensitive data that are stored on the custom module.

The Cryptographic Adapter also includes the RS-232 communication interface for the Security Interface Unit, and a socket for plugging in the signature processing module.

A battery backup system is used to retain cryptographic keys in the secure memory. The memory is erased when the 4755 is removed from the workstation.

MODEL DIFFERENCES:

o 4754-001 -- Full DEA function
o 4755-001 for PC, XT (TM), AT (R) (except XT/370 and AT/370) and PS/2 Models 25, 30, and 30 286 -- Full DEA function
o 4755-002 for PS/2 Micro Channel (TM) versions -- Full DEA function

MODEL CHANGES: None.

MAXIMUM: One Cryptographic Adapter and one Security Interface Unit per workstation.

FIELD INSTALLATION: Field Installable.

COMPATIBILITY: May be used in conjunction with Financial Branch System Services (FBSS) Version 2 Release 1.1 or Release 2.0, or equivalent.

PREREQUISITES:

o The 4754 requires either a 4755 Cryptographic Adapter or a serial adapter in the workstation, or may be attached to the 4753 Network Security Processor.
o Signature processing requires Signature Verification (#7446) and a 4755 Cryptographic Adapter in the workstation.
o The 4755 requires an available full-length slot.
o IBM PC-DOS Version 3.3 or Version 4.0, or equivalent, is required to operate the workstation.
o The Work Station Security Services program, including device drivers and utility, is required to operate the Security Interface Unit and the Cryptographic Adapter.
o A validated license from the US Government is required prior to export of these products from the US, except to Canada.

CUSTOMER SETUP: Yes.

PERSONAL SECURITY CARD

DESCRIPTION

IBM's new Personal Security card can provide many critical functions in a total system security solution. Its ability to securely hold cryptographic keys and perform PIN verification functions, and its ability to store an individual's signature references, enhance both offline and online user verification. It can provide end users with an authorization profile for their workstations, eliminating the need to sign on with a host processor to obtain the authorization.

The card can also be used as an effective portable cryptographic processor, a device for securely transporting cryptographic keys from a central security location to another network node, as well as a logging device for the card holder's transactions.

The Personal Security card is designed for high-security applications.
It is a standard size chip card package, containing a single chip security microprocessor, with 10 kilobytes of ROM, 256 bytes of RAM, and 8 kilobytes of nonvolatile EEPROM (electrically erasable programmable read-only memory), used for both secure data areas and extensions to the microcode in the ROM.

The Personal Security card provides a broad set of commands and permits the institution to select which commands are active, and the characteristics of each. This is accomplished by storing certain configuration information in the EEPROM.

o Command configuration data defines the features and parameters of each command.
o Command authorization flags, associated with each of four levels of authorization or "users," define which commands are available to each user.
o Global configuration data defines overall card characteristics.

A User Profile is associated with each user. It contains the following information:

o User ID -- comparable to that used for computer "log-on"
o PIN -- a secret Personal Identification Number
o Authority level -- relative to other users
o User command authorization flags -- access control to allowed functions
o PIN failure count and limit -- control the number of invalid attempts to access the card
o User day of week and time limits -- define when the card may be used
o User expiration date
o User flags -- determine the identification method required, that is, PIN or signature

In addition, there is space for an institution-loaded table of up to 16 "holiday" dates. On these dates, a majority of the card functions can be disabled.

Each card has a serial number stored in the EEPROM during manufacturing and two programmable ID fields. They are a DEVICE ID, used to distinguish it from all other cards used by the institution, and an APPLICATION ID, used to identify the application for which the card has been configured.

Block commands are provided, which allow customers to define and manipulate their own data areas on the card.
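
The command authorization flags, User Profile fields and holiday table listed above amount to an access decision made on the card before a command runs. The Python model below is an added illustration, not IBM code or the card's command set: the field layout, the command names, the order of the checks and the result strings are all assumptions.

```python
import hmac
from dataclasses import dataclass, field
from datetime import date, datetime, time

MAX_HOLIDAYS = 16  # the page: institution-loaded table of up to 16 "holiday" dates


@dataclass
class UserProfile:
    """Hypothetical layout of the User Profile fields listed above."""
    user_id: str
    pin: str                      # kept in the clear only for this model
    authority_level: int          # 0..3, one of the four authorization levels
    commands: frozenset           # stands in for the command authorization flags
    pin_failure_limit: int
    weekdays: frozenset           # allowed days, 0 = Monday ... 6 = Sunday
    start: time                   # daily time limits
    end: time
    expires: date
    pin_failure_count: int = 0


@dataclass
class Card:
    profiles: dict
    holidays: set = field(default_factory=set)
    holiday_commands: frozenset = frozenset()  # assumed: commands left active on holidays

    def add_holiday(self, day: date) -> None:
        if day not in self.holidays and len(self.holidays) >= MAX_HOLIDAYS:
            raise ValueError("holiday table is full")
        self.holidays.add(day)

    def authorize(self, user_id: str, pin: str, command: str, now: datetime) -> str:
        p = self.profiles.get(user_id)
        if p is None:
            return "DENY_UNKNOWN_USER"
        # Lockout is tested before the PIN, so a locked profile reveals nothing
        # about whether a guess was right.
        if p.pin_failure_count >= p.pin_failure_limit:
            return "DENY_LOCKED"
        if not hmac.compare_digest(pin.encode(), p.pin.encode()):
            p.pin_failure_count += 1
            return "DENY_BAD_PIN"
        p.pin_failure_count = 0
        if now.date() > p.expires:
            return "DENY_EXPIRED"
        if now.weekday() not in p.weekdays or not (p.start <= now.time() <= p.end):
            return "DENY_TIME"
        if now.date() in self.holidays and command not in self.holiday_commands:
            return "DENY_HOLIDAY"
        if command not in p.commands:
            return "DENY_COMMAND"
        return "ALLOW"


def build_sample_card() -> Card:
    """Constructed sample data; the user ID, PIN and command names are invented."""
    teller = UserProfile(
        user_id="TELLER01", pin="4821", authority_level=2,
        commands=frozenset({"VERIFY_PIN", "GENERATE_MAC"}),
        pin_failure_limit=3, weekdays=frozenset(range(5)),
        start=time(8, 0), end=time(18, 0), expires=date(1990, 12, 31),
    )
    card = Card(profiles={teller.user_id: teller})
    card.add_holiday(date(1990, 7, 4))
    return card


if __name__ == "__main__":
    card = build_sample_card()
    monday = datetime(1990, 1, 29, 10, 0)
    for args in [("TELLER01", "4821", "GENERATE_MAC", monday),
                 ("TELLER01", "4821", "LOAD_KEY", monday),
                 ("TELLER01", "4821", "GENERATE_MAC", datetime(1990, 7, 4, 10, 0)),
                 ("TELLER01", "0000", "GENERATE_MAC", monday)]:
        print(args[2], args[3].isoformat(), "->", card.authorize(*args))
```
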
The data blocks are stored in the card EEPROM memory. This provides the capability to utilize the Personal Security card for many different applications. For example, this capability is used to store the signatures used in the signature verification application.

STATEMENT OF GENERAL DIRECTION

IBM currently plans to enhance the IBM Transaction Security System products by providing follow-on extensions consisting of software and microcode changes. These extensions are planned to be implemented through changes to the 4755 Cryptographic Adapter, and to the security servers in the Network Security Processor Control Program, the Work Station Security Services program, and the Network Security Processor MVS Support Program. These planned enhancements include the following:

SYSTEMS SUPPORT EXTENSIONS

IBM's currently planned follow-on includes:

o Support for the IBM Transaction Security System workstation products under the OS/2 (R) Standard Edition and Extended Edition operating system.
o Host software extensions to provide IBM Transaction Security System functions and the security API to the Network Security Processor for the IBM System/88.

PRODUCT EXTENSIONS

The IBM products in this announcement provide a significant level of new security-related capabilities for the System/370 attached or stand-alone PC and PS/2 workstations. IBM currently plans to provide follow-on releases of the 4755 Cryptographic Adapter and associated microcode and software to support the product extensions described below. Unless otherwise noted, those extensions applying to workstations require that the workstation have the 4755 Cryptographic Adapter feature installed to take advantage of the function.

BIOS EXTENSION (TRUSTED WORKSTATION): This planned Cryptographic Adapter enhancement will provide greater logical deterrents to attacks against workstation resources.
Planned functions include:

o Restricted "boot"
  After the initial loading of encrypted files and programs, IPL may be accomplished only from encrypted files on the fixed disk.
o File/program encryption
  Workstations may be provided with a secure access control mechanism by using encrypted software and data and by controlling access to the keys that decipher the software and data.

CUSTOMER-DESIGNED FUNCTIONS:

o Chaining of commands (4753)
  This planned capability permits an application to execute several existing commands using a single request. No intermediate results appear in the clear. This is expected to enhance the transaction processing rate of a Network Security Processor.
o User-defined functions
  This planned capability permits customer implementation of unique and/or proprietary cryptographic algorithms.

ANSI X9.17 KEY MANAGEMENT: Additional planned functions and utilities will provide cryptographic support for DEA key distribution under the ANSI X9.17 standard and the equivalent ISO 8732 standard. This is in addition to the comprehensive set of key management commands implemented in the initial release.

ALTERNATIVE HOST ATTACHMENT:

o The 4753 Network Security Processor is planned to be offered with a 4Mb token-ring LAN host attachment. IBM and OEM systems with token-ring LAN capability may attach the IBM 4753.

These planned enhancements and business plans are subject to change based on IBM's business judgement.

PUBLICATIONS

The following publication is shipped with the Operating Guide (feature #8927). Additional copies will be available by March 1990.

o Work Station Security Services Installation and Operating Guide (SA34-2141)

The following publications will be available by April 1990. To order, contact your IBM representative.

o Programming Guide and Reference (SC31-2934)
o General Information Manual and Planning Guide (GA34-2137)

NOTE: Limited copies of the two publications immediately above will be available by November 1989.
For information, contact:

  IBM Corporation
  Department 04Y/204-3
  1001 W.T. Harris Blvd., West
  Charlotte, NC 28257

The following publication will be available by July 1990. To order, contact your IBM representative.

o Security Guide (GA34-2138)

System library subscription service (SLSS) is not available.

EDUCATION SUPPORT

For information regarding education, contact:

  IBM Corporation
  Department 04Y/204-3
  1001 W.T. Harris Blvd., West
  Charlotte, NC 28257

SCHEDULE

Planned availability is January 26, 1990, for the 4754 Model 001, 4755 Models 001 and 002, and the Personal Security card.

TECHNICAL INFORMATION

SPECIFIED OPERATING ENVIRONMENT

PHYSICAL SPECIFICATIONS:

o 4754
  Width  -- 140mm (5.5 inches)
  Depth  -- 216mm (8.5 inches)
  Height -- 64mm (2.5 inches)
  Weight -- 2kg (4.5 pounds)
o 4755
  The 4755 occupies a full-length slot in the PC or PS/2 in which it is installed.

OPERATING ENVIRONMENT:

o Temperature -- 15.6 to 32.2 degrees C (60 to 90 degrees F)
o Relative humidity -- 8 to 80 percent

MACHINE REQUIREMENTS: The 4754 and 4755 are designed to operate in a normal office environment. The 4754 connects to an IBM PC (except XT/370 and AT/370), or PS/2 for workstation operations, or to the 4753 Network Security Processor. A cable with appropriate connector (specify code 9309 for a 9-pin connector; 9325 for a 25-pin connector) is provided for attachment to the workstation or the 4753.

The 4755 must be installed in the workstation. The Work Station Security Services program is shipped on diskettes with the Operating Guide. Minimum recommended memory configuration is 640 kilobytes.

PROGRAMMING REQUIREMENTS: IBM Personal Computer DOS Version 3.3 or Version 4.0, or equivalent, is required. The functions provided by the Work Station Security Services program, including device drivers and utility, are required for workstation operation. They are not required for a 4754 attached to a 4753 Network Security Processor.

PLANNING INFORMATION

CUSTOMER RESPONSIBILITIES: The 4754 and 4755 are designated as customer setup. Installation is performed by the customer, using the Operating Guide (feature #8927 or part number). It is recommended that at least one Operating Guide be ordered for each equipment location. It is not required when the 4754 is used with a 4753 Network Security Processor.

CABLE ORDERS: A 2-meter (6.5-foot) cable is supplied with the 4754 for attachment to the workstation or 4753. A specify code is used to request the proper cable-connector configuration (9309 for 9-pin connector; 9325 for 25-pin connector).

INSTALLABILITY: Installation time for the 4754 Security Interface Unit is approximately 30 minutes. Installation time for the 4755 Cryptographic Adapter is approximately 30 minutes.

PROBLEM DETERMINATION: The "Work Station Security Services: Installation and Operating Guide" and the associated diagnostic diskette (part of feature #8927) will assist the customer in isolating a defective machine or feature. The failing unit can then be replaced on-site.

PACKAGING:

  PRODUCT                    SHIP GROUP
  Security Interface Unit    Safety Flyer
                             Personal Security cards (3)
                             Notice to Users
  Cryptographic Adapter      Safety Flyer
                             Notice to Users

ACCESSORIES AND/OR SUPPLIES: The following supplies can be purchased from IBM Authorized Supplies Dealers, IBM Authorized Distributors, or from IBM Direct Response Operations (DRO). Call IBM DRO at 1-800-IBM-2468. Mail orders should be sent to:

  IBM Corporation
  IBM Direct Response Operations
  One Culver Road
  Dayton, NJ 08810

  PART NO.    DESCRIPTION
  41F9938     Battery, lithium for Security Interface Unit
  41F9952     Pen tip, replacement for signature verification pen (minimum order -- package of six tips)
  41F9970     Personal Security card *

  * This is the standard Personal Security card (order via MSORDER). For personalizing or volume quantities, request a special bid.

SECURITY, AUDITABILITY AND CONTROL

User management is responsible for evaluation, selection and implementation of security features, administrative procedures and appropriate controls in application systems and communications facilities.

TERMS AND CONDITIONS

VOLUME PURCHASE DISCOUNT: Volume purchasing is available under the Volume Procurement Amendment (VPA) to Agreement for Purchase of IBM Machines. The announced products are included in Category H of the Workstations and Related I/O Exhibit. Customers with an existing VPA commitment may order the announced products as additional quantities to, or as direct substitutes for, any other machines in the same category subject to availability. For further information regarding volume orders, contact your IBM marketing representative.

IBM CREDIT CORPORATION FINANCING: Term leases and installment payment plans are available for commercial and state and local government customers.

ELIGIBLE MACHINE UNDER ALTERNATIVE CERTIFICATION FOR IBM MACHINES: No.

WARRANTY PERIOD: 1 year for the 4754 and 4755; 3 months for the Personal Security card

WARRANTY SERVICE:

o 4754 -- IBM On-Site Exchange (IOE)
o 4755 -- The Warranty Service is the same as the IBM machine on which the 4755 is installed. Warranty on the 4755 will be determined by proof of the date of purchase. The customer is responsible to provide proof at the time of service.

IBM MAINTENANCE AGREEMENT:

o 4754 -- IBM On-Site Exchange (IOE)
o 4755 -- The Maintenance Agreement is the same as the IBM machine on which the 4755 is installed.

IBM HOURLY SERVICE RATE CLASSIFICATION: One.

IBM Warranty Service, Maintenance Service, or IBM Hourly Service may be obtained by calling 800 IBM-SERV. IBM Hourly Service is available at the applicable rate and terms, including element exchange price if applicable.

MID-RANGE SYSTEM AMENDMENT: The announced product is an eligible machine for the Mid-Range System Amendment to the IBM Maintenance Agreement.
A revised exhibit will be available at a later date.

  Eligible    Discount Percent
  Types       Three-Year    Five-Year
  4754        17%           22%

CORPORATE SERVICE AMENDMENT: The announced product is an eligible machine for the Corporate Service Amendment to the IBM Maintenance Agreement. A revised exhibit will be available at a later date.

              Discount Percent
  Option      Three-Year    Five-Year
  Network     25%           30%

EXTENDED MAINTENANCE OPTION: The announced product is an eligible machine for the Extended Maintenance Option Amendment to the IBM Maintenance Agreement. A revised exhibit will be available at a later date.

PRODUCT AVAILABILITY STATUS: New product available.

FIELD INSTALLABLE FEATURES/MODEL CONVERSIONS: Yes.

CUSTOMER SETUP: Customer setup allowance is two days. IBM setup is available at the applicable IBM Hourly Service rate and terms.

LICENSED INTERNAL CODE: No. A program license agreement applies for the Work Station Security Services device drivers and utility.

EDUCATIONAL ALLOWANCE: A 15% educational allowance is available to qualifying institutions in accordance with the Educational Allowance Amendment. The educational allowance may not be added to any other discount or allowance.

CHARGES

PRODUCT CHARGES

                                          Model/                Purchase
  Description                   Type      Feat#     Part#       Price
  Security Interface Unit       4754      001                   $1,035
  Cryptographic Adapter         4755      001                    1,115
  Cryptographic Adapter         4755      002                    1,115
  Signature Verification                  7446      42F0002      1,205
    feature of 4754
  Operating Guide                         8927                      35
    -- 3.5-inch media                     9335      42F0026         --
    -- 5.25-inch media                    9525      42F0046         --
  Cable supplied with 4754
    -- 9-pin connector                    9309      41F9948         --
    -- 25-pin connector                   9325      41F9949         --
  Personal Security card *                          41F9970         30
    (accessory)

  * For volume quantities and personalizing, request a special bid.

The Operating Guide may be ordered as a field-installable feature of the 4754 or by part number.

NOTE: The 4755 Cryptographic Adapter is a feature of the IBM PC or PS/2 in which it resides.
It has been designated as a 4755 machine type to fulfill tracking requirements regarding export licensing outside the United States and Canada.

MAINTENANCE AND USE CHARGES:

                                  Minimum
                                  Maintenance
                      Feature     Charge
  Type      Model     Number      Annual
  4754      001       --          $85
                      7446         30

BILLABLE EXCHANGE PRICE:

                                  Billable
                      Feature     Exchange
  Type      Model     Number      Price
  4754      001       --          $1,035
                      7446         1,205