CEX8S Linux on IBM Z

• Support for ML-DSA and ML-KEM algorithm

• Bug fixes and documentation updates

• Exploitation of new card features:
  • Adds new session APIs
  • Provides FIPS mode support
  • Provides BLS mechanism support

• Creates a new ep11tke user for usage with EP11TKEd

New CCA Services: Multi-Mac Scheme (CSNBMMS)

• The Multi-MAC Scheme callable service is used to derive M of N MAC verification keys, validate M of N possible MACs over the input data, derive a final MAC key, then generate and return a final MAC.

Algorithm updates for Import/ Export of AES K0-B and K1-B key blocks

• Change T31I/T31X to not return an error for import/export to/from K0-B/K1-B keys for TDES and AES

• Change T31I to add the WR_HMAC key usage to imported AES IMPORTER and EXPORTER keys

Updates for Importing RSA AES Key Wrapped Objects

• New keyword and updated support for SYI2

  • Beginning with Release 8.2, Symmetric_Key_Import2 can be used to import external keys that have been previously formatted using the RSA AES key wrap mechanism. The RSA AES key wrap mechanism, denoted CKM_RSA_AES_KEY_WRAP, is a PKCS#11 mechanism based on the RSA public-key cryptosystem and the AES key wrap mechanism.

  • Added keywords CKM-RAKW

• New keywords and updated support for PKI

  • Beginning with Release 8.2, PKA_Key_Import can be used to import external keys that have been previously formatted using the RSA AES key wrap mechanism. The RSA AES key wrap mechanism, denoted CKM_RSA_AES_KEY_WRAP, is a PKCS#11 mechanism based on the RSA public-key crypto system and the AES key wrap mechanism.

  • Added keywords CKM-RAKW, and IKEK-PK

DKYGENKY KMF-MBE/P Support Updated

MGN and MVR added support for 3-key TDES EMVMACD/X9.19OPT

CCA Service Quantum Safe Algorithms R2/R3 Updates:

• Beginning with Release 8.2, CCA supports additional NIST Quantum-Safe algorithm standardization candidate CRYSTALS-Kyber key types and sizes.

  • CRYSTALS-Kyber round 3 support

    • CRYSTALS-Kyber (768), NIST Round 3 with OID: 1.3.6.1.4.1.2.267.8.3.3

    • CRYSTALS-Kyber (1024), NIST Round 3 with OID: 1.3.6.1.4.1.2.267.8.4.4

  • CRYSTALS-Kyber expanded round 2 support

    • CRYSTALS-Kyber (768), NIST Round 2 with OID: 1.3.6.1.4.1.2.267.5.3.3

Updates for TR-31 key block support:

• Support was added to build, send, receive, and use TR-31 key blocks directly in most of the CCA services that utilize symmetric keys.

• A new verb was added to build TR-31 key blocks: TR31 Key Create (CSNBT31C).

• A new key storage was created that can store TR-31 tokens.

A new combined key storage (CMB) is available:

• The combined key storage was designed to support all key types: AES, HMAC, DES, and PKA (ECC, RSA, and QSA).

• Additionally, the CMB key storage supports both CCA and TR31 key token formats.

• Keys can be added to the CMB key storage by creating them directly in the CMB or by migrating existing AES, HMAC, DES, and PKA keys into the CMB from their respective type-specific key stores.

SHA-3 support has been added:

• CCA can now perform the SHA-3 hashing algorithm, specifically for the CSNBOWH, CSNDDSG, and CSNDDSV verbs.

• In addition, SHA-3 requests can be forwarded to the CPACF for processing.

Support for OAEP 2.1 has been added:

• CCA now offers the ability to utilize OAEP version 2.1 in the verbs CSNDPKE and CSNDPKD.

• This update enables the usage of three additional SHA algorithms with OAEP: SHA-224, SHA-384, and SHA-512.

Linux kernels may need additional patches to run well with CEX8S.

If upgrading from CCA 7.3, then the CCA TKE catcher will require further set-up after installation to continue functioning and communicating with the TKE. This is because updating to CCA 8.1 will by default change your catcher connection from TCP to TLS mode.

The TLS functionality of the CCA TKE catcher uses only TLS 1.2 and newer, and requires OpenSSL 1.1 or newer to be installed on the server.

• Key derivation:
  • CSNBDKG supports key derivation to meet the needs of the APN.
  • CSNBRNGL supports encrypting the output under a data-encrypting key.
• MAC generation:
  • CSNBSAE supports generating and verifying MACs and related processing.
  • CSNBMGN and CSNBMVR add new keywords for the TDES-based One Way Function, which is unique to the Australian financial sector.

• "N" TR-31 mode of use is now allowed with B,C,D wrapping: The 'N' Mode of Use is no longer restricted to the A wrapping method. Key usages that allow 'N' Mode of Use with all wrapping methods in verbs CSNBT31X and CSNBT31I are the following:
  • 'B0'
  • 'E0', 'E1', 'E2', 'E3', 'E4', 'E5'
  • 'V0', 'V1', 'V2'
• "B" TR-31 mode of use is now allowed for K0 export: The CSNBT31X verb allows export of an IMPORTER / EXPORTER key as 'K0' Key Usage with 'B' Mode of use.