2023 News
Cryptocards news and updates from 2023.
November 30, 2023 | HSM CEX8S / 4770 | CCA 8.1 Release for Linux on IBM Z
CCA 8.1 is now available for CEX8S Linux on IBM Z customers. CCA for Linux on IBM Z details are available on the CEX8S Linux on Z Software page. There is also a new CCA 8.1 Application Programmer’s Guide.
- Updates for TR-31 key block support:
  - Support was added to build, send, receive, and use TR-31 key blocks directly in most of the CCA services that utilize symmetric keys.
  - A new verb was added to build TR-31 key blocks: TR31 Key Create (CSNBT31C).
  - A new key storage was created that can store TR-31 tokens.
- A new combined key storage (CMB) is available:
  - The combined key storage was designed to support all key types: AES, HMAC, DES, and PKA (ECC, RSA, and QSA).
  - Additionally, the CMB key storage supports both CCA and TR31 key token formats.
  - Keys can be added to the CMB key storage by creating them directly in the CMB or by migrating existing AES, HMAC, DES, and PKA keys into the CMB from their respective type-specific key stores.
- SHA-3 support has been added:
  - CCA can now perform the SHA-3 hashing algorithm, specifically for the CSNBOWH, CSNDDSG, and CSNDDSV verbs.
  - In addition, SHA-3 requests can be forwarded to the CPACF for processing.
- Support for OAEP 2.1 has been added:
  - CCA now offers the ability to utilize OAEP version 2.1 in the verbs CSNDPKE and CSNDPKD.
  - This update enables the usage of three additional SHA algorithms with OAEP: SHA-224, SHA-384, and SHA-512.
June 15, 2023 | HSM CEX7S / 4769 | CCA 7.3 CHIM Update
A CCA CHIM update for 7.3 is now available for CEX7S customers on IBM's CCA download site.
New functions and features:
- Reencipher function will recognize and properly process a larger variety of operational key types
- Reencipher function will generate a report of individual problems encountered during the reencipher process
- Reencipher function will continue processing remaining operational keys after an error is encountered and logged in the report
March 31, 2023 | HSM CEX8S / 4770 | CCA 8.0 Release for Linux on IBM Z
New functions and features:
- CCA has added support for CRYSTALS-Dilithium Round 3 and CRYSTALS-Kyber Round 2 quantum-safe algorithms.
- Using CCA, you can build a hybrid quantum safe key exchange scheme. In this scheme, the CCA services support a mechanism where no data is exposed outside of the cryptographic coprocessor that is input to the final key derivation.
- The CCA TKE catcher now supports the use of a TLS connection in addition to the standard plain TCP connection for communication with a Trusted Key Entry (TKE) workstation.
- Support for the Australian Payment Network (APN) (based on standard AS2805.5.4)
  - Key derivation:
    - CSNBDKG supports key derivation to meet the needs of the APN.
    - CSNBRNGL supports encrypting the output under a data-encrypting key.
  - MAC generation:
    - CSNBSAE supports generating and verifying MACs and related processing.
    - CSNBMGN and CSNBMVR add new keywords for the TDES-based One Way Function, which is unique to the Australian financial sector.
  - Key derivation:
    - A new verb Encrypted PIN Verify2 (CSNBPVR2) is provided that performs PIN verification by comparing two encrypted PIN blocks.
- The verbs CSNDDSG and CSNDDSV can now exploit the Schnorr Digital Signature Algorithm (SDSA). You can use this enhancement to sign and verify Europay MasterCard Visa (EMV) certificates. For this purpose, a new keyword EC-SDSA is provided which supports the ECC curves secp256r1 and secp521r1.
- To support key exchange with applications that use the PKCS #11 standard, two services, CSNDPKT and CSNDSYX, have been enhanced to allow key translation from a CCA token format to the PKCS #11 object format.
- For processing with TR-34 functions, users can now optionally check the expiration dates of the certificate revocation list (CRL) and the key receiving device (KRD) certificate. For this purpose, new return codes, new ACPs, and new keywords of the TR-34 verbs are provided.
- Enhancements are available for TR-31 symmetric key management:
  - "N" TR-31 mode of use is now allowed with B, C, D wrapping: The 'N' Mode of Use is no longer restricted to the A wrapping method. Key usages that allow 'N' Mode of Use with all wrapping methods in verbs CSNBT31X and CSNBT31I are the following:
    - 'B0'
    - 'E0', 'E1', 'E2', 'E3', 'E4', 'E5'
    - 'V0', 'V1', 'V2'
  - "B" TR-31 mode of use is now allowed for K0 export: The CSNBT31X verb allows export of an IMPORTER / EXPORTER key as 'K0' Key Usage with 'B' Mode of use.