Edition August 2024, CCA Support Program Releases 8.2 and 7.5
This edition describes the IBM® CCA Basic Services API for Releases 8.2 and 7.5. The complete functionality of Release 8.2 is available on CEX8C cryptographic coprocessors only. Much of the functionality of CCA 8.2 is also available with CCA 7.5 for the CEX7C. Differences are marked in this publication.
CCA Releases 8.2 and 7.5 offer the following new features and functions:
- Support for CRYSTALS-Kyber Round 2 and 3:
  - CRYSTALS-Kyber (768) Round 2
    - Key management: CSNDPKB, CSNDPKG, CSNDPKI, CSNDPKX, CSNDKTC, CSNDPKT
    - Other services: CSNDPKE, CSNDPKD, CSNDEDH - for hybrid key negotiation support
  - CRYSTALS-Kyber (1024) Round 3 and CRYSTALS-Kyber (768) Round 3
    - Key management: CSNDPKB, CSNDPKG, CSNDPKI, CSNDPKX, CSNDKTC, CSNDPKT
    - Other services: CSNDPKE, CSNDPKD, CSNDEDH - for hybrid key negotiation support
- Updates for the CSNBDKG2 service:
  Derive keys that participate in the M of N MAC Scheme as documented for the CSNBMMS service.
- Updates for the CSNDSYG service:
  Extend the service to also produce X'05' variable-length AES CIPHER or MAC type keys with the OP, EX, or IM rules.
- Updates for the CSNBMGN and CSNBMVR services:
  Add triple key TDES support for the EMVMACD/X9.19OPT process rules.
- Updates for the CSNDSYI2 service (CCA Release 8.2 only):
  You can use the Symmetric Key Import service to import external keys that have been previously formatted using the PKCS #11 RSA AES key wrap mechanism.
- Updates for the CSNDPKI service (CCA Release 8.2 only):
  You can use the PKA Key Import service to import external keys that have been previously formatted using the RSA AES key wrap mechanism.
The CCA API includes the following new verb:
Verb | Service name | Category |
---|---|---|
CSNBMMS | Multi-MAC Scheme (CSNBMMS) | Managing AES, DES, and HMAC cryptographic keys |
You can use this service to derive M of N MAC verification keys, validate M of N possible MACs over the input data, derive a final MAC key, then generate and return a final MAC.
The following verbs provide new or updated keywords or other updated information:
Verb | Service name | Release | Category |
---|---|---|---|
CSNBDKG2 | Diversified Key Generate2 (CSNBDKG2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNDEDH | EC Diffie-Hellman (CSNDEDH) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNBKGN2 | Key Generate2 (CSNBKGN2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNBKTB2 | Key Token Build2 (CSNBKTB2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNBKTP2 | Key Token Parse2 (CSNBKTP2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNDPKD | PKA Decrypt (CSNDPKD) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNDPKE | PKA Encrypt (CSNDPKE) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNBRKA | Restrict Key Attribute (CSNBRKA) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNDSYG | Symmetric Key Generate (CSNDSYG) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
CSNDSYI2 | Symmetric Key Import2 (CSNDSYI2) | 8.2 | Managing AES, DES, and HMAC cryptographic keys |
CSNBMGN | MAC Generate (CSNBMGN) | 8.2, 7.5 | Verifying data integrity and authenticating messages |
CSNBMVR | MAC Verify (CSNBMVR) | 8.2, 7.5 | Verifying data integrity and authenticating messages |
CSNBT31X | TR31 Translate (CSNBT31X) | 8.2, 7.5 | TR-31 symmetric key management |
CSNBT31I | TR31 Key Import (CSNBT31I) | 8.2, 7.5 | TR-31 symmetric key management |
CSNDPKG | PKA Key Generate (CSNDPKG) | 8.2, 7.5 | Managing PKA cryptographic keys |
CSNDPKI | PKA Key Import (CSNDPKI) | 8.2 | Managing PKA cryptographic keys |
CSNDPKB | PKA Key Token Build (CSNDPKB) | 8.2, 7.5 | Managing PKA cryptographic keys |
CSNDKTC | PKA Key Token Change (CSNDKTC) | 8.2, 7.5 | Managing PKA cryptographic keys |
CSNDPKT | PKA Key Translate (CSNDPKT) | 8.2, 7.5 | Managing PKA cryptographic keys |
CSNDPKX | PKA Public Key Extract (CSNDPKX) | 8.2, 7.5 | Managing PKA cryptographic keys |
ACP | Definition | Default |
---|---|---|
00D0 | Allow CSNBKGN2 to generate AES DKYGENKY keys with MMSAUTH1 and MMSAUTH2 and keyform OPEX for CSNBMMS | 0 |
00D1 | Allow CSNBDKG2 to derive keys from AES DKYGENKY keys with MMSAUTH1 attribute | 0 |
00D2 | Allow CSNBMMS service with KDFFM-DK | 1 |
00D3 | Disallow CSNBKGN2 from generating AES MAC keys with PTR2AUTH | 0 |
00D4 | Allow CSNDSYG to generate AES CIPHER or MAC keys | 1 |
0085 | Disallow ISO-2 PIN block generate | 0 |
0086 | Disallow ISO-2 PIN block verify | 0 |
0087 | Disallow ISO-2 PIN block translate | 0 |
03CB | Permit import of an RSA key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |
03CC | Permit import of an ECC key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |
03CD | Permit import of an AES key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |
ACP | Definition | Default |
---|---|---|
00F0 | Reencipher CKDS2 | 1 |
0146 | CKDS Conversion2 - Allow wrapping override keywords | 1 |
0147 | CKDS Conversion2 - Convert from enhanced to original | 1 |
0148 | PCF CKDS Conversion - Allow wrapping override keywords | 1 |
007D | Allow multi-use certificates | 0 |
0116 | Access Control Manager - Read role | 1 |
02EB | Allow weak wrapping of compliance-tagged keys by DES MK | 0 |
0332 | Warn when weak wrap - Master keys | 1 |
0333 | Prohibit weak wrapping - Master keys | 0 |
0034 | Log Query: System | 0 |
0035 | Log Query: CCA | 0 |
0036 | Log Query: Set Log Level -4- | 0 |
0037 | Log Query: Set Log Level -8- | 0 |
003D | TR-34 - Allow expired CRL | 1 |
003E | TR-34 - Allow expired KRD Certificate | 1 |
0048 | Log Query: Set secure log range | 0 |
0049 | Log Query: Secure log clear range inactive | 0 |
004A | Log Query: Secure log clear range activate | 0 |
004B | Log Query: Secure log clear all inactive | 0 |
004C | Log Query: Secure log clear all activate | 0 |
0055 | ISO PIN blocks do not check PIN digits | 1 |
006E | T31X - Disallow Partial DES Key Export with CV in IBMC01 OB | 0 |
006F | T31I Disallow Partial DES Key Import with CV in IBMC01 OB | 0 |
0070 | Public Infrastructure Certificate | 1 |
0071 | PIC Signature Algorithm SHA+RSA | 0 |
0072 | PIC Signature Algorithm ECDSA | 0 |
0073 | PIC Signature Algorithm RSASSA_PSS | 0 |
0076 | PIC Signature Algorithm SHA-1 | 0 |
0077 | PIC Signature Algorithm SHA-224 | 0 |
0078 | PIC Signature Algorithm SHA-256 | 0 |
0079 | PIC Signature Algorithm SHA-384 | 0 |
007A | PIC Signature Algorithm SHA-512 | 0 |
007B | PIC: Create x509 certificate | 0 |
007C | Public Infrastructure Certificate - PK10SNRQ | 0 |
00CF | Restrict PIN Messages | 0 |
00EF | Allow ECC Private Key Export - CSNDPKT service ECC-AES1 | 0 |
013F | Remote Key Export - include RKX in default wrap config | 0 |
014D | T31X - Permit version A TR-31 key blocks | 1 |
014E | T31X - Permit version B TR-31 key blocks | 1 |
014F | T31X - Permit version C TR-31 key blocks | 1 |
015B | TR31 Import - Permit C0 to MAC/MACVER:AMEX-CSC | 1 |
017D | TR31 Import - Permit HMAC MAC | 1 |
0182 | T31X - Permit DES MAC/MACVER: CVV-KEYA to C0:G/C/V | 0 |
0183 | T31X - Permit DES MAC/MACVER:ANY-MAC to C0:G/C/V | 1 |
0184 | T31X - Permit DES DATA to C0:G/C/V | 1 |
0185 | T31X - Permit DES ENCIPHER/DECIPHER/CIPHER to D0:E/D/B | 1 |
0186 | T31X - Permit DES DATA to D0:E/D/B | 1 |
0187 | T31X - Permit DES EXPORTER/OKEYXLAT to K0:E | 1 |
0188 | T31X - Permit DES IMPORTER/IKEYXLAT to K0:D | 0 |
0189 | T31X - Permit DES EXPORTER/OKEYXLAT to K1/K4:E | 0 |
018A | T31X - Permit DES IMPORTER/IKEYXLAT to K1/K4:D | 0 |
018B | T31X - Permit DES MAC/DATA/DATAM to M0:G/C | 0 |
018C | T31X - Permit DES MACVER/DATAMV to M0:V | 1 |
018D | T31X - Permit DES MAC/DATA/DATAM to M1:G/C | 1 |
018E | T31X - Permit DES MACVER/DATAMV to M1:V | 1 |
018F | T31X - Permit DES MAC/DATA/DATAM to M3:G/C | 1 |
0190 | T31X - Permit DES MACVER/DATAMV to M3:V | 1 |
0191 | T31X - Permit DES OPINENC to P0:E | 1 |
0192 | T31X - Permit DES IPINENC to P0:D | 1 |
0193 | T31X - Permit DES PINVER:NO-SPEC to V0 | 0 |
0194 | T31X - Permit DES PINGEN:NO-SPEC to V0 | 0 |
0195 | T31X - Permit DES PINVER:NO-SPEC/IBM-PIN/IBM-PINO to V1 | 1 |
0196 | T31X - Permit DES PINGEN:NO-SPEC/IBM-PIN/IBM-PINO to V1 | 1 |
0197 | T31X - Permit DES PINVER:NO-SPEC/VISA-PVV to V2 | 1 |
0198 | T31X - Permit DES PINGEN:NO-SPEC/VISA-PVV to V2 | 1 |
0199 | T31X - Permit DES DKYGENKY:DKYL0 + DMAC to E0:N/X | 0 |
019A | T31X - Permit DES DKYGENKY:DKYL0 + DMV to E0:N/X | 0 |
019B | T31X - Permit DES DKYGENKY:DKYL0 + DALL to E0:N/X | 0 |
019C | T31X - Permit DES DKYGENKY:DKYL1 + DMAC to E0:N/X | 0 |
019D | T31X - Permit DES DKYGENKY:DKYL1+DMV to E0:N/X | 0 |
019E | T31X - Permit DES DKYGENKY:DKYL1+DALL to E0:N/X | 0 |
019F | T31X - Permit DES DKYGENKY:DKYL0+DDATA to E1:N/X | 0 |
01A0 | T31X - Permit DES DKYGENKY:DKYL0+DMPIN to E1:N/X | 0 |
01A1 | T31X - Permit DES DKYGENKY:DKYL0+DALL to E1:N/X | 0 |
01A2 | T31X - Permit DES DKYGENKY:DKYL1+DDATA to E1:N/X | 0 |
01A3 | T31X - Permit DES DKYGENKY:DKYL1+DMPIN to E1:N/X | 0 |
01A4 | T31X - Permit DES DKYGENKY:DKYL1+DALL to E1:N/X | 0 |
01A5 | T31X - Permit DES DKYGENKY:DKYL0+DMAC to E2:N/X | 0 |
01A6 | T31X - Permit DES DKYGENKY:DKYL0+DALL to E2:N/X | 0 |
01A7 | T31X - Permit DES DKYGENKY:DKYL1+DMAC to E2:N/X | 0 |
01A8 | T31X - Permit DES DKYGENKY:DKYL1+DALL to E2:N/X | 0 |
01A9 | T31X - Permit DES DATA/MAC/CIPHER/ENCIPHER to E3:N/G/E/X | 0 |
01AA | T31X - Permit DES DKYGENKY:DKYL0+DDATA to E4:N/X | 1 |
01AB | T31X - Permit DES DKYGENKY:DKYL0+DALL to E4:N/X | 1 |
01AC | T31X - Permit DES DKYGENKY:DKYL0+DEXP to E5:N/X | 0 |
01AD | T31X - Permit DES DKYGENKY:DKYL0+DMAC to E5:N/X | 0 |
01AE | T31X - Permit DES DKYGENKY:DKYL0+DDATA to E5:N/X | 0 |
01AF | T31X - Permit DES DKYGENKY:DKYL0+DALL to E5:N/X | 1 |
01B0 | T31X - Permit DES PINGEN to V0:N and DES PINVER to V1/V2:N | 0 |
01B1 | Public Infrastructure Manage | 1 |
01B2 | PIM: Load Root Certificate | 0 |
01B3 | PIM: Activate Root Certificate | 0 |
01B6 | PIM: Delete Certificate | 0 |
01B7 | PIM: Signature Algorithm SHA+RSA | 0 |
01B8 | PIM: Signature Algorithm ECDSA | 0 |
01B9 | PIM: Signature Algorithm RSASSA_PSS | 0 |
01BA | PIM: Signature Algorithm SHA-1 | 0 |
01BB | PIM: Signature Algorithm SHA-224 | 0 |
01BC | PIM: Signature Algorithm SHA-256 | 0 |
01BD | PIM: Signature Algorithm SHA-384 | 0 |
01BE | PIM: Signature Algorithm SHA-512 | 0 |
01BF | PIM: Load Sub-CA Certificate | 0 |
01CF | T31X - Permit AES DKYGENKY:DUKPT BDK to B0:X | 1 |
01D0 | T31X - Permit AES CIPHER to D0:E/D/B | 1 |
01D1 | T31X - Permit AES MAC: CMAC to M6:G/C/V | 1 |
01D2 | T31X - Permit AES PINPROT to P0:E/D | 1 |
01D3 | T31X - Permit AES EXPORTER to K0:E | 1 |
01D4 | T31X - Permit AES EXPORTER to K1:E | 1 |
01D5 | T31X - Permit AES EXPORTER to K4:E | 1 |
01D6 | T31X - Permit AES IMPORTER to K0:D | 1 |
01D7 | T31X - Permit AES IMPORTER to K1:D | 1 |
01D8 | T31X - Permit AES IMPORTER to K4:D | 1 |
01D9 | T31X - Permit AES DKYGENKY:D-ALL/DMAC to E0:X | 1 |
01DA | T31X - Permit AES DKYGENKY:D-ALL/DCIPHER to E1:X | 1 |
01DB | T31X - Permit AES DKYGENKY:D-ALL/D-MAC to E2:X | 1 |
01DC | T31X - Permit AES CIPHER to E3/E/B,DKYGENKY:D-ALL/DCIP to E3:X | 1 |
01DD | T31X - Permit AES DKYGENKY:D-ALL/D-CIPHER to E4:X | 1 |
01DE | T31X - Permit AES DKYGENKY:D-MAC to E5:X | 1 |
01DF | TR-34 Key Receive - Allow wrapping override keywords | 1 |
01E0 | T31I - Permit D0:E/D/B to AES CIPHER:ENC/DEC/ENC+DEC | 1 |
01E1 | T31I - Permit M6:G/C/V to AES MAC:CMAC+GENONLY/GEN/VER | 1 |
01E2 | T31I - Permit P0:E/D to AES PINPROT:ENC/DEC+CBC+ISO-4 | 1 |
01E3 | T31I - Permit K0:E to AES EXPORTER | 1 |
01E4 | T31I - Permit K0:D to AES IMPORTER | 1 |
01E5 | T31I - Permit K1/K4:E to AES EXPORTER:EXPTT31D+VARDRV-D | 1 |
01E6 | T31I - Permit AES K1/K4:D to AES IMPORTER:IMPTT31D+VARDRV-D | 1 |
01E7 | T31I - Permit E0:X to AES DKYGENKY:DKYL0/L1/L2+D-MAC+GEN+CMAC | 1 |
01E8 | T31I - Permit E1:X to AES DKYGENKY:DKYL0/L1/L2+D-SECMSG+SMPIN | 1 |
01E9 | T31I - Permit E2:X to AES DKYGENKY:DKYL0/L1/L2+D-MAC+GEN+CMAC | 1 |
01EA | T31I - Permit E3:X to AES DKYGENKY:D-CIPHER+ENC+DEC+CBC | 1 |
01EB | T31I - Permit E3:E/B to AES CIPHER:ENCRYPT/ENC+DEC | 1 |
01EC | T31I - Permit E4:X to AES DKYGENKY:DKYL0/L1/L2+D-CIPHER+ENC+DEC | 1 |
01ED | T31I - Permit E5:X to AES DKYGENKY:DKYL0/L1/L2/D-MAC+GEN+CMAC | 1 |
01EE | PKA Key Translate - allow COMP-TAG | 1 |
01EF | PKA Key Translate - allow COMP-CHK | 1 |
01F0 | TR-34 Bind-Begin | 1 |
01F1 | TR-34 Bind-Begin - allow BINDCR | 1 |
01F2 | TR-34 Bind-Begin - allow UNBINDCR | 1 |
01F3 | TR-34 Bind-Begin - allow REBINDCR | 1 |
01F4 | TR-34 Begin-Complete | 1 |
01F5 | TR-34 Begin-Complete - allow BINDKRDC | 1 |
01F6 | TR-34 Begin-Complete - allow BINDRV | 1 |
01F7 | TR-34 Begin-Complete - allow UNBINDRV | 1 |
01F8 | TR-34 Begin-Complete - allow REBINDRV | 1 |
01F9 | TR-34 Key Distribution | 1 |
01FA | TR-34 Key Distribution - allow 2PASSCRE | 1 |
01FB | TR-34 Key Distribution - allow 1PASSCRE | 1 |
01FC | TR-34 Key Receive | 1 |
01FD | TR-34 Key Receive - allow 2PASSRCV | 1 |
01FE | TR-34 Key Receive - allow 1PASSRCV | 1 |
01FF | Permit X.509 without PKI root validation | 1 |
0203 | Retained Key Delete | 1 |
0204 | PKA Key Generate - Clone | 1 |
0205 | PKA Key Generate - Clear RSA Key | 1 |
0206 | PKA Encrypt - Disallow PKCS-1.2 | 0 |
0207 | PKA Encrypt - Disallow ZEROPAD | 0 |
0208 | PKA Encrypt - Disallow MRP | 0 |
0209 | PKA Encrypt - Disallow PKCSOAEP | 0 |
020A | PKA Decrypt - Disallow PKCS-1.2 | 0 |
020B | PKA Decrypt - Disallow ZEROPAD | 0 |
020C | PKA Decrypt - Disallow PKCSOAEP | 0 |
020D | T31X - Permit HMAC MAC to M7:G/V/C | 1 |
020E | PKA Key Generate - Clear CRYSTALS-Kyber keys | 1 |
0259 | Clear Pending Change Buffer | 0 |
027F | PKA Key Generate - Clear CRYSTALS-Dilithium keys | 1 |
02AB | CCA Device Certificate Delete, Auth (Smart Card) | 0 |
02AC | TKE CA Certificate Exp Delete (Smart Card) | 0 |
02AD | T31X Permit EXPORTER to K0/K1:B | 0 |
02AE | T31X Permit IMPORTER to K0/K1:B | 0 |
02BA | Remote Key Export - Allow wrapping override keywords | 0 |
02BB | Key Generate2 - DK PIN key set | 0 |
02BC | Key Generate2 - DK PIN print key | 0 |
02BD | Key Generate2 - DK PIN admin1 key set PINPROT | 0 |
02BE | Key Generate2 - DK PIN admin1 key set MAC | 0 |
02BF | Key Generate2 - DK PIN admin2 key set MAC | 0 |
02C0 | DK Random PIN Generate | 0 |
02C1 | DK PIN Verify | 0 |
02C2 | DK PIN Change | 0 |
02C3 | DK PRW Card Number Update | 0 |
02C4 | DK PRW CMAC Generate | 0 |
02C5 | DK PAN Modify in Transaction | 0 |
02C6 | DK Deterministic PIN Generate | 0 |
02C7 | DK PAN Translate | 0 |
02C8 | DK Regenerate PRW | 0 |
02CD | Diversified Key Generate2 - DALL | 0 |
02CE | DK Migrate PIN | 0 |
02D2 | Diversified Key Generate2 - MK-OPTC | 0 |
02D3 | Diversified Key Generate2 - KDFFM-DK | 0 |
02D4 | Diversified Key Generate2 - Allow length option for KDFFM-DK | 0 |
02D5 | Encrypted PIN Translate Enhanced | 0 |
02D6 | DM load role | 0 |
02D7 | DM load profile | 0 |
02D8 | DM load role cos | 0 |
02D9 | DM load profile cos | 0 |
02DA | DM delete role | 0 |
02DB | DM delete profile | 0 |
02DC | DM delete role cos | 0 |
02DD | DM delete profile cos | 0 |
02E0 | CFC:COMPIMPR | 0 |
02E1 | CFC:COMPIMPR cos | 0 |
02E2 | CFC:COMP-SET | 0 |
02E3 | CFC:COMP-SET cos | 0 |
02E4 | CFC:COMP-RMV | 0 |
02E5 | CFC:COMP-RMV cos | 0 |
02E6 | CFC:COMP-RMV imprint mode | 0 |
02E7 | CFC:COMPMIGB | 0 |
02E8 | CFC:COMPMIGB cos | 0 |
02E9 | CFC:COMPMIGE | 0 |
02EA | CFC:COMPMIGE cos | 0 |
02EC | IGN_RKA_DATAXMAC | 0 |
02ED | CMD_RKA_DATAXCIP | 0 |
02EE | CMD_PKT_INTUSCHG | 1 |
02EF | CMD_PKT_EXTUSCHG | 0 |
02F0 | PUB_X_MACDPUB | 0 |
02F1 | RSAPRV_X_MACDPUB | 0 |
02F2 | ECCPRV_X_MACDPUB | 0 |
02F3 | X509_X_MACDPUB | 0 |
02F4 | ALLOW_SHA1_X509 | 0 |
02F5 | Authenticated Key Export - SETSNKEY | 1 |
02F6 | Authenticated Key Export - DRVTXKEY | 1 |
02F7 | Authenticated Key Export - EXPTSK | 1 |
02F8 | Key Translate2 - COMP-TAG | 1 |
02F9 | Key Translate2 - COMP-CHK | 1 |
030D | Key Encryption Translate - CBC to ECB | 1 |
030E | Key Encryption Translate - ECB to CBC | 1 |
0334 | Key Translate2 - Translate fixed to variable payload | 0 |
0335 | Unique Key Derive - K3IPEK | 0 |
033B | Digital Signature Verify - PKCS-PSS allow not exact salt length | 0 |
033C | Digital Signature Generate - PKCS-PSS allow small salt | 0 |
033E | CKM_RAKW - Allow RSA2048 to wrap stronger keys (e.g.,AES-128,192,256) | 0 |
0382 | T31X - Permit Version D TR-31 Key Blocks | 1 |
0383 | T31X - Permit AES KDKGENKY: KDKTYPEA to 11:X | 0 |
0384 | T31X - Permit AES KDKGENKY: KDKTYPEB to 10:X | 0 |
0385 | T31X - Permit DKYGENKY:DKYL0+DMPIN to 12 | 0 |
0393 | Encrypted PIN Translate2 - Permit ISO-1 to ISO-4 RFMT1TO4 | 0 |
039E | T31X - Permit DES OPINENC/IPINENC to P0:B | 1 |
03B0 | Encrypted PIN Verify2 – REFPIN | 1 |
03B1 | Encrypted PIN Verify2 - TRUNCPIN | 1 |
03B2 | Symmetric Algorithm Encipher - Allow A28MACGN and A28MACVR | 1 |
03B3 | Symmetric Algorithm Encipher - Allow A28OWFCL | 1 |
03B4 | Symmetric Algorithm Encipher - Allow A28OWFEC | 1 |
03B5 | Random Number Generate Long - TDES-CBC | 1 |
03B6 | PKA Key Translate - From CCA RSA to CKM-RAKW format | 0 |
03B7 | PKA Key Translate - From CCA ECC to CKM-RAKW format | 0 |
03B8 | Symmetric Key Export - AES, CKM-RAKW | 0 |
03B9 | Diversified Key Generate - A28OWFEC | 1 |
03BA | Diversified Key Generate - A28OWFCL | 1 |
03BB | Diversified Key Generate - A28XOREC | 1 |
03BC | KPI2 - Allow TR-31 clear key import | 1 |
03C1 | T31C - Permit TR-31 AES creation | 1 |
03C2 | T31C - Permit TR-31 DES creation | 1 |
03C3 | T31C - Permit TR-31 HMAC creation | 1 |
03C4 | T31C - Permit TR-31 internal key creation | 1 |
03C5 | T31C - Permit TR-31 external key creation | 1 |
03C6 | T31C - Permit TR-31 internal/external key pair creation | 1 |
03C7 | T31C - Permit TR-31 KB Version A creation | 1 |
03C8 | T31C - Permit TR-31 KB Version B creation | 1 |
03C9 | T31C - Permit TR-31 KB Version C creation | 1 |
03CA | T31C - Permit TR-31 KB Version D creation | 1 |
03D0 | KPIT - Allow TR-31 AES load “FIRST” Minpart1 | 0 |
03D1 | KPIT - Allow TR-31 AES load “FIRST” Minpart2+ | 0 |
03D2 | KPIT - Allow TR-31 AES Add 2nd and later key parts | 0 |
03D3 | KPIT - Allow TR-31 AES Clearing Key Part Reg | 0 |
03D4 | KPIT - Allow TR-31 DES load “FIRST” Minpart1 | 0 |
03D5 | KPIT - Allow TR-31 DES load “FIRST” Minpart2+ | 0 |
03D6 | KPIT - Allow TR-31 DES Add 2nd and later key parts | 0 |
03D7 | KPIT - Allow TR-31 DES Clearing Key Part Reg Note | 0 |
03D8 | KPIT - Allow TR-31 HMAC load “FIRST” Minpart1 | 0 |
03D9 | KPIT - Allow TR-31 HMAC load “FIRST” Minpart2+ | 0 |
03DA | KPIT - Allow TR-31 HMAC Add 2nd and later key parts | 0 |
03DB | KPIT - Allow TR-31 HMAC Clearing Key Part Reg | 0 |
03DC | KPIT - Allow TR-31 AES Complete | 0 |
03DD | KPIT - Allow TR-31 DES Complete | 0 |
03DE | KPIT - Allow TR-31 HMAC Complete | 0 |
03DF | T31X - Permit DES KEYGENKY:DUKPT, AES DKYGENKY:DUKPT to B1 | 1 |
03E0 | T31X - Permit DES DKYGENKY, AES KDKGENKY to B3 | 1 |
03E1 | T31X - Permit CIPHER:XLATE to D3 | 1 |
03E2 | T31X - Permit SECMSG:SMPIN to P0 | 1 |
03E3 | T31X - Permit SECMSG:SMKEY to K0 | 1 |
03E4 | T31X - Permit DES DKYGENKY:DKYL0+DMAC to F0:X | 0 |
03E5 | T31X - Permit DES DKYGENKY:DKYL0+DMV to F0:X | 0 |
03E6 | T31X - Permit DES DKYGENKY: DKYL0+DALL to F0:X | 0 |
03E7 | T31X - Permit DES MAC to M6 | 1 |
03E8 | T31I - Permit B1 to DES KEYGENKY:DUKPT and AES DKYGENKY:DUKPT | 1 |
03E9 | T31I - T31I - Permit B3 to DES DKYGENKY and AES KDKGENKY | 1 |
03EA | T31I - Permit D3 to CIPHER:XLATE | 1 |
03EB | T31I - Permit F0:X to DES DKYGENKY:DKYL0+DMAC | 0 |
03EC | T31I - Permit F0:X to DES DKYGENKY:DKYL0+DMV | 0 |
03ED | T31I - Permit F1:X to DES DKYGENKY:DKYL0+DMPIN | 0 |
03EE | T31I - Permit F1:X to DES DKYGENKY:DKYL0+DDATA | 0 |
03EF | T31I - Permit F2:X to DES DKYGENKY:DKYL0+DMAC | 0 |
03F0 | T31I - Permit M6 to DES MAC | 1 |
03F1 | PKA Encrypt - Disallow PKOAEP2 | 0 |
03F2 | PKA Decrypt - Disallow PKOAEP2 | 0 |
03F3 | SKY - Allow K0 for secmsg key identifier | 1 |
03F4 | SPN - Allow P0 for secmsg key identifier | 1 |
03F5 | T31X - Permit DES DKYGENKY:DKYL0+DDATA to F1:X | 0 |
03F6 | T31X - Permit DES DKYGENKY:DKYL0+DMPIN to F1:X | 0 |
03F7 | T31X - Permit DES DKYGENKY:DKYL0+DALL to F1:X | 0 |
03F8 | T31X - Permit DES DKYGENKY:DKYL0+DMAC to F2:X | 0 |
03F9 | T31X - Permit DES DKYGENKY:DKYL0+DALL to F2:X | 0 |
03FA | T31X - Permit DES DATA/MAC/CIPHER/ENCIPHER to F3:N/G/E/X | 0 |
03FB | T31X - Permit DES DKYGENKY:DKYL0+DDATA to F4:X | 0 |
03FC | T31X - Permit DES DKYGENKY:DKYL0+DALL to F4:X | 1 |
03FD | T31X - Permit AES DKYGENKY:D-ALL/DMAC to F0:X | 1 |
03FE | T31X - Permit AES DKYGENKY:DALL/DCIPHER to F1:X | 1 |
03FF | T31X - Permit AES DKYGENKY:D-ALL/DMAC to F2:X | 0 |
0500 | T31X - Permit AES CIPHER, DKYGENKY:DALL/DCIPHER to F3:E/B/X | 1 |
0501 | T31X - Permit AES DKYGENKY:DALL/DCIPHER to F4:X | 1 |
0502 | T31I - Permit F3:N/E/D/B/G/X to DES ENCIPHER | 1 |
0503 | T31I - Permit F4:X to DES DKYGENKY:DKYL0+DDATA | 1 |
0504 | T31I - Permit F0:X to AES DKYGENKY:DKYL0+DMAC+GENERATE+CMAC | 1 |
0505 | T31I - Permit F1:X to AES DKYGENKY:DKYL0+DSECMSG+SMPIN+ANY-USE | 1 |
0506 | T31I - Permit F2:X to AES DKYGENKY:DKYL0+D-MAC+GENERATE+CMAC | 1 |
0507 | T31I - Permit F3:X to AES DKYGENKY:D-CIPHER+ENCRYPT+DECRYPT+CBC | 1 |
0508 | T31I - Permit F3:E/B to AES CIPHER:ENCRYPT/ENCRYPT+DECRYPT | 1 |
0509 | T31I - Permit F4:X to AES DKYGENKY:DKYL0+D-CIPHER+ENC+DEC+CBC | 1 |
ACP | Definition | Default |
---|---|---|
003D | TR-34 - Allow expired CRL | 1 |
003E | TR-34 - Allow expired KRD Certificate | 1 |
02AD | T31X Permit EXPORTER to K0/K1:B | 0 |
02AE | T31X Permit IMPORTER to K0/K1:B | 0 |
0143 | Symmetric token wrapping - internal enhanced method version 3 | 1 |
0145 | Symmetric token wrapping - external enhanced method version 3 | 1 |
0080 | Diversify Directed Key | 0 |
0081 | Diversify Directed Key - Allow KDFFM DERIVE | 0 |
0082 | Diversify Directed Key - Allow KDFFM GENERATE | 0 |
0083 | PKA Encrypt - Allow CRYSTALS-Kyber keys | 1 |
0084 | PKA Decrypt - Allow CRYSTALS-Kyber keys | 1 |
03B0 | Encrypted PIN Verify2 – REFPIN | 1 |
03B1 | Encrypted PIN Verify2 - TRUNCPIN | 1 |
03B2 | Symmetric Algorithm Encipher - Allow A28MACGN and A28MACVR | 1 |
03B3 | Symmetric Algorithm Encipher - Allow A28OWFCL | 1 |
03B4 | Symmetric Algorithm Encipher - Allow A28OWFEC | 1 |
03B5 | Random Number Generate Long - TDES-CBC | 1 |
03B6 | PKA Key Translate - From CCA RSA to CKM-RAKW format | 0 |
03B7 | PKA Key Translate - From CCA ECC to CKM-RAKW format | 0 |
03B8 | Symmetric Key Export - AES, CKM-RAKW | 0 |
03B9 | Diversified Key Generate - A28OWFEC | 1 |
03BA | Diversified Key Generate - A28OWFCL | 1 |
03BB | Diversified Key Generate - A28XOREC | 1 |
00E1 | DUKPT - PIN Verify, PIN Translate | 1 |
020E | PKA Key Generate - Clear CRYSTALS-Kyber keys | 0 |
02B2 | Authentication Parameter Generate - Clear | 1 |
033E | CKM_RAKW - Allow RSA2048 to wrap stronger keys (e.g.,AES-128,192,256) | 0 |
035D | ECC Diffie-Hellman - Allow Hybrid QSA Scheme | 1 |
039F | General ISO PIN Error Security | 0 |
03A0 | Encrypted PIN Translate - Translate PIN Check Mode | 0 |