Edition March 2023, CCA Support Program Releases 8.0 and 7.4
This edition describes the IBM® CCA Basic Services API for Releases 7.4 and 8.0.
CCA Releases 7.4 and 8.0 offer the following new features and functions:
- Support for the Australian Payment Network (APN) (based on standard AS2805.5.4):
  - Key derivation:
    - CSNBDKG supports key derivation to meet the needs of the APN.
    - CSNBRNGL supports encrypting the output under a data-encrypting key.
  - MAC generation:
    - CSNBSAE supports generating and verifying MACs and related processing.
    - CSNBMGN and CSNBMVR add new keywords for the TDES-based One Way Function, which is unique to the Australian financial sector.
- A new verb, Encrypted PIN Verify2 (CSNBPVR2), performs PIN verification by comparing two encrypted PIN blocks.
- The verbs CSNDDSG and CSNDDSV can now use the Schnorr Digital Signature Algorithm (SDSA). You can use this enhancement to sign and verify Europay MasterCard Visa (EMV) certificates. For this purpose, a new keyword EC-SDSA is provided, which supports the ECC curves secp256r1 and secp521r1.
- To support key exchange with applications that use the PKCS #11 standard, two services, CSNDPKT and CSNDSYX, have been enhanced to allow key translation from a CCA token format to the PKCS #11 object format.
- For processing with TR-34 functions, users can now optionally check the expiration dates of the certificate revocation list (CRL) and the key receiving device (KRD) certificate. For this purpose, new return codes, new ACPs, and new keywords of the TR-34 verbs are provided.
Table 1. New verb for CCA Releases 7.4 and 8.0

| Verb | Service name |
|---|---|
| CSNBPVR2 | Encrypted PIN Verify2 (CSNBPVR2) |

Table 2. Updated verbs for CCA Releases 7.4 and 8.0

| Verb | Service name |
|---|---|
| CSNBDDK | Diversify Directed Key (CSNBDDK) |
| CSNBPTR2 | Encrypted PIN Translate2 (CSNBPTR2) |
| CSNBDPC | DK PIN Change (CSNBDPC) |
| CSNBDPV | DK PIN Verify (CSNBDPV) |
| CSNBSAE | Symmetric Algorithm Encipher (CSNBSAE) |
| CSNBSAD | Symmetric Algorithm Decipher (CSNBSAD) |
| CSNBDKG2 | Diversified Key Generate2 (CSNBDKG2) |
| CSNBDKG | Diversified Key Generate (CSNBDKG) |
| CSNBRNGL | Random Number Generate Long (CSNBRNGL) |
| CSNDPKB | PKA Key Token Build (CSNDPKB) |
| CSNDPKG | PKA Key Generate (CSNDPKG) |
| CSNDDSG | Digital Signature Generate (CSNDDSG) |
| CSNDDSV | Digital Signature Verify (CSNDDSV) |
| CSNDPKT | PKA Key Translate (CSNDPKT) |
| CSNDSYX | Symmetric Key Export (CSNDSYX) |
| CSNDT34B | TR-34 Bind-Begin (CSNDT34B) |
| CSNDT34C | TR-34 Bind-Complete (CSNDT34C) |
| CSNDT34D | TR-34 Key Distribution (CSNDT34D) |
| CSNDT34R | TR-34 Key Receive (CSNDT34R) |
CCA Release 8.0 offers the following new features and functions:
- Enhancements are available for TR-31 symmetric key management:
  - "N" TR-31 mode of use is now allowed with B, C, and D wrapping: the 'N' Mode of Use is no longer restricted to the A wrapping method. Key usages that allow 'N' Mode of Use with all wrapping methods in verbs CSNBT31X and CSNBT31I are the following:
    - 'B0'
    - 'E0', 'E1', 'E2', 'E3', 'E4', 'E5'
    - 'V0', 'V1', 'V2'
  - "B" TR-31 mode of use is now allowed for K0 export: the CSNBT31X verb allows export of an IMPORTER / EXPORTER key as 'K0' Key Usage with 'B' Mode of Use.
- Using CCA, you can build a hybrid quantum-safe key exchange scheme. In this scheme, the CCA services support a mechanism in which none of the data that is input to the final key derivation is exposed outside of the cryptographic coprocessor.
- Multiple CCA services for generating and managing public/private key pairs now support the CRYSTALS-Dilithium Round 3 and CRYSTALS-Kyber Round 2 quantum-safe algorithms. The following verbs therefore provide new or changed keywords:
Table 3. Updated verbs for CCA Release 8.0

| Verb | Service name |
|---|---|
| Services supporting CRYSTALS-Dilithium Round 3 | |
| CSNDPKB | PKA Key Token Build (CSNDPKB) |
| CSNDPKG | PKA Key Generate (CSNDPKG) |
| CSNDPKI | PKA Key Import (CSNDPKI) |
| CSNDPKX | PKA Public Key Extract (CSNDPKX) |
| CSNBKTC | Key Token Change (CSNBKTC) |
| CSNDPKT | PKA Key Translate (CSNDPKT) |
| CSNDDSG | Digital Signature Generate (CSNDDSG) |
| CSNDDSV | Digital Signature Verify (CSNDDSV) |
| Services supporting CRYSTALS-Kyber Round 2 | |
| CSNDPKB | PKA Key Token Build (CSNDPKB) |
| CSNDPKG | PKA Key Generate (CSNDPKG) |
| CSNDPKI | PKA Key Import (CSNDPKI) |
| CSNDPKX | PKA Public Key Extract (CSNDPKX) |
| CSNDKTC | PKA Key Token Change (CSNDKTC) |
| CSNDPKT | PKA Key Translate (CSNDPKT) |
| CSNDPKE | PKA Encrypt (CSNDPKE) |
| CSNDPKD | PKA Decrypt (CSNDPKD) |
| CSNDEDH | EC Diffie-Hellman (CSNDEDH) |

- The CCA TKE catcher now supports a TLS connection (the new default) in addition to the legacy plain TCP connection for communication with a Trusted Key Entry (TKE) workstation. Because TLS is now the default, further setup is required after installation before the catcher and the TKE can communicate again: either set the catcher mode back to TCP and restart the catcher daemon, or complete the TLS mode setup. This edition provides instructions for setting up and enabling both the TLS and the TCP connection in the TKE catcher configuration.
The information about openCryptoki support has been moved to the IBM-provided openCryptoki documentation, openCryptoki - An Open Source Implementation of PKCS #11.