How to use this document
Read an overview of the information in each section of this document.
For encryption, CCA supports Advanced Encryption Standard (AES), Data Encryption Standard (DES), public key cryptography (PKA or RSA), and elliptic curve cryptography (ECC). These are very different cryptographic systems. Additionally, CCA provides APIs for generating and verifying Message Authentication Codes (MACs), Hashed Message Authentication Codes (HMACs), hashes, and PINS, as well as other cryptographic functions.
IBM CCA programming includes the following chapters:
- Programming with the IBM Common Cryptographic Architecture describes the programming considerations for using the CCA verbs. It also explains the syntax and parameter definitions used in verbs. Information about concurrency is also provided.
- Running CCA verbs in PCI-HSM 2016 compliance mode describes the support for compliance-tagged tokens introduced with CCA 6.0 It gives links to further related information in this document, and discusses the new warning mode to aid installations in detecting migration concerns.
- Using AES, DES, and HMAC cryptography and verbs gives an overview of AES, DES, and HMAC cryptography, and provides general guidance information on how these verbs use different key types and key forms.
- Introducing PKA cryptography and using PKA verbs introduces Public Key Algorithm (PKA) support and describes programming considerations for using the CCA PKA and ECC verbs, such as the PKA key token structure and key management.
- Introduction to TR-31 symmetric key management introduces TR-31 support and how CCA uses an IBM-defined optional block in a TR-31 key block.
- Understanding and managing master keys provides information about master key management.
CCA verbs includes the following topics:
- Using CCA nodes and resource control verbs describes using the CCA resource control verbs.
- Managing AES, DES, and HMAC cryptographic keys describes the verbs for generating and maintaining DES and AES cryptographic keys, the Random Number Generate verb (which generates 8-byte random numbers), the Random Number Generate Long verb (which generates up to 8192 bytes of random content), and the Secure Sockets Layer (SSL) security protocol. This chapter also describes utilities to build DES and AES tokens, generate and translate control vectors, and describes the PKA verbs that support DES and AES key distribution.
- Protecting data describes the verbs for enciphering and deciphering data.
- Verifying data integrity and authenticating messages describes the verbs for generating and verifying Message Authentication Codes (MACs), generating and verifying Hashed Message Authentication Codes (HMACs), generating Modification Detection Codes (MDCs), and generating hashes (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, MD5, RIPEMD-160).
- Key storage mechanisms describes the use of key storage, key tokens, and associated verbs.
- Financial services describes the verbs for use in support of
finance-industry applications. This includes several categories.
- Verbs for generating, verifying, and translating personal identification numbers (PINS).
- Verbs that generate and verify VISA card verification values and American Express® card security codes.
- Verbs to support smart card applications using the EMV (Europay MasterCard Visa) standards.
- Financial services for DK PIN methods describes the verbs for PIN methods and requirements for financial services specified by the German Banking Industry Committee, Deutsche Kreditwirtschaft (DK).
- TR-34 symmetric key management describes the verbs used to manage TR-34 key blocks and TR-34 functions.
- TR-31 symmetric key management describes the verbs used to manage TR-31 key blocks and TR-31 functions.
- Using digital signatures describes the verbs that support using digital signatures to authenticate messages.
- Managing PKA cryptographic keys describes the verbs that generate and manage PKA keys.
- Utility verbs describes the utility verb CSNBXEA which is provided for code conversion.
Reference information includes the following information:
- Return codes and reason codes explains the return and reason codes returned by the verbs.
- Key token formats describes the formats for AES, DES internal, external, and null key tokens, for PKA public, private external, and private internal key tokens containing Rivest-Shamir-Adleman (RSA) information, PKA null key tokens, ECC key tokens, HMAC key tokens, Transaction Validation Values (TVVs), and trusted blocks.
- Key forms and types used in the Key Generate verb describes the key forms and types used by the Key Generate verb.
- Managing control vectors contains a table of the default control vector values that are associated with each key type and describes the control information for testing control vectors, mask array preparation, selecting the key-half processing mode, and an example of using the Control Vector Translate verb.
- Key type vectors introduces a DK key type vector (KTV) which is used to define how to generate or derive the intended AES variable-length symmetric key.
- PIN formats and algorithms describes the PIN notation, formats, extraction rules, and algorithms.
- Cryptographic algorithms and processes describes various ciphering and key verification algorithms, as well as the formatting of hashes and keys.
- Access control points and verbs lists the access control points and their corresponding verbs.
- Access control data structures documents the data structures that are used in the access control system.
- Using verbs and applications in PCI-HSM 2016 compliance mode informs about how to manage keys, verbs and applications that should apply the PCI-HSM 2016 compliance standard.
- AES-DUKPT reference presents information about the use of AES keys with derived unique key per transaction (DUKPT) processing.
- Sample verb call routines contains sample verb call routines, both in C and Java, that illustrates the practical application of CCA verb calls.
- Initial system set-up tips includes tips to help you set up your system for the first time.
- CCA installation instructions includes RPM installation, configuration, and uninstallation instructions.
- Coexistence of CEX8C and previous CEX*C features includes information about using various versions of CEX*C features in the same system, and other restrictions.
- Utilities describes the ivp.e and panel.exe utilities.
- Security API command and sub-command codes contains an alphabetical list of security API command and sub-command codes returned by the output rule-array for option STATDIAG of the Cryptographic Facility Query verb.
- The content of openCryptoki support has been moved into the following document: openCryptoki - An Open Source Implementation of PKCS #11
- List of abbreviations contains definitions of abbreviations used in this publication.