Edition August 2024, CCA Support Program Releases 8.2 and 7.5

This edition describes the IBM® CCA Basic Services API for Releases 8.2 and 7.5. The complete functionality of Release 8.2 is available on CEX8C cryptographic coprocessors only. Much of the functionality of CCA 8.2 is also available with CCA 7.5 for the CEX7C. Differences are marked in this publication.

CCA Releases 8.2 and 7.5 offer the following new features and functions:

  • Support for CRYSTALS-Kyber Round 2 and 3:
    • CRYSTALS-Kyber (768) Round 2
      • Key management: CSNDPKB, CSNDPKG, CSNDPKI, CSNDPKX, CSNDKTC, CSNDPKT
      • Other services: CSNDPKE, CSNDPKD, CSNDEDH - for hybrid key negotiation support
    • CRYSTALS-Kyber (1024) Round 3 and CRYSTALS-Kyber (768) Round 3
      • Key management: CSNDPKB, CSNDPKG, CSNDPKI, CSNDPKX, CSNDKTC, CSNDPKT
      • Other services: CSNDPKE, CSNDPKD, CSNDEDH - for hybrid key negotiation support
  • Updates for the CSNBDKG2 service:

    Derive keys that participate in the M of N MAC Scheme as documented for the CSNBMMS service.

  • Updates for the CSNDSYG service:

    Extend the service to also produce X‘05’ variable-length AES CIPHER or MAC type keys with the OP, EX, or IM rules.

  • Updates for the CSNBMGN and CSNBMVR services:

    Add triple key TDES support for the EMVMACD/X9.19OPT process rules.

  • Updates for the CSNDSYI2 service (CCA Release 8.2 only):

    You can use the Symmetric Key Import service to import external keys that have been previously formatted using the PKCS #11 RSA AES key wrap mechanism.

  • Updates for the CSNDPKI service (CCA Release 8.2 only):

    You can use the PKA Key Import service to import external keys that have been previously formatted using the RSA AES key wrap mechanism.

The CCA API includes the following new verb:

Table 1. New verb for CCA Releases 8.2 and 7.5

| Verb | Service name | Category |
|---|---|---|
| CSNBMMS | Multi-MAC Scheme (CSNBMMS) | Managing AES, DES, and HMAC cryptographic keys |

You can use this service to derive M of N MAC verification keys, validate M of N possible MACs over the input data, derive a final MAC key, then generate and return a final MAC.

The following verbs provide new or updated keywords or other updated information:

Table 2. Updated verbs for CCA Releases 8.2 and 7.5

| Verb | Service name | Release | Category |
|---|---|---|---|
| CSNBDKG2 | Diversified Key Generate2 (CSNBDKG2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDEDH | EC Diffie-Hellman (CSNDEDH) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBKGN2 | Key Generate2 (CSNBKGN2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBKTB2 | Key Token Build2 (CSNBKTB2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBKTP2 | Key Token Parse2 (CSNBKTP2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDPKD | PKA Decrypt (CSNDPKD) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDPKE | PKA Encrypt (CSNDPKE) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBRKA | Restrict Key Attribute (CSNBRKA) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDSYG | Symmetric Key Generate (CSNDSYG) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDSYI2 | Symmetric Key Import2 (CSNDSYI2) | 8.2 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBMGN | MAC Generate (CSNBMGN) | 8.2, 7.5 | Verifying data integrity and authenticating messages |
| CSNBMVR | MAC Verify (CSNBMVR) | 8.2, 7.5 | Verifying data integrity and authenticating messages |
| CSNBT31X | TR31 Translate (CSNBT31X) | 8.2, 7.5 | TR-31 symmetric key management |
| CSNBT31I | TR31 Key Import (CSNBT31I) | 8.2, 7.5 | TR-31 symmetric key management |
| CSNDPKG | PKA Key Generate (CSNDPKG) | 8.2, 7.5 | Managing PKA cryptographic keys |
| CSNDPKI | PKA Key Import (CSNDPKI) | 8.2 | Managing PKA cryptographic keys |
| CSNDPKB | PKA Key Token Build (CSNDPKB) | 8.2, 7.5 | Managing PKA cryptographic keys |
| CSNDKTC | PKA Key Token Change (CSNDKTC) | 8.2, 7.5 | Managing PKA cryptographic keys |
| CSNDPKT | PKA Key Translate (CSNDPKT) | 8.2, 7.5 | Managing PKA cryptographic keys |
| CSNDPKX | PKA Public Key Extract (CSNDPKX) | 8.2, 7.5 | Managing PKA cryptographic keys |

Table 3. New and updated ACPs for CCA Releases 8.2 and 7.5

| ACP | Definition | Default |
|---|---|---|
| 00D0 | Allow CSNBKGN2 to generate AES DKYGENKY keys with MMSAUTH1 and MMSAUTH2 and keyform OPEX for CSNBMMS | 0 |
| 00D1 | Allow CSNBDKG2 to derive keys from AES DKYGENKY keys with MMSAUTH1 attribute | 0 |
| 00D2 | Allow CSNBMMS service with KDFFM-DK | 1 |
| 00D3 | Disallow CSNBKGN2 from generating AES MAC keys with PTR2AUTH | 0 |
| 00D4 | Allow CSNDSYG to generate AES CIPHER or MAC keys | 1 |
| 0085 | Disallow ISO-2 PIN block generate | 0 |
| 0086 | Disallow ISO-2 PIN block verify | 0 |
| 0087 | Disallow ISO-2 PIN block translate | 0 |
| 03CB | Permit import of an RSA key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |
| 03CC | Permit import of an ECC key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |
| 03CD | Permit import of an AES key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |