Edition August 2024, CCA Support Program Releases 8.2 and 7.5
This edition describes the IBM® CCA Basic Services API for Releases 8.2 and 7.5. The complete functionality of Release 8.2 is available on CEX8C cryptographic coprocessors only. Much of the functionality of CCA 8.2 is also available with CCA 7.5 for the CEX7C. Differences are marked in this publication.
CCA Releases 8.2 and 7.5 offer the following new features and functions:
- Support for CRYSTALS-Kyber Round 2 and 3:
  - CRYSTALS-Kyber (768) Round 2
    - Key management: CSNDPKB, CSNDPKG, CSNDPKI, CSNDPKX, CSNDKTC, CSNDPKT
    - Other services: CSNDPKE, CSNDPKD, CSNDEDH - for hybrid key negotiation support
  - CRYSTALS-Kyber (1024) Round 3 and CRYSTALS-Kyber (768) Round 3
    - Key management: CSNDPKB, CSNDPKG, CSNDPKI, CSNDPKX, CSNDKTC, CSNDPKT
    - Other services: CSNDPKE, CSNDPKD, CSNDEDH - for hybrid key negotiation support
- Updates for the CSNBDKG2 service:
  Derive keys that participate in the M of N MAC Scheme as documented for the CSNBMMS service.
- Updates for the CSNDSYG service:
  Extend the service to also produce X'05' variable-length AES CIPHER or MAC type keys with the OP, EX, or IM rules.
- Updates for the CSNBMGN and CSNBMVR services:
  Add triple key TDES support for the EMVMACD/X9.19OPT process rules.
- Updates for the CSNDSYI2 service (CCA Release 8.2 only):
  You can use the Symmetric Key Import service to import external keys that have been previously formatted using the PKCS #11 RSA AES key wrap mechanism.
- Updates for the CSNDPKI service (CCA Release 8.2 only):
  You can use the PKA Key Import service to import external keys that have been previously formatted using the RSA AES key wrap mechanism.
The CCA API includes the following new verb:
| Verb | Service name | Category |
|---|---|---|
| CSNBMMS | Multi-MAC Scheme (CSNBMMS) | Managing AES, DES, and HMAC cryptographic keys |
You can use this service to derive M of N MAC verification keys, validate M of N possible MACs over the input data, derive a final MAC key, then generate and return a final MAC.
The following verbs provide new or updated keywords or other updated information:
| Verb | Service name | Release | Category |
|---|---|---|---|
| CSNBDKG2 | Diversified Key Generate2 (CSNBDKG2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDEDH | EC Diffie-Hellman (CSNDEDH) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBKGN2 | Key Generate2 (CSNBKGN2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBKTB2 | Key Token Build2 (CSNBKTB2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBKTP2 | Key Token Parse2 (CSNBKTP2) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDPKD | PKA Decrypt (CSNDPKD) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDPKE | PKA Encrypt (CSNDPKE) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBRKA | Restrict Key Attribute (CSNBRKA) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDSYG | Symmetric Key Generate (CSNDSYG) | 8.2, 7.5 | Managing AES, DES, and HMAC cryptographic keys |
| CSNDSYI2 | Symmetric Key Import2 (CSNDSYI2) | 8.2 | Managing AES, DES, and HMAC cryptographic keys |
| CSNBMGN | MAC Generate (CSNBMGN) | 8.2, 7.5 | Verifying data integrity and authenticating messages |
| CSNBMVR | MAC Verify (CSNBMVR) | 8.2, 7.5 | Verifying data integrity and authenticating messages |
| CSNBT31X | TR31 Translate (CSNBT31X) | 8.2, 7.5 | TR-31 symmetric key management |
| CSNBT31I | TR31 Key Import (CSNBT31I) | 8.2, 7.5 | TR-31 symmetric key management |
| CSNDPKG | PKA Key Generate (CSNDPKG) | 8.2, 7.5 | Managing PKA cryptographic keys |
| CSNDPKI | PKA Key Import (CSNDPKI) | 8.2 | Managing PKA cryptographic keys |
| CSNDPKB | PKA Key Token Build (CSNDPKB) | 8.2, 7.5 | Managing PKA cryptographic keys |
| CSNDKTC | PKA Key Token Change (CSNDKTC) | 8.2, 7.5 | Managing PKA cryptographic keys |
| CSNDPKT | PKA Key Translate (CSNDPKT) | 8.2, 7.5 | Managing PKA cryptographic keys |
| CSNDPKX | PKA Public Key Extract (CSNDPKX) | 8.2, 7.5 | Managing PKA cryptographic keys |
Access control points (ACPs), with their definitions and defaults:
| ACP | Definition | Default |
|---|---|---|
| 00D0 | Allow CSNBKGN2 to generate AES DKYGENKY keys with MMSAUTH1 and MMSAUTH2 and keyform OPEX for CSNBMMS | 0 |
| 00D1 | Allow CSNBDKG2 to derive keys from AES DKYGENKY keys with MMSAUTH1 attribute | 0 |
| 00D2 | Allow CSNBMMS service with KDFFM-DK | 1 |
| 00D3 | Disallow CSNBKGN2 from generating AES MAC keys with PTR2AUTH | 0 |
| 00D4 | Allow CSNDSYG to generate AES CIPHER or MAC keys | 1 |
| 0085 | Disallow ISO-2 PIN block generate | 0 |
| 0086 | Disallow ISO-2 PIN block verify | 0 |
| 0087 | Disallow ISO-2 PIN block translate | 0 |
| 03CB | Permit import of an RSA key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |
| 03CC | Permit import of an ECC key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |
| 03CD | Permit import of an AES key token from a PKCS#11 CKM_RSA_AES_KEY_WRAP object | 0 |