Release 4.4.55 for CCA is available for download effective October 23, 2015. It is for use by customers who use the IBM 4765 in an IBM-approved x86 server. This release replaces Release 4.4.20 and Release 4.4.54.
Note: Customers who need a MEPS (Méthode d'Évaluation des Produits Securitaire) certified release should use Release 4.4.20 for CCA.
Hardware. The IBM 4765 PCIe Cryptographic Coprocessor can be installed on an IBM-approved x86 server.
Optional hardware. IBM offers optional smart card support in the form of a Smart Card Utility Program (SCUP) and an enhanced smart card feature for CNM that can optionally be installed when CNM is installed. For detailed information on smart card support, including how to order the optional smart card hardware, refer to IBM 4765 PCIe Cryptographic Coprocessor Smart Card User Guide (PDF, 2.9 MB).
Software. IBM offers a Common Cryptographic Architecture (CCA) Support Program for certain operating systems. See the IBM 4765 Overview page for the list of operating systems supported at no charge or as a separately purchased add-on feature.
With IBM’s cryptographic hardware management solution, it is possible to centrally manage multiple servers with one or more cryptographic coprocessors installed. The Crypto Hardware and Initialization Management (CHIM) solution is available for IBM-approved x86 servers and IBM Power Systems.
To purchase CHIM, contact the IBM Crypto Competence Center at the CCC website. The Center is located in Denmark, which is in the Central European Time Zone (GMT+1).
Summary of changes for Release 4.4.55
- Release 4.4.55 corrects a problem with a non-maskable interrupt (NMI) being detected when the server has a Xeon Version 2 or Version 3 processor.
- Support for Release 4.4.55 is added to the IBM AIX operating system of IBM Power Systems.
Summary of changes for Release 4.4.54
Beginning with Release 4.4.54, the IBM CCA Support Program provides support for the following enhancements:
- Encryption mode ANY-MODE is added to AES key type CIPHER variable-length symmetric key tokens.
- The type of key to diversify D-SECMSG and the key-derivation sequence levels DKYL1 and DKYL2 are added to AES key type DKYGENKY variable-length symmetric key tokens.
- AES key type SECMSG is added to variable-length symmetric key tokens.
- Diversified_Key_Generate2 (CSNBDKG2)
  - Two diversification process rule array keywords are added. One is KDFFM-DK (DK version of Key Derivation Function in Feedback Mode). The other is MK-OPTC (EMV Master Key Derivation Option C).
  - A bit length of generated key keyword group is added. The keywords in this group are KLEN128, KLEN192, and KLEN256.
  - Three required commands are added, namely Diversified Key Generate2 (KDFFM-DK) (offset X'02D3'), Allow Generated Key Length Option with KDFFM-DK Keyword (offset X'02D4'), and Diversified Key Generate2 (MK-OPTC) (offset X'02D2').
  - The verb can be used to generate the new AES SECMSG key type.
- A KVP calculation keyword, CMACZERO, is added to the rule array of Key_Test2 (CSNBKYT2).
- Key_Token_Build2 (CSNBKTB2) can build an AES SECMSG key token, and Key_Token_Parse2 (CSNBKTP2) can parse an AES SECMSG key token.
- PKA_Decrypt (CSNDPKD) and PKA_Encrypt (CSNDPKE)
  - A CSNDPKD recovery method and a CSNDPKE format method rule-array keyword are added. The keyword is PKCSOAEP.
  - A hash method keyword group is added. The keywords in this group are SHA-1 and SHA-256.
  - Three required commands are added to CSNDPKD, namely PKA Decipher Clear Key Disallow PKCS-1.2 (offset X'020A'), PKA Decipher Clear Key Disallow PKCSOAEP (offset X'020C'), and PKA Decipher Clear Key Disallow ZEROPAD (offset X'020B').
  - Four required commands are added to CSNDPKE, namely PKA Encipher Clear Key Disallow MRP (offset X'0208'), PKA Encipher Clear Key Disallow PKCS-1.2 (offset X'0206'), PKA Encipher Clear Key Disallow PKCSOAEP (offset X'0209'), and PKA Encipher Clear Key Disallow ZEROPAD (offset X'0207').
- MAC_Verify2 (CSNBMVR2) supports a MAC length of 8.
- DK_PIN_Change (CSNBDPC)
  - A script selection algorithm method rule-array keyword is added. The keyword is AES-CBC.
  - A MAC cipher method rule-array keyword is added. The keyword is CMAC.
  - A MAC length and presentation rule-array keyword is added. The keyword is MACLEN16.
  - The script_key_identifier parameter can identify an operational AES SECMSG key token.
  - The script_MAC_key_identifier parameter can identify an operational AES MAC key token that has a MAC mode of CMAC.