IBM 4767 CCA software releases

This page contains information about the CCA software releases for the IBM 4767.


IBM 4767 Release 5.5.6 for CCA

The IBM 4767 CCA Support Program Release 5.5.6 is now available for download, affective May 3, 2019, by all customers who use the IBM 4767 Model 2 on Linux in an x86 server.

MTM CCA Release 5.5.6 is supported on the following x86 64-bit operating systems:

  • Red Hat Enterprise Linux (RHEL) Server (64-bit) 7.5
  • SUSE Linux Enterprise Server (SLES) from Novell (64-bit) 12.3


Summary of enhancements for Release 5.5.6 are:

This release contains the first release of the new host utility Cryptographic Hardware Initialization and Maintenance (CHIM) for remote initialization and maintenance of IBM Cryptographic Coprocessors.

The CHIM utility is introduced as a future replacement for host utility Cryptographic Node Management (CNM). CHIM's superior advantage is the ability to manage multiple remote IBM Cryptographic Coprocessors.

Other Enhancements include:

1. An AES MAC key in a variable-length symmetric key-token with key usage VERIFY has a new authentication data verification key usage that is defined using the previously reserved key-usage field 2 low-order byte.
   a) Key_Token_Build2 has rule-array keyword group authentication data verification added for an AES MAC key to specify whether the key can be used by Encrypted_PIN_Translate2 to verify authentication data using NIST SP 800-38B CMAC for ISO-4 to ISO-PAN change.|
   b) Key_Token_Parse2 can parse an AES MAC key that has authentication data verification key usage. Either PTR2AUTH or NOP2AUTH is returned if the key has key usage of VERIFY.
   c) Encrypted_PIN_Translate2 can now require the AES MAC VERIFY authentication data key to have key usage PTR2AUTH for it to be used to do an ISO-4 to ISO-4 PAN change. For backward compatibility reasons, a new access control command PTR2 PAN Change Authentication Requires PTR2AUTH Usage (offset X'0395') must be enabled in the active role for the PTR2AUTH key-usage attribute to be required for authentication data verification. If offset X'0395' is not enabled when the Encrypted_PIN_Translate2 verb performs PAN change authentication, a new warning message is returned if the AES MAC authentication key has PTR2AUTH usage that is ignored.

2. The Key_Test2 verb can verify the value of a master key as defined in ANS X9.24 Part 1, that is, using either the NIST SP 800-38B block cipher-based MAC algorithm, called CMAC, or the encrypt zeros method. Rule-array keyword group master-key register class is added to specify the class of master key registers (AES, APKA, PKA, or DES), and rule-array keyword group key or key-part rule is added to specify which register to process (current, new, or old).

3. The Unique_Key_Derive verb has two direction or initiation rule-array keyword groups added, one group for deriving MAC keys, and the other group for deriving data encryption keys. The use of these keywords is to specify the purpose of the key (MAC or data encryption) and whether the key is to be used to send or process a request or to send or process a response.

4. The new DK_PRW_Card_Number_Update2 verb has been added. It updates a PIN reference value or word (PRW) with updated time-sensitive card data (and a newly generated random number), but without changing either the customer PIN, primary account number, or permanent card data for later use by other PIN processes for PIN verification. In addition, the verb can optionally use the specified outbound PIN encryption key to return a new encrypted PIN block together with a new PIN block MAC that can be used to validate the PIN block, a new chip-encrypted PIN block with the specified outbound PIN chip-encryption key, or both. Finally, the verb can optionally test the clear PAN recovered from the input encrypted PIN block by comparing it to the clear PAN provided as input, and report the result in the return_code variable. This verb supersedes DK_PRW_Card_Number_Update.

5. The new DK_Random_PIN_Generate2 verb has been added. It generates a random PIN of a selected length and returns the calculated PIN reference value or word (PRW) for use by other PIN processes to verify the PIN. In addition, this verb can optionally return an encrypted PIN block together with a verifying PIN block MAC, and it can optionally return a chip encrypted PIN block, and it can return the result of a PAN test. This verb supersedes DK_Random_PIN_Generate.

6. The TR31_Key_Import verb is enhanced to import the following:
   a) A key block with a PIN encryption key usage of "P0" and mode of use of "B" is added. A rule-array keyword group key type of PIN encryption key for key usage P0 and mode of use "E", "B" or "D" is added to specify the key type of the CCA key being imported. One of these keywords is required for key usage "P0" and mode of use “"B" (both encrypt and decrypt data), and is optional for mode of use "E" (encrypt data only) and "D"(decrypt data only).
   b) A DES PINVER key from a key block with PIN verification key usage "V0", "V1"“, or "V2" and mode of use "C" (both generate and verify of check/PIN value).

4767 adapter

IBM 4767 Release 5.4.33 for CCA

CCA Release 5.4.33 host software and firmware

The IBM 4767 CCA Support Program Release 5.4.33 is now available for download, affective December 6, 2018, by all customers who use the IBM 4767 Model 2 on Linux in an x86 server. As of January 30, 2019, CCA release 5.4.33 is also for customers who use Windows 2016 Server.

CCA Release 5.4.33 is supported on the following 64-bit operating systems:

  • Red Hat Enterprise Linux (RHEL) Server (64-bit) 7.5
  • SUSE Linux Enterprise Server (SLES) from Novell (64-bit) 12.3
  • Windows 2016 Server (64-bit)

Summary of changes for CCA Release 5.4.33:

  • Three-key (192-bit) Triple-DES keys are added to strengthen security for operations such as data encryption, PIN processing, and key wrapping.
  • Limited ISO Format 4 (ISO-4) AES PIN blocks as defined in the ISO 9564-1 standard.
  • Directed keys, whose objective is to generate and derive many different AES key pairs with different key usages from one key diversification key (KDK).
  • Wrapping and unwrapping DES and TDES keys using an AES Key Block Protection Key (TR-31 key block version ID, or method, “D”) according to ISO 20038.
4767 adapter