IBM 4767 CCA software releases

This page contains information about the CCA software releases for the IBM 4767.


IBM 4767 Release 5.5.12 for CCA

The IBM 4767 CCA Support Program Release 5.5.12 is now available for download, effective November 11, 2019, by all customers who use the IBM 4767 Model 2 on Linux on x64 servers.


MTM CCA Release 5.5.12 is supported on the following 64-bit operating systems: 

  • Red Hat Enterprise Linux (RHEL) Server 7.6 and 7.7
  • SUSE Linux Enterprise Server (SLES)
  • Windows Server 2019
     

Summary of enhancements for Release 5.5.12 are: 

1. Optional control is added to the Encrypted_PIN_Translate2 verb for when it is used to reformat an outbound ISO Format 4 PIN block into an ISO Format 1 PIN block. This optional control includes a new required command and a new RFMT4TO1 key-usage attribute added to AES PINPROT keys. 

  • Required command PTR2 Permit ISO-4 to ISO-1 Only with RFMT4TO1 (offset X'0394') is added to the Encrypted_PIN_Translate2 verb. When reformatting an ISO-4 PIN-block to an ISO-1 PIN-block and offset X'0394' is enabled in the active role, the verb requires the outbound AES PINPROT key to have key usage of RFMT4TO1. Refer to the Required commands section of the Encrypted_PIN_Translate2 verb.
  • An AES PINPROT key in a Version X'05' variable-length symmetric key-token has a new RFMT4TO1 attribute added to its key-usage field 2 low-order byte (KUF2 LOB).
  • Keyword RFMT4TO1 is added to the Key_Token_Build2 verb for setting KUF2 HOB of an AES PINPROT key to have RFMT4TO1 key usage.
  • Support is added to the Key_Token_Parse2 verb to parse an AES PINPROT key that has RFMT4TO1 key usage.

2. For the Encrypted_PIN_Translate2 verb, an additional plaintext PAN field format option has been added for the message used to generate or verify the CMAC contained in the authentication_data variable for authenticated PAN change. In releases before Release 5.5.12, the format for the Old PAN and the New PAN contained in the message is ASCII characters, one character for each PAN digit (that is, Old PAN = input_PAN_data and New PAN = output_PAN_data). Beginning with Release 5.5.12, the verb uses the PAN format specified by ISO 9564-1 when keyword PANAUTI4 is specified in the rule array. If PANAUTI4 is specified, the format of the Old PAN and the New PAN in the message. Otherwise, the format is ASCII characters (either by default or when keyword PANAUTAS is specified in the rule array).

3. Required command Disallow ISO-1 PIN Format Usage (offset X'032F') is added to the Encrypted_PIN_Translate2 verb. When offset X'032F' is enabled in the active role, the verb cannot use an ISO-1 PIN-block.


Restrictions
 
Scenario: Installing/Uninstalling the CCA host software on Microsoft Windows Server 2019 results in an immediate fatal application error.
Resolution: Installing/Uninstalling the CCA host software on Microsoft Windows Server 2019 must run in Windows 8 compatibility mode.  This can be achieved by performing one of the two common options prior to launching the CCA host installer:

  1. Right click on the CCA host installer.  Click Properties.  Check the compatibility mode checkbox and select "Windows 8".
  2. Set the environment variable, __COMPAT_LAYER=WINSRV08SP1

Scenario: Create a smart card profile using the CHIM tool.  Insert CA smart card instead of required TKE card and press "Ok" dialog in quick succession.  After pressing the "Ok" dialog, the system freezes.
Resolution: Avoid the scenario by inserting the required TKE card instead of an incorrect CA smart card when creating a smart card profile.
 
Scenario: ACP 0x032F is missing from CHIM and CNM tools.
Resolution: The user can toggle any valued ACP using the CHIM tool.


IBM 4767 Release 5.5.6 for CCA

The IBM 4767 CCA Support Program Release 5.5.6 is now available for download, affective May 3, 2019, by all customers who use the IBM 4767 Model 2 on Linux in an x64 server.

MTM CCA Release 5.5.6 is supported on the following x64 operating systems:

  • Red Hat Enterprise Linux (RHEL) Server (64-bit) 7.5
  • SUSE Linux Enterprise Server (SLES)


Summary of enhancements for Release 5.5.6 are:

This release contains the first release of the new host utility Cryptographic Hardware Initialization and Maintenance (CHIM) for remote initialization and maintenance of IBM Cryptographic Coprocessors.

The CHIM utility is introduced as a future replacement for host utility Cryptographic Node Management (CNM). CHIM's superior advantage is the ability to manage multiple remote IBM Cryptographic Coprocessors.

Other Enhancements include:

1. An AES MAC key in a variable-length symmetric key-token with key usage VERIFY has a new authentication data verification key usage that is defined using the previously reserved key-usage field 2 low-order byte.
   a) Key_Token_Build2 has rule-array keyword group authentication data verification added for an AES MAC key to specify whether the key can be used by Encrypted_PIN_Translate2 to verify authentication data using NIST SP 800-38B CMAC for ISO-4 to ISO-PAN change.|
   b) Key_Token_Parse2 can parse an AES MAC key that has authentication data verification key usage. Either PTR2AUTH or NOP2AUTH is returned if the key has key usage of VERIFY.
   c) Encrypted_PIN_Translate2 can now require the AES MAC VERIFY authentication data key to have key usage PTR2AUTH for it to be used to do an ISO-4 to ISO-4 PAN change. For backward compatibility reasons, a new access control command PTR2 PAN Change Authentication Requires PTR2AUTH Usage (offset X'0395') must be enabled in the active role for the PTR2AUTH key-usage attribute to be required for authentication data verification. If offset X'0395' is not enabled when the Encrypted_PIN_Translate2 verb performs PAN change authentication, a new warning message is returned if the AES MAC authentication key has PTR2AUTH usage that is ignored.

2. The Key_Test2 verb can verify the value of a master key as defined in ANS X9.24 Part 1, that is, using either the NIST SP 800-38B block cipher-based MAC algorithm, called CMAC, or the encrypt zeros method. Rule-array keyword group master-key register class is added to specify the class of master key registers (AES, APKA, PKA, or DES), and rule-array keyword group key or key-part rule is added to specify which register to process (current, new, or old).

3. The Unique_Key_Derive verb has two direction or initiation rule-array keyword groups added, one group for deriving MAC keys, and the other group for deriving data encryption keys. The use of these keywords is to specify the purpose of the key (MAC or data encryption) and whether the key is to be used to send or process a request or to send or process a response.

4. The new DK_PRW_Card_Number_Update2 verb has been added. It updates a PIN reference value or word (PRW) with updated time-sensitive card data (and a newly generated random number), but without changing either the customer PIN, primary account number, or permanent card data for later use by other PIN processes for PIN verification. In addition, the verb can optionally use the specified outbound PIN encryption key to return a new encrypted PIN block together with a new PIN block MAC that can be used to validate the PIN block, a new chip-encrypted PIN block with the specified outbound PIN chip-encryption key, or both. Finally, the verb can optionally test the clear PAN recovered from the input encrypted PIN block by comparing it to the clear PAN provided as input, and report the result in the return_code variable. This verb supersedes DK_PRW_Card_Number_Update.

5. The new DK_Random_PIN_Generate2 verb has been added. It generates a random PIN of a selected length and returns the calculated PIN reference value or word (PRW) for use by other PIN processes to verify the PIN. In addition, this verb can optionally return an encrypted PIN block together with a verifying PIN block MAC, and it can optionally return a chip encrypted PIN block, and it can return the result of a PAN test. This verb supersedes DK_Random_PIN_Generate.

6. The TR31_Key_Import verb is enhanced to import the following:
   a) A key block with a PIN encryption key usage of "P0" and mode of use of "B" is added. A rule-array keyword group key type of PIN encryption key for key usage P0 and mode of use "E", "B" or "D" is added to specify the key type of the CCA key being imported. One of these keywords is required for key usage "P0" and mode of use “"B" (both encrypt and decrypt data), and is optional for mode of use "E" (encrypt data only) and "D"(decrypt data only).
   b) A DES PINVER key from a key block with PIN verification key usage "V0", "V1"“, or "V2" and mode of use "C" (both generate and verify of check/PIN value).

4767 adapter

IBM 4767 Release 5.4.33 for CCA

CCA Release 5.4.33 host software and firmware

The IBM 4767 CCA Support Program Release 5.4.33 is now available for download, affective December 6, 2018, by all customers who use the IBM 4767 Model 2 on Linux in an x64 server. As of January 30, 2019, CCA release 5.4.33 is also for customers who use Windows 2016 Server.

CCA Release 5.4.33 is supported on the following 64-bit operating systems:

  • Red Hat Enterprise Linux (RHEL) Server (64-bit) 7.5
  • SUSE Linux Enterprise Server (SLES)
  • Windows 2016 Server (64-bit)

Summary of changes for CCA Release 5.4.33:

  • Three-key (192-bit) Triple-DES keys are added to strengthen security for operations such as data encryption, PIN processing, and key wrapping.
  • Limited ISO Format 4 (ISO-4) AES PIN blocks as defined in the ISO 9564-1 standard.
  • Directed keys, whose objective is to generate and derive many different AES key pairs with different key usages from one key diversification key (KDK).
  • Wrapping and unwrapping DES and TDES keys using an AES Key Block Protection Key (TR-31 key block version ID, or method, “D”) according to ISO 20038.
4767 adapter