IBM 4765 CCA software releases

This page contains information about the CCA software releases for the IBM 4765.

IBM 4765 CCA Release 4.4.55

Release 4.4.55 for CCA is available for download effective October 23, 2015. It is for use by customers who use the IBM 4765 Model 1 in an IBM-approved x86 architecture server. This release replaces Release 4.4.20 and Release 4.4.54.

Note: Customers who need a MEPS (Méthode d'Évaluation des Produits Securitaire) certified release should use Release 4.4.20 for CCA.

Hardware. IBM 4765 PCIe Cryptographic Coprocessor can be installed on an IBM-approved x86 architecture server.

Optional hardware. IBM offers optional smart card support in the form of a Smart Card Utility Program (SCUP) and enhanced smart card feature for CNM that can be optionally installed when CNM is installed. For detailed information on smart card support, including how to order the optional smart card hardware, refer to IBM 4765 PCIe Cryptographic Coprocessor Smart Card User Guide (12/2013, PDF, 2.19 MB).

Software. IBM offers a Common Cryptographic Architecture (CCA) Support Program for certain operating systems. See the IBM PCIe Cryptographic Coprocessor Version 1 Overview page for the list of operating systems supported at no charge or as a separately purchased add-on feature.

With IBM’s cryptographic hardware management solution, it is possible to centrally manage multiple servers with one or more cryptographic coprocessors installed. The Crypto Hardware and Initialization Management (CHIM) solution is available for IBM-approved x86 architecture servers and IBM Power Systems.

To purchase CHIM, contact the IBM Crypto Competence Center at ccc@dk.ibm.com. The Center is located in Denmark, which is in the Central European Time Zone (GMT+1).

Summary of changes for Release 4.4.55

  • Release 4.4.55 corrects a problem with a non-maskable interrupt (NMI) being detected when the server has a Xeon Version 2 or Version 3 processor.
  • Support for Release 4.4.55 is added to the IBM AIX operating system of IBM Power Systems.

Summary of changes for Release 4.4.54

Beginning with Release 4.4.54, the IBM CCA Support Program provides support for the following enhancements:

  • Encryption mode ANY-MODE is added to AES key type CIPHER variable-length symmetric key tokens.
  • Type of key to diversify D-SECMSG and key-derivation sequence levels DKYL1 and DKYL2 are added to AES key type DKYGENKY variable-length symmetric key tokens.
  • AES key type SECMSG is added to variable-length symmetric key tokens.
  • Diversified_Key_Generate2 (CSNBDKG2)
    • Two diversification process rule array keywords are added. One is KDFFM-DK (DK version of Key Derivation Function in Feedback Mode). The other is MK-OPTC (EMV Master Key Derivation Option C).
    • A bit length of generated key keyword group is added. The keywords in this group are KLEN128, KLEN192, and KLEN256.
    • Three required commands are added, namely Diversified Key Generate2 (KDFFM-DK) (offset X'02D3'), Allow Generated Key Length Option with KDFFM-DK Keyword (offset X'02D4'), and Diversified Key Generate2 (MK-OPTC) (offset X'02D2').
    • The verb can be used to generate the new AES SECMSG key type.
  • Key_Test2 (CSNBKYT2): a KVP calculation rule-array keyword is added. The keyword is CMACZERO.
  • Key_Token_Build2 (CSNBKTB2) can build an AES SECMSG key token, and Key_Token_Parse2 (CSNBKTP2) can parse an AES SECMSG key token.
  • PKA_Decrypt (CSNDPKD) and PKA_Encrypt (CSNDPKE)
    • A CSNDPKD recovery method and a CSNDPKE format method rule-array keyword are added. The keyword is PKCSOAEP.
    • A hash method keyword group is added. The keywords in this group are SHA-1 and SHA-256.
    • Three required commands are added to CSNDPKD, namely PKA Decipher Clear Key Disallow PKCS-1.2 (offset X'020A'), PKA Decipher Clear Key Disallow PKCSOAEP (offset X'020C'), and PKA Decipher Clear Key Disallow ZEROPAD (offset X'020B').
    • Four required commands are added to CSNDPKE, namely PKA Encipher Clear Key Disallow MRP (offset X'0208'), PKA Encipher Clear Key Disallow PKCS-1.2 (offset X'0206'), PKA Encipher Clear Key Disallow PKCSOAEP (offset X'0209'), and PKA Encipher Clear Key Disallow ZEROPAD (offset X'0207').
  • MAC_Verify2 (CSNBMVR2) supports a MAC length of 8.
  • DK_PIN_Change (CSNBDPC)
    • A script selection algorithm method rule-array keyword is added. The keyword is AES-CBC.
    • A MAC cipher method rule-array keyword is added. The keyword is CMAC.
    • A MAC length and presentation rule-array keyword is added. The keyword is MACLEN16.
    • The script_key_identifier parameter can identify an operational AES SECMSG key token.
    • The script_MAC_key_identifier parameter can identify an operational AES MAC key token that has a MAC mode of CMAC.

IBM 4765 CCA Release 4.4.20

Release 4.4.20 for CCA is available for download effective April 16, 2014. It is for use by customers who need a MEPS certified release for the IBM 4765 Model 1 in an IBM-approved x86 architecture server. This release replaces Release 4.4.16. Release 4.4.20 is a full standalone package and includes one new financial services verb. See Summary of changes below.

Note: Customers who do not need a MEPS certified release should use Release 4.4.55 for CCA.

Notice to IBM PureFlex™ customers: CCA Release 4.4.20 is generally available for IBM PureFlex customers as a separate add-on feature on the IBM 4765 PCIe Cryptographic Coprocessor. This add-on feature can be purchased for installation on one of the operating systems provided by the IBM Crypto Competence Center. To purchase this add-on feature, contact the IBM Crypto Competence Center at ccc@dk.ibm.com. The Center is located in Denmark, which is in the Central European Time Zone (GMT+1).

Hardware. IBM 4765 PCIe Cryptographic Coprocessor can be installed on an IBM-approved x86 architecture server.

Optional hardware. IBM offers optional smart card support in the form of a Smart Card Utility Program (SCUP) and enhanced smart card feature for CNM that can be optionally installed when CNM is installed. For detailed information on smart card support, including how to order the optional smart card hardware, refer to IBM 4765 PCIe Cryptographic Coprocessor Smart Card User Guide (12/2013, PDF, 2.19 MB).

Software. IBM offers a Common Cryptographic Architecture (CCA) Support Program for certain operating systems. See the IBM PCIe Cryptographic Coprocessor Version 1 Overview page for the list of operating systems supported at no charge or as a separately purchased add-on feature.

Summary of changes for Release 4.4.20

Beginning with Release 4.4.20, the IBM CCA Support Program provides support for the following enhancement:

  • A new financial services verb that is based on the PIN methods of, and meets the requirements specified by, the German Banking Industry Committee, Die Deutsche Kreditwirtschaft, also known as DK. The intellectual property rights regarding the methods and specification belong to the German Banking Industry Committee. The following DK verb is added:
    • DK_Migrate_PIN (CSNBDMP). Creates a PIN reference value or word (PRW) from a single input PIN, without validation by an existing DK PIN block or PRW.