IBM 4764 PCI-X Cryptographic Coprocessor

Release 3.30 for CCA

Release 3.30 is available for download by all customers who use the IBM 4764 Model 001 in an IBM System x™ server (IBM ServerProven model only). Release 3.30 replaces Release 3.25, which replaces Release 3.24.

For information on software updates, see below.

Release 3.30.04
Release 3.30.04 was the initial release for Release 3.30. This release is no longer available and has been replaced with Release 3.30.05 or later.

Release 3.30.05
Release 3.30.05 is a full standalone package. It is a maintenance release.

Release 3.30.05 or later fixes a problem with the MDC_Generate (CSNBMDG) verb. It was discovered that, under certain specific conditions, earlier releases produced incorrect MDC hash values.

Release 3.30.06
Release 3.30.06 is a maintenance release. It is not a full standalone package and must be installed after installing Release 3.30.05.

Release 3.30.06 or later fixes a problem with the Clear_PIN_Generate_Alternate (CSNBCPA) verb. It was discovered that generating an ISO-1 PIN that has a PIN length that is odd sometimes produces an incorrect PIN.

Download the fix package (ZIP, 759KB) and follow the instructions provided in the file Installing-3.30.06-CCA-HOWTO.txt.

New Java program language support
Application programmers who have Release 3.30.05 or later installed can now build Java applications to use with the Common Cryptographic Architecture (CCA) Support Program. See building Java applications to use with the CCA API.

CNM utility support for JAVA SE Version 1.6.0_13 or later
With Java Platform, Standard Edition (Java SE) Version 1.6.0_13 or later installed, users of the CNM utility can get a Java exception.This problem occurs when using CNM to open the Master Key->Part session or the Primary DES Key-Encrypting Key session. See building Java applications to use with the CCA API.

Release 3.30 overview
IBM offers a Common Cryptographic Architecture (CCA) Support Program that is licensed internal code for the IBM PCI-X Cryptographic Coprocessor. It provides device drivers, utilities and access method support, in addition to providing support for:

  • Strong DES key management with extensive key separation
  • Triple and single DES data encryption
  • Message authentication (MAC) and financial PIN processing
  • RSA operations (previously up to 2048 bits for key generation and digital signature operations)
  • Programmable - Customer / User Defined Functions (UDX)
  • Access controls to manage definable roles

Here are some of the most notable enhancements to the CCA API that are part of Release 3.30:

  • New AES (Advanced Encryption Standard) support, with AES key lengths of 128, 192, and 256 bits, including:
     1. An enhanced version of the Master_Key_Process (CSNBMKP) verb to manage the new 256-bit AES master-key used to encrypt and decrypt keys in AES internal key tokens.
     2. New Symmetric_Algorithm_Decipher (CSNBSAD) and Symmetric_Algorithm_Encipher (CSNBSAE) verbs to decrypt and encrypt data using AES keys.
     3. A new AES key-storage dataset to store internal AES key tokens, separate from the DES and PKA key-storage datasets.
     4. New AES key-storage verbs to manage the AES key-storage dataset:
    • AES_Key_Record_Create (CSNBAKRC)
    • AES_Key_Record_Delete (CSNBAKRD)
    • AES_Key_Record_List (CSNBAKRL)
    • AES_Key_Record_Read (CSNBAKRR)
    • AES_Key_Record_Write (CSNBAKRW)
  • The addition of ISO/DIS 9564-1 Format 3 PIN-block support (ISO-3). ISO-3 is identical to ISO-0, except that it uses random pad digits ranging from X'A' through X'F' instead of only X'F' pad digits.
  • The addition of 4096-bit RSA key support (from 2048-bit) for RSA-CRT and RSA-PUBL keys.
  • New Random_Number_Generate_Long (CSNBRNGL) verb, which allows the length of the random number to be specified, from 1 to 8192 bytes long.
  • The addition of support for the Red Hat Enterprise Linux 5.2 operating system.
  • The addition of the SHA-256 hashing method to the Digital_Signature_Generate (CSNDDSG) verb when using the X9.31 digital-signature-hash formatting method.
  • Corrections to the MDC_Generate (CSNBMDG) verb to prevent it from producing incorrect MDC hash values under certain specific conditions. It was discovered that, under certain specific conditions, Release 3.30.04 or earlier produced incorrect MDC hash values. For a detailed description of these condtions and corrective action instructions, see the MDC_Generate (CSNBMDG) section of the Basic Services Reference and Guide. (PDF, 7.69MB)

If you have any additional questions, contact Crypto support.