IBM Crypto Education Community

IBM Crypto Education Community

IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

 View Only

CCA 8.4 for Linux on IBM Z

By Richard Kisley posted 13 hours ago

  

Authors: Rumeel Jessamy, Richard Kisley, Jimmy Hill, Jim Cox, Mike Miele

This article introduces the updates for the Common Cryptographic Architecture (CCA) 8.4 for Linux on IBM Z.

Audience:

Users of CCA for payment or cryptography applications on 

  • CCA for Linux on IBM Z,

  • IBM Z17, as well as the IBM Z16, IBM Z15, and IBM Z14, which receive function updates as applicable when new firmware is applied and the new CCA library is used.

What is CCA?

CCA is both an Architecture and a set of APIs.  It provides:

  • Crypto algorithms and secure key management

  • Specialized functions for banking and payment network interoperability

  • A common API and architecture for all IBM z, Cognitive and x64/x86 server platforms

  • Over 156 APIs with more than 1000 options, from ASC X9 TR-31 key support to ASC X9 TR-34 mutually authenticated RSA/certificate based TDES and AES key exchange, as well as traditional PIN-secured transaction processing and other support for core banking functions and major payment network key derivation and cryptograms.

What are the updates?

The last CCA update for Linux and CCA firmware on IBM Z was: CCA 8.2 for CEX8S on IBM Z16 with Linux.

This update (CCA 8.4) adds support for the following features, described in more detail below:

  • ML-DSA key generation and digital signatures

  • ML-KEM key generation and key encapsulation

  • RSA up to 8192-bit Modulus key generation, digital signatures, encrypt & decrypt

ML-DSA 

  • Generate Pure ML-DSA and HashML-DSA (SHA512 prehash) keys.

  • Use with CSNDDSG/CSNDDSV verbs for signature generation and verification.

  • Signatures are now non-deterministic by default, with an optional deterministic mode via the DETER rule useful for known answer tests.

  • New CONTEXT and RAWSEED rules support context strings and known-answer testing.

For more info, please see the following:

ML-KEM

  • Generate ML-KEM X’06’ keys for secure key encapsulation.

  • CSNDPKE/CSNDPKD verbs allow generating and decrypting 32-byte shared keys.

  • New “Key Format” rules (CLEAR, AES-KB, AES-ENC) define how keys are returned.

  • RAWSEED rule supports testing with known random components.

RSA 8192-bit Modulus

  • RSA tokens now support up to 8192-bit modulus across multiple types.

  • RSA public key certificates supported in key management, symmetric key services, digital signature, encryption/decryption, and PKI services.

Find out more

For more info, please see the following

0 comments
0 views

Permalink

https://community.ibm.com/community/user/blogs/richard-kisley1/2025/10/10/cca-84-for-linux-on-ibm-z