CCA 8.2, 7.5 for IBM Z and CCA 7.5 for 4769 on IBM Power

  

Authors: Richard Kisley, Jim Cox, Mike Miele, Jimmy Hill, Gregg Arquero, John Craig, Brandon Johnson, Igar Shepelev

This article describes the updates for the Common Cryptographic Architecture (CCA) firmware releases 8.2 for CEX8S and 7.5 for CEX7S, for IBM z16, CCA firmware release 7.5 for CEX7S on IBM z15, and CCA firmware release 7.5 for 4769 on IBM Power, IBM iSeries, x86.

With APAR OA64883, ICSF shipped new functionality in support of CCA Releases 8.2 and 7.5 for z16 and CCA Release 7.5 for z15. This APAR is available on ICSF FMIDs HCR77D1 - HCR77E0.

Audience:

Users of CCA for payment or cryptography applications on 

  • ICSF for IBM z16 with CEX8S/CEX7S and IBM z15 with CEX7S
  • 4769 for IBM Power, IBM iSeries and x64/x86

What is CCA?

CCA is both an Architecture and a set of services.  It provides:

  • Crypto algorithms and secure key management
  • Specialized functions for banking and payment network interoperability
  • A common set of service interfaces and architecture for all IBM z, Cognitive and x64/x86 server platforms
  • Over 156 services with more than 1000 options, from ASC X9 TR-31 key support to ASC X9 TR-34 mutually authenticated RSA/certificate based TDES and AES key exchange, as well as traditional PIN-secured transaction processing and other support for core banking functions and major payment network key derivation and cryptograms.

What are the updates?

This update adds support for the following features:

  • TR-31 Import / Export of AES K0-B and K1-B Key Blocks
  • Import RSA AES Key Wrapped Objects
  • CCA Service Quantum Safe Algorithms R2/R3 Updates
  • New CCA service: Multi-MAC Scheme (CSNBMMS)
  • RSA-OAEP v2.1 updates
  • 4769 Release of CCA 7.5 (for Power, IBM i, x86)
  • New Access Control Points (ACPs)

Support requirements:

  • ICSF exploitation APAR OA64883 on FMIDs HCR77D1 - HCR77E0

TR-31 Import / Export of AES K0-B and K1-B Key Blocks

The CCA releases 8.2, 7.5, 6.7, and 5.7 add the ability to import, via the TR-31 Key Import (CSNBT31I) service, TR-31 key blocks with algorithm ‘A’, mode of use ‘B’, and key usage ‘K0’ or ‘K1’. The result is a CCA variable-length symmetric IMPORTER or EXPORTER AES token. The Key Export to TR-31 (CSNBT31X) service can also be used to export a CCA variable-length symmetric IMPORTER or EXPORTER AES token to a TR-31 key block with algorithm ‘A’, mode of use ‘B’, and key usage ‘K0’ or ‘K1’.
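To check whether a received key block carries the attributes named above before submitting it to CSNBT31I, the 16-character TR-31 header can be parsed directly. This is an added example, not IBM code; the names `Tr31Header`, `parse_tr31_header` and `is_aes_kek_block` are hypothetical, and the sample blocks are constructed with filler in place of key data.

```python
from dataclasses import dataclass

@dataclass
class Tr31Header:
    version: str          # key block version ID, offset 0
    length: int           # total key block length in characters, offsets 1-4
    usage: str            # key usage, offsets 5-6 (e.g. K0, K1)
    algorithm: str        # algorithm, offset 7 ('A' = AES)
    mode: str             # mode of use, offset 8 ('B' = both wrap and unwrap)
    key_version: str      # key version number, offsets 9-10
    exportability: str    # exportability, offset 11
    optional_blocks: int  # number of optional blocks, offsets 12-13

def parse_tr31_header(block: str) -> Tr31Header:
    if len(block) < 16 or not block.isascii():
        raise ValueError("TR-31 header is 16 ASCII characters")
    if not (block[1:5].isdigit() and block[12:14].isdigit()):
        raise ValueError("non-numeric length or optional-block count")
    hdr = Tr31Header(block[0], int(block[1:5]), block[5:7], block[7],
                     block[8], block[9:11], block[11], int(block[12:14]))
    if hdr.length != len(block):
        raise ValueError("length field does not match key block size")
    return hdr

def is_aes_kek_block(hdr: Tr31Header) -> bool:
    # The combination this release adds: algorithm 'A', mode 'B', usage K0 or K1.
    return hdr.algorithm == "A" and hdr.mode == "B" and hdr.usage in ("K0", "K1")

# Constructed sample blocks: a valid header followed by 32 filler characters.
SAMPLE_K0 = "D0048K0AB00E0000" + "0" * 32
SAMPLE_PIN = "B0048P0TE00N0000" + "0" * 32
```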

Import RSA AES Key Wrapped Objects

Beginning with Release 8.2, CCA supports importing external keys that have been previously formatted using the RSA AES key wrap mechanism. The RSA AES key wrap mechanism, denoted CKM_RSA_AES_KEY_WRAP, is a PKCS#11 mechanism based on the RSA public-key cryptosystem and the AES key wrap mechanism.  The service supports single-part key wrapping and key unwrapping. The RSA AES key wrap mechanism can wrap and unwrap a single-part target key of any length and type using an RSA key.  Note: Since just the key-material is wrapped and not the key-usage, compliance tagged key tokens are not supported.

For importing (unwrapping), the RSA AES key wrap mechanism:

  1. unwraps the temporary AES key from the first part of the object with the private RSA key using CKM_RSA_PKCS_OAEP (PKOAEP2),
  2. unwraps the target key from the second part with the temporary AES key using CKM_AES_KEY_WRAP_PAD (RFC5649),
  3. returns the newly unwrapped target key as a CCA token.
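A software model of the three unwrap steps above, added here as an illustration and not IBM code: inside CCA the unwrap runs in the coprocessor and yields a CCA token rather than clear bytes. It uses the Python `cryptography` package; `rakw_wrap`, `rakw_unwrap` and the choice of SHA-256 for OAEP are assumptions.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding, aes_key_wrap_with_padding)

def _oaep(hash_alg):
    # Assumption: the same hash for the OAEP label hash and MGF1.
    return padding.OAEP(mgf=padding.MGF1(algorithm=hash_alg),
                        algorithm=hash_alg, label=None)

def rakw_wrap(rsa_public, target_key: bytes, aes_bits: int = 256) -> bytes:
    """Sender side: build a CKM_RSA_AES_KEY_WRAP object."""
    temp_key = os.urandom(aes_bits // 8)
    part1 = rsa_public.encrypt(temp_key, _oaep(hashes.SHA256()))
    part2 = aes_key_wrap_with_padding(temp_key, target_key)   # RFC 5649
    return part1 + part2

def rakw_unwrap(rsa_private, blob: bytes) -> bytes:
    """Receiver side: the import (unwrap) steps 1 and 2."""
    k = rsa_private.key_size // 8      # first part is one RSA modulus long
    # RFC 5649 output is a multiple of 8 bytes and at least 16 bytes.
    if len(blob) < k + 16 or (len(blob) - k) % 8:
        raise ValueError("malformed CKM_RSA_AES_KEY_WRAP object")
    temp_key = rsa_private.decrypt(blob[:k], _oaep(hashes.SHA256()))
    if len(temp_key) not in (16, 24, 32):
        raise ValueError("temporary key is not an AES key")
    # Raises InvalidUnwrap if the integrity check of the second part fails.
    return aes_key_unwrap_with_padding(temp_key, blob[k:])

def demo() -> bool:
    # Constructed sample: fresh RSA-2048 key pair and a random 32-byte target key.
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    target = os.urandom(32)
    return rakw_unwrap(priv, rakw_wrap(priv.public_key(), target)) == target
```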

Symmetric Key Import2 (CSNDSYI2) can be used to import an AES token from a CKM_RSA_AES_KEY_WRAP-wrapped object. A new ACP was added to control CKM_RSA_AES_KEY_WRAP support in CSNDSYI2:

  • (0x03CD) SYI2 - Permit import of AES key from CKM_RAKW object.

PKA Key Import (CSNDPKI) can be used to import RSA and ECC tokens from CKM_RSA_AES_KEY_WRAP-wrapped objects. For RSA keys, private section types X’30’, X’31’, and X’08’ are supported. For ECC keys, private section type X’20’ is supported. Two new ACPs were added to control CKM_RSA_AES_KEY_WRAP support in CSNDPKI:

  • (0x03CB) PKI - Permit import of RSA key from CKM_RAKW object.
  • (0x03CC) PKI - Permit import of ECC key from CKM_RAKW object.

CCA service Quantum Safe Algorithms R2/R3 Updates

Beginning with Release 8.2, CCA supports additional NIST Quantum-Safe algorithm standardization candidate CRYSTALS-Kyber key types and sizes.

  • CRYSTALS-Kyber round 3 support
    • CRYSTALS-Kyber (768), NIST Round 3 with OID: 1.3.6.1.4.1.2.267.8.3.3
    • CRYSTALS-Kyber (1024), NIST Round 3 with OID: 1.3.6.1.4.1.2.267.8.4.4
  • CRYSTALS-Kyber expanded round 2 support
    • CRYSTALS-Kyber (768), NIST Round 2 with OID: 1.3.6.1.4.1.2.267.5.3.3
  • The following CCA callable services support CRYSTALS-Kyber expanded round 2 and round 3
    • PKA Key Management Services:
      • PKA Key Token Build (CSNDPKB),
      • PKA Key Generate (CSNDPKG)
      • and others.
    • Services
      • PKA Encrypt (CSNDPKE)
      • PKA Decrypt (CSNDPKD)
      • ECC Diffie-Hellman (CSNDEDH)

Notes:

  • Key label support for CRYSTALS-Kyber expanded round 2 and round 3 keys requires a large common record (KDSRL) format PKDS.
  • CRYSTALS-Dilithium Round 3 and Round 2 (with hardware acceleration) are available from prior releases of CCA for CEX8S on IBM z16.

New CCA service: Multi-MAC Scheme (CSNBMMS)

This release includes a new service, CSNBMMS, that is part of a comprehensive M of N 'multi' MAC scheme:

  • Use case example:  consider a business need to change the personal account number (PAN) associated with a customer personal identification number (PIN). For security reasons the service needs to verify certain input data before allowing the PAN change to occur. Consider further that the data verification must happen at multiple parties that are separate business entities and cryptographic trust and verification is needed. For performance and security strength a PKI solution is not desirable.
  • Solution: An M of N multi-MAC scheme where derivation of the MAC generation keys is tightly controlled through a Key Management System (KMS) and the M of N scheme parameters are input parameters to the key derivation process - binding the keys to the parameters.
  • The Multi-MAC Scheme (CSNBMMS) callable service is used to derive M of N MAC verification keys, validate M of N possible MACs over the input data, derive a final MAC key, then generate and return a final MAC.
  • Since the values of M, N, and the MAC identifier counter c are used in derivation processing, the values of the keys used for creating the input MACs directly depend on using the correct values when computing the individual MACs, binding the derived keys to the scheme parameters.
  • Later, at the service where the PAN change is requested, the final MAC verification key is passed along with the input data. At this point the PAN change is allowed or disallowed based on the final MAC verification.
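A conceptual model of the M of N flow described above, added here as an illustration and not the CSNBMMS algorithm or API. It substitutes HMAC-SHA-256 for CCA's key derivation and MAC functions, and the function names and context encoding are hypothetical.

```python
import hashlib
import hmac

def derive_key(base_key: bytes, purpose: bytes, m: int, n: int, c: int) -> bytes:
    # M, N and the MAC identifier counter c are derivation inputs, so a key
    # derived for one (M, N, c) never matches a key derived for another.
    context = purpose + b"|" + bytes([m, n, c])
    return hmac.new(base_key, context, hashlib.sha256).digest()

def party_mac(base_key: bytes, data: bytes, m: int, n: int, c: int) -> bytes:
    # Stand-in for party c, which would hold only its own derived key from the KMS.
    key = derive_key(base_key, b"verify", m, n, c)
    return hmac.new(key, data, hashlib.sha256).digest()

def multi_mac(base_key: bytes, data: bytes, m: int, n: int, macs: dict):
    """macs maps counter c (1..n) to the MAC supplied by party c.
    Returns the final MAC when at least m input MACs verify, else None."""
    if not 1 <= m <= n <= 255:
        raise ValueError("require 1 <= M <= N <= 255")
    valid = 0
    for c, tag in macs.items():        # dict keys: each party counts once
        if not 1 <= c <= n:
            continue
        if hmac.compare_digest(party_mac(base_key, data, m, n, c), tag):
            valid += 1
    if valid < m:
        return None
    final_key = derive_key(base_key, b"final", m, n, 0)
    return hmac.new(final_key, data, hashlib.sha256).digest()

def verify_final(base_key: bytes, data: bytes, m: int, n: int, final_mac: bytes) -> bool:
    # The later check at the service that performs the PAN change.
    final_key = derive_key(base_key, b"final", m, n, 0)
    expected = hmac.new(final_key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, final_mac)

# Constructed sample values
BASE_KEY = bytes(range(32))
REQUEST = b"constructed PAN change request"
```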

OAEP 2.1

The Optimal Asymmetric Encryption Padding (OAEP) v2.1 algorithm was recently introduced to the PKA Encrypt (CSNDPKE) and PKA Decrypt (CSNDPKD) services with CCA Release 8.1. This release extends the OAEP 2.1 support to the CEX7S.

Additionally with this release, the Mask Generation Function (MGF) and hash algorithms can now be specified independently when using the OAEP 2.1 algorithm in CSNDPKE and CSNDPKD. The SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms are supported.

New Access Control Points (ACPs)

ACPs are controlled through the TKE (IBM Z) or CHIM (IBM Power or x86) HSM Management tools.  Please note:

  • The CCA card changes behavior the first time that a client uses TKE with the CEX7S/CEX8S on IBM Z.
  • When a TKE has been used with a card, the CCA firmware will NOT change any ACP values for any domain on that card without TKE or SE requesting that change.  This includes load of new firmware. 

The ACPs in the table below are new with CCA 8.2 for the CEX8S. 

| ACP | Default value (if a TKE has not been used with the card) | Description |
|--------|---|---|
| 0x0085 | 0 | Disallow ISO-2 PIN Blocks: Generate |
| 0x0086 | 0 | Disallow ISO-2 PIN Blocks: Verify |
| 0x0087 | 0 | Disallow ISO-2 PIN Blocks: Translate |
| 0x00D0 | 0 | Allow CSNBKGN2 to generate AES DKYGENKY keys with MMSAUTH1 and MMSAUTH2 and key form OPEX for CSNBMMS |
| 0x00D1 | 0 | Allow CSNBDKG2 to derive keys from AES DKYGENKY keys with MMSAUTH1 attribute |
| 0x00D2 | 1 | Allow CSNBMMS service with KDFFM-DK |
| 0x00D3 | 0 | Disallow CSNBKGN2 from generating AES MAC keys with PTR2AUTH |
| 0x00D4 | 1 | Allow CSNBSYG to generate AES CIPHER or MAC keys |
| 0x03CB | 0 | Permit PKCS#11 RSA import using CSNDPKI |
| 0x03CC | 0 | Permit PKCS#11 ECC import using CSNDPKI |
| 0x03CD | 0 | Permit PKCS#11 AES import using CSNDSYI2 |

4769 Release of CCA 7.5

The IBM 4769 is available as a machine type-model 4769-001 on x64/x86 servers on supported RHEL 64 bit operating systems, as well as on IBM Power Systems and IBM i. 

CCA 7.5 for IBM 4769 is now available on the following systems:

Supported Systems & O/S’s

  • x64 RHEL : RHEL 8.9, 9.3
  • Power 10 AIX : 7.3, 7.2
  • Power 9 iSeries : V7R3, V7R4
  • Power 10 iSeries : V7R5

This CCA release shares the CCA release 7.5 updates listed above, as well as major updates to the Crypto Hardware Initialization & Maintenance (CHIM) utility.

CHIM Updates:

  • Zone support - You can now enroll host HSMs into zones.
    • This ensures that the smartcards providing key parts that will be loaded to the target HSM are enrolled in the same zone as the target HSM (managed by the zone CA smartcard). Zone management is an extra layer of security allowing the zone administrator to control the smartcard population. The cryptographic binding occurs on multiple dimensions, with zone membership also an important part of session key establishment prior to key part load.
  • Group compare - from the main device group panel, use the ‘Compare Group’ pull down. This option generates a report that compares the secondary HSMs in your group to the primary HSM, and shows any differences.
  • Secure key entry for master key parts using a smart card reader PIN pad.
  • Better cosign command panel - more detail is shown to help you better understand who can cosign a command. This update also provides a way for CHIM to remember both the issuer and cosigner smart cards. This saves the users from swapping smart cards extensively during sessions.
  • Fixes and improvements that include multiple performance and interface enhancements.

For more info, please see the following