Filter
Top Products
Revision History CCA Release 2.54
Eighth Edition, Revised, CCA Support Program, Release 2.41
This revised Release 2.41 manual incorporates additional information concerning
access controls (see “CCA Access-Control” on page 2-2) and other minor editorial
changes.
Eighth Edition, CCA Support Program, Release 2.41
The major items changed, extended, or added in Release 2.41 include:
The Key_Export, Key_Import, Data_Key_Export, and Data_Key_Import now
require the exporter or importer key to have unique key-halves when importing
or exporting a key with unequal halves. You can regress to less-secure
operation which does not enforce the restriction by activating an additional
access control command point.
The Key_Part_Import verb has been modified in two ways:
– For double-length keys, unless a new access-control point is enabled in the
governing role, the previously accumulated key-value and the resulting
key-value must both have equal (“replicated”) key-halves or both have
unequal key-halves. This test is ignored if the previously accumulated key
has all key bits other than parity bits set to zero. This increases security by
guaranteeing that the strength of the key is not modified when combining
the new key part.
“Replicated key-half” means that the first part (half) and the last half of a
double-length DES key have equal values and thus performs as though the
key were single length.
– Additional keywords are added to the rule_array that permit enforcing
separation between individuals who can update the accumulated key and
one who can make the key operational (that is, switch off the control-vector
key-part bit). Note that the Cryptographic Node Management utility is not
updated to take advantage of this extension.
The Encrypted_PIN_Generate verb (CSNBEPG) has be extended to include
support of the 3624 PIN-calculation method through use of the IBM-PIN
keyword.
The Encrypted_PIN_Verify verb (CSNBPVR) has be extended to optionally
enforce ensuring that PINs are four digits in length when using the VISA-PVV
calculation method through the use of the VISAPVV4 keyword.
Host-side key-caching, which has been performed since Release 2.10, can be
switched off using an environment variable. This can be important where a key
can be updated by one process, and used by one or more other concurrent
processes. See “Host-side Key Caching” on page 1-7.
Fixes have been applied to the Diversified_Key_Generate,
Encrypted_PIN_Translate and Encrypted_PIN_Verify verbs. The control vector
checking is corrected to properly account for non-default control-vector values.
The Encrypted_PIN_Translate verb now returns reason code 154 instead of 43.
In Windows NT and 2000 environments, the code is repaired to permit
multi-threaded support of multiple Coprocessors.
New drivers are supplied for AIX which support 32-bit and 64-bit environments.
The Cryptographic Node Management utility (CNM) is modified to prohibit use
of key lengths greater than 1024-bits when performing master-key cloning. You
xviii IBM 4758 CCA Basic Services, Release 2.54, February 2005