Fixes for the 4758 CCA

Back to Mike's Homepage
Back to the DESCRACK website

On 5th February, Version 2.41 of the CCA was made available on IBM's website. Version 2.41 includes fixes specifically designed to prevent the attack described on this website, and some of the related weaknesses described in my paper "Attacks on Cryptoprocessor Transaction Sets".

The major modification to the transaction set is the separation of duty between confidentiality and integrity assurance for clear loading of symmetric keys. The old modes of operation for Key_Part_Import were FIRST, MIDDLE, and LAST. New modes of operation ADD and COMPLETE have been created. The party responsible for testing the integrity of a key (using Key_Test) can now use the COMPLETE mode, which does not permit modification of the key being tested. Several changes have been made to the semantics of Key_Part_Import, and the symmetric key inport and export commands to prevent type changes between replicate and non-replicate keys during import, and to prevent export of non-replicate keys under replicate keys. Extra access control points have been created which disable the fixes in order to permit upgrade to version 2.41 for reasons other than security.

The CCA is a much safer product now that no single individual can damage the integrity of the key material. The attack described on the descrack website no longer works, as the specification level faults it relied on have been addressed. Note that some of the security-related fixes in release 2.41 relate to implementation faults; these were not exploited by the attacks described on this site, and have no direct connection with them, but presumably came to light as a consequence of the closer examination of the CCA code that followed the publicity.


Mike Bond, 18th Feb 2002