CCM mode
CCM mode (counter with cipher block chaining message authentication code; counter with
The nonce of CCM must be carefully chosen to never be used more than once for a given key. This is because CCM is a derivation of
Encryption and authentication
As the name suggests, CCM mode combines
CCM mode was designed by Russ Housley, Doug Whiting and Niels Ferguson. At the time CCM mode was developed, Russ Housley was employed by RSA Laboratories.
A minor variation of CCM, called CCM*, is used in the Zigbee standard. CCM* includes all of the features of CCM. It allows a choice of MAC lengths down to 0 (which disables authentication and becomes encryption-only).[5]
Performance
CCM requires two block cipher encryption operations on each block of an encrypted-and-authenticated message, and one encryption on each block of associated authenticated data.
According to
Notable inefficiencies:
- CCM is not an "on-line" authenticated encryption with associated data (AEAD), in that the length of the message (and associated data) must be known in advance.
- In the MAC construction, the length of the associated data has a variable-length encoding, which can be shorter than machine word size. This can cause pessimistic MAC performance if associated data is long (which is uncommon).
- Associated data is processed after message data, so it is not possible to pre-calculate state for static associated data.
Patents
The catalyst for the development of CCM mode was the submission of
While the inclusion of OCB mode was disputed based on these intellectual property issues, it was agreed that the simplification provided by an authenticated encryption system was desirable. Therefore, Housley, et al. developed CCM mode as a potential alternative that was not encumbered by patents.
Even though CCM mode is less efficient than OCB mode, a patent free solution was preferable to one complicated by patent licensing issues. Therefore, CCM mode went on to become a mandatory component of the IEEE 802.11i standard, and OCB mode was relegated to optional component status, before eventually being removed altogether.
Use
CCM mode is used in
See also
References
- . 800-38C.
- .
- ^ Housley, Russ (December 2005). "rfc4309". IETF: 3.
AES CCM employs counter mode for encryption. As with any stream cipher, reuse of the same IV value with the same key is catastrophic.
- ^ Jakob Jonsson, On the Security of CTR + CBC-MAC
- IEEE Standards. 2011-09-05. p. 229. Retrieved 2015-12-18.
- ^ "Crypto++ 5.6.0 Benchmarks". Crypto++. Retrieved 6 September 2015.
- RFC 4309Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
- RFC 6655AES-CCM Cipher Suites for Transport Layer Security (TLS)
- ^ "Bluetooth Low Energy Security". Archived from the original on 2016-04-02. Retrieved 2017-04-20.
- ^ Caswell, Matt (2017-05-04). "Using TLS1.3 With OpenSSL". OpenSSL blog. Retrieved 2018-12-29.
External links
- RFC 3610: Counter with CBC-MAC (CCM)
- RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
- RFC 6655: AES-CCM Cipher Suites for Transport Layer Security (TLS)
- A Critique of CCM (by the designer of OCB)