CCM mode


CCM mode (counter with cipher block chaining message authentication code; counter with CBC-MAC) is a mode of operation for cryptographic block ciphers. It is an authenticated encryption with associated data (AEAD) algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits. [1] [2]


The nonce of CCM must be carefully chosen so that it is never used more than once for a given key. CCM derives its confidentiality from counter (CTR) mode, which is effectively a stream cipher: a repeated nonce under the same key repeats the keystream. [3]

Encryption and authentication

As the name suggests, CCM mode combines counter (CTR) mode for confidentiality with cipher block chaining message authentication code (CBC-MAC) for authentication. The two primitives are applied in an "authenticate-then-encrypt" manner: CBC-MAC is first computed over a formatting block (which encodes the nonce, the message length and a set of flags), the associated data and the message to obtain a message authentication code (MAC); the message and the MAC are then encrypted using counter mode. The main insight is that the same encryption key can be used for both, provided that the counter blocks used in the encryption can never coincide with the first block fed to CBC-MAC; the two differ in their flag byte. A proof of security [4] exists for this combination, based on the security of the underlying block cipher. The proof also applies to a generalization of CCM for any block size, and for any size of cryptographically strong pseudo-random function (since in both counter mode and CBC-MAC, the block cipher is only ever used in the encryption direction).
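The construction described above, together with the nonce requirement stated at the start of the article, as an added example that is not code from the page, from RFC 3610 or from any project named here: a from-scratch CCM over Go's standard-library AES. The function names (ccmSeal, ccmOpen, cbcMAC, ctrXOR, newBlock, putBE) are this example's own. The inputs in main are RFC 3610's packet vector #1, so the output can be checked against the RFC; the associated-data length encodings for 0xFF00 bytes and above are left out. Because each keystream block S_i depends only on the key, the nonce and the counter i, two messages sealed under the same key and nonce receive identical keystreams, and their ciphertexts XOR to the XOR of the plaintexts with no key needed; that is what makes nonce reuse catastrophic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// putBE writes v big-endian into dst, the trailing L-byte length/counter field of a CCM block.
func putBE(dst []byte, v uint64) {
	for i := len(dst) - 1; i >= 0; i-- {
		dst[i], v = byte(v), v>>8
	}
}

// newBlock checks the RFC 3610 ranges; L = 15-len(nonce) sizes the length/counter field, so a shorter nonce allows a longer message. Long-aad (>= 0xFF00) encodings are omitted.
func newBlock(key, nonce, aad []byte, tagLen, msgLen int) (cipher.Block, error) {
	L := 15 - len(nonce)
	if L < 2 || L > 8 || tagLen < 4 || tagLen > 16 || tagLen%2 != 0 || len(aad) >= 0xFF00 ||
		msgLen < 0 || (L < 8 && uint64(msgLen) >= uint64(1)<<(8*uint(L))) {
		return nil, fmt.Errorf("ccm: need 7..13-byte nonce, even 4..16-byte tag, aad < 0xFF00, 0 <= msg < 2^(8L)")
	}
	return aes.NewCipher(key)
}

// cbcMAC is the authentication half: CBC-MAC over B_0 || len(aad) || aad || pad || msg || pad, with B_0 = flags || nonce || len(msg).
func cbcMAC(blk cipher.Block, nonce, aad, msg []byte, tagLen int) []byte {
	pad := func(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }
	data := make([]byte, 16) // B_0
	data[0] = byte((tagLen-2)/2)<<3 | byte(14-len(nonce)) // flags: Adata | M' | L'
	copy(data[1:], nonce)
	putBE(data[1+len(nonce):], uint64(len(msg)))
	if la := len(aad); la > 0 {
		data[0] |= 0x40
		data = pad(append(append(data, byte(la>>8), byte(la)), aad...))
	}
	data = pad(append(data, msg...))
	x := make([]byte, 16)
	for i := 0; i < len(data); i += 16 {
		for j := range x {
			x[j] ^= data[i+j]
		}
		blk.Encrypt(x, x)
	}
	return x[:tagLen]
}

// ctrXOR is the confidentiality half: XOR data with S_i = E_K((L-1) || nonce || i), i = first, first+1, ...; S_0 masks the tag,
// S_1.. the payload. A_i's flag byte has bits 3..6 clear and B_0's never does, so CTR and CBC-MAC never feed the key the same block.
func ctrXOR(blk cipher.Block, nonce, data []byte, first uint64) []byte {
	a, s, out := make([]byte, 16), make([]byte, 16), make([]byte, len(data))
	a[0] = byte(14 - len(nonce))
	copy(a[1:], nonce)
	for i := range data {
		if i%16 == 0 {
			putBE(a[1+len(nonce):], first+uint64(i/16))
			blk.Encrypt(s, a)
		}
		out[i] = data[i] ^ s[i%16]
	}
	return out
}

// ccmSeal: authenticate-then-encrypt; returns ciphertext || encrypted tag.
func ccmSeal(key, nonce, aad, pt []byte, tagLen int) ([]byte, error) {
	blk, err := newBlock(key, nonce, aad, tagLen, len(pt))
	if err != nil {
		return nil, err
	}
	return append(ctrXOR(blk, nonce, pt, 1), ctrXOR(blk, nonce, cbcMAC(blk, nonce, aad, pt, tagLen), 0)...), nil
}

// ccmOpen decrypts, recomputes the MAC and compares in constant time; nothing is released on mismatch.
func ccmOpen(key, nonce, aad, sealed []byte, tagLen int) ([]byte, error) {
	n := len(sealed) - tagLen
	blk, err := newBlock(key, nonce, aad, tagLen, n) // also rejects n < 0
	if err != nil {
		return nil, err
	}
	pt, tag := ctrXOR(blk, nonce, sealed[:n], 1), ctrXOR(blk, nonce, sealed[n:], 0)
	if subtle.ConstantTimeCompare(tag, cbcMAC(blk, nonce, aad, pt, tagLen)) != 1 {
		return nil, fmt.Errorf("ccm: authentication failed")
	}
	return pt, nil
}

func main() {
	h := func(s string) []byte { b, _ := hex.DecodeString(s); return b } // inputs below are fixed hex
	// RFC 3610 packet vector #1 (M = 8, L = 2): 8-byte cleartext header as aad, 23-byte payload.
	key, nonce, aad := h("c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"), h("00000003020100a0a1a2a3a4a5"), h("0001020304050607")
	sealed, _ := ccmSeal(key, nonce, aad, h("08090a0b0c0d0e0f101112131415161718191a1b1c1d1e"), 8)
	fmt.Printf("sealed: %x\n", sealed) // RFC 3610: 588c979a61c663d2f066d0c2c0f989806d5f6b61dac38417e8d12cfdf926e0
	sealed[3] ^= 0x80 // flip one ciphertext bit: the recomputed CBC-MAC no longer matches the tag
	fmt.Println(ccmOpen(key, nonce, aad, sealed, 8))
}
```

The decryption side recomputes the CBC-MAC over the recovered plaintext and compares it with the decrypted tag in constant time; a forged tag, a flipped ciphertext bit, modified associated data or a truncated input all fail that check and no plaintext leaves ccmOpen. A library implementation would additionally refuse to ever seal twice under the same (key, nonce) pair, since this construction offers no protection once that happens.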

CCM mode was designed by Russ Housley, Doug Whiting and Niels Ferguson. At the time CCM mode was developed, Russ Housley was employed by RSA Laboratories.

A minor variation of CCM, called CCM*, is used in the Zigbee standard. CCM* includes all of the features of CCM and additionally allows a choice of MAC lengths down to 0 (which disables authentication and leaves encryption only). [5]

Performance

CCM requires two block cipher encryption operations on each block of an encrypted-and-authenticated message (one for the CBC-MAC and one for the counter-mode keystream), and one encryption on each block of associated authenticated data (CBC-MAC only).

According to Crypto++ benchmarks, AES CCM requires 28.6 cycles per byte on an Intel Core 2 processor in 32-bit mode. [6]

Notable inefficiencies:

Patents

The catalyst for the development of CCM mode was the submission of offset codebook (OCB) mode for inclusion in the IEEE 802.11i standard. Opposition was voiced to the inclusion of OCB mode because of a pending patent application on the algorithm. Inclusion of a patented algorithm meant significant licensing complications for implementors of the standard.

While the inclusion of OCB mode was disputed based on these intellectual property issues, it was agreed that the simplification provided by an authenticated encryption system was desirable. Therefore, Housley et al. developed CCM mode as a potential alternative that was not encumbered by patents.

Even though CCM mode is less efficient than OCB mode, a patent-free solution was preferable to one complicated by patent licensing issues. Therefore, CCM mode went on to become a mandatory component of the IEEE 802.11i standard, and OCB mode was relegated to optional component status, before eventually being removed altogether.

Use

CCM mode is used in IEEE 802.11i (as CCMP, the CCM encryption protocol for WPA2), IPsec, [7] and TLS 1.2, [8] as well as Bluetooth Low Energy (as of Bluetooth 4.0). [9] It is available for TLS 1.3, but not enabled by default in OpenSSL. [10]


References

  1. Dworkin, Morris (May 2004). Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. NIST Special Publication 800-38C. NIST. doi:10.6028/NIST.SP.800-38C.
  2. Whiting, D.; Housley, R.; Ferguson, N. (September 2003). Counter with CBC-MAC (CCM). RFC 3610. IETF. doi:10.17487/RFC3610.
  3. Housley, R. (December 2005). Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP). RFC 4309. IETF. p. 3: "AES CCM employs counter mode for encryption. As with any stream cipher, reuse of the same IV value with the same key is catastrophic."
  4. Jonsson, Jakob. On the Security of CTR + CBC-MAC.
  5. "Annex B: CCM* mode of operation". IEEE Standard for Local and metropolitan area networks, Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs) (PDF). IEEE Standards. 2011-09-05. p. 229. Retrieved 2015-12-18.
  6. "Crypto++ 5.6.0 Benchmarks". Crypto++. Retrieved 6 September 2015.
  7. RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP).
  8. RFC 6655: AES-CCM Cipher Suites for Transport Layer Security (TLS).
  9. "Bluetooth Low Energy Security". Archived from the original on 2016-04-02. Retrieved 2017-04-20.
  10. Caswell, Matt (2017-05-04). "Using TLS1.3 With OpenSSL". OpenSSL blog. Retrieved 2018-12-29.