CCM mode (counter with cipher block chaining message authentication code; counter with CBC-MAC) is a mode of operation for cryptographic

block cipher In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called ''blocks''. Block ciphers are specified cryptographic primitive, elementary components in the design of many cryptographic protocols and ...

s. It is an authenticated encryption algorithm designed to provide both

authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicat ...

and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits. The

nonce Nonce may refer to: * Cryptographic nonce, a number or bit string used only once, in security engineering * Nonce word, a word used to meet a need that is not expected to recur * The Nonce, American rap duo * Nonce orders, an architectural term ...

of CCM must be carefully chosen to never be used more than once for a given key. This is because CCM is a derivation of counter (CTR) mode and the latter is effectively a stream cipher.

Encryption and authentication

As the name suggests, CCM mode combines counter (CTR) mode for confidentiality with cipher block chaining message authentication code (CBC-MAC) for authentication. These two primitives are applied in an "authenticate-then-encrypt" manner: CBC-MAC is first computed on the message to obtain a message authentication code (MAC), then the message and the MAC are encrypted using counter mode. The main insight is that the same encryption key can be used for both, provided that the counter values used in the encryption do not collide with the (pre-) initialization vector used in the authentication. A proof of security exists for this combination, based on the security of the underlying block cipher. The proof also applies to a generalization of CCM for any block size, and for any size of cryptographically strong pseudo-random function (since in both counter mode and CBC-MAC, the block cipher is only ever used in one direction). CCM mode was designed by Russ Housley, Doug Whiting and

Niels Ferguson Niels T. Ferguson (born 10 December 1965, Eindhoven) is a Dutch cryptographer and consultant who currently works for Microsoft. He has worked with others, including Bruce Schneier, designing cryptographic algorithms, testing algorithms and protoco ...

. At the time CCM mode was developed, Russ Housley was employed by RSA Laboratories. A minor variation of CCM, called CCM*, is used in the

ZigBee Zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, such as for home automation, medical device data collection, and ...

standard. CCM* includes all of the features of CCM and additionally offers encryption-only capabilities.

Performance

CCM requires two block cipher encryption operations on each block of an encrypted-and-authenticated message, and one encryption on each block of associated authenticated data. According to

Crypto++ Crypto++ (also known as CryptoPP, libcrypto++, and libcryptopp) is a free and open-source C++ class library of cryptographic algorithms and schemes written by Wei Dai. Crypto++ has been widely used in academia, student projects, open-source, and ...

benchmarks, AES CCM requires 28.6 cycles per byte on an Intel Core 2 processor in 32-bit mode. Notable inefficiencies: * CCM is not an "on-line" authenticated encryption with associated data (AEAD), in that the length of the message (and associated data) must be known in advance. * In the MAC construction, the length of the associated data has a variable-length encoding, which can be shorter than machine word size. This can cause pessimistic MAC performance if associated data is long (which is uncommon). * Associated data is processed after message data, so it is not possible to pre-calculate state for static associated data.

Patents

The catalyst for the development of CCM mode was the submission of offset codebook (OCB) mode for inclusion in the

IEEE 802.11i IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networ ...

standard. Opposition was voiced to the inclusion of OCB mode because of a pending

patent A patent is a type of intellectual property that gives its owner the legal right to exclude others from making, using, or selling an invention for a limited period of time in exchange for publishing an sufficiency of disclosure, enabling disclo ...

application on the

algorithm In mathematics and computer science, an algorithm () is a finite sequence of rigorous instructions, typically used to solve a class of specific problems or to perform a computation. Algorithms are used as specifications for performing ...

. Inclusion of a patented algorithm meant significant licensing complications for implementors of the standard. While the inclusion of OCB mode was disputed based on these

intellectual property Intellectual property (IP) is a category of property that includes intangible creations of the human intellect. There are many types of intellectual property, and some countries recognize more than others. The best-known types are patents, cop ...

issues, it was agreed that the simplification provided by an authenticated encryption system was desirable. Therefore, Housley, et al. developed CCM mode as a potential alternative that was not encumbered by patents. Even though CCM mode is less efficient than OCB mode, a patent free solution was preferable to one complicated by patent licensing issues. Therefore, CCM mode went on to become a mandatory component of the IEEE 802.11i standard, and OCB mode was relegated to optional component status, before eventually being removed altogether.

Use

CCM mode is used in

(as CCMP, the CCM encryption protocol for

WPA2 Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The All ...

IPsec In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in ...

, and

TLS TLS may refer to: Computing * Transport Layer Security, a cryptographic protocol for secure computer network communication * Thread level speculation, an optimisation on multiprocessor CPUs * Thread-local storage, a mechanism for allocating vari ...

1.2, as well as Bluetooth Low Energy (as of Bluetooth 4.0). It is available for TLS 1.3, but not enabled by default in

OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HT ...

References

External links

* : Counter with CBC-MAC (CCM) * : Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP) * : AES-CCM Cipher Suites for Transport Layer Security (TLS)
A Critique of CCM
(by the designer of OCB) {{Cryptography navbox , block , hash Block cipher modes of operation Authenticated-encryption schemes

Encryption and authentication

Performance

Patents

Use

See also

References

External links