CCMP
Encyclopedia
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol or CCMP (CCM mode
Protocol) is an encryption
protocol designed for Wireless LAN
products that implement the standards of the IEEE 802.11i
amendment to the original IEEE 802.11
standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM)
of the AES
standard. It was created to address the vulnerabilities presented by TKIP, a protocol in WPA
, and WEP
, a dated, insecure protocol.
A CCMP Medium Access Control Protocol Data Unit (MPDU) comprises five sections. The first is the MAC header which contains the destination and source address of the data packet. The second is the CCMP header which is composed of 8 octets and consists of the packet number(PN), the Ext IV, and the key ID. The packet number is a 48-bit number stored across 6 octets. The PN codes are the first two and last four octets of the CCMP header and are incremented for each subsequent packet. Between the PN codes are a reserved octet and a Key ID octet. The Key ID octet contains the Ext IV (bit 5), Key ID (bits 6-7), and a reserved subfields (bits 0-4). CCMP uses these values to encrypt the data unit and the MIC. The third section is the data unit which is the data being sent in the packet. Lastly are the Message Integrity Code
(MIC) which protects the integrity and authenticity of the packet and the frame check sequence
(FCS) which is used for error detection and correction. Of these sections only the data unit and MIC are encrypted.
Because CCMP is a block cipher mode it is secure against attacks to the 2^128 steps of operation if the key for the encryption is 256 bits or larger. Generic meet-in-the-middle attack
s do exist and can be used to limit the theoretical strength of the key to 2^(n/2) (where n is the number of bits in the key) operations needed.
CCM mode
CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits...
Protocol) is an encryption
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
protocol designed for Wireless LAN
Wireless LAN
A wireless local area network links two or more devices using some wireless distribution method , and usually providing a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network...
products that implement the standards of the IEEE 802.11i
IEEE 802.11i
IEEE 802.11i-2004 or 802.11i, implemented as WPA2, is an amendment to the original IEEE 802.11. The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks. It replaced the short Authentication and privacy clause of the original standard with...
amendment to the original IEEE 802.11
IEEE 802.11
IEEE 802.11 is a set of standards for implementing wireless local area network computer communication in the 2.4, 3.6 and 5 GHz frequency bands. They are created and maintained by the IEEE LAN/MAN Standards Committee . The base version of the standard IEEE 802.11-2007 has had subsequent...
standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM)
CCM mode
CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits...
of the AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
standard. It was created to address the vulnerabilities presented by TKIP, a protocol in WPA
Wi-Fi Protected Access
Wi-Fi Protected Access and Wi-Fi Protected Access II are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks...
, and WEP
Wired Equivalent Privacy
Wired Equivalent Privacy is a weak security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in September 1999, its intention was to provide data confidentiality comparable to that of a traditional wired network...
, a dated, insecure protocol.
Technical Details
CCMP uses CCM that combines CTR for data confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU data field and selected portions of the IEEE 802.11 MPDU header. CCMP is based on AES processing and uses a 128-bit key and a 128-bit block size. CCMP uses CCM with the following two parameters:- M = 8; indicating that the MIC is 8 octetsOctet (computing)An octet is a unit of digital information in computing and telecommunications that consists of eight bits. The term is often used when the term byte might be ambiguous, as there is no standard for the size of the byte.-Overview:...
(eight bits). - L = 2; indicating that the Length field is 2 octets.
A CCMP Medium Access Control Protocol Data Unit (MPDU) comprises five sections. The first is the MAC header which contains the destination and source address of the data packet. The second is the CCMP header which is composed of 8 octets and consists of the packet number(PN), the Ext IV, and the key ID. The packet number is a 48-bit number stored across 6 octets. The PN codes are the first two and last four octets of the CCMP header and are incremented for each subsequent packet. Between the PN codes are a reserved octet and a Key ID octet. The Key ID octet contains the Ext IV (bit 5), Key ID (bits 6-7), and a reserved subfields (bits 0-4). CCMP uses these values to encrypt the data unit and the MIC. The third section is the data unit which is the data being sent in the packet. Lastly are the Message Integrity Code
Message authentication code
In cryptography, a message authentication code is a short piece of information used to authenticate a message.A MAC algorithm, sometimes called a keyed hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC...
(MIC) which protects the integrity and authenticity of the packet and the frame check sequence
Frame Check Sequence
A frame check sequence refers to the extra checksum characters added to a frame in a communication protocol for error detection and correction. Frames are used to send upper-layer data and ultimately the user application data from a source to a destination. The data package includes the message...
(FCS) which is used for error detection and correction. Of these sections only the data unit and MIC are encrypted.
Security
CCMP is the standard encryption protocol for use with the WPA2 standard and as such is much more secure than the WEP protocol and TKIP protocol of WPA. CCMP provides the following security services:- Data Confidentiality; ensures only authorized parties can access the information
- Authentication; provides proof of genuineness of the user
- Access control in conjunction with layer management
Because CCMP is a block cipher mode it is secure against attacks to the 2^128 steps of operation if the key for the encryption is 256 bits or larger. Generic meet-in-the-middle attack
Meet-in-the-middle attack
The meet-in-the-middle attack is a cryptographic attack which, like the birthday attack, makes use of a space-time tradeoff. While the birthday attack attempts to find two values in the domain of a function that map to the same value in its range, the meet-in-the-middle attack attempts to find a...
s do exist and can be used to limit the theoretical strength of the key to 2^(n/2) (where n is the number of bits in the key) operations needed.