CCM mode (Counter with CBC-MACIn cryptography, a Cipher Block Chaining Message Authentication Code, abbreviated CBC-MAC, is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block...
) is a
mode of operationIn cryptography, a block cipher operates on blocks of fixed length, often 64 or 128 bits. Because messages may be of any length, and because encrypting the same plaintext under the same key always produces the same output , several modes of operation have been invented which allow block ciphers to...
for cryptographic
block cipherIn cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, termed blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
s. It is an
authenticated encryptionAuthenticated Encryption is a term used to describe encryption systems which simultaneously protect confidentiality and authenticity of communications...
algorithm designed to provide both
authenticationAuthentication is the act of establishing or confirming something as authentic, that is, that claims made by or about the subject are true...
and
privacyPrivacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively...
. CCM mode is only defined for block ciphers with a block length of 128 bits. In RFC 3610, it is defined for use with
AESIn cryptography, the Advanced Encryption Standard is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with...
.
As the name suggests, CCM mode combines the well-known counter mode of encryption with the well-known CBC-MAC mode of authentication. The key insight is that the same encryption key can be used for both, provided that the counter values used in the encryption do not collide with the (pre-)
initialization vectorIn cryptography, an initialization vector is a block of bits that is required to allow a stream cipher or a block cipher to be executed in any of several streaming modes of operation to produce a unique stream independent from other streams produced by the same encryption key, without having to go...
used in the authentication.
CCM mode (Counter with CBC-MACIn cryptography, a Cipher Block Chaining Message Authentication Code, abbreviated CBC-MAC, is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block...
) is a
mode of operationIn cryptography, a block cipher operates on blocks of fixed length, often 64 or 128 bits. Because messages may be of any length, and because encrypting the same plaintext under the same key always produces the same output , several modes of operation have been invented which allow block ciphers to...
for cryptographic
block cipherIn cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, termed blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
s. It is an
authenticated encryptionAuthenticated Encryption is a term used to describe encryption systems which simultaneously protect confidentiality and authenticity of communications...
algorithm designed to provide both
authenticationAuthentication is the act of establishing or confirming something as authentic, that is, that claims made by or about the subject are true...
and
privacyPrivacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively...
. CCM mode is only defined for block ciphers with a block length of 128 bits. In RFC 3610, it is defined for use with
AESIn cryptography, the Advanced Encryption Standard is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with...
.
Encryption and authentication
As the name suggests, CCM mode combines the well-known counter mode of encryption with the well-known CBC-MAC mode of authentication. The key insight is that the same encryption key can be used for both, provided that the counter values used in the encryption do not collide with the (pre-)
initialization vectorIn cryptography, an initialization vector is a block of bits that is required to allow a stream cipher or a block cipher to be executed in any of several streaming modes of operation to produce a unique stream independent from other streams produced by the same encryption key, without having to go...
used in the authentication. A
proof of security exists for this combination, based on the security of the underlying block cipher. In fact, the proof also applies to a generalization of CCM for any
sizeIn modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size...
block cipher, and in fact, for any size cryptographically strong pseudo-random function (since in both counter mode and CBC-MAC, the block cipher is only ever used in one direction).
CCM mode was designed by
Russ HousleyRuss Housley is the current Chair of the Internet Engineering Task Force , since March 2007.Apart from his IETF work, he is a security systems consultant, working under the company name Vigil Security LLC, which he founded in 2002....
, Doug Whiting and
Niels FergusonNiels T. Ferguson is a Dutch cryptographer and consultant who currently works for Microsoft. He has worked with others, including Bruce Schneier, designing cryptographic algorithms, testing algorithms and protocols, and writing papers and books...
. At the time CCM mode was developed, Russ Housley was employed by
RSA LaboratoriesRSA, The Security Division of EMC Corporation, is headquartered in Bedford, Massachusetts, United States, and maintains offices in Australia, Ireland, Israel, the United Kingdom, Singapore, India, China, Hong Kong and Japan....
.
A minor variation of the CCM, called CCM*, is used in the
ZigBeeZigBee is a specification for a suite of high level communication protocols using small, low-power digital radios based on the IEEE 802.15.4-2003 standard for wireless personal area networks , such as wireless headphones connecting with cell phones via short-range radio...
standard. CCM* includes all of the features of CCM and additionally offers encryption-only and integrity-only capabilities.
Performance
CCM requires two block cipher encryption operations per each block of encrypted and authenticated message and one encryption per each block of associated authenticated data.
Patents
The catalyst for the development of CCM mode was the submission of
OCB modeOCB mode is a mode of operation for cryptographic block ciphers.-Encryption and authentication:It was designed to provide both authentication and privacy. It is essentially a scheme for integrating a Message Authentication Code into the operation of a block cipher...
for inclusion in the
IEEE 802.11iIEEE 802.11i-2004 or 802.11i is an amendment to the original IEEE 802.11 standard specifying security mechanisms for wireless networks. It replaced the short Authentication and privacy clause of the original standard with a detailed Security clause, in the process deprecating the broken WEP...
standard. Opposition was voiced to the inclusion of OCB mode because of a pending
patentA patent is a set of exclusive rights granted by a state to an inventor or their assignee for a limited period of time in exchange for a public disclosure of an invention....
application on the
algorithmIn mathematics, computing, linguistics, and related subjects, an algorithm is an effective method for solving a problem using a finite sequence of instructions. Algorithms are used for calculation, data processing, and many other fields....
. Inclusion of a patented algorithm meant significant licensing complications for implementors of the standard.
While the inclusion of OCB mode was disputed based on these
intellectual propertyIntellectual property is a number of distinct types of legal monopolies over creations of the mind, both artistic and commercial, and the corresponding fields of law...
issues, it was agreed that the simplification provided by an authenticated encryption system was desirable. Therefore Housley, et al. developed CCM mode as a potential alternative that was not encumbered by patents.
Even though CCM mode is less efficient than OCB mode, a patent free solution was preferable to one complicated by patent licensing issues. Therefore, CCM mode went on to become a mandatory component of the IEEE 802.11i standard, and OCB mode was relegated to optional component status.
External links
- A Critique of CCM
- RFC 3610: Counter with CBC-MAC (CCM)
- RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)