CCM mode
CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits. In RFC 3610, it is defined for use with AES.
Encryption and authentication
As the name suggests, CCM mode combines the well-known counter mode of encryption with the well-known CBC-MAC mode of authentication. The key insight is that the same encryption key can be used for both, provided that the counter values used in the encryption do not collide with the (pre-)initialization vector used in the authentication. A proof of security exists for this combination, based on the security of the underlying block cipher. The proof also applies to a generalization of CCM for any size block cipher, and for any size cryptographically strong pseudo-random function (since in both counter mode and CBC-MAC, the block cipher is only ever used in one direction).
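The construction described above, as an added example that is not part of the original article: CCM built over a forward-only 16-byte function `E`, with block formatting following RFC 3610 (2-byte associated-data length encoding only). The HMAC-SHA256-based `prf` is an assumed stand-in for AES so the code runs on the standard library alone; its output does not interoperate with AES-CCM, and all function names are illustrative.

```python
import hashlib
import hmac

BLOCK = 16

def prf(key):
    """Assumed stand-in for AES: HMAC-SHA256 truncated to one 16-byte block."""
    return lambda block: hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def _pad(data):
    return data + bytes(-len(data) % BLOCK)

def _cbc_mac(E, nonce, aad, msg, M, L):
    # B_0 flags: Adata in bit 6, (M-2)/2 in bits 3-5, L-1 in bits 0-2.
    flags = (0x40 if aad else 0) | (((M - 2) // 2) << 3) | (L - 1)
    blocks = bytes([flags]) + nonce + len(msg).to_bytes(L, "big")
    if len(aad) >= 0xFF00:
        raise ValueError("only the 2-byte l(a) encoding is implemented")
    if aad:
        blocks += _pad(len(aad).to_bytes(2, "big") + aad)
    blocks += _pad(msg)
    x = bytes(BLOCK)
    for i in range(0, len(blocks), BLOCK):
        x = E(_xor(x, blocks[i:i + BLOCK]))
    return x[:M]

def _keystream(E, nonce, L, index):
    # A_i flags hold only L-1 (bits 3-5 zero); B_0 has M >= 4 there, so no collision.
    return E(bytes([L - 1]) + nonce + index.to_bytes(L, "big"))

def _ctr(E, nonce, L, data):
    return b"".join(_xor(data[i:i + BLOCK], _keystream(E, nonce, L, i // BLOCK + 1))
                    for i in range(0, len(data), BLOCK))

def ccm_seal(E, nonce, msg, aad=b"", M=8):
    L = 15 - len(nonce)  # nonce is 7..13 bytes, so L is 2..8
    tag = _cbc_mac(E, nonce, aad, msg, M, L)
    return _ctr(E, nonce, L, msg) + _xor(tag, _keystream(E, nonce, L, 0))

def ccm_open(E, nonce, sealed, aad=b"", M=8):
    L = 15 - len(nonce)
    msg = _ctr(E, nonce, L, sealed[:-M])  # same forward call; no inverse of E needed
    tag = _xor(_cbc_mac(E, nonce, aad, msg, M, L), _keystream(E, nonce, L, 0))
    if not hmac.compare_digest(tag, sealed[-M:]):
        raise ValueError("CCM tag mismatch")
    return msg
```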
CCM mode was designed by Russ Housley, Doug Whiting and Niels Ferguson. At the time CCM mode was developed, Russ Housley was employed by RSA Laboratories.
A minor variation of CCM, called CCM*, is used in the ZigBee standard. CCM* includes all of the features of CCM and additionally offers encryption-only and integrity-only capabilities.
Performance
CCM requires two block cipher encryption operations for each block of encrypted and authenticated message and one encryption for each block of associated authenticated data.
Patents
The catalyst for the development of CCM mode was the submission of OCB mode for inclusion in the IEEE 802.11i standard. Opposition was voiced to the inclusion of OCB mode because of a pending patent application on the algorithm. Inclusion of a patented algorithm meant significant licensing complications for implementors of the standard.
While the inclusion of OCB mode was disputed based on these intellectual property issues, it was agreed that the simplification provided by an authenticated encryption system was desirable. Therefore Housley, et al. developed CCM mode as a potential alternative that was not encumbered by patents.
Even though CCM mode is less efficient than OCB mode, a patent-free solution was preferable to one complicated by patent licensing issues. Therefore, CCM mode went on to become a mandatory component of the IEEE 802.11i standard, and OCB mode was relegated to optional component status.
External links
- RFC 3610: Counter with CBC-MAC (CCM)
- RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
- A Critique of CCM (by the designer of OCB)