Movatterモバイル変換

CCM mode

From Wikipedia, the free encyclopedia

Authenticated encryption mode for block ciphers

CCM mode (counter with cipher block chaining message authentication code;counter withCBC-MAC) is amode of operation for cryptographicblock ciphers. It is anauthenticated encryption algorithm designed to provide bothauthentication andconfidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits.^[1]^[2]

Thenonce of CCM must be carefully chosen to never be used more than once for a givenkey.This is because CCM is a derivation ofcounter (CTR) mode and the latter is effectively astream cipher.^[3]

Encryption and authentication

[edit]

As the name suggests, CCM mode combinescounter (CTR) mode for confidentiality withcipher block chaining message authentication code (CBC-MAC) for authentication. These two primitives are applied in an "authenticate-then-encrypt" manner: CBC-MAC is first computed on the message to obtain amessage authentication code (MAC), then the message and the MAC are encrypted using counter mode. The main insight is that the same encryption key can be used for both, provided that the counter values used in the encryption do not collide with the (pre-)initialization vector used in the authentication. Aproof of security^[4] exists for this combination, based on the security of the underlying block cipher. The proof also applies to a generalization of CCM for anyblock size, and for any size ofcryptographically strong pseudo-random function (since in both counter mode and CBC-MAC, the block cipher is only ever used in one direction).

CCM mode was designed byRuss Housley, Doug Whiting andNiels Ferguson. At the time CCM mode was developed, Russ Housley was employed byRSA Laboratories.

A minor variation of CCM, called CCM*, is used in theIEEE 802.15.4 standard, used as theMAC layer inZigbee . CCM* includes all of the features of CCM. It allows a choice of MAC lengths down to 0 (which disables authentication and becomes encryption-only).^[5]

Performance

[edit]

CCM requires two block cipher encryption operations on each block of an encrypted-and-authenticated message, and one encryption on each block of associated authenticated data.

According toCrypto++ benchmarks, AES CCM requires 28.6cycles per byte on anIntel Core 2 processor in 32-bit mode.^[6]

Notable inefficiencies:

CCM is not an "on-line"authenticated encryption with associated data (AEAD), in that the length of the message (and associated data) must be known in advance.
In the MAC construction, the length of the associated data has a variable-length encoding, which can be shorter than machine word size. This can cause pessimistic MAC performance if associated data is long (which is uncommon).
Associated data is processed after message data, so it is not possible to pre-calculate state for static associated data.

Patents

[edit]

The catalyst for the development of CCM mode was the submission ofoffset codebook (OCB) mode for inclusion in theIEEE 802.11i standard. Opposition was voiced to the inclusion of OCB mode because of a pendingpatent application on thealgorithm. Inclusion of a patented algorithm meant significant licensing complications for implementors of the standard.

While the inclusion of OCB mode was disputed based on theseintellectual property issues, it was agreed that the simplification provided by an authenticated encryption system was desirable. Therefore, Housley, et al. developed CCM mode as a potential alternative that was not encumbered by patents.

Even though CCM mode is less efficient than OCB mode, a patent free solution was preferable to one complicated by patent licensing issues. Therefore, CCM mode went on to become a mandatory component of the IEEE 802.11i standard, and OCB mode was relegated to optional component status, before eventually being removed altogether.

Use

[edit]

CCM mode is used inIEEE 802.11i (asCCMP, the CCM encryption protocol forWPA2),IPsec,^[7] andTLS 1.2,^[8] as well asBluetooth Low Energy (as ofBluetooth 4.0).^[9] It is available for TLS 1.3, but not enabled by default inOpenSSL.^[10]

References

[edit]

^Dworkin, Morris (May 2004).Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality(PDF) (Technical report). NIST Special Publications.NIST.doi:10.6028/NIST.SP.800-38C. 800-38C.
^Whiting, D.; Housley, R.; Ferguson, N. (September 2003).Counter with CBC-MAC (CCM).IETF.doi:10.17487/RFC3610.RFC 3610.
^Housley, Russ (December 2005)."rfc4309".IETF: 3.AES CCM employs counter mode for encryption. As with any stream cipher, reuse of the same IV value with the same key is catastrophic.
^Jonsson, Jakob (2003)."On the Security of CTR + CBC-MAC"(PDF).Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 2595. pp. 76–93.doi:10.1007/3-540-36492-7_7.ISBN 978-3-540-00622-0.
^"Annex B: CCM* mode of operation".IEEE Standard for Local and metropolitan area networks--Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs)(PDF).IEEE Standards. 2011-09-05. p. 229. Retrieved2015-12-18.
^"Crypto++ 5.6.0 Benchmarks".Crypto++. Retrieved6 September 2015.
^RFC 4309 Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
^RFC 6655 AES-CCM Cipher Suites for Transport Layer Security (TLS)
^"Bluetooth Low Energy Security". Archived fromthe original on 2016-04-02. Retrieved2017-04-20.
^Caswell, Matt (2017-05-04)."Using TLS1.3 With OpenSSL".OpenSSL blog. Retrieved2024-10-11.

External links

[edit]

RFC 3610: Counter with CBC-MAC (CCM)
RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
RFC 6655: AES-CCM Cipher Suites for Transport Layer Security (TLS)
A Critique of CCM (by the designer of OCB)

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics,Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97,89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q QARMA RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Modn Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE NSA Suite B CNSA
Utilization	Initialization vector Mode of operation Padding

v t e Cryptographic hash functions andmessage authentication codes
List Comparison Known attacks
Common functions	MD5 (compromised) SHA-1 (compromised) SHA-2 SHA-3 BLAKE2
SHA-3 finalists	BLAKE Grøstl JH Skein Keccak (winner)
Other functions	BLAKE3 CubeHash ECOH FSB Fugue GOST HAS-160 HAVAL Kupyna LSH Lane MASH-1 MASH-2 MD2 MD4 MD6 MDC-2 N-hash RIPEMD RadioGatún SIMD SM3 SWIFFT Shabal Snefru Streebog Tiger VSH Whirlpool
Password hashing/ key stretching functions	Argon2 Balloon bcrypt Catena crypt LM hash Lyra2 Makwa PBKDF2 scrypt yescrypt
General purpose key derivation functions	HKDF KDF1/KDF2
MAC functions	CBC-MAC DAA GMAC HMAC NMAC OMAC/CMAC PMAC Poly1305 SipHash UMAC VMAC
Authenticated encryption modes	CCM ChaCha20-Poly1305 CWC EAX GCM IAPM OCB
Attacks	Collision attack Preimage attack Birthday attack Brute-force attack Rainbow table Side-channel attack Length extension attack
Design	Avalanche effect Hash collision Merkle–Damgård construction Sponge function HAIFA construction
Standardization	CAESAR Competition CRYPTREC NESSIE NIST hash function competition Password Hashing Competition NSA Suite B CNSA
Utilization	Hash-based cryptography Merkle tree Message authentication Proof of work Salt Pepper

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Cryptojacking malware Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category