Browse Prior Art Database

Counter with CBC-MAC (CCM) (RFC3610)

IP.com Disclosure Number: IPCOM000019595D
Original Publication Date: 2003-Sep-01
Included in the Prior Art Database: 2003-Sep-23
Document File: 27 page(s) / 64K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

D. Whiting: AUTHOR [+3]

Abstract

Counter with CBC-MAC (CCM) is a generic authenticated encryption block cipher mode. CCM is defined for use with 128-bit block ciphers, such as the Advanced Encryption Standard (AES).

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 7% of the total text.

Network Working Group D. Whiting

Request for Comments: 3610 Hifn

Category: Informational R. Housley

Vigil Security

N. Ferguson

MacFergus

September 2003

Counter with CBC-MAC (CCM)

Status of this Memo

This memo provides information for the Internet community. It does

not specify an Internet standard of any kind. Distribution of this

memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

Counter with CBC-MAC (CCM) is a generic authenticated encryption

block cipher mode. CCM is defined for use with 128-bit block

ciphers, such as the Advanced Encryption Standard (AES).

1. Introduction

Counter with CBC-MAC (CCM) is a generic authenticated encryption

block cipher mode. CCM is only defined for use with 128-bit block

ciphers, such as AES [AES]. The CCM design principles can easily be

applied to other block sizes, but these modes will require their own

specifications.

1.1. Conventions Used In This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",

"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this

document are to be interpreted as described in [STDWORDS].

2. CCM Mode Specification

For the generic CCM mode there are two parameter choices. The first

choice is M, the size of the authentication field. The choice of the

value for M involves a trade-off between message expansion and the

probability that an attacker can undetectably modify a message.

Valid values are 4, 6, 8, 10, 12, 14, and 16 octets. The second

Whiting, et al. Informational [Page 1]

RFC 3610 Counter with CBC-MAC (CCM) September 2003

choice is L, the size of the length field. This value requires a

trade-off between the maximum message size and the size of the Nonce.

Different applications require different trade-offs, so L is a

parameter. Valid values of L range between 2 octets and 8 octets

(the value L=1 is reserved).

Name Description Size Encoding

---- ---------------------------------------- ------ --------

M Number of octets in authentication field 3 bits (M-2)/2

L Number of octets in length field 3 bits L-1

2.1. Inputs

To authenticate and encrypt a message the following information is

required:

1. An encryption key K suitable for the block cipher.

2. A nonce N of 15-L octets. Within the scope of any encryption key

K, the nonce value MUST be unique. That is, the set of nonce

values used with any given key MUST NOT contain any duplicate

values. Using the same nonce for two different messages

encrypted with the same key destroys the security properties of

this mode.

3. The message m, consisting of a string of l(m) octets where 0 <=

l(m) < 2^(8L). The length restriction ensures that l(m) can be

encoded in a field of L octets.

4. Additional authenticated data a, consisting of a string of l(a)

octets where 0 <= l(a) < 2^64. This additional data is

authenticated but not encrypted, and is not included in the

output of this mode. It can be used to authenticate plaintext

packet headers, or contextua...