Counter with CBC-MAC (CCM)
RFC 3610
Document | Type |
RFC - Informational
(September 2003; No errata)
Was draft-housley-ccm-mode (gen)
|
|
---|---|---|---|
Authors | Doug Whiting , Russ Housley , Niels Ferguson | ||
Last updated | 2015-10-14 | ||
Stream | ISE | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | ISE state | (None) | |
Consensus Boilerplate | Unknown | ||
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 3610 (Informational) | |
Action Holders |
(None)
|
||
Telechat date | |||
Responsible AD | Steven Bellovin | ||
Send notices to | <nicky.ferguson@bris.ac.uk> |
Network Working Group D. Whiting Request for Comments: 3610 Hifn Category: Informational R. Housley Vigil Security N. Ferguson MacFergus September 2003 Counter with CBC-MAC (CCM) Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract Counter with CBC-MAC (CCM) is a generic authenticated encryption block cipher mode. CCM is defined for use with 128-bit block ciphers, such as the Advanced Encryption Standard (AES). 1. Introduction Counter with CBC-MAC (CCM) is a generic authenticated encryption block cipher mode. CCM is only defined for use with 128-bit block ciphers, such as AES [AES]. The CCM design principles can easily be applied to other block sizes, but these modes will require their own specifications. 1.1. Conventions Used In This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [STDWORDS]. 2. CCM Mode Specification For the generic CCM mode there are two parameter choices. The first choice is M, the size of the authentication field. The choice of the value for M involves a trade-off between message expansion and the probability that an attacker can undetectably modify a message. Valid values are 4, 6, 8, 10, 12, 14, and 16 octets. The second Whiting, et al. Informational [Page 1] RFC 3610 Counter with CBC-MAC (CCM) September 2003 choice is L, the size of the length field. This value requires a trade-off between the maximum message size and the size of the Nonce. Different applications require different trade-offs, so L is a parameter. Valid values of L range between 2 octets and 8 octets (the value L=1 is reserved). Name Description Size Encoding ---- ---------------------------------------- ------ -------- M Number of octets in authentication field 3 bits (M-2)/2 L Number of octets in length field 3 bits L-1 2.1. Inputs To authenticate and encrypt a message the following information is required: 1. An encryption key K suitable for the block cipher. 2. A nonce N of 15-L octets. Within the scope of any encryption key K, the nonce value MUST be unique. That is, the set of nonce values used with any given key MUST NOT contain any duplicate values. Using the same nonce for two different messages encrypted with the same key destroys the security properties of this mode. 3. The message m, consisting of a string of l(m) octets where 0 <= l(m) < 2^(8L). The length restriction ensures that l(m) can be encoded in a field of L octets. 4. Additional authenticated data a, consisting of a string of l(a) octets where 0 <= l(a) < 2^64. This additional data is authenticated but not encrypted, and is not included in the output of this mode. It can be used to authenticate plaintext packet headers, or contextual information that affects the interpretation of the message. Users who do not wish to authenticate additional data can provide a string of length zero. The inputs are summarized as: Name Description Size ---- ----------------------------------- ----------------------- K Block cipher key Depends on block cipher N Nonce 15-L octets m Message to authenticate and encrypt l(m) octets a Additional authenticated data l(a) octets Whiting, et al. Informational [Page 2] RFC 3610 Counter with CBC-MAC (CCM) September 2003 2.2. Authentication The first step is to compute the authentication field T. This is done using CBC-MAC [MAC]. We first define a sequence of blocks B_0, B_1, ..., B_n and then apply CBC-MAC to these blocks. The first block B_0 is formatted as follows, where l(m) is encoded in most-significant-byte first order: Octet Number Contents ------------ --------- 0 Flags 1 ... 15-L Nonce N 16-L ... 15 l(m) Within the first block B_0, the Flags field is formatted as follows:Show full document text