Questions tagged [ccm]

Counter with CBC-MAC (CCM) mode, an authenticated encryption mode of operation for a block cipher based on CTR mode and the CBC-MAC algorithm.

The CCM mode is an authenticated encryption mode of operation for a block cipher. It takes a block cipher as a primitive, and provides both privacy and integrity services for packet messages.

See the Wikipedia page for more information.

51 questions
47
votes
2 answers

How to choose between AES-CCM and AES-GCM for storage volume encryption

We are using the encryption built into Solaris 11 ZFS, which offers the choice between CCM (CBC counter mode) and GCM (Galois counter mode). What are the pros and cons of choosing each of these cipher modes?
ruief
18
votes
1 answer

Why does TLS 1.3 support two CCM variants?

One of the important improvements introduced in TLS 1.3 is the pruning of the many previously available cipher suites to only five secure options (for symmetric ciphers), that are each supposed to have distinct advantages. For four of these, the…
AardvarkSoup
10
votes
1 answer

Unique GCM/CCM initial counters without recipient side message counters

I am implementing the encryption layer for a communication protocol. The bulk encryption method used is either AES-CCM or AES-GCM. Due to implementation details, encryption of packets is usually, but not necessarily, performed by the sender in the…
Henrick Hellström
10
votes
1 answer

AES cache-timing attacks and nonce-based operation modes

As I understand it, AES cache-timing attacks exploit the execution time variations due to cache hits/misses, especially the ones depending on the SBox look-up tables which are key-related. To mount such an attack, does an attacker need to have…
Raoul722
8
votes
2 answers

Picking a nonce in the context of CCM (CTR with CBC-MAC) mode

After having read the RFC 3610: Counter with CBC-MAC (CCM) and the Wikipedia article on CTR mode, I'm not sure how a nonce should be picked. The RFC says: A nonce N of 15-L octets. Within the scope of any encryption key K, the nonce value MUST…
Sebi
6
votes
1 answer

Security of authenticated encryption modes GCM & CCM

I have two questions for clarification for AE mode choice criteria. GCM: it appears to be actually the most popular and widely used AE mode of operation. However, it is also well-known to be highly sensitive (more than other AE modes?) to IV…
william_fr
6
votes
2 answers

Are tags longer than 128 bit possible for AES-256-CCM and AES-256-GCM?

I have an existing application that uses AES-256-CBC for encrypting data blocks, and HMAC-SHA-256 on the plaintext for eliminating duplicate data blocks. For performance reasons, I would like to move to AES-256-CCM and using the resulting…
Aron
6
votes
1 answer

What is the purpose of the "Explicit Nonce" in TLS for AES-GCM and AES-CCM?

TLS uses an explicit (secret) 32-bit nonce in combination with the 64-bit sequence number to create the IV for AES-GCM and the nonce for AES-CCM. However, I wonder why TLS needs the explicit nonce. In general, the sequence number is used to prevent…
budderick
5
votes
1 answer

AES - CCM, why not use CMAC inside instead of CBC-MAC?

I was reading up on AES-CMAC when I learned that this basically is an improved and more robust version of CBC-MAC, with the ability to safely have variable-length messages. Difference between CBC-MAC and CMAC The AES-CCM uses AES in counter-mode,…
Martin Aa S
4
votes
1 answer

Authenticated Encryption with smallest Overhead (Input and Output)

I'm searching for the authenticated encryption algorithm that produces/requires the least overhead in total. This includes the authentication tag that it produces and the additional input that has to be sent along the message for a secure use of the…
4
votes
1 answer

Difference between AES-CCM and AES-CCM*

I'm trying to understand the difference between AES-CCM and AES-CCM* (as defined in IEEE Std 802.15.4™‐2011, Annex B). I see that there are more restrictions on L and M and also M=0 is allowed: L = 2 M = [0,4,8,16] Is it correct that the max…
moti
4
votes
1 answer

Security of integrity protection with HMAC vs AEAD

I'd like to know how the security of the integrity protection compares between: HMAC-SHA-256 with a 32 byte tag or a truncated 16 byte tag; AES-GCM with a 16 byte tag; AES-CCM with a 16 byte tag or with an 8 byte tag. Assuming that no side-channel…
Ludwig
3
votes
1 answer

Attacking AES/CCM with random IV

A cryptosystem is using AES-128 in CCM mode with random IV. Suppose an attacker capable of: asking the cryptosystem to encrypt a single plaintext as many times as he wants; and asking the cryptosystem if any ciphertext is valid (ie, if it decrypts…
Bruno Reis
3
votes
1 answer

An example of CCM - AES Mode

I need to test if my AES-CCM implementation works correctly, but I don't find any example to test that. Could you please help me and provide test vectors / other value-inserted examples? In case there are none, I'd like to ask for the ciphertext of…
user6652926
3
votes
1 answer

Birthday attack on AES-CCM with 32-bit Authentication Tag

I would like to use AES-CCM with a very small Authentication Tag length of 32 bits. Thus, I have a question about the vulnerability to birthday attacks. How vulnerable is CCM to birthday attacks? Jonsson explains that the adversary does not gain…