Encryption and authentication modes

dj at deadhat.com
Wed Jul 14 13:22:49 EDT 2010


> What's the current state of affairs regarding combined encryption and
> authentication modes?
>
> I've implemented draft-mcgrew-aead-aes-cbc-hmac-sha1-01 (I think, I
> couldn't find test vectors), but I later came across CCM and EAX.  CCM
> has the advantage of being NIST-reviewed.  EAX can do streaming (but
> that's less useful when doing authentication).  Neither seems to be
> widely implemented.  But both offer a considerable reduction in
> per-message overhead when compared to the HMAC-SHA1/AES combination.
>
> Are there any other alternatives to consider?  Are there any traps I
> should be aware of when implementing CCM?
>
> --
> Florian Weimer                <fweimer at bfk.de>
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99

CCM is widely implemented. It's a matter of where you look.

Down at the MAC layer, AES-CCM has proved popular in wireless packet
communication because it is well adapted for separating the treatment of
the header as plaintext AAD from the packet body as ciphertext. Also it is
relatively efficient to implement in hardware since it relies only on a
single AES encrypt block cipher and the birthday resistance of the
ciphertext MAC reduces on-air per packet overhead. This is why, for
example, you see AES-CCM in wireless USB, 802.11, 802.16 and WiMAX
management protocols.

A couple of years after 802 went for AES-CCM, AES-GCM became the
802.3/ethernet choice since it is more parallelizable and so can be
implemented for 10Gbps+ links where CCM becomes trickier. The per packet
overhead is higher, but bandwidth on wires is cheap.

I don't think you can really implement CCM except in the context of a more
detailed specification for a protocol. CCM is a flexible specification and
protocols that use it must nail down a number of parameters and field
sizes in order to be interoperable. It's not so easy to just plug it in
which makes it less convenient for the more pluggable software based
protocols higher up the stack.

Some technically good candidates for standards adoption, e.g. OCB, met
resistance due to licensing issues.

DJ

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
