June 18, 2002
RSA Laboratories has collaborated with Hifn and MacFergus to design a new authenticated encryption mode: Counter with CBC MAC, or simply CCM. CCM provides both authentication and encryption. CCM is a modern construction, building on traditional mechanisms. RSA Laboratories has submitted CCM to the National Institute of Standards and Technology (NIST) for consideration as a standard mode for use with the Advanced Encryption Standard (AES). All of the submissions are available at the NIST Proposed Modes Web page.
CCM was designed initially for use with packet-oriented security protocols. As such it includes provisions to authenticate the packet header and the payload, while encrypting only the payload. However, CCM can also be used for encrypting files, messages and other data. CCM uses a single cryptographic key to provide authentication and encryption.
Traditionally, two different cryptographic algorithms are used for authentication and encryption, each requiring its own key. For example, authentication might be provided by HMAC-MD5 and encryption by Triple-DES. Since completely different mechanisms are used, there is no synergy between them. CCM uses a block cipher to provide authentication and encryption. It was designed with AES in mind.
NIST has received a number of other submissions of authenticated encryption modes. Details of these submissions are available on the NIST Proposed Modes web page. The biggest difference between CCM and these other submission is patent status. CCM is intended to be unencumbered by patents, and the authors of CCM have not, and will not, apply for patents on CCM.
CCM has the following properties:
Small implementation size. CCM uses only the encryption operation of the underlying block cipher. CCM does not use decryption operations. As a result, CCM implementations are smaller than many alternatives.
Packet header authentication. CCM was designed for the packet environment. It can authenticate an arbitrary packet header, then authenticate and encrypt the packet payload.
Single key. CCM uses a single key for all cryptographic operations. As a result, CCM implementations only compute one key schedule. AES-CCM is slightly faster than the straightforward application of AES-CBC-MAC for authentication and AES-CTR for encryption since only one AES key schedule is needed.
Packet overhead. CCM increases the packet size by adding an initialization vector and an integrity check value. This is the same overhead associated with other authenticated encryption modes.
Cryptographic confidence. CCM has a mathematical proof. The proof shows that CCM provides a level of confidentiality and integrity comparable to other authenticated encryption modes.
At least one implementation of CCM is freely available. Doug Whiting, one of the CCM co-authors, did the first CCM implementation. His code makes use of the open source AES implementation from Brian Gladman, and it is available here.