Counter with CBC-MAC (CCM)
RFC 3610

Document Type RFC - Informational (September 2003; No errata)
Authors Doug Whiting  , Russ Housley  , Niels Ferguson 
Last updated 2015-10-14
Stream ISE
Formats plain text html pdf htmlized bibtex
Stream ISE state (None)
Consensus Boilerplate Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 3610 (Informational)
Action Holders
Telechat date
Responsible AD Steven Bellovin
Send notices to <>
Network Working Group                                         D. Whiting
Request for Comments: 3610                                          Hifn
Category: Informational                                       R. Housley
                                                          Vigil Security
                                                             N. Ferguson
                                                          September 2003

                       Counter with CBC-MAC (CCM)

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.


   Counter with CBC-MAC (CCM) is a generic authenticated encryption
   block cipher mode.  CCM is defined for use with 128-bit block
   ciphers, such as the Advanced Encryption Standard (AES).

1.  Introduction

   Counter with CBC-MAC (CCM) is a generic authenticated encryption
   block cipher mode.  CCM is only defined for use with 128-bit block
   ciphers, such as AES [AES].  The CCM design principles can easily be
   applied to other block sizes, but these modes will require their own

1.1.  Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [STDWORDS].

2.  CCM Mode Specification

   For the generic CCM mode there are two parameter choices.  The first
   choice is M, the size of the authentication field.  The choice of the
   value for M involves a trade-off between message expansion and the
   probability that an attacker can undetectably modify a message.
   Valid values are 4, 6, 8, 10, 12, 14, and 16 octets.  The second

Whiting, et al.              Informational                      [Page 1]
RFC 3610               Counter with CBC-MAC (CCM)         September 2003

   choice is L, the size of the length field.  This value requires a
   trade-off between the maximum message size and the size of the Nonce.
   Different applications require different trade-offs, so L is a
   parameter.  Valid values of L range between 2 octets and 8 octets
   (the value L=1 is reserved).

       Name  Description                               Size    Encoding
       ----  ----------------------------------------  ------  --------
       M     Number of octets in authentication field  3 bits  (M-2)/2
       L     Number of octets in length field          3 bits  L-1

2.1.  Inputs

   To authenticate and encrypt a message the following information is

   1.  An encryption key K suitable for the block cipher.

   2.  A nonce N of 15-L octets.  Within the scope of any encryption key
       K, the nonce value MUST be unique.  That is, the set of nonce
       values used with any given key MUST NOT contain any duplicate
       values.  Using the same nonce for two different messages
       encrypted with the same key destroys the security properties of
       this mode.

   3.  The message m, consisting of a string of l(m) octets where 0 <=
       l(m) < 2^(8L).  The length restriction ensures that l(m) can be
       encoded in a field of L octets.

   4.  Additional authenticated data a, consisting of a string of l(a)
       octets where 0 <= l(a) < 2^64.  This additional data is
       authenticated but not encrypted, and is not included in the
       output of this mode.  It can be used to authenticate plaintext
       packet headers, or contextual information that affects the
       interpretation of the message.  Users who do not wish to
       authenticate additional data can provide a string of length zero.

   The inputs are summarized as:

      Name  Description                          Size
      ----  -----------------------------------  -----------------------
      K     Block cipher key                     Depends on block cipher
      N     Nonce                                15-L octets
      m     Message to authenticate and encrypt  l(m) octets
      a     Additional authenticated data        l(a) octets

Whiting, et al.              Informational                      [Page 2]
RFC 3610               Counter with CBC-MAC (CCM)         September 2003

2.2.  Authentication

   The first step is to compute the authentication field T.  This is
   done using CBC-MAC [MAC].  We first define a sequence of blocks B_0,
   B_1, ..., B_n and then apply CBC-MAC to these blocks.

   The first block B_0 is formatted as follows, where l(m) is encoded in
   most-significant-byte first order:

      Octet Number   Contents
      ------------   ---------
      0              Flags
      1 ... 15-L     Nonce N
      16-L ... 15    l(m)

   Within the first block B_0, the Flags field is formatted as follows:
Show full document text