AES hardware accelerator (AES)
Suspend/resume operations in GMAC
In GMAC mode, the sequence described for the GCM applies except that only the header
phase can be interrupted.
23.4.12 AES counter with CBC-MAC (CCM)
Overview
The AES counter with cipher block chaining-message authentication code (CCM)
algorithm allows encryption and authentication of plaintext, generating the corresponding
ciphertext and tag (also known as message authentication code). To ensure confidentiality,
the CCM algorithm is based on AES in counter mode. It uses cipher block chaining
technique to generate the message authentication code. This is commonly called CBC-MAC.
Note:
NIST does not approve this CBC-MAC as an authentication mode outside the context of the
CCM specification.
CCM chaining is specified in NIST Special Publication 800-38C, Recommendation for Block
Cipher Modes of Operation - The CCM Mode for Authentication and Confidentiality. A typical
message construction for CCM is given in Figure 122.

Figure 122. Message construction in CCM mode
[Figure: B0 (flags, Nonce (N), Q), Associated data (A), Plaintext (P), Authenticated & encrypted ciphertext (C), MAC (T) and Enc(T), shown on 16-byte and 4-byte boundaries with zero padding [a]; length labels Len(N), Len(A), Len(P), Len(C), Len(T); "Decrypt and compare".]

The structure of the message is:
• 16-byte first authentication block (B0), composed of three distinct fields:
  – Q: a bit string representation of the octet length of P (Len(P))
  – Nonce (N): a single-use value (that is, a new nonce must be assigned to each
    new communication) of Len(N) size. The sum Len(N) + Len(P) must be equal to
    15 bytes.
  – Flags: most significant octet containing four flags for control information, as
    specified by the standard. It contains two 3-bit strings to encode the values t (MAC
    length expressed in bytes) and Q (plaintext length such that Len(P) < $2^{8q}$ bytes).
    The counter blocks range associated to Q is equal to $2^{8Q-4}$, that is, if the maximum
    value of Q is 8, the counter blocks used in cipher must be on 60 bits.
• 16-byte blocks (B) associated to the Associated Data (A).
  This part of the message is only authenticated, not encrypted. This section has a

RM0453 Rev 5
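The B0 layout described above (flags, nonce, Q), as an added example that is not taken from the reference manual or from ST code: a C helper that formats B0 in software and rejects parameters that cannot be encoded. The function name `ccm_format_b0` is hypothetical; the flag bit positions (Adata in bit 6, (t-2)/2 in bits 5..3, q-1 in bits 2..0) and the 7 to 13 byte nonce bound come from NIST SP 800-38C rather than from this page, and the sample nonce is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build the 16-byte CCM block B0 = flags || N || Q (layout per SP 800-38C).
 * n: nonce length in bytes (7..13); t: tag length in bytes (4, 6, ..., 16);
 * a_len / p_len: associated data and plaintext lengths in bytes.
 * Hypothetical helper: returns 0 on success, -1 if the inputs cannot be encoded. */
int ccm_format_b0(uint8_t b0[16], const uint8_t *nonce, size_t n,
                  size_t a_len, uint64_t p_len, unsigned t)
{
    if (n < 7 || n > 13)
        return -1;
    if (t < 4 || t > 16 || (t & 1))
        return -1;

    size_t q = 15 - n;                     /* nonce and Q share 15 bytes */
    if (q < 8 && (p_len >> (8 * q)) != 0)  /* enforce Len(P) < 2^(8q) */
        return -1;

    /* Flags octet: bit 6 = associated data present, bits 5..3 = (t-2)/2,
     * bits 2..0 = q-1 (assumption: encoding taken from SP 800-38C). */
    b0[0] = (uint8_t)((a_len ? 0x40 : 0) | (((t - 2) / 2) << 3) | (q - 1));
    memcpy(&b0[1], nonce, n);
    for (size_t i = 0; i < q; i++)         /* Q: Len(P), big-endian */
        b0[15 - i] = (uint8_t)(p_len >> (8 * i));
    return 0;
}

int main(void)
{
    /* Constructed sample: 7-byte nonce, 8 bytes of A, 4 bytes of P, 4-byte tag. */
    const uint8_t nonce[7] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    uint8_t b0[16];

    if (ccm_format_b0(b0, nonce, sizeof nonce, 8, 4, 4) != 0)
        return 1;
    for (int i = 0; i < 16; i++)
        printf("%02x", b0[i]);
    putchar('\n');
    return 0;
}
```

Rejecting an oversized Len(P) before encoding matters because a length that does not fit in the Q field would otherwise be silently truncated in B0.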