Counter Mode Cipher Block Chaining Message Authentication Code Protocol (Counter Mode CBC-MAC Protocol) or CCM mode Protocol (CCMP) is an authenticated encryption protocol designed for Wireless LAN products that implement the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is a data cryptographic encapsulation mechanism designed for data confidentiality, integrity and authentication. It is based upon the Counter Mode with CBC-MAC (CCM mode) of the Advanced Encryption Standard (AES). It was created to address the vulnerabilities presented by Wired Equivalent Privacy (WEP), a dated, insecure protocol.
Technical details
CCMP uses CCM, which combines CTR mode for data confidentiality and cipher block chaining message authentication code (CBC-MAC) for authentication and integrity. CCM protects the integrity of both the MPDU data field and selected portions of the IEEE 802.11 MPDU header. CCMP is based on AES processing and uses a 128-bit key and a 128-bit block size. CCMP uses CCM with the following two parameters:
* M = 8; indicating that the MIC is 8 octets (eight bytes).
* L = 2; indicating that the Length field is 2 octets.
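As an added worked example (not code from the article or from any 802.11 implementation), the following Python builds the CCM formatting blocks that these two parameters determine, following the RFC 3610 layout: the nonce length of 15 - L = 13 octets, the maximum payload length of 2^(8L) - 1 octets, the B0 block whose flags octet encodes M and L, the counter blocks used by CTR mode, and the truncation of the CBC-MAC output to M octets. The 13-octet nonce and the 100-octet payload length are constructed sample values, and no AES computation is performed; the point is to see where M = 8 and L = 2 enter the blocks that AES-CCM processes.

```python
"""CCM block formatting implied by CCMP's parameters M = 8 and L = 2 (RFC 3610 layout).

Added example: this is not code from the article or from an 802.11 stack. It shows
how the two parameters shape the blocks that AES-CCM processes; AES itself is not run.
"""
import math

M = 8        # MIC length in octets (CCMP value)
L = 2        # size of the length field in octets (CCMP value)
BLOCK = 16   # AES block size in octets


def nonce_length(l_param: int = L) -> int:
    """CCM fixes the nonce at 15 - L octets, so L = 2 leaves 13 octets for the nonce."""
    return 15 - l_param


def max_payload_length(l_param: int = L) -> int:
    """With an L-octet length field the payload may be at most 2**(8*L) - 1 octets."""
    return (1 << (8 * l_param)) - 1


def flags_byte(m_param: int, l_param: int, has_aad: bool) -> int:
    """Flags octet of B0: bit 7 reserved, bit 6 Adata, bits 5-3 M'=(M-2)/2, bits 2-0 L'=L-1."""
    if m_param not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("M must be an even number from 4 to 16")
    if not 2 <= l_param <= 8:
        raise ValueError("L must be between 2 and 8")
    return (0x40 if has_aad else 0x00) | (((m_param - 2) // 2) << 3) | (l_param - 1)


def build_b0(nonce: bytes, payload_len: int, has_aad: bool,
             m_param: int = M, l_param: int = L) -> bytes:
    """First CBC-MAC input block: flags || nonce || payload length in L octets."""
    if len(nonce) != nonce_length(l_param):
        raise ValueError(f"nonce must be {nonce_length(l_param)} octets")
    if not 0 <= payload_len <= max_payload_length(l_param):
        raise ValueError("payload too long for the length field")
    flags = bytes([flags_byte(m_param, l_param, has_aad)])
    return flags + nonce + payload_len.to_bytes(l_param, "big")


def encode_aad_length(aad_len: int) -> bytes:
    """Length prefix placed before the AAD (e.g. the protected MPDU header) in the CBC-MAC input."""
    if aad_len == 0:
        return b""
    if aad_len < 0xFF00:
        return aad_len.to_bytes(2, "big")
    if aad_len < (1 << 32):
        return b"\xff\xfe" + aad_len.to_bytes(4, "big")
    return b"\xff\xff" + aad_len.to_bytes(8, "big")


def build_counter_block(nonce: bytes, counter: int, l_param: int = L) -> bytes:
    """CTR-mode block A_i: flags (L-1) || nonce || counter i in L octets. A_0 masks the MIC."""
    if len(nonce) != nonce_length(l_param):
        raise ValueError(f"nonce must be {nonce_length(l_param)} octets")
    if not 0 <= counter <= max_payload_length(l_param):
        raise ValueError("counter does not fit in the length field")
    return bytes([l_param - 1]) + nonce + counter.to_bytes(l_param, "big")


def counter_blocks(nonce: bytes, payload_len: int, l_param: int = L) -> list:
    """A_0 (for the MIC) followed by A_1..A_n, one per 16-octet payload block."""
    n_blocks = math.ceil(payload_len / BLOCK)
    return [build_counter_block(nonce, i, l_param) for i in range(n_blocks + 1)]


def truncate_mic(full_cbc_mac: bytes, m_param: int = M) -> bytes:
    """CBC-MAC yields one 16-octet block; CCM keeps only the first M octets as the MIC."""
    if len(full_cbc_mac) != BLOCK:
        raise ValueError("CBC-MAC output must be one AES block")
    return full_cbc_mac[:m_param]


# Constructed sample values (not from any real frame): a 13-octet nonce and a 100-octet payload.
SAMPLE_NONCE = bytes(range(13))
SAMPLE_PAYLOAD_LEN = 100

if __name__ == "__main__":
    print("nonce length:", nonce_length())
    print("B0:", build_b0(SAMPLE_NONCE, SAMPLE_PAYLOAD_LEN, has_aad=True).hex())
    for blk in counter_blocks(SAMPLE_NONCE, SAMPLE_PAYLOAD_LEN):
        print("A_i:", blk.hex())
```

With M = 8 and additional authenticated data present, the flags octet comes out as 0x59; the 2-octet length field caps a single protected payload at 65535 octets, which comfortably covers an 802.11 MPDU.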
A CCMP Medium Access Control Protocol Data Unit (MPDU) comprises five sections. The first is the MAC header which contains the destination and source address of the data packet. The second is the CCMP header which is composed of 8 octets and consists of the packet number (PN), the Ext IV, and the key ID. The packet number is a 48-bit number stored across 6 octets. The PN codes are the first two and last four octets of the CCMP header and are incremented for each subsequent packet. Between the PN codes are a reserved octet and a Key ID octet. The Key ID octet contains the Ext IV (bit 5), Key ID (bits 6–7), and a reserved subfield (bits 0–4). CCMP uses these values to encrypt the data unit and the MIC. The third section is the data unit which is the data being sent in the packet. The fourth is the message integrity code (MIC) which protects the integrity and authenticity of the packet. Finally, the fifth is the frame check sequence (FCS) which is used for error detection and correction. Of these sections only the data unit and MIC are encrypted.
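The 8-octet CCMP header layout described above lends itself to a small parser. The following Python is an added example, not code from the article or from any 802.11 driver: it decodes and encodes the header (PN0 and PN1 in octets 0 and 1, a reserved octet, the Key ID octet with its reserved bits 0–4, Ext IV bit 5 and Key ID bits 6–7, then PN2 to PN5), rejects headers whose reserved bits are non-zero or whose Ext IV bit is clear, and shows the receiver-side use of the incrementing packet number as a replay check. The two sample headers are constructed, not captured traffic, and the replay check keeps one counter per Key ID, which is a simplification of the per-key, per-traffic-class counters a real receiver maintains.

```python
"""Parsing and replay-checking the 8-octet CCMP header.

Added example: not code from the article or from any 802.11 driver. Layout:
octets 0-1 = PN0, PN1; octet 2 = reserved; octet 3 = Key ID octet (bits 0-4 reserved,
bit 5 Ext IV, bits 6-7 Key ID); octets 4-7 = PN2..PN5.
"""
from dataclasses import dataclass

CCMP_HEADER_LEN = 8
EXT_IV_BIT = 0x20        # bit 5 of the Key ID octet
KEY_ID_SHIFT = 6         # bits 6-7 of the Key ID octet
RESERVED_MASK = 0x1F     # bits 0-4 of the Key ID octet
PN_MAX = (1 << 48) - 1   # the packet number is a 48-bit value


@dataclass(frozen=True)
class CcmpHeader:
    pn: int        # 48-bit packet number
    key_id: int    # 0..3
    ext_iv: bool   # must be set for CCMP


def parse_ccmp_header(hdr: bytes) -> CcmpHeader:
    """Decode the header and reject values the format does not allow."""
    if len(hdr) != CCMP_HEADER_LEN:
        raise ValueError("CCMP header must be 8 octets")
    pn0, pn1, reserved, key_octet, pn2, pn3, pn4, pn5 = hdr
    if reserved != 0 or key_octet & RESERVED_MASK:
        raise ValueError("reserved fields must be zero")
    ext_iv = bool(key_octet & EXT_IV_BIT)
    if not ext_iv:
        raise ValueError("Ext IV bit must be set in a CCMP header")
    key_id = key_octet >> KEY_ID_SHIFT
    pn = pn0 | pn1 << 8 | pn2 << 16 | pn3 << 24 | pn4 << 32 | pn5 << 40
    return CcmpHeader(pn=pn, key_id=key_id, ext_iv=ext_iv)


def build_ccmp_header(pn: int, key_id: int) -> bytes:
    """Encode a PN and Key ID into the 8-octet header (Ext IV set, reserved bits zero)."""
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN must fit in 48 bits")
    if not 0 <= key_id <= 3:
        raise ValueError("Key ID is a 2-bit field")
    pn_bytes = pn.to_bytes(6, "little")   # PN0 is the least significant octet
    key_octet = EXT_IV_BIT | (key_id << KEY_ID_SHIFT)
    return pn_bytes[:2] + b"\x00" + bytes([key_octet]) + pn_bytes[2:]


class ReplayCheck:
    """Receiver-side replay detection: the PN must strictly increase for a given key.

    Simplification (assumption of this example): one counter per Key ID, whereas
    802.11 keeps replay counters per key and per traffic class.
    """

    def __init__(self) -> None:
        self._last_pn = {}

    def accept(self, hdr: bytes) -> bool:
        """Return True and record the PN if the frame is fresh, False if it is a replay."""
        h = parse_ccmp_header(hdr)
        if h.pn <= self._last_pn.get(h.key_id, -1):
            return False
        self._last_pn[h.key_id] = h.pn
        return True


# Constructed sample headers (not captured traffic).
SAMPLE_FIRST = bytes.fromhex("0100002000000000")   # PN = 1, Key ID 0
SAMPLE_LATER = bytes.fromhex("0504006003020100")   # PN = 0x0102030405, Key ID 1

if __name__ == "__main__":
    rc = ReplayCheck()
    for hdr in (SAMPLE_FIRST, SAMPLE_LATER, SAMPLE_FIRST):
        print(parse_ccmp_header(hdr), "accepted" if rc.accept(hdr) else "replay rejected")
```

Because the PN is carried in clear and only increments, a receiver can drop a repeated or out-of-order PN before attempting any decryption; the parser's rejection of a cleared Ext IV bit or non-zero reserved bits likewise stops malformed headers early.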
Security
CCMP is the standard encryption protocol for use with the Wi-Fi Protected Access II (WPA2) standard and is much more secure than the Wired Equivalent Privacy (WEP) protocol and Temporal Key Integrity Protocol (TKIP) of Wi-Fi Protected Access (WPA). CCMP provides the following security services:
* Data confidentiality; ensures only authorized parties can access the information
* Authentication; provides proof of genuineness of the user
* Access control in conjunction with layer management
Because CCMP is a block cipher mode using a 128-bit key, it is secure against attacks to the 2^64 steps of operation. Generic meet-in-the-middle attacks do exist and can be used to limit the theoretical strength of the key to 2^(''n''/2) (where ''n'' is the number of bits in the key) operations needed.