• Registered: 2020-11-24
  • Posts: 42

Topic: Nonce size limit for AES-CCM

It appears that the maximum nonce size for AES-CCM is 13.  Why is this limit in place?  Can it be increased to at least 16?

Share

  • Registered: 2015-10-07
  • Posts: 430

Re: Nonce size limit for AES-CCM

Hi stroebeljc,

The AES CCM IV range 7-13 bytes is defined in the NIST 800-38C
https://nvlpubs.nist.gov/nistpubs/Legac … 00-38c.pdf

The AES CCM algorithm appears that it could handle up to 16-bytes, but it would break compatibility with the specification. I believe the intent of limiting the IV is to reduce the maximum number of bytes that can be encrypted before having to re-key.

Thanks,
David Garske, wolfSSL

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 349

Re: Nonce size limit for AES-CCM

Hello @stroebeljc

From https://tools.ietf.org/html/rfc3610#section-2

Valid values of L range between 2 octets and 8 octets
   (the value L=1 is reserved).

A nonce N of 15-L octets

So the nonce length must be between 7 and 13 octets (21 and 39 bits).

Hence in  wolfssl/wolfcrypt/aes.h:

    CCM_NONCE_MIN_SZ = 7,
    CCM_NONCE_MAX_SZ = 13,

embhorn's Website

Share

  • Registered: 2020-11-24
  • Posts: 42

Re: Nonce size limit for AES-CCM

Awesome, thanks!
It's interesting that the methods wc_AesCcmEncrypt and wc_AesCcmDecrypt use hard coded values rather than the enumerations for the nonce size checking.

Regards,
John

Share