FIGURE 11.11
CCM CBC block.

FIGURE 11.12
CCM counter block. Fields, with byte offsets 0, 1, 13, 14, 15 marked along the top: Flag (0x1), Nonce, Counter (i).
To create a message authentication code, AES-CCM uses a variation of CBC mode. Instead of using an IV, an initial CBC block is appended to the beginning of the message before it is encrypted. As seen in Figure 11.11, the initial CBC block consists of a flag, the packet nonce, and the length of the payload. To encrypt the payload and the message authentication code, AES-CCM uses CTR mode. With this mode, n counter blocks are created, where n is the number of blocks needed to match the size of the message plus one block for the message authentication code (AES uses 128-bit block sizes). The first block is used for encrypting the message authentication code and the remaining blocks are used to encrypt the payload. As seen in Figure 11.12, the counter block consists of a flag, the packet nonce, and the block number i, where i goes from 0 to n.
The message authentication code is created by encrypting the initial CBC block and plaintext payload. Figure 11.13 illustrates the message authentication code creation and subsequent encryption of the message authentication code.
The first step in creating the message authentication code is to extract the plaintext payload from the PDU and append the initial CBC block to the beginning of it. This is then encrypted using AES in CBC mode with the TEK from the SA of the connection. The last 128 bits (the size of one AES block) of the encrypted output are selected to represent the message authentication code.
The sender will perform this process and then encrypt the message authentication code with the message. The receiver will decrypt the message and message authentication code and then perform the same process on the message. The receiver will then compare the message authentication code it created with the one received. If they are the same, the message is authenticated; if not, the message is discarded.

FIGURE 11.13
AES-CCM message authentication creation and encryption. PDU fields shown: GMH, plaintext payload, CRC (optional).
Encryption of the message authentication code is accomplished by encrypting counter block 0 using AES in CTR mode with the TEK from the SA of the connection. This encrypted block is then XORed with the message authentication code to produce the encrypted version.
Payload encryption is accomplished by first encrypting counter blocks 1 through n with AES in CTR mode using the same TEK used to encrypt the message authentication code. The plaintext payload is then extracted from the PDU and XORed with the encrypted counter blocks. This produces the ciphertext payload, as shown in Figure 11.14.
Figure fields: GMH, PN, ciphertext payload, encrypted message authentication code, CRC (optional). Annotations: EC bit set; EKS bits indicate TEK used; CRC updated for new payload.
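The sender and receiver steps described above, written out as an added Go example; it is not code from the book or from any 802.16 implementation. The initial-block flag 0x39, the zero CBC IV and the zero padding are assumptions taken from RFC 3610's CCM layout for a 2-byte length field and a 16-byte MAC, and `Seal`, `Open`, `ccmBlock` and `cbcMAC` are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
)

// ccmBlock: flag (byte 0), 13-byte nonce (bytes 1-13), 16-bit field (14-15).
func ccmBlock(flag byte, nonce []byte, v int) []byte {
	return append(append([]byte{flag}, nonce[:13]...), byte(v>>8), byte(v))
}
// cbcMAC CBC-encrypts initial block || payload and keeps the last 128 bits.
func cbcMAC(c cipher.Block, nonce, payload []byte) []byte {
	buf := append(ccmBlock(0x39, nonce, len(payload)), payload...) // 0x39: assumed RFC 3610 flag
	buf = append(buf, make([]byte, (16-len(buf)%16)%16)...)        // zero padding (assumed)
	cipher.NewCBCEncrypter(c, make([]byte, 16)).CryptBlocks(buf, buf) // zero IV (assumed)
	return buf[len(buf)-16:]
}
// Seal returns ciphertext payload || encrypted MAC.
func Seal(tek, nonce, payload []byte) ([]byte, error) {
	c, err := aes.NewCipher(tek)
	if err != nil || len(nonce) != 13 || len(payload) > 0xffff {
		return nil, fmt.Errorf("bad TEK, nonce or payload length")
	}
	buf := append(cbcMAC(c, nonce, payload), payload...) // MAC || payload
	// One CTR stream: counter block 0 covers the MAC, blocks 1..n the payload.
	cipher.NewCTR(c, ccmBlock(0x01, nonce, 0)).XORKeyStream(buf, buf)
	return append(buf[16:], buf[:16]...), nil
}
// Open decrypts, recomputes the MAC and rejects the PDU on mismatch.
func Open(tek, nonce, sealed []byte) ([]byte, error) {
	c, err := aes.NewCipher(tek)
	if err != nil || len(nonce) != 13 || len(sealed) < 16 || len(sealed) > 0xffff+16 {
		return nil, fmt.Errorf("bad TEK, nonce or PDU length")
	}
	buf := append(append([]byte{}, sealed[len(sealed)-16:]...), sealed[:len(sealed)-16]...)
	cipher.NewCTR(c, ccmBlock(0x01, nonce, 0)).XORKeyStream(buf, buf)
	if subtle.ConstantTimeCompare(buf[:16], cbcMAC(c, nonce, buf[16:])) != 1 {
		return nil, fmt.Errorf("MAC mismatch, PDU discarded")
	}
	return buf[16:], nil
}

func main() { // constructed all-zero TEK and nonce, sample values only
	sealed, _ := Seal(make([]byte, 16), make([]byte, 13), []byte("constructed payload"))
	sealed[0] ^= 1 // flip one ciphertext bit in transit
	fmt.Println(Open(make([]byte, 16), make([]byte, 13), sealed))
}
```

The MAC comparison uses a constant-time compare so that the receiver's accept/discard decision does not leak how many MAC bytes matched.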