Complete Communications Engineering

The CCMP encryption protocol is based on the Advanced Encryption Standard (AES) encryption algorithm using the Counter Mode with CBC-MAC (CCM) mode of operation. The CCM mode combines Counter (CTR) mode privacy and Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication. These modes have been used and studied for a long time and have well-understood cryptographic properties. They provide good security and performance in either hardware or software.

What is CCMP?

CCM is a generic authenticate-and-encrypt block cipher mode. CCM is only defined for use with 128-bit block ciphers, such as AES. For the generic CCM mode there are two parameter choices. The first choice is M, the size of the authentication field. The choice of the value for M involves a trade-off between message expansion and the probability that an attacker can undetectably modify a message. Valid values are 4, 6, 8, 10, 12, 14, and 16 octets. The second choice is L, the size of the length field. This value requires a trade-off between the maximum message size and the size of the Nonce. Different applications require different trade-offs, so L is a parameter. Valid values of L range between 2 octets and 8 octets (the value L=1 is reserved). M Number of octets in authentication field 3 bits (M-2)/2; L Number of octets in length field 3 bits L-1.

CCMP employs the AES encryption algorithm using the CCM mode of operation. The CCM mode combines Counter Mode (CTR) for confidentiality and Cipher Block Chaining Message Authentication Code (CBC-MAC) for authentication and integrity. The AES algorithm is defined in FIPS PUB 197. All AES processing used within CCMP uses AES with a 128 bit key and a 128 bit block size. CCM is a generic mode that can be used with any block oriented encryption algorithm. CCMP must use the AES algorithm with with a 128 bit key and 128 bit block size. CCM provides other parameters (K, M and L) that must have the values: K=16, M=8 and L=2. CCM requires a fresh temporal key (TK) for every session. CCM also requires a unique nonce value for each frame protected by a given TK, and CCMP uses a 48-bit packet number (PN) for this purpose. Reuse of a packet number (PN) with the same TK voids all security guarantees.

VOCAL’s embedded software libraries include a complete range of ETSI / ITU / IEEE compliant algorithms, in addition to many other standard and proprietary algorithms. Our software is optimized for execution on ANSI C and leading DSP architectures (TI, ADI, AMD, ARM, MIPS, CEVA, LSI Logic ZSP, etc.). These libraries are modular and can be executed as a single task under a variety of operating systems or standalone with its own microkernel.

VOCAL also provides hardware/firmware implementations of CCMP in the form of FPGA/PLD/ASIC Cores.

Further information on CCMP is also available: