Netzoss

Reputation: 45

AES-CCM additional authenticated data length l(a)

I implemented AES-CCM according to RFC-3610 and am wondering why the length of the additional authenticated data l(a) needs to be protected by the MAC.

Upvotes: 0

Views: 1040

Answers (1)

imichaelmiers

Reputation: 3519

Standard caveat: don't write your own encryption and use it. Use trusted libraries written by professional crypto people. There are ones for almost any language/ runtime you need or that should compile for it.

As to your question:

CBC-MAC by default only works on fixed-length messages. If an attacker knows a tag t on message m and a tag t' on message m', they can forge a tag on a third message that was not actually sent. In fact, this is: (image missing from the page)

If you prepend the length, it's safer, though you can still get messages that are prefixes of each other and run into a similar problem. Hence one of the reasons a nonce is also prepended.

Upvotes: 1
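The splice forgery the answer refers to, carried out in code as an added example (not part of the original question or answer). Given tags t on m and t' on m' under raw CBC-MAC, the attacker builds m || (m'_1 XOR t) || m'_2 ... and claims tag t' for it, with no knowledge of the key. The same function is then run against a variant that prepends the message length in the first block, the way CCM's B_0 block carries l(m), to show that this particular splice no longer verifies. The block cipher is AES via the `cryptography` package when it is installed; otherwise a keyed HMAC-SHA256 truncated to 16 bytes stands in for the block function (an assumption of this example, since the forgery only relies on CBC chaining, not on which keyed block function is used). The key and the two 16-byte messages are constructed demo values.

```python
import hashlib
import hmac

BLOCK = 16

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """One raw AES block encryption (ECB of a single block)."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:  # pragma: no cover
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Stand-in keyed block function used when 'cryptography' is absent (assumption)."""
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC: zero IV, chain E_k over each block, tag is the last output block."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = block_encrypt(key, xor(state, msg[i:i + BLOCK]))
    return state


def forge(m: bytes, t: bytes, m_prime: bytes, t_prime: bytes):
    """Splice forgery, no key needed.

    After processing m the chaining state equals t, so feeding the block
    (m'_1 XOR t) makes the next cipher input exactly m'_1; the remaining blocks
    of m' then replay the chain for m', and the tag of the combined message is t'.
    """
    return m + xor(m_prime[:BLOCK], t) + m_prime[BLOCK:], t_prime


def cbc_mac_len_prefixed(key: bytes, msg: bytes) -> bytes:
    """Variant with the message length encoded in a first block (as CCM's B_0 carries l(m))."""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)


def demo(key: bytes = bytes(range(16))):
    """Run the forgery against raw CBC-MAC and against the length-prefixed variant.

    Returns (raw_forgery_verifies, prefixed_forgery_verifies, forged_message).
    Constructed demo key and messages; each message is exactly one block.
    """
    m = b"pay alice 100.00"
    m_prime = b"pay bob   500.00"

    # Raw CBC-MAC: attacker observes (m, t) and (m', t'), never the key.
    t, t_prime = cbc_mac(key, m), cbc_mac(key, m_prime)
    forged, claimed = forge(m, t, m_prime, t_prime)
    raw_ok = cbc_mac(key, forged) == claimed

    # Length-prefixed: the verifier now prepends len(forged) (32), not len(m) (16),
    # so the first block differs and the chaining state after m is no longer t.
    t2, t2_prime = cbc_mac_len_prefixed(key, m), cbc_mac_len_prefixed(key, m_prime)
    forged2, claimed2 = forge(m, t2, m_prime, t2_prime)
    prefixed_ok = cbc_mac_len_prefixed(key, forged2) == claimed2

    return raw_ok, prefixed_ok, forged


if __name__ == "__main__":
    raw_ok, prefixed_ok, forged = demo()
    print("raw CBC-MAC accepts forgery:", raw_ok)
    print("length-prefixed accepts forgery:", prefixed_ok)
    print("forged message:", forged)
```

The forged message is the 32-byte string m followed by a garbage-looking second block, so in practice the attack targets formats where the receiver tolerates trailing blocks or where the attacker controls block boundaries; the point of the example is only that the raw construction accepts it while the length-prefixed one does not.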
