Basics of AES-CCM, Encryption, and Authentication

Make it to the Right and Larger Audience


Basics of AES-CCM, Encryption, and Authentication

It is just a quite note about security bascis such as what is AES-CCM, key, etc. There are lots of valuable resources online for details.

Encryption has possibly many modes of operation such as ECB, CBC, CTR. Refer to Wiki Mode of Operation.

In ECB (Electronic Codebook) mode, raw message is chopped into several blocks of plaintext. Each plaintext is block encrypted using the same key. On the other end, each ciphered text block is decrypted to get the original plaintext.  This mode is seldom used in reality but is fundamental to understand other modes. One drawback is if plaintext is the same, cyphertext is also the same so it doesn’t hide raw data well. Another drawback is using both encryption and decryption which adds hardware complexity. This is especially important in low power and low cost system design.

CBC, Cipher Block Chaining, resolves the 1st issue with chain-type connection. But it still needs both encrypter and decrypter. It actually introduces another draw back that encryption and descryption can not be done in parallel since it needs previous block encryption/description result to process the current block.

CTR, Counter mode, resolves all these issues. Encryption and decryption can be processed in parallel. description function is actually not needed and it is done through encryption logic.

So above is about encryption and the goal is to hide raw plaintext from interpreted by attackers. Authentication is different and its goal is to make sure the message received is indeed what the sender sent. We mentioned above that CBC has drawbacks for encryption. But CBC is widely used for authentication and is called CBC-MAC, Wiki CBC-MAC page. Message is chopped into blocks, labeled as m1, m2, …, mx.  Message blocks are chain encrypted as below. The end result is called MAC, Message Authentication Code. MAC is sent with ciphertext blocks to receiver. On receiver side, ciphertext is decrypted to generate plaintext. Then MAC is re-calculated on receiver side and the result is compared with the received MAC. If there is a mismatch, authentication fails and the message can be discarded.


CCM is just a combination of CBC-MAC for authentication and CTR mode for encryption.

AES-CCM means the “block cipher encryption/decryption” in CCM is AES. There are many algorithms for block encryption and AES, Advanced Encryption Standard, is widely used. Its key length can be 128, 196, and 256 bits. Its block side is normally 128 bits.


We can take a look of a real example of using AES-CCM. The follow diagrams are from Guide to Bluetooth Security.

Bluetooth supports two types of encryption. One adopts AES-CCM. As can be seen, a big deal of the diagram is really about how to get the security key on both transmitter and receiver sides.

The other type, the legacy type, is called E0 encryption algorithm. Note that similar to CCM or CTR, the encryption doesn’t operate on text directly. It generates a block of “keystream” which is then XOR-ed with text, plaintext or ciphertext.

Again a big deal of the flow chart is about where the security key comes from. As a matter of fact, key exchange is a complicated process, part of pairing process in bluetooth. For more details of bluetooth pairing, refer to Guide to Bluetooth Security.


Author brief is empty

Contact Us

Thanks for helping us better serve the community. You can make a suggestion, report a bug, a misconduct, or any other issue. We'll get back to you using your private message ASAP.



Forgot your details?