CCM and GCM

Source: Internet
Author: User

Block cipher chaining message authentication code: CCM (Counter with CBC-MAC)

The key algorithmic components of CCM are the AES encryption algorithm, the CTR mode of operation, and the CMAC authentication algorithm. A single key K is used for both the encryption and the MAC algorithms.

The input to the CCM encryption process consists of three components:

1. The data that will be both encrypted and authenticated, that is, the plaintext message P, a block of data.

2. The associated data A, which will be authenticated but does not need to be encrypted, such as a protocol header.

3. A nonce N, assigned to the payload and the associated data. The value of N is unique for each message, to prevent replay attacks and similar attacks.

  

The counter generates a sequence of counter blocks $Ctr_i$.

Galois/Counter Mode: GCM

GCM is designed for parallelization, which gives it high throughput at low cost and low latency. In essence, the message is encrypted in a variant of CTR mode, and the resulting ciphertext is multiplied with key material and message length information over the field $GF(2^{128})$. The standard also defines a MAC-only mode of operation, GMAC.

GCM uses two functions: GHASH, a keyed hash function, and GCTR, which is CTR mode with the counter incremented by 1 for each block.

  1. GHASH

The function $\mathrm{GHASH}_H(X)$ takes the hash key $H$ and a bit string $X$ as input. It can be expressed as:

$$\mathrm{GHASH}_H(X) = (X_1 \cdot H^m) \oplus (X_2 \cdot H^{m-1}) \oplus \cdots \oplus (X_{m-1} \cdot H^2) \oplus (X_m \cdot H)$$

This form is well suited to fast implementations. If multiple messages are authenticated using the same hash key, the values $H^2, H^3, \ldots$ can be computed once and reused for all messages, and the data blocks to be authenticated $(X_1, X_2, \ldots, X_m)$ can be processed in parallel, because the computation for each block is independent of the others.

  2. GCTR

The function $\mathrm{inc}_{32}(S)$ increments the rightmost 32 bits of $S$ by 1 modulo $2^{32}$; the remaining bits are unchanged.

The output of the last encryption is truncated with MSB to the length of the final block $X_n'$, and is then XORed with $X_n'$ to produce $Y_n'$.

  3. The overall structure of the authentication function

  

(1) Let $H = E(K, 0^{128})$.

(2) Define the block $J_0$ as follows:

If $\mathrm{len}(IV) = 96$, let $J_0 = IV \,\|\, 0^{31} \,\|\, 1$.

If $\mathrm{len}(IV) \neq 96$, let $s = 128\lceil \mathrm{len}(IV)/128 \rceil - \mathrm{len}(IV)$

and let $J_0 = \mathrm{GHASH}_H(IV \,\|\, 0^{s+64} \,\|\, [\mathrm{len}(IV)]_{64})$. Here $(s + 64 + \mathrm{len}(IV)) \bmod 64 = 0$; that is, the padding makes the input exactly a whole number of blocks.

(3) Let $C = \mathrm{GCTR}_K(\mathrm{inc}_{32}(J_0), P)$.

(4) Let $u = 128\lceil \mathrm{len}(C)/128 \rceil - \mathrm{len}(C)$ and $v = 128\lceil \mathrm{len}(A)/128 \rceil - \mathrm{len}(A)$. The purpose is again to fill out whole blocks.

(5) Define the block $S$ as follows:

$$S = \mathrm{GHASH}_H(A \,\|\, 0^{v} \,\|\, C \,\|\, 0^{u} \,\|\, [\mathrm{len}(A)]_{64} \,\|\, [\mathrm{len}(C)]_{64})$$

(6) Let $T = \mathrm{MSB}_t(\mathrm{GCTR}_K(J_0, S))$, where $t$ is the supported MAC length.
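
The GHASH formula and steps (2), (4) and (5) above, as an added example that is not code from the original page: it evaluates GHASH both iteratively and in the expanded powers-of-H form, and builds the padded hash inputs. The function names are this example's own, blocks are held as Python integers, and the AES calls of steps (1), (3) and (6) are left out.

```python
# Added example: GHASH, J0 and inc32 over GF(2^128). Names are illustrative; no AES here.
R = 0xE1 << 120  # reduction constant for the polynomial x^128 + x^7 + x^2 + x + 1

def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128); the leftmost bit is the x^0 term."""
    z, v = 0, y
    for i in range(127, -1, -1):          # walk the bits of x from left to right
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def blocks(data: bytes) -> list:
    if len(data) % 16: raise ValueError("GHASH input must be whole 128-bit blocks")
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]

def ghash(h: int, data: bytes) -> int:
    """Iterative form: Y_i = (Y_{i-1} xor X_i) * H."""
    y = 0
    for x in blocks(data):
        y = gf_mul(y ^ x, h)
    return y

def ghash_powers(h: int, data: bytes) -> int:
    """Expanded form from the text: XOR of X_i * H^(m-i+1); each term is independent."""
    xs = blocks(data)
    powers = [h]
    while len(powers) < len(xs):
        powers.append(gf_mul(powers[-1], h))   # H^2, H^3, ... computed once per key
    out = 0
    for x, hp in zip(xs, reversed(powers)):
        out ^= gf_mul(x, hp)
    return out

def pad(b: bytes) -> bytes:
    return b + bytes(-len(b) % 16)             # append 0^u or 0^v up to a block boundary

def tag_input(a: bytes, c: bytes) -> bytes:
    """Step (5): A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64, lengths in bits."""
    return pad(a) + pad(c) + (8 * len(a)).to_bytes(8, "big") + (8 * len(c)).to_bytes(8, "big")

def derive_j0(h: int, iv: bytes) -> int:
    """Step (2): a 96-bit IV is used directly, any other length is hashed."""
    if len(iv) == 12:
        return int.from_bytes(iv + b"\x00\x00\x00\x01", "big")
    return ghash(h, pad(iv) + bytes(8) + (8 * len(iv)).to_bytes(8, "big"))

def inc32(block: int) -> int:
    """Increment the rightmost 32 bits modulo 2^32; the left 96 bits are unchanged."""
    return (block & ~0xFFFFFFFF) | ((block + 1) & 0xFFFFFFFF)
```

For H = 66e94bd4ef8a2c3b884cfa59ca342b2e, C = 0388dace60b6a392f328c2b971b2fe78 and empty A (test case 2 of the GCM specification), both `ghash` and `ghash_powers` applied to `tag_input(b"", C)` return f38cbb1ad69223dcc3457ae5b6b0f885.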
