Topic: Nonce size limit for AES-CCM

It appears that the maximum nonce size for AES-CCM is 13.  Why is this limit in place?  Can it be increased to at least 16?


Re: Nonce size limit for AES-CCM

Hi stroebeljc,

The AES CCM IV range 7-13 bytes is defined in the NIST 800-38C … 00-38c.pdf

The AES CCM algorithm appears that it could handle up to 16-bytes, but it would break compatibility with the specification. I believe the intent of limiting the IV is to reduce the maximum number of bytes that can be encrypted before having to re-key.

David Garske, wolfSSL


Re: Nonce size limit for AES-CCM

Hello @stroebeljc


Valid values of L range between 2 octets and 8 octets
   (the value L=1 is reserved).

A nonce N of 15-L octets

So the nonce length must be between 7 and 13 octets (21 and 39 bits).

Hence in  wolfssl/wolfcrypt/aes.h:

    CCM_NONCE_MAX_SZ = 13,

Re: Nonce size limit for AES-CCM

Awesome, thanks!
It's interesting that the methods wc_AesCcmEncrypt and wc_AesCcmDecrypt use hard coded values rather than the enumerations for the nonce size checking.