Wednesday, November 2, 2016


We are confused about CMAC and CCM. Especially what does mean AES-CMAC or AES-CCM? They are defined in the following specfications.
  • NIST 800-38B CMAC
  • NIST 800-38C CCM
  • RFC 4493 AES-CMAC
  • RFC 3610 Counter with CBC-MAC (CCM)
After I read them. I made conclusion that:
  • CMAC is used for authentication.
  • CCM is used for authentication and confidentiality.
  • CBC-MAC, CMAC, and CCM have some differences.

I draw the below picture to explain their relationships.

  • MAC - Message Authentication Code
  • HMAC - Hash-Based MAC
  • CBC-MAC - Cipher Block Chaining MAC
  • CMAC - Cipher-Based MAC
  • CBC - Cipher Block Chaining
  • CCM - Counter with CBC-MAC
  • ECB - Electronic Code Book

MAC is a short piece of information used to authetnicate a message. There are two types of MAC, hash function based MAC and cipher based MAC.

The implementations of  hash function based MAC, abbreviated HMAC, are HMAC-MD5, HMAC-SHA1, and HMAC-SHA256. The postfix (e.g -MDB, -SHA1, or -SHA256)  is the hash function used in the MAC.

CBC-MAC is a cipher based MAC. CMAC is variation of CBC-MAC that has security deficiencies. AES-CMAC and TDEA CMAC are implementation of CMAC.

ECB, CBC, and CCM are block cipher modes. CCM is an adaption of CBC and is counter with CBC-MAC. AES-CCM is only one implementation of CCM.

In conclusion,

  1. AES-CMAC is a MAC, implemented by AES algorithm for authentication. 
  2. AES-CCM is an AES cipher with CCM mode for authenticatino and confidentiality.