5

Is there any instance of NIST or other encryption standards using AES-CCM to encrypt/authenticate key data? I would like to use CCM over a keywrap function, but cannot find any precedent for this in cryptography standards.

If by design I guarantee that: (1) Nonce data will not be reused (2) The encrypting "transport" key will not be available to users for the encryption/decryption of non-key material

Are there any security vulnerabilities that make CCM a bad choice?

rose
  • 183
  • 4
  • CCM is basically CTR with CBC-MAC. CTR provides confidentiality, and CBC-MAC, authenticity. – forest Jan 07 '19 at 01:57

1 Answers1

1

The Wikipedia article on Key Wrap states:

Goals (3) and (5) are particularly important, given that many widely deployed authenticated encryption algorithms (e.g., AES-CCM) are already sufficient to accomplish the remaining goals.

Which suggests AES-CCM is an adequate, if inefficient, solution.

Iiridayn
  • 293
  • 2
  • 11