Thanks for the additional information, Jeff. I'd really like to go with GCM, but the ZigBee IP spec requires CCM.
Regards, Paul -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton Sent: Saturday, April 21, 2012 7:12 PM To: openssl-users@openssl.org Subject: Re: Making AES-CCM available as a TLS-negotiated cipher suite Hi Paul, On Wed, Apr 18, 2012 at 2:01 PM, Muschick, Paul <paul.musch...@itron.com> wrote: > So, it’s ironic that only after I post to the mailing list, I solve my > first problem. For visitors from the future, to fully add a new cipher > suite, you can’t forget to add your cipher’s EVP_CIPHER* accessor > function (generated by the BLOCK_CIPHER_custom macro) to SSL_library_init() > in ssl_algs.c. > > Now that that’s done, my client and server are negotiating the desired > cipher suite, but I’m getting the error > SSL_R_CIPHER_OR_HASH_UNAVAILABLE. It seems that CCM is defined as not > using AEAD, but the flavor of CCM I’m trying to enable uses AEAD, > specifically AEAD_AES_128_CCM as defined in section 5.3 of RFC 5116. > > Could someone tell me for sure that, while GCM is an AEAD algorithm, > CCM is not? > > My confusion lies in the fact I’m not familiar with encryption, plus > one of my reference documents, “AES-CCM ECC Cipher Suites for TLS” > (http://tools.ietf.org/html/draft-mcgrew-tls-aes-ccm-ecc-01), talks > about CCM and AEAD in the same breath. > > Also, RFC 5116 “An Interface and Algorithms for Authenticated Encryption” > (http://tools.ietf.org/html/rfc5116#page-14) defines 2 AEAD algorithms > for AES-CCM. Is that not the same CCM as OpenSSL already supports? If your heart is not set on CCM, consider using GCM or EAX mode. Both are superior to CCM. CCM has a spotted history. It is cryptographically sound, but 802.11's adoption was hasty way back when. It lead to adoption and standardization elsewhere. Its unfortunate since there were better AEAD modes available around the time. http://www.cryptopp.com/wiki/AEAD_Comparison Jeff ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
