TLS AES-CCM Tag Lengths

TL;DR

AES-CCM in TLS requires careful configuration of tag lengths to balance security and performance. Shorter tags are faster but less secure, while longer tags offer better protection against forgery attacks at the cost of speed. This guide explains how to check and adjust these settings.

Understanding AES-CCM Tag Lengths

AES-CCM (Counter with CBC-MAC) is a common encryption mode used in TLS (Transport Layer Security). A crucial part of AES-CCM is the authentication tag. This tag verifies that the encrypted data hasn’t been tampered with.

• Tag Length: The length of this tag, measured in bytes, directly impacts security and performance.
• Security: Longer tags make forgery attacks exponentially harder. A 128-bit (16-byte) tag is generally recommended for strong security.
• Performance: Shorter tags are faster to compute but provide less protection.

Checking Current Tag Lengths

How you check the current tag length depends on your TLS implementation (e.g., OpenSSL, GnuTLS, etc.). Here’s how to do it with OpenSSL:

1. Using openssl s_client: Connect to a server and examine the cipher suite in use.

   openssl s_client -connect example.com:443

   Look for a line like “Cipher Suite: TLS_AES_128_CCM_SHA256”. This tells you AES-128-CCM is being used, but not the tag length directly.

2. Configuration Files (OpenSSL): Check your OpenSSL configuration file (openssl.cnf) for settings related to CCM ciphers.

   grep -i "ccm" /etc/ssl/openssl.cnf

   This might reveal specific tag length configurations, though it’s not always explicit.

3. Wireshark: Capture TLS traffic with Wireshark and analyze the Handshake protocol.
   • Filter for “tls.handshaketype == 2” (Client Hello).
   • Examine the cipher suites offered by the client.
   • Look at the Server Hello to see which suite was selected.
   • The tag length is often implied within the chosen cipher suite, but may not be directly visible.

Adjusting Tag Lengths (OpenSSL Example)

Modifying tag lengths usually involves recompiling OpenSSL with specific configuration options or using a TLS configuration tool.

1. Recompilation: This is the most reliable but complex method.
   • Download the OpenSSL source code.
   • Configure OpenSSL during compilation to enable specific CCM tag lengths. The exact flags depend on your version, but you might use options like -DOPENSSL_NO_CCM or similar to disable certain lengths if needed.
   • Rebuild and install OpenSSL.
2. TLS Configuration Tools: Some tools allow you to configure TLS settings without recompiling.
   • openssl ciphers command: You can list available cipher suites with their associated tag lengths (though this doesn’t directly *set* the length).

     openssl ciphers -v 'TLS_AES_128_CCM_*'

3. Server Configuration: The server typically dictates the supported cipher suites, including those with specific tag lengths. Configure your web server (e.g., Apache, Nginx) to prioritize ciphers with longer tags.
   • For example, in Nginx, you might adjust the ssl_ciphers directive.

Best Practices

• Use at least a 128-bit (16-byte) tag: This is the recommended minimum for strong security.
• Prioritize longer tags in your cipher suite selection: Configure your server to prefer ciphers with larger authentication tags.
• Regularly review and update your TLS configuration: Keep your OpenSSL version up-to-date and monitor for new vulnerabilities.
• Test thoroughly after making changes: Ensure that your TLS configuration is working as expected and doesn’t introduce any compatibility issues.