NordicPlayground / nrf51-ble-dfu-symmetric-signing

Symmetric signing example for the SDK bootloader using a SHA256-based HMAC

Should CCM be used instead of HMAC? #1

Open drewbug opened 9 years ago

drewbug commented 9 years ago

Would it be possible or worthwhile from a performance or storage space perspective to use the on-board AES coprocessor's CCM abilities to perform authentication instead of the HMAC?

nordic-auko commented 9 years ago

Good question! It would make more sense from a storage perspective than a performance one, considering that the MAC is generated only once per firmware image. Potentially you could save up to 4 kBytes of code space. 1 kByte (1 flash page) would still have to be used for the secret key though.

Given that the softdevice blocks use of the AES-CCM mode hardware and doesn't provide an API for it, it would probably be easier to run CMAC than CCM. You can use the timeslot API to schedule direct access to the crypto hardware, or disable the softdevice altogether, but it does add complexity. There is an ECB API though, which can be used as the cipher for CMAC.

From what I've read, a SHA-256 based HMAC is regarded as a better choice than AES-based MACs, but the relatively low frequency of firmware updates makes, for example, collision attacks unlikely. I haven't looked into how much code size can be reduced by switching.
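
The reply above suggests running CMAC with an ECB block-encrypt call as the cipher. As an added example (not code from this repository or from Nordic), this is AES-CMAC per RFC 4493 in C, built only from single-block ECB encryption. The software AES-128 in `ecb_encrypt` is a constructed host-side stand-in for the hardware ECB primitive, and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>
static uint8_t S[256];  /* S-box of the software AES-128 that stands in for the ECB hardware */
static uint8_t xt(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static uint8_t rl(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }
static void sbox_init(void) {
    uint8_t p = 1, q = 1;
    do {                                         /* invariant: p * q == 1 in GF(2^8) */
        p ^= xt(p);                              /* p *= 3 */
        q ^= q << 1; q ^= q << 2; q ^= q << 4; if (q & 0x80) q ^= 0x09;  /* q /= 3 */
        S[p] = q ^ rl(q, 1) ^ rl(q, 2) ^ rl(q, 3) ^ rl(q, 4) ^ 0x63;     /* affine transform */
    } while (p != 1);
    S[0] = 0x63;                                 /* 0 has no inverse */
}
static void ecb_encrypt(const uint8_t key[16], uint8_t s[16]) {  /* one block, in place */
    uint8_t rk[176], t[16], rc = 1;
    memcpy(rk, key, 16); if (!S[0]) sbox_init();                 /* build S-box on first use */
    for (int i = 16; i < 176; i += 4) {                          /* key schedule */
        uint8_t w[5] = { rk[i - 4], rk[i - 3], rk[i - 2], rk[i - 1], rk[i - 4] };
        if (i % 16 == 0) { for (int j = 0; j < 4; j++) w[j] = S[w[j + 1]]; w[0] ^= rc; rc = xt(rc); }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i + j - 16] ^ w[j];
    }
    for (int i = 0; i < 16; i++) s[i] ^= rk[i];
    for (int r = 1; r <= 10; r++) {
        for (int i = 0; i < 16; i++) t[i] = S[s[(i + 4 * (i % 4)) % 16]];  /* SubBytes + ShiftRows */
        for (int c = 0; c < 16 && r < 10; c += 4) {                        /* MixColumns */
            uint8_t a[4] = { t[c], t[c + 1], t[c + 2], t[c + 3] }, e = a[0] ^ a[1] ^ a[2] ^ a[3];
            for (int j = 0; j < 4; j++) t[c + j] = a[j] ^ e ^ xt(a[j] ^ a[(j + 1) % 4]);
        }
        for (int i = 0; i < 16; i++) s[i] = t[i] ^ rk[16 * r + i];         /* AddRoundKey */
    }
}
static void dbl(uint8_t b[16]) {                 /* multiply by x in GF(2^128) */
    uint8_t msb = b[0] >> 7;
    for (int i = 0; i < 16; i++) b[i] = (uint8_t)((b[i] << 1) | (i < 15 ? b[i + 1] >> 7 : 0));
    if (msb) b[15] ^= 0x87;
}
/* AES-CMAC (RFC 4493) built only from the single-block ECB encryption above. */
void aes_cmac(const uint8_t key[16], const uint8_t *msg, size_t len, uint8_t mac[16]) {
    uint8_t k[16] = {0}, last[16] = {0};
    size_t n = len ? (len + 15) / 16 : 1, rem = len - 16 * (n - 1);
    ecb_encrypt(key, k); dbl(k);                            /* K1 = dbl(E_K(0)) */
    if (rem < 16) { dbl(k); last[rem] = 0x80; }             /* partial block: K2, 10* padding */
    if (rem) memcpy(last, msg + 16 * (n - 1), rem);
    for (int j = 0; j < 16; j++) { last[j] ^= k[j]; mac[j] = 0; }
    for (size_t i = 0; i < n; i++) {                        /* CBC-MAC chain, masked final block */
        for (int j = 0; j < 16; j++) mac[j] ^= (i + 1 < n ? msg + 16 * i : last)[j];
        ecb_encrypt(key, mac);
    }
}
```

On a device, `ecb_encrypt` would wrap the platform's ECB call instead of the software AES, and the received tag should be compared against the computed one in constant time.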