commoncriteria / application

Protection Profile for Application Software
The Unlicense

CCM nonce requirements #183

Closed jvdsn closed 1 month ago

jvdsn commented 2 months ago

FCS_SNI_EXT.1 currently states "CCM: Nonce shall be non-repeating and unpredictable;"

I don't think unpredictable nonces are required for CCM. Section 5.3 of SP 800-38C says

The nonce shall be non-repeating in the sense that any two distinct data pairs to be protected by CCM during the lifetime of the key shall be assigned distinct nonces. In effect, the nonce determines an invocation of CCM. The nonce is not required to be random.

Similarly, Section 5 of RFC 3610 states

The main requirement is that, within the scope of a single key, the nonce values are unique for each message. A common technique is to number messages sequentially, and to use this number as the nonce.

As CCM is based on CTR (similar to GCM) I wouldn't expect an unpredictable nonce to be required either.

Perhaps you can verify with your crypto experts?

jmcdaniels commented 1 month ago

Thanks, I have updated the requirement.

https://github.com/commoncriteria/application/commit/2d8a7556dbd975c8c50a30a977a155a4166574ce