tlswg / tls13-spec

TLS 1.3 Specification

AES CCM and AES CCM 8 key usage limits #1332

Closed Julien00859 closed 6 months ago

Julien00859 commented 9 months ago

Hello there,

Section 5.5: Limit on Key Usage gives limits for AES GCM and ChaCha and references the AEAD-LIMITS study to justify the values.

Neither the TLS spec nor the AEAD-LIMITS paper gives limits for AES CCM and AES CCM 8 key usage. What would be the number of messages we can safely encrypt with both ciphers before rekeying?

While searching online to find the limit, I found the following IETF draft, Usage Limits on AEAD Algorithms, which mandates a limit of 2^31 message encryptions (given that each message is 1500 bytes) with TLS for both CCMs. Is this limit correct?

While at it, the TLS spec mandates a maximum of 2^23.5 message encryptions for AES GCM, but the Usage Limits on AEAD Algorithms draft mandates 2^32.5. What is the actual limit?

By the way, the AEAD-LIMITS link seems down: I got a PHP/MySQL error when I attempted to open the link. I could retrieve the original PDF using the Wayback Machine.

Regards, Julien

tomato42 commented 9 months ago

> (given that each message is 1500 bytes)

No, the TLS record layer allows messages (records) of 2^14 bytes; see section 5.1 of RFC 8446. While a record may be sent over multiple IP packets, which typically will be limited to 1500 bytes because Ethernet frames are usually that size, that doesn't influence how the data is encrypted for AEAD: a single IV is used to encrypt the whole 2^14 bytes.

Julien00859 commented 9 months ago

Does this explain why on the TLS 1.3 side it mandates 2^23.5 messages (16 KiB long messages) and on the Usage-Limits-on-AEAD-Algorithms side it mandates 2^32.5 messages (1.5 kB long messages)?

tomato42 commented 9 months ago

Table 2 in that draft is an example:

> If the messages exchanged in the protocol are at most a common Internet MTU of around 1500 bytes,

Emphasis on "if".

seanturner commented 7 months ago

WRT the reference, I believe this version (https://eprint.iacr.org/2024/051.pdf) is the same minus the date on the 1st page. See #1337.

ekr commented 6 months ago

Closing this, as I believe it is addressed.