CCM mode wrongly allows IV of more than 13 bytes.

[YuaaCindy]

Hello. I am using sjcl's latest version. Sjcl successfully encrypts using CCM mode with an IV of 1049 bytes. However, according to the Wycheproof test suite, this is forbidden :

"AES-CCM is only defined for nonces of size 7 .. 13. No other nonce sizes should be used."

I've checked the source code in ccm.js. It seems that it only limits the lower limit of 7 of IV's length and ignores the upper limit of 13. Allowing encryption with such IV is dangerous, which could leak the key.

[bleichenbacher-daniel]

I've checked the source code in ccm.js. It seems that it only limits the lower limit of 7 of IV's length and ignores the upper limit of 13. Allowing encryption with such IV is dangerous, which could leak the key.

I looked into this issue recently and as much as I tried I can not imagine a way that the key leaks as a result of this bug.

What the library is doing is to truncate long IVs to 13 bytes. It truncates it to even fewer bytes when for long plaintexts when the maximal allowed plaintext size for a given IV is smaller than the actual plaintext size.

I think to analyze this bug one has to look at two distinct cases:

(1) If the user constructs an IV, e.g. by joining a random session IV with a message counter, then the truncation potentially leads to an IV reuse and plaintext disclosure. According to https://eprint.iacr.org/2024/1339.pdf CCM has better resistance than GCM with respect to IV reuse, since GCM just leaks the authentication key and CCM does not.

(2) If the user uses a random IV then the main issues are incompatible encryptions (i.e. plaintext encrypted with sjcl cannot be decrypted with other libraries) and potentially underestimating the probability of IV collisions.