Crypto Appendix - Restrictions on CCM8

[randomstuff]

CCM8 is currently listed as approved in the crypto appendix (a previous version had this text: “CCM-8 is included in regard to TLS cipher suite”).

CCM8 use a 64 bit MAC which is quite weak. It's supposed to be OK when used for TLS but it's not OK but not for other protocols in general:

An 8-byte (64-bit) tag would be uncomfortably small in situations where the attacker can brute-force all possible tags. However, when the tag is used for TLS communication, if the attacker makes a wrong guess for the tag, the receiver will immediately close the connection, so each guess requires a new connection. This makes brute force very expensive.

This is not allowed in DTLS without additional safeguard.

RFC9147 (DTLS 1.3):

The AEAD_AES_128_CCM_8 AEAD, as used in TLS_AES_128_CCM_8_SHA256, does not have a limit on the number of records that fail authentication that both limits the probability of forgery by the same amount and does not expose implementations to the risk of denial of service; see Appendix B.3. Therefore, TLS_AES_128_CCM_8_SHA256 MUST NOT be used in DTLS without additional safeguards against forgery. Implementations MUST set usage limits for AEAD_AES_128_CCM_8 based on an understanding of any additional forgery protections that are used.

QUIC:

QUIC can use any of the cipher suites defined in [TLS13] with the exception of TLS_AES_128_CCM_8_SHA256. A cipher suite MUST NOT be negotiated unless a header protection scheme is defined for the cipher suite.

I suggest, to add a note:

** CCM-8 is only approved when using with TLS and must not be used with other protocols (including DTLS or QUIC).

Additional questions:

• Do not allow it for L3?
• Do not allow it at all? Is relevant anyway? Mozilla SSL configuration generator does not list any CCM (not CCM-8) ciphersuite in any configuration (event in "old" mode).

[randomstuff]

Tweaked formulation:

** CCM-8 is only approved when using with TLS and must in general not be used with other protocols (including DTLS or QUIC).

[randomstuff]

ping @danielcuthbert

[unprovable]

Tweaked formulation:

** CCM-8 is only approved when using with TLS and must in general not be used with other protocols (including DTLS or QUIC).

This reads like a much better version! Yeah, you're right, it was just included for TLS because of its ubiquity and the need to require to order all ciphersuites in some situations. This should serve as a way to know to put it at the bottom of the list, so this disclaimer is entirely appropriate!

[randomstuff]

Some context/references (as far as I understand them) below.

CCM-8 uses a (truncated/small) 64-bit MAC tag. If the receiver receives more than 2^7=128 forged packets, it would give a significant advantage to the attacker.

In TLS, the connection is dropped in case of forged packets so v<=1 (but the tag is still comparatively small which might be an issue).

In DTLS (and QUIC?), this is not the case. DTLS is expected to be resilient to invalid (and forged) records and therefore:

Specifically, TLS_AES_128_CCM_8_SHA256 cannot be used [in DTLS] without additional measures to prevent forgery of records, or to mitigate the effect of forgeries.

I'm wondering if some reference would be useful in the note to motivate the restriction.