CCM is one of the supported [AEAD algorithms][]. Applications which use this mode must adhere to certain restrictions when using the cipher API:
- The authentication tag length must be specified during cipher creation by
setting the
authTagLength
option and must be one of 4, 6, 8, 10, 12, 14 or 16 bytes. - The length of the initialization vector (nonce)
N
must be between 7 and 13 bytes (7 ≤ N ≤ 13
). - The length of the plaintext is limited to
2 ** (8 * (15 - N))
bytes. - When decrypting, the authentication tag must be set via
setAuthTag()
before callingupdate()
. Otherwise, decryption will fail andfinal()
will throw an error in compliance with section 2.6 of [RFC 3610][]. - Using stream methods such as
write(data)
,end(data)
orpipe()
in CCM mode might fail as CCM cannot handle more than one chunk of data per instance. - When passing additional authenticated data (AAD), the length of the actual
message in bytes must be passed to
setAAD()
via theplaintextLength
option. Many crypto libraries include the authentication tag in the ciphertext, which means that they produce ciphertexts of the lengthplaintextLength + authTagLength
. Node.js does not include the authentication tag, so the ciphertext length is alwaysplaintextLength
. This is not necessary if no AAD is used. - As CCM processes the whole message at once,
update()
can only be called once. - Even though calling
update()
is sufficient to encrypt/decrypt the message, applications must callfinal()
to compute or verify the authentication tag.
const crypto = require('crypto');
const key = 'keykeykeykeykeykeykeykey';
const nonce = crypto.randomBytes(12);
const aad = Buffer.from('0123456789', 'hex');
const cipher = crypto.createCipheriv('aes-192-ccm', key, nonce, {
authTagLength: 16
});
const plaintext = 'Hello world';
cipher.setAAD(aad, {
plaintextLength: Buffer.byteLength(plaintext)
});
const ciphertext = cipher.update(plaintext, 'utf8');
cipher.final();
const tag = cipher.getAuthTag();
// Now transmit { ciphertext, nonce, tag }.
const decipher = crypto.createDecipheriv('aes-192-ccm', key, nonce, {
authTagLength: 16
});
decipher.setAuthTag(tag);
decipher.setAAD(aad, {
plaintextLength: ciphertext.length
});
const receivedPlaintext = decipher.update(ciphertext, null, 'utf8');
try {
decipher.final();
} catch (err) {
console.error('Authentication failed!');
return;
}
console.log(receivedPlaintext);