
Current Modes

First Part: Five Confidentiality Modes

In Special Publication 800-38A, five confidentiality modes are specified for use with any approved block cipher, such as the AES algorithm. The modes in SP 800-38A are updated versions of the ECB, CBC, CFB, and OFB modes that are specified in FIPS Pub. 81; in addition, SP 800-38A specifies the CTR mode.

NIST has developed a proposal to extend the domain of the CBC mode with a version of "ciphertext stealing," so that CBC can handle messages whose length is not a multiple of the block size without padding. Eventually, NIST expects to incorporate some form of ciphertext stealing for CBC mode into a new edition of SP 800-38A; the remaining technical material that is specified in the 2001 edition is expected to remain valid.



Second Part: An Authentication Mode

The CMAC authentication mode is specified in Special Publication 800-38B for use with any approved block cipher. CMAC stands for cipher-based message authentication code (MAC), analogous to HMAC, the hash-based MAC algorithm.

CMAC is essentially the One-Key CBC-MAC (OMAC) algorithm submitted by Iwata and Kurosawa. OMAC is an improvement of the XCBC algorithm, submitted by Rogaway and Black, which itself is an improvement of the CBC-MAC algorithm. XCBC efficiently addresses the security deficiencies of CBC-MAC (its forgeability when messages of different lengths are authenticated under one key) by masking the final block with a secret value; OMAC efficiently reduces the key size of XCBC by deriving the two masking subkeys from the single block cipher key.
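As an added example, not code from NIST or from the OMAC authors, the following pure-Python implementation of AES-128 and CMAC is written directly from FIPS 197 and SP 800-38B. It shows the two steps that separate CMAC from raw CBC-MAC: the subkeys K1 and K2 derived from L = E_K(0^128) by doubling in GF(2^128), and the masking of the final block (K1 for a complete block, K2 after 10* padding for an incomplete one). Function names are this example's own; the hex values in the checks are the published RFC 4493 test vectors.

```python
"""AES-128 and CMAC (SP 800-38B / RFC 4493), written from the spec in pure Python."""

def _xtime(b):
    """Multiply a GF(2^8) element by x, reducing modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def _gf_mul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

def _build_sbox():
    """S-box = affine transform of the multiplicative inverse (FIPS 197, 5.1.1)."""
    sbox = [0x63] * 256                  # inverse of 0 is defined as 0, so S(0) = 0x63
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _gf_mul(a, b) == 1)
        sbox[a] = inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """AES-128 key schedule: 44 words -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                   # RotWord, SubWord, then XOR Rcon into byte 0
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; state index = row + 4*column, as in FIPS 197."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                   # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]         # ShiftRows
        if rnd != 10:                                              # MixColumns
            t = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                t += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                      a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                      a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                      _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = t
        s = [b ^ k for b, k in zip(s, rk[rnd])]                    # AddRoundKey
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _dbl(block):
    """Multiply by x in GF(2^128) with constant R_b = 0x87 (SP 800-38B subkey step)."""
    n = (int.from_bytes(block, "big") << 1) & ((1 << 128) - 1)
    return (n ^ (0x87 if block[0] & 0x80 else 0)).to_bytes(16, "big")

def cmac_subkeys(key):
    """K1 = dbl(L), K2 = dbl(K1), where L = E_K(0^128)."""
    k1 = _dbl(aes128_encrypt_block(key, bytes(16)))
    return k1, _dbl(k1)

def aes_cmac(key, msg):
    """16-byte CMAC tag.  The final block is XORed with K1 if complete, otherwise padded
    with 10* and XORed with K2; this masking is what removes CBC-MAC's forgeries."""
    k1, k2 = cmac_subkeys(key)
    n = max(1, -(-len(msg) // 16))       # number of blocks, at least one (empty message)
    last = msg[16 * (n - 1):]
    if len(last) == 16:
        last = _xor(last, k1)
    else:
        last = _xor(last + b"\x80" + bytes(15 - len(last)), k2)
    x = bytes(16)
    for i in range(n - 1):               # plain CBC chaining over all but the last block
        x = aes128_encrypt_block(key, _xor(x, msg[16 * i:16 * i + 16]))
    return aes128_encrypt_block(key, _xor(x, last))
```

The S-box is generated rather than typed in so that the block has no large constant tables to transcribe wrongly; the cost is a one-time brute-force inverse search at import. For production use an AES implementation with constant-time tables or hardware instructions; this table-driven code is for understanding the construction, not for deployment.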



Third Part: An Authenticated Encryption Mode

Special Publication 800-38C specifies the CCM mode of the AES algorithm. CCM combines the counter mode for confidentiality with the cipher block chaining technique (CBC-MAC) for authentication, using a single key for both. The specification is intended to be compatible with the use of CCM within a draft amendment to the IEEE 802.11 standard for wireless local area networks.

There were many public comments on the earlier draft of the document; NIST briefly described its responses to the most significant comments.



Fourth Part: A High-Throughput Authenticated Encryption Mode

Special Publication 800-38D specifies the Galois/Counter Mode (GCM) of the AES algorithm. GCM combines the counter mode for confidentiality with an authentication mechanism that is based on a universal hash function (GHASH, polynomial evaluation in GF(2^128)). GCM was designed to facilitate high-throughput hardware implementations; software optimizations are also possible, if certain lookup tables can be precomputed from the key and stored in memory (such key-dependent tables also need care against cache-timing side channels).

The document includes discussion of two significant security issues that were raised in public comments: the unusual risks of using short tags (Ferguson), where each successful forgery against a truncated tag also leaks information about the hash subkey, and the critical importance of the requirement for the uniqueness of the IVs (Joux), since repeating an IV under the same key both reuses the counter-mode keystream and exposes the hash subkey, which allows forgeries.
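To make the Joux point concrete, the following added example (not NIST's and not any library's code) implements GCM's GHASH and counter mode as specified in SP 800-38D, but with the block cipher replaced by a stand-in keyed PRF (HMAC-SHA-256 truncated to 16 bytes) so that the block stays self-contained; outputs therefore do not match AES-GCM test vectors, while the field arithmetic, the counter layout and the attack are GCM's own. It shows the simplest instance of the attack: two distinct one-block messages under the same key and IV let an attacker solve for the hash subkey H and then forge a valid tag for a plaintext of their choosing. The key, IV and plaintexts are constructed, and all function names are this example's.

```python
"""GCM's GHASH and counter mode, with the block cipher replaced by a stand-in keyed PRF,
used to show what a repeated IV gives an attacker (Joux's nonce-reuse observation)."""
import hmac
import hashlib

# STAND-IN for AES-128: HMAC-SHA-256 truncated to 16 bytes.  Every GCM step below is
# taken from SP 800-38D; only the block cipher is swapped, so outputs will not match
# AES-GCM test vectors, but the algebra of the attack is unchanged.
def _block_cipher(key, block):
    return hmac.new(key, block, hashlib.sha256).digest()[:16]

ONE = 1 << 127   # the field element 1 in GCM's bit-reflected block representation

def gf128_mul(x, y):
    """Multiplication in GF(2^128), Algorithm 1 of SP 800-38D (R = 11100001 || 0^120)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ (0xE1 << 120) if v & 1 else v >> 1
    return z

def gf128_pow(x, e):
    r = ONE
    while e:
        if e & 1:
            r = gf128_mul(r, x)
        x, e = gf128_mul(x, x), e >> 1
    return r

def gf128_inv(x):
    return gf128_pow(x, (1 << 128) - 2)      # Fermat: x^(2^128 - 1) = 1 for x != 0

def gf128_sqrt(x):
    return gf128_pow(x, 1 << 127)            # squaring is a bijection in characteristic 2

def _ghash_input(aad, ct):
    """pad(A) || pad(C) || [len(A)]_64 || [len(C)]_64, lengths in bits."""
    pad = lambda b: b + bytes(-len(b) % 16)
    return pad(aad) + pad(ct) + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big")

def ghash(h, data):
    """GHASH_H: Y_i = (Y_{i-1} xor X_i) * H over the 16-byte blocks of data."""
    y = 0
    for i in range(0, len(data), 16):
        y = gf128_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y

def hash_subkey(key):
    return int.from_bytes(_block_cipher(key, bytes(16)), "big")   # H = E_K(0^128)

def _gctr(key, iv, data):
    """Counter mode from inc32(J0), J0 = IV || 0^31 || 1 for a 96-bit IV (short data only)."""
    out = b""
    for i in range(0, len(data), 16):
        ks = _block_cipher(key, iv + (2 + i // 16).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return out

def gcm_encrypt(key, iv, aad, pt):
    ct = _gctr(key, iv, pt)
    s = ghash(hash_subkey(key), _ghash_input(aad, ct))
    tag = s ^ int.from_bytes(_block_cipher(key, iv + b"\x00\x00\x00\x01"), "big")
    return ct, tag.to_bytes(16, "big")

def gcm_decrypt(key, iv, aad, ct, tag):
    """Verify the tag in constant time before releasing any plaintext."""
    s = ghash(hash_subkey(key), _ghash_input(aad, ct))
    expected = (s ^ int.from_bytes(_block_cipher(key, iv + b"\x00\x00\x00\x01"), "big")).to_bytes(16, "big")
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    return _gctr(key, iv, ct)

# --- attacker side: sees only (ct, tag) pairs that share one key and one IV ---

def recover_hash_key(ct1, tag1, ct2, tag2):
    """Two distinct one-block ciphertexts (no AAD) under one (key, IV):
    tag1 ^ tag2 = (C1 ^ C2) * H^2, because E_K(J0) and the length block cancel."""
    dc = int.from_bytes(ct1, "big") ^ int.from_bytes(ct2, "big")
    dt = int.from_bytes(tag1, "big") ^ int.from_bytes(tag2, "big")
    return gf128_sqrt(gf128_mul(dt, gf128_inv(dc)))

def forge(h, ct1, tag1, pt1, new_pt, aad=b""):
    """With H known, E_K(J0) = tag1 ^ GHASH_H(C1).  Counter mode lets the attacker set
    the plaintext by XOR, and the tag for the new ciphertext then follows from H."""
    ek_j0 = int.from_bytes(tag1, "big") ^ ghash(h, _ghash_input(b"", ct1))
    new_ct = bytes(c ^ p ^ q for c, p, q in zip(ct1, pt1, new_pt))
    tag = ghash(h, _ghash_input(aad, new_ct)) ^ ek_j0
    return new_ct, tag.to_bytes(16, "big")

def demo():
    key, iv = b"k" * 16, b"reused-iv-96"                # constructed; IV reused on purpose
    p1, p2 = b"amount=00000100;", b"amount=00000250;"   # 16 bytes each, one block
    ct1, tag1 = gcm_encrypt(key, iv, b"", p1)
    ct2, tag2 = gcm_encrypt(key, iv, b"", p2)
    h = recover_hash_key(ct1, tag1, ct2, tag2)
    ct3, tag3 = forge(h, ct1, tag1, p1, b"amount=99999999;")
    return h == hash_subkey(key), gcm_decrypt(key, iv, b"", ct3, tag3)
```

With longer messages the same difference of tags becomes a polynomial in H of higher degree whose roots must be found in GF(2^128), which is Joux's general attack; the one-block case reduces it to a single division and a square root. The defence is not in the tag check but in IV management: SP 800-38D requires that an IV never repeat under a key, and in practice that means a counter or a deterministic construction rather than a random 96-bit value drawn many times.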



Future Parts

In the future, NIST intends to recommend at least one additional mode: the AES Key Wrap (AESKW). AESKW is intended for the authenticated encryption ("wrapping") of specialized data, such as cryptographic keys, without using a nonce, for distribution or storage. AESKW invokes the block cipher about twelve times per 128-bit block of data (six passes over each 64-bit half-block). The design provides security properties that may be desired for high assurance applications, such as deterministic output and no dependence on a nonce being managed correctly; the tradeoff is relatively inefficient performance compared to other modes.