Explain me this please:
I encrypted 1 byte plain text by AES-CCM with 8 byte MAC. Result is 9 byte long.
I thought that AES is a 16 byte block cipher, so the result must be 24 bytes long, but it isn't.
It is definitely not a bug in my code, because examples in RFC 3610 are very similar to my case (31 byte data + 8 byte MAC results in 39 byte output).
CCM is an authenticated mode that combines CTR mode for encryption and a CBC-MAC for authentication. Since encryption is done using the streaming mode CTR, the ciphertext will be exactly as long as the plaintext.
The nonce (Initialization Vector) must be unique for CCM mode, otherwise it is possible to lose confidentiality on all messages that use the same nonce with the same key. In order encrypt something, you will either need to use a globally known message counter as the nonce or generate a random nonce and hope that you haven't generated it before (very slim chance for 128-bit block ciphers). The nonce is not supposed to be secret, so you can prepend it to the ciphertext. The full length of the ciphertext would be:
nonceLength + plaintextLength + tagLength
Another problem of CCM mode is the use of CBC-MAC, which is regarded as severely broken nowadays.
