PolarSSL is now part of ARM Official announcement and rebranded as mbed TLS.

GCM mode for CMAC

Feb 28, 2018 08:58
Joakim Nordell


I just found out that GCM mode is not supported when you'd like to generate a CMAC, only variants of ECB modes are supported. They are considered unsafe in many forums. Are there any plans to add GCM support for CMAC?

Regards Joakim Nordell

Feb 28, 2018 18:03
Ron Eldor

Hi Joakim,
I am not sure I understand your request. GCM MAC is by definition GMAC, not CMAC. In addition, what is the variants of ECB mode you are referring to? There is only one variant of ECB mode.
Mbed TLS supports different modes of AES, which are implemented internally using ECB, for every 16 bytes. This This is perfectly fine, as ECB cipher on 16 bytes is identical to AES128 operation on 16 bytes ( AES block size). ECB mode for a buffer larger than 16 bytes is in fact not secure.
Mbed TLS Team member

Mar 2, 2018 08:43
Joakim Nordell

Thanks for your reply. I realize this may be off topic in this forum. My idea was that all items in the enum mbedtls_cipher_type_t can be used with mbedtls_cipher_info_from_type() mbedtls_cipher_setup() mbedtls_cipher_cmac_starts() ...and so on. The info text to the enum sais: * \brief An enumeration of supported (cipher, mode) pairs. ... That is why I call GCM a mode. What I'd like to do, is generating a secure MAC of more than 16 bytes of data used in an authentication protocol. From different security forums I got the impression that ECB is not secure, compare to GCM.

Regards Joakim Nordell