Performance Comparison of Message Authentication Code (MAC) Algorithms for the Internet Protocol Security (IPSEC)

The cryptographic algorithms employed in Internet security must be able to handle packets which may vary in size over a large range. Most of the cryptographic hash algorithms process messages by partitioning them into large blocks. Due to this fact the messages have to be prepared by padding the required amount of zero bits to get an integer number of blocks. This process contributes a considerable overhead when the short messages are more dominant in the message stream. Hashed Message Authentication Code-Secure Hash Algorithm-1 (HMAC-SHA-1) [1] has been recommended for message authentication in several network security protocols. The MAC based block cipher CBC-MAC-DES [2] has been included in the international standards for data integrity and authentication. However, after selecting the Advanced Encryption Standard (AES) algorithm, the use of DES merits reevaluation as Rijndael [3] shows good performance in both hardware and software and it has better security features than DES. CBC-MAC is likely to be standardized as an AES mode of operation. In this paper we will analyze the hardware and software performance of Hashed Message Authentication Code (HMAC) and Cipher Block Chaining Message Authentication Code (CBC-MAC) in the context of the traffic characteristics of the Internet. Studying the behavior of IP packet size of the Internet messages allows the estimation of actual performance of these authentication functions. The probability density function (PDF) of the IP packet size is approximated as one of four models, each having different accuracy level. The PDF is then used to determine the rate at which authentication can be executed on average, based on the results of previous hardware and software implementation performance data for the hash and encryption algorithms.