Breaking Mach-1 with your CAT token

About This Video

The SVTA CAT (Common Access Token) standard initiative builds a one-size-fits-all token for CDNs. It pursues efficiency on multiple fronts, such as (i) efficient transmission through a compact (schema-less) binary encoding and (ii) efficient processing thanks to native (binary) encoding of integers, which avoids string-processing costs. Thanks to its expressiveness, it is a strong candidate to become the go-to token for Internet traffic in the future. One aspect in which the proposal remains weak, however, is the continued use of HMAC. HMAC has been the de facto default symmetric authentication mechanism for tokens, and CAT continues this tradition by mandating its support and using it as the base recommendation. Yet, while HMAC algorithms are simpler, this doesn't mean that they are faster. Indeed, CPUs have heavily optimized dedicated instructions for AES. As a consequence, the fastest MACs today are not HMACs but CMACs such as LeMAC or Aegis-256×2. In this talk, we evaluate the performance of MACs, be they HMAC or CMAC, on a variety of server vendors and generations, and with different token lengths, in order to showcase the potential benefits of switching away from HMAC. With a little twist, your CAT will soon travel at Mach-4.

Speakers