Cryptographic Algorithms – Impact On Application Performance

The importance of security is often realized only after an application’s security is breached. One of the reasons why security is not enforced is it’s impact on application performance. Adding security makes my application slow is a very common excuse for not securing applications. While security features is a generic term, and can mean a number of things right from firewalls to identity management and more, in this article we will concentrate on the cryptographic implications. We will study the impact of using various kinds of cryptographic algorithms on performance.

Measuring performance of cryptography

Let us first categorize our areas of measurement into various types of functionalities. We normally need to perform some of the following cryptographic operations:

• Confidentiality – Encrypt/Decrypt data to provide for confidentiality. This can be classified further into symmetric key cryptography (same key being used at both ends) and asymmetric key cryptography (public key is used at one end, and a different private key is used at the other end)
• Integrity – Message digests are computed and are used to detect alterations made to the original message so as to prevent tampering.
• Non-repudiation – To ensure that the original sender can prove (or cannot deny!) that she was the creator/sender of a message, it can be digitally signed.

Hence, our measurement of speeds of cryptographic operations would be restricted to these three categories. The exercise was done using NetBeans 6.0 on Windows Vista with 2 GB RAM and 110 GB hard disk.

Before we get into more hands-on experiences, let us first review the numbers that famous security expert Bruce Schneier has quoted in his classic “Applied Cryptography”:

Now, let us try doing the measurements ourselves.

Message digest performance tests

Summary of observations

• Regardless of the message digest size (and therefore the perceived complexity of the algorithm) the amount of time it takes for computing message digests remains more or less the same.
• The size of the input text does not make any difference.

Symmetric key encryption and decryption performance tests

Note: This test includes run-time symmetric key generation, encryption of plain text into cipher text and decryption of cipher text back into plain text.

Summary of observations

• Regardless of the algorithm (and therefore the perceived complexity of the algorithm) the amount of time it takes for encryption and decryption remains more or less the same.
• The size of the input text does not make any difference.

Asymmetric key encryption and decryption performance tests

Note: This test includes run-time symmetric key generation, encryption of plain text into cipher text and decryption of cipher text back into plain text.

Summary of observations

• Time taken is certainly more than what symmetric key encryption algorithms require.
• The size of the input text does make a difference. The more the plain text, the higher is the time taken for encryption and decryption.

As we can see, message digest algorithms are the fastest. No encryption is involved here. Symmetric key encryption algorithms are much faster than asymmetric key algorithms. Asymmetric key algorithms perform worse as the size of the plain text increases.

About the author : Atul Kahate is Head – Technology Practice, Oracle Financial Services Consulting (formerly i-flex solutions limited). He has authored 16 books on Information Technology, 2 on cricket, and over 1500 articles on both of these in various newspapers/journals. His site can be visited at www.atulkahate.com and he can be reached via email at [email protected].