Abstract—The security offered by current mobile telecommunications networks is limited. Use cases that require a high degree of security, such as M2M applications (financial, voting systems), need more security guarantees. Therefore, additional security must be added on top of existing networks. A common way to add security is to use composite encryption schemes. Two (2) of these schemes are compared in terms of performance: an Encrypt-and-MAC composite scheme, represented by AES in CTR mode and in CMAC mode, and an Encrypt-then-MAC scheme using the EAX mode. These schemes are used in the context of an over-the-top protocol in SMS networks used in M2M applications. Results show that performance in terms of transaction time is close between the two (2) composite schemes, but the Encrypt-then-MAC scheme provides more guarantees. It is also shown that online performance is better for the Encrypt-then-MAC composite scheme.

Index Terms—Cryptography, AES, AEAD, SMS, GSM

I. INTRODUCTION

Mobile communication technology is one of the fastest growing areas, and it continues to make a significant impact on human lives and social development. In the last 20 years, mobile communications has made significant leaps in both capabilities and acceptance. There are over four (4) billion mobile phone users in the world, more than 65% of the world's population [1]. Along with the rise of mobile commerce, the area of machine-to-machine (M2M) technology applications is also growing quickly. Analysts' projections show the compounded annual growth rate of M2M technology adoption at 30% [2]. The general increase in M2M use will bring M2M applications that require a high degree of security, such as financial, logistics, voting systems, SCADA and potentially other applications. There is a need to provide these transactions with the appropriate security guarantees.

Manuscript received December 8, 2010; revised December 29, 2010.
This work was supported by the Department of Information Systems and Computer Science of the Ateneo de Manila University. B. Guo and W. Yu are with the Ateneo de Manila University (B. Guo e-mail: guobao7@hotmail.com; W. Yu e-mail: wyu@ateneo.edu).

II. OBJECTIVES OF THE STUDY

For particular M2M applications, the security of data transmission is crucial. Security requirements may vary depending on the type of service and business requirements. For example, remote banking would require privacy, authenticity and integrity, while navigation systems would only need authenticity and integrity. It has been shown that, for these types of M2M applications, Encrypt-then-MAC composite schemes provide the most comprehensive security guarantees [3]. The goal of this study is to compare the performance of Encrypt-then-MAC versus Encrypt-and-MAC composite schemes in cryptography when providing the required security guarantees. Another study compares this composite scheme with a PKI-based scheme [13]. We introduce two (2) implementations (AES-EAX and AES-CMAC-CTR) as representatives of their respective composite schemes, then compare them in terms of transaction time.

III. SCOPE AND LIMITATIONS

In this study we aim to determine the comparative performance of the two mechanisms (Encrypt-and-MAC versus Encrypt-then-MAC composite scheme) for the purposes of securing data traffic using an over-the-top protocol on an SMS network targeted for M2M applications [4]. The hardware, software platform, payload (data to be transmitted) and keys for both mechanisms are kept constant. The data is not actually transmitted, to enforce the assumption that the network transport layer component is constant.

IV. SECURITY AND MOBILE NETWORKS

The AES algorithm is an iterated block cipher. Its block size is 128 bits, and its key sizes are 128 bits, 192 bits and 256 bits.
The largest AES encrypted data block size is 256 bits, but the key size in theory has no upper limit [4]. Block ciphers such as AES are used in various modes of operation. These modes of operation provide particular guarantees. There are three general modes of operation: confidentiality mode (i.e. CTR), authentication mode (i.e.

Bao Guo and William Emmanuel Yu, "Comparison Between Encrypt-and-MAC Composite (CMAC CTR) and Encrypt-then-MAC Composite (AES EAX) Modes of Operation in Cryptography Systems for Use in SMS-based Secure Transmission". Proceedings of the International MultiConference of Engineers and Computer Scientists 2011 Vol I, IMECS 2011, March 16 - 18, 2011, Hong Kong. ISBN: 978-988-18210-3-4. ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online).