Why Encrypt-Then-MAC Beats MAC-Then-Encrypt
Understand the cryptographic argument for combining encryption and authentication in the correct order.
Three Composition Orders
When combining encryption and a MAC, three orderings exist: Encrypt-then-MAC (EtM), MAC-then-Encrypt (MtE), and Encrypt-and-MAC (E&M). Each has fundamentally different security properties, and only one is provably secure in all settings.
Encrypt-then-MAC Defined
In Encrypt-then-MAC, the plaintext is first encrypted to produce ciphertext, and then the MAC is computed over that ciphertext. The receiver can verify the MAC before ever attempting decryption, which means a tampered message is rejected immediately without revealing information.
All lessons in this course
- Why Encrypt-Then-MAC Beats MAC-Then-Encrypt
- SIV Mode: Nonce-Misuse Resistant AEAD
- AEGIS: High-Speed Authenticated Encryption
- Selecting AEAD for Production Systems