Quiz Entry - updated: 2026.07.14
What are the three composition approaches for combining encryption and MAC: Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC?
Encrypt-then-MAC is the recommended approach: first encrypt the plaintext, then compute the MAC over the ciphertext.
* Three ways to combine encryption and a MAC — Encrypt-then-MAC (verify before decrypting) is the safe one. *
1. Encrypt-and-MAC (E&M):
C = E(K_E, M)
T = MAC(K_M, M) ← MAC computed over plaintext
Send: (C, T)
- Problem: MAC is computed on plaintext — may leak information about M
- Used by SSH (but with mitigations)
2. MAC-then-Encrypt (MtE):
T = MAC(K_M, M)
C = E(K_E, M || T) ← encrypt message + tag together
Send: C
- Problem: must decrypt before you can verify integrity → vulnerable to padding oracle attacks
- Used by older TLS versions (and led to attacks like BEAST, Lucky13)
3. Encrypt-then-MAC (EtM):
C = E(K_E, M)
T = MAC(K_M, C) ← MAC computed over ciphertext
Send: (C, T)
- Recommended: verify MAC first, only decrypt if valid → prevents processing malicious ciphertext
- Used by IPsec and modern TLS
Tip: "Encrypt-then-MAC" = the gold standard. Check integrity BEFORE decrypting to avoid processing attacker-controlled data.
Go deeper:
Authenticated encryption (Wikipedia) — the composition orders and the attacks that killed the bad ones.