LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three composition approaches for combining encryption and MAC: Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC?

Encrypt-then-MAC is the recommended approach: first encrypt the plaintext, then compute the MAC over the ciphertext.

Encrypt-and-MAC, MAC-then-Encrypt, Encrypt-then-MAC compared

* Three ways to combine encryption and a MAC — Encrypt-then-MAC (verify before decrypting) is the safe one. *

1. Encrypt-and-MAC (E&M):

C = E(K_E, M)
T = MAC(K_M, M)    ← MAC computed over plaintext
Send: (C, T)
  • Problem: MAC is computed on plaintext — may leak information about M
  • Used by SSH (but with mitigations)

2. MAC-then-Encrypt (MtE):

T = MAC(K_M, M)
C = E(K_E, M || T)    ← encrypt message + tag together
Send: C
  • Problem: must decrypt before you can verify integrity → vulnerable to padding oracle attacks
  • Used by older TLS versions (and led to attacks like BEAST, Lucky13)

3. Encrypt-then-MAC (EtM):

C = E(K_E, M)
T = MAC(K_M, C)    ← MAC computed over ciphertext
Send: (C, T)
  • Recommended: verify MAC first, only decrypt if valid → prevents processing malicious ciphertext
  • Used by IPsec and modern TLS

Tip: "Encrypt-then-MAC" = the gold standard. Check integrity BEFORE decrypting to avoid processing attacker-controlled data.

Go deeper:

From Quiz: KRYPTOG / Symmetric Cryptography | Updated: Jul 14, 2026