LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three possible orderings of encryption and integrity protection, and what are they called?

The three options are MAC-then-Encrypt, MAC-and-Encrypt, and Encrypt-then-MAC — they differ in what gets MACed and what gets encrypted.

MAC-then-Encrypt, MAC-and-Encrypt, Encrypt-then-MAC

* Encrypt-then-MAC lets the receiver verify before decrypting — the safest ordering. *

Option A: MAC-then-Encrypt (MtE)

  1. Compute $\text{MAC}(m)$
  2. Encrypt both: $E(m \| \text{MAC}(m))$
  • Used by: SSL/TLS (older versions)
  • The MAC is hidden inside the ciphertext

Option B: MAC-and-Encrypt (M&E)

  1. Compute $\text{MAC}(m)$ and $E(m)$ independently
  2. Send both: $E(m) \| \text{MAC}(m)$
  • Used by: SSH
  • The MAC is computed on plaintext but sent alongside ciphertext

Option C: Encrypt-then-MAC (EtM)

  1. Encrypt: $c = E(m)$
  2. Compute MAC on ciphertext: $\text{MAC}(c)$
  3. Send: $c \| \text{MAC}(c)$
  • Used by: IPsec, TLS 1.3 (via AEAD)
  • Considered the safest approach

Why EtM is preferred:

  • The receiver can verify integrity before decrypting — rejecting tampered ciphertexts without wasting computation on decryption
  • Prevents padding oracle attacks (which exploit the decrypt-then-verify pattern in MtE)
  • Provably secure under standard assumptions

Modern best practice: Use AEAD modes (e.g., AES-GCM, ChaCha20-Poly1305) which implement EtM internally as a single operation.

Go deeper:

From Quiz: KRYPTOG / Fundamentals of Cryptography | Updated: Jul 14, 2026