LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

When applying both encryption and MAC to a message, what is the recommended order of operations?

The classic approach is: compute the MAC (or signature) over the plaintext first, then encrypt everything — known as MAC-then-Encrypt or "authenticate then encrypt."

MAC-then-encrypt message layout: header, encrypted body, MAC trailer

* The MAC covers the plaintext; the body is then encrypted, with the tag carried in the trailer. *

Message structure:

Header Body Trailer
Unencrypted, MAC-protected Encrypted with MAC MAC and/or key info, unencrypted

The classical rule for application-layer crypto:

Compute the MAC or signature over the plaintext, then encrypt.

Why this order?

  • The recipient can decrypt first, then verify integrity over the original plaintext
  • The MAC covers the actual meaningful content, not the ciphertext

Exceptions exist: In IPSec's ESP (Encapsulating Security Payload), part of the trailer is also encrypted, and in SSL 2.0 the MAC was also encrypted — which led to a weak MAC construction vulnerability.

Modern trend: Combined modes like GCM (Galois Counter Mode) and CAESAR competition winners ACORN and AEGIS handle both encryption and authentication in a single pass.

Go deeper:

From Quiz: KRYPTOG / One-Way and Hash Functions | Updated: Jul 14, 2026