When applying both encryption and MAC to a message, what is the recommended order of operations?
The classic approach is: compute the MAC (or signature) over the plaintext first, then encrypt everything — known as MAC-then-Encrypt or "authenticate then encrypt."
* The MAC covers the plaintext; the body is then encrypted, with the tag carried in the trailer. *
Message structure:
| Header | Body | Trailer |
|---|---|---|
| Unencrypted, MAC-protected | Encrypted with MAC | MAC and/or key info, unencrypted |
The classical rule for application-layer crypto:
Compute the MAC or signature over the plaintext, then encrypt.
Why this order?
- The recipient can decrypt first, then verify integrity over the original plaintext
- The MAC covers the actual meaningful content, not the ciphertext
Exceptions exist: In IPSec's ESP (Encapsulating Security Payload), part of the trailer is also encrypted, and in SSL 2.0 the MAC was also encrypted — which led to a weak MAC construction vulnerability.
Modern trend: Combined modes like GCM (Galois Counter Mode) and CAESAR competition winners ACORN and AEGIS handle both encryption and authentication in a single pass.
Go deeper:
Authenticated encryption (Wikipedia) — MAC-then-Encrypt vs Encrypt-then-MAC vs Encrypt-and-MAC, and why modern AEAD modes (GCM) combine both.