I'll be assuming the question means Message Authentication Code (MAC) where it uses "Signature" and "Hash". MAC, signature and hash are three different things: MAC uses a secret for generation and verification, signature uses a secret for generation only, hash uses no secret.
Following comment, and most important: sending in clear a MAC of the plaintext, as in "encrypt and MAC separately" sending $\operatorname{ENC}(M) \mathbin\| \operatorname{MAC}(M)$, without any further specification about the MAC, would be very poor practice: depending on the MAC, that can leak some information about the message $M$. In particular, for any deterministic MAC (as HMAC is) and a fixed key, identical messages will lead to identical MACs, and are thus trivially detected, breaking IND-CPA security.
The other historically used argument for encrypt-then-MAC (against MAC-then-encrypt) is that the apparently natural corresponding procedure on the receiving side is verify-MAC-then-decrypt, implying that decryption will only be carried out on ciphertext that passed an integrity test. The adversary thus can not observe use of the decryption key on ciphertext that it chooses arbitrarily, since that ciphertext won't pass the MAC test and won't be decrypted. This in turn blocks a number of attacks that submit artificial or altered ciphertext to a decryption device, and use its observed behavior to deduce useful information, or induce some desired behavior.

One example of vulnerable decrypt-then-verify-MAC would be an implementation where decryption is followed by a padding verification, ensuring that the last 16-byte cipher block of ciphertext ends with 0 to 15 byte(s) at 0x00, then (walking back) a byte at 0x80; and if not aborts the use of the received ciphertext, only performing the MAC check if it does. By observing the timing of the decryption device, an adversary could then determine if the padding check fails or succeeds. For block encryption in CBC mode, iterating that apparently minor information leak allows decryption.

Other examples can be made, including side-channel attacks by differential power analysis of the decryption, when limited valid ciphertext is available to the attacker.
One serious problem with this historic argument for encrypt-then-MAC is that it is technically valid only if there is verify-MAC-then-decrypt on the receiver side. However, it is entirely possible to run decryption and MAC verification concurrently even for ciphertext produced with encrypt-then-MAC. And such concurrency is highly desirable, for it avoids scanning the ciphertext twice, which typically would have an impact on performance, at worst would make using crypto impractical.
Also, by integrating the integrity check with encryption, it is possible to get the integrity function at sizably lower computational cost than that of a MAC. For these reasons, state of the art is authenticated encryption, such as AES-GCM-SIV. Thus in modern practice we do not encrypt-then-MAC, and even more rarely verify-MAC-then-decrypt, making this historical argument moot. Authenticated encryption does secrecy, authentication & integrity in one primitive, not necessarily with a separate generic MAC.
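The two points above (the equality leak of "encrypt and MAC separately" with a deterministic MAC, and the verify-MAC-then-decrypt discipline on the receiving side) as an added, runnable illustration. This is not code from the answer or from any library: the stream cipher is a constructed SHA-256 keystream standing in for a real cipher mode, the keys are constructed test values, and only `hmac` and `hashlib` from the Python standard library are used.

```python
import hashlib
import hmac
import os

# Constructed test keys (assumption: in practice derive separate encryption and MAC keys from a KDF).
KEY_ENC = b"\x11" * 32
KEY_MAC = b"\x22" * 32
IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy CTR-style keystream built from SHA-256 (stand-in for a real cipher; not for production)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, msg: bytes) -> bytes:
    """Randomised encryption: fresh IV per message, so equal plaintexts give different ciphertexts."""
    iv = os.urandom(IV_LEN)
    return iv + _xor(msg, _keystream(key, iv, len(msg)))


def dec(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:IV_LEN], ct[IV_LEN:]
    return _xor(body, _keystream(key, iv, len(body)))


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def encrypt_and_mac(ke: bytes, km: bytes, msg: bytes) -> tuple[bytes, bytes]:
    """ENC(M) || MAC(M): the tag is computed over the plaintext, so it is deterministic in M."""
    return enc(ke, msg), mac(km, msg)


def encrypt_then_mac(ke: bytes, km: bytes, msg: bytes) -> bytes:
    """ENC(M) || MAC(ENC(M)): the tag covers the randomised ciphertext (IV included)."""
    ct = enc(ke, msg)
    return ct + mac(km, ct)


def verify_then_decrypt(ke: bytes, km: bytes, packet: bytes):
    """Receiver side of encrypt-then-MAC: constant-time tag check before the decryption key is touched.

    Returns the plaintext, or None if the tag does not verify (no padding/format processing happens
    on unauthenticated data, so there is nothing for a chosen-ciphertext probe to observe).
    """
    if len(packet) < IV_LEN + TAG_LEN:
        return None
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac(km, ct), tag):
        return None
    return dec(ke, ct)


def tags_reveal_repeat(ke: bytes, km: bytes, m1: bytes, m2: bytes) -> bool:
    """Encrypt-and-MAC: an observer comparing the cleartext tags learns whether m1 == m2."""
    _, t1 = encrypt_and_mac(ke, km, m1)
    _, t2 = encrypt_and_mac(ke, km, m2)
    return t1 == t2


def etm_packets_differ(ke: bytes, km: bytes, m1: bytes, m2: bytes) -> bool:
    """Encrypt-then-MAC with a fresh IV: even equal messages produce unrelated packets and tags."""
    return encrypt_then_mac(ke, km, m1) != encrypt_then_mac(ke, km, m2)


if __name__ == "__main__":
    print("encrypt-and-MAC leaks repeat:", tags_reveal_repeat(KEY_ENC, KEY_MAC, b"ATTACK AT DAWN", b"ATTACK AT DAWN"))
    pkt = encrypt_then_mac(KEY_ENC, KEY_MAC, b"hello world")
    print("genuine packet decrypts to:", verify_then_decrypt(KEY_ENC, KEY_MAC, pkt))
    tampered = bytearray(pkt)
    tampered[IV_LEN + 2] ^= 0x01  # flip one ciphertext bit
    print("tampered packet rejected:", verify_then_decrypt(KEY_ENC, KEY_MAC, bytes(tampered)) is None)
```

The point of `verify_then_decrypt` is the ordering: `hmac.compare_digest` runs over the full ciphertext and rejects before any decryption or padding logic, so an altered ciphertext gives the receiver nothing to do (and the attacker nothing to time) beyond the tag comparison. Note that this toy uses separate keys for encryption and MAC; reusing one key for both is a separate mistake this example does not cover.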

Source: https://coinselected.com