When sending a message securely, we aim to achieve the following properties (see CIA Triad):

  • Confidentiality: no one else can read the message
  • Integrity: no one can tamper with the message

To accomplish these goals, we often combine (symmetric) encryption for confidentiality with a MAC for integrity, and an important design decision is the order in which the two are applied.

MAC-then-Encrypt (MtE)

In this approach, a MAC is computed on the plaintext, and then the plaintext and the MAC tag are encrypted together. As a result, tampering can only be detected after decryption: the decryption routine always runs on data that has not yet been verified.

Encrypt-then-MAC (EtM) – Best Practice

Encrypt-then-MAC is usually considered a more secure approach. The MAC is computed over the ciphertext, so the receiver verifies the MAC before decrypting, and decryption is never performed on a tampered or malicious payload.

Encrypt-and-MAC (EaM)

In an Encrypt-and-MAC method, the message is encrypted and a MAC is computed separately on the plaintext; both the ciphertext and the plaintext tag are sent. The receiver decrypts the ciphertext and then verifies the MAC against the recovered plaintext.

This method is also generally considered less secure than Encrypt-then-MAC: the receiver must still decrypt before it can verify, and because the tag is computed over the plaintext and sent unencrypted, a deterministic MAC reveals whether two messages are identical.
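The three compositions side by side, as an added example that is not part of the original page. It uses only the Python standard library: HMAC-SHA256 serves as the MAC, and HMAC-SHA256 in counter mode serves as a stand-in for a real stream cipher such as AES-CTR (an assumption made so the example runs offline, not a production cipher choice). The key values, the sample message and the LOG helper are constructed for the demonstration. The LOG records which step each receiver executes, so the difference in ordering that the text describes becomes visible: Encrypt-then-MAC rejects a tampered message without ever decrypting it, whereas MAC-then-Encrypt and Encrypt-and-MAC decrypt first, and Encrypt-and-MAC additionally emits the same tag for the same plaintext.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32

# Records which step each receiver ran (constructed for the demonstration).
LOG = []


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.

    Assumption of this example: this stands in for a block cipher in CTR
    mode (e.g. AES-CTR) so the code runs on the standard library alone.
    """
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    return _xor_stream(key, nonce, pt)


def _decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    LOG.append("decrypt")
    return _xor_stream(key, nonce, ct)


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _verify(key: bytes, data: bytes, tag: bytes) -> bool:
    LOG.append("verify")
    return hmac.compare_digest(_mac(key, data), tag)   # constant-time comparison


# --- Encrypt-then-MAC: tag covers nonce + ciphertext, verified before decrypting ---
def etm_seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = _encrypt(enc_key, nonce, pt)
    return nonce + ct + _mac(mac_key, nonce + ct)


def etm_open(enc_key: bytes, mac_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not _verify(mac_key, nonce + ct, tag):
        return None                      # rejected without touching decryption
    return _decrypt(enc_key, nonce, ct)


# --- MAC-then-Encrypt: tag over plaintext, then plaintext||tag encrypted ---
def mte_seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _encrypt(enc_key, nonce, pt + _mac(mac_key, pt))


def mte_open(enc_key: bytes, mac_key: bytes, blob: bytes):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    inner = _decrypt(enc_key, nonce, ct)  # must decrypt unverified data first
    pt, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    return pt if _verify(mac_key, pt, tag) else None


# --- Encrypt-and-MAC: ciphertext plus a plaintext tag sent in the clear ---
def eam_seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _encrypt(enc_key, nonce, pt) + _mac(mac_key, pt)


def eam_open(enc_key: bytes, mac_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    pt = _decrypt(enc_key, nonce, ct)     # decrypt first, then check the plaintext tag
    return pt if _verify(mac_key, pt, tag) else None


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate in-transit corruption by flipping one bit of the message."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def receive(opener, enc_key: bytes, mac_key: bytes, blob: bytes):
    """Run a receiver; return (plaintext or None, the steps it executed in order)."""
    LOG.clear()
    result = opener(enc_key, mac_key, blob)
    return result, list(LOG)


if __name__ == "__main__":
    enc_key, mac_key = b"k" * 32, b"m" * 32      # constructed demo keys
    msg = b"transfer 100 to alice"               # constructed sample message
    for name, seal, open_ in (("EtM", etm_seal, etm_open),
                              ("MtE", mte_seal, mte_open),
                              ("EaM", eam_seal, eam_open)):
        blob = seal(enc_key, mac_key, msg)
        print(name, "valid  :", receive(open_, enc_key, mac_key, blob))
        print(name, "tampered:", receive(open_, enc_key, mac_key, flip_byte(blob, NONCE_LEN + 3)))
```

Running the script shows the rejected Encrypt-then-MAC message with a step list of only `verify`, while the other two always list `decrypt` first; comparing two `eam_seal` outputs of the same message shows identical trailing tags, which is the leak the text refers to.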