3 comments

[ 4.9 ms ] story [ 18.5 ms ] thread
> Use encrypt-then-HMAC. Seriously. Yes really. No other choice is defensible in this age. If you think “oh but GCM” look more closely into its design.

What's the problem with GCM?

There is no problem; it encrypts in counter mode and then adds a MAC. :-)

It's just a specific MAC that has its security properties intended to work with the counter-mode encryption, and lets you use the same key, and basically gets the details right for you. But the motivation for it doing encrypt-then-authenticate instead of vice versa is presumably the same as with separate encryption and HMAC.

Well then what's the alleged problem?