> Use encrypt-then-HMAC. Seriously. Yes really. No other choice is defensible in this age. If you think “oh but GCM” look more closely into its design.
There is no problem; it encrypts in counter mode and then adds a MAC. :-)
It's just a specific MAC that has its security properties intended to work with the counter-mode encryption, and lets you use the same key, and basically gets the details right for you. But the motivation for it doing encrypt-then-authenticate instead of vice versa is presumably the same as with separate encryption and HMAC.
3 comments
[ 4.9 ms ] story [ 18.5 ms ] threadWhat's the problem with GCM?
It's just a specific MAC that has its security properties intended to work with the counter-mode encryption, and lets you use the same key, and basically gets the details right for you. But the motivation for it doing encrypt-then-authenticate instead of vice versa is presumably the same as with separate encryption and HMAC.