From this popular Crypto.SE thread, the general feeling is that Encrypt-Then-MAC is the most secure. From the first answer, the poster says that Encrypt-And-MAC provides integrity of the plaintext. If I'm transferring classified data between two parties, then this plaintext integrity should prevent malicious modifications, right? Assuming there are no known-plaintext attacks feasible in this scenario, is Encrypt-And-MAC secure? The thread seems to recommend against it, although I can't see why it would be considered insecure.
Asked
Active
Viewed 471 times
0
-
But if I use a cipher in CTR mode, wouldn't that prevent padding oracle attacks? I think they only apply to CBC. – Evan Su Jan 30 '21 at 18:03
-
Hint: What happens if you use HMAC as your MAC and send the same message twice? – SEJPM Jan 30 '21 at 19:11
-
@SEJPM I was going to write it :), it leaks information about the plaintext. Hide it. – kelalaka Jan 30 '21 at 19:12
-
Wouldn't the HMAC be the same both times? Would that lead to known-plaintext attacks? – Evan Su Jan 30 '21 at 19:37
-
If it's actually classified and not just confidential, then you'll need to follow the regulations set forth by the relevant authorities! – forest Feb 21 '21 at 22:55
-
Not that high level :) If it was, then I'd probably know enough crypto not to ask this question . – Evan Su Feb 21 '21 at 23:01