Question
I have recently learned that Encrypt-then-MAC is recommended when using symmetric encryption.
I have two closely related questions related to that, which is why I am posting them as one:
Looking at the different kinds of available MACs (UMAC, HMAC, etc.), does it matter which one I use? Meaning: does the choice of MAC depend on the cipher, or the mode of the cipher, or anything else? Or is it more a matter of personal preference which kind of MAC I use?
Am I assuming correctly that I can transmit a MAC together with the related ciphertext? Meaning: is it safe to append the MAC to the ciphertext upon transmission, or is there another way I should prefer (separate transport over secure channel, or something like that)?
Explanation / Answer
There are no specific requirements for the choice of cipher and MAC in the Encrypt-then-MAC construction, except that both should individually achieve their respective security goals (typically semantic security and existential unforgeability).
Indeed, this is the major advantage of Encrypt-then-MAC over other constructions like MAC-then-Encrypt or Encrypt-and-MAC, which do require the cipher and MAC to satisfy additional properties in order to be secure. (For example, Encrypt-and-MAC may be horribly insecure if the MAC leaks information about the plaintext.)
The MAC may be, and usually is, transmitted alongside the ciphertext, often appended to it. If the MAC is of a type that requires a nonce input, this will also need to be sent alongside it. Using the Encrypt-then-MAC construction ensures that this leaks no information about the plaintext, even if the MAC is not privacy-preserving, since the MAC is computed over the ciphertext.