

Encrypt-then-HMAC is the only credible choice. Here's why - marshray
http://www.ietf.org/mail-archive/web/tls/current/msg10584.html

======
dlitz
> Use encrypt-then-HMAC. Seriously. Yes really. No other choice is defensible
> in this age. If you think “oh but GCM” look more closely into its design.

What's the problem with GCM?

~~~
geofft
There is no problem; it encrypts in counter mode and then adds a MAC. :-)

It's just a specific MAC that has its security properties intended to work
with the counter-mode encryption, and lets you use the same key, and basically
gets the details right for you. But the motivation for it doing encrypt-then-
authenticate instead of vice versa is presumably the same as with separate
encryption and HMAC.

~~~
dlitz
Well then what's the alleged problem?

