Don't use encryption without message authentication

Question

The text is taken from the famous answer: Lessons learned and misconceptions regarding encryption and cryptology: Don't use encryption without message authentication

Alternatively, you can apply your own message authentication, as follows. First, encrypt the message using an appropriate symmetric-key encryption scheme (e.g., AES-CBC). Then, take the entire ciphertext (including any IVs, nonces, or other values needed for decryption), apply a message authentication code (e.g., AES-CMAC, SHA1-HMAC, SHA256-HMAC), and append the resulting MAC digest to the ciphertext before transmission. On the receiving side, check that the MAC digest is valid before decrypting. This is known as the encrypt-then-authenticate construction. (See also: 1, 2.) This also works fine, but requires a little more care from you.

Is it really correct? If an attacker changes a ciphertext, he can just generate a new MAC for that ciphertext and append that instead of a previous MAC. No? Shouldn't you use MAC on a plain text?

Answer 1

A MAC uses a key, which the attacker is assumed not to know. The attacker cannot "generate a new MAC".

There are some protocols which use as sort-of-a-MAC a hash value (thus without any key) appended to the plaintext, and then encrypted with the plaintext. Here, the MAC is not the hash value, but the combination of the hash and the encryption (in other words, the encryption key is reused for the MAC). This is a poor way to do a MAC, a very poor one if the encryption uses RC4 or a block cipher in CTR mode (exact reason is left as an exercise)(though very weak, I have seen it deployed in production, for nothing less than an online banking solution !).

A lot of confusion has been produced by this kind of homemade pseudo-MAC schemes. A good MAC algorithm is HMAC.

Even with a good MAC algorithm, the combination of symmetric encryption and a MAC is subject to subtleties, which is what the passage you quote is about. There is some discussion in this question.