
I think Ferguson and Schneier got this wrong. Here's a useful table from Bellare & Namprempre:

https://www.dropbox.com/s/f4gpc7shjal1nta/Screenshot%202015-...

https://cseweb.ucsd.edu/~mihir/papers/oem.pdf

You generally have two options when it comes to authenticated encryption: use a specialized AEAD mode, in which the details of authentication are settled by the mode itself, or use "generic composition" --- encrypt securely, MAC securely, and safely combine the two operations. Specialized AEAD modes are preferable. But if you're going to do generic composition, the best current practice is encrypt-then-MAC.

Even if you encrypt-then-MAC, you can still forget to authenticate parameters (a good reason not to use generic composition). But if you MAC and then encrypt, you concede to attackers the ability to target the cipher's decryption operation directly with chosen-ciphertext attacks. Those attacks are powerful and have repeatedly broken TLS; they're also the most common form of attack on other cryptosystems (every padding oracle attack is a variant of them).

I wrote a bunch about this here:

http://sockpuppet.org/blog/2013/07/22/applied-practical-cryp...
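An added example of the encrypt-then-MAC generic composition described above, including authentication of the nonce and associated data (not code from the comment, the linked paper, or the blog post). It assumes independent encryption and MAC keys, and substitutes an HMAC-SHA256 counter-mode keystream for a real cipher such as AES-CTR so it runs on the Python standard library alone; the composition and verify-before-decrypt ordering are the point.

```python
import hashlib
import hmac
import os
import struct


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (assumption, not the post's): HMAC-SHA256 driven in
    # counter mode produces a keystream; a real deployment would use AES-CTR.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac_input(nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # Everything the receiver acts on is covered by the tag: the associated
    # data (length-prefixed so the ad/ct boundary is unambiguous), the nonce,
    # and the ciphertext. Leaving the nonce or AD out is the "forgot to
    # authenticate parameters" mistake the comment warns about.
    return struct.pack(">Q", len(ad)) + ad + nonce + ct


def etm_encrypt(enc_key: bytes, mac_key: bytes, ad: bytes, plaintext: bytes, nonce=None):
    # Encrypt first, then MAC the ciphertext: the tag binds exactly what is sent.
    nonce = os.urandom(16) if nonce is None else nonce
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, _mac_input(nonce, ad, ct), hashlib.sha256).digest()
    return nonce, ct, tag


def etm_decrypt(enc_key, mac_key, ad: bytes, nonce: bytes, ct: bytes, tag: bytes):
    # Verify before decrypting, with a constant-time compare: the cipher never
    # processes unauthenticated input, so a chosen-ciphertext attacker gets no
    # padding or decryption oracle to probe. Returns None on any tampering.
    expected = hmac.new(mac_key, _mac_input(nonce, ad, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))
```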



I'm not saying Schneier is right. More to illustrate his previous thoughts on this.



