The Cryptographic Doom Principle (2011)

When designing secure protocols, remember this: if you perform a cryptographic operation before verifying the MAC on a message, trouble will follow. The Vaudenay attack is a prime example of this. The optimal approach is to follow the “encrypt-then-authenticate” method. The SSH plaintext recovery attack is another clever demonstration of the doom principle: it arises because the receiver decrypts the message before verifying the MAC. These examples show how violating this principle can lead to disastrous consequences. Keep an eye out for this pattern in protocol design, as it always spells trouble in the end. Stay vigilant!

https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
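
The ordering difference, as an added example (not code from the linked post): a receiver that decrypts and checks padding before the MAC fails in two distinguishable ways, while an encrypt-then-authenticate receiver rejects every modified message with the same error before decrypting anything. The SHA-256 keystream cipher, the 16-byte padding scheme and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

def _xor(key, nonce, data):
    # Constructed stand-in cipher (SHA-256 counter keystream); not for real use.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _pad(m):
    return m + bytes([16 - len(m) % 16]) * (16 - len(m) % 16)

def _unpad(p):
    n = p[-1]
    if not 1 <= n <= 16 or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]

def seal_mac_then_encrypt(ek, mk, msg):
    nonce = os.urandom(16)
    tag = hmac.new(mk, msg, hashlib.sha256).digest()
    return nonce + _xor(ek, nonce, _pad(msg + tag))

def open_mac_then_encrypt(ek, mk, blob):
    # Doomed order: decrypt and parse padding before any authentication.
    body = _unpad(_xor(ek, blob[:16], blob[16:]))
    msg, tag = body[:-32], body[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, msg, hashlib.sha256).digest()):
        raise ValueError("bad mac")
    return msg

def seal_encrypt_then_mac(ek, mk, msg):
    nonce = os.urandom(16)
    ct = nonce + _xor(ek, nonce, _pad(msg))
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()

def open_encrypt_then_mac(ek, mk, blob):
    # Safe order: authenticate the ciphertext first, decrypt only if it passes.
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        raise ValueError("bad mac")
    return _unpad(_xor(ek, ct[:16], ct[16:]))

def error_after_bit_flip(opener, ek, mk, blob, index):
    tampered = blob[:index] + bytes([blob[index] ^ 1]) + blob[index + 1:]
    try:
        opener(ek, mk, tampered)
    except ValueError as e:
        return str(e)
    return "accepted"
```

In review, the thing to look for is any parsing, padding check or length read that runs on received bytes above the MAC comparison.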
