CompTIA Security+ Exam: AES Modes of Operation for Integrity-Only IPSec Solution

Question

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection.

Which of the following AES modes of operation would meet this integrity-only requirement?

Answers

A. HMAC
B. PCBC
C. CBC
D. GCM
E. CFB

Explanations

The correct answer is A. HMAC.

IPSec provides a framework for secure communication over the internet by encrypting and authenticating IP packets. The Encapsulating Security Payload (ESP) protocol is one of the two protocols in the IPSec framework, the other being the Authentication Header (AH) protocol. ESP provides confidentiality, integrity, and authentication protection to IP packets.

In this scenario, the administrator wants to configure an IPSec solution that provides integrity protection but not confidentiality protection. This means that the solution should ensure that the data has not been tampered with or modified during transmission, but it does not need to be encrypted.

ESP can provide both confidentiality and integrity protection using encryption algorithms such as AES in various modes of operation. However, to meet the requirement of integrity-only protection, the AES mode of operation used should not provide confidentiality protection.

Option A: HMAC (Hash-based Message Authentication Code) is not an encryption algorithm but a method for verifying the authenticity of a message. HMAC uses a cryptographic hash function, keyed with a shared secret, to calculate a message authentication code (MAC) that is appended to the message. The receiver recalculates the MAC over the received message using the same key and hash function and compares it to the MAC received; a match verifies the authenticity and integrity of the message, while the message itself remains unencrypted.

Options B, C, and E: PCBC (Propagating Cipher Block Chaining), CBC (Cipher Block Chaining), and CFB (Cipher Feedback) are modes of operation that provide both confidentiality and integrity protection by encrypting the data with AES. Therefore, they do not meet the requirement of integrity-only protection.

Option D: GCM (Galois Counter Mode) is a mode of operation that provides both confidentiality and integrity protection using AES encryption and a hash function. Therefore, it also does not meet the requirement of integrity-only protection.

Therefore, option A. HMAC is the correct answer as it provides integrity protection without encryption.
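An added example, not from the exam page, of the integrity-only construction the explanation describes: a simplified ESP-style packet whose header and payload travel in the clear with a truncated HMAC-SHA-256 integrity check value (ICV) appended, in the style of RFC 4868's HMAC-SHA-256-128. The packet layout, function names and sample key are assumptions for illustration; real ESP also carries padding and trailer fields, omitted here.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Simplified, hypothetical integrity-only ESP layout (added example):
#   SPI (4 bytes) | sequence number (4 bytes) | payload | ICV
# Everything before the ICV is authenticated; nothing is encrypted.
HEADER_LEN = 8
ICV_LEN = 16  # HMAC-SHA-256-128 truncates the 32-byte tag to 128 bits


def _icv(key: bytes, authenticated: bytes) -> bytes:
    """Truncated HMAC-SHA-256 over the header and payload."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_esp_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: header and payload in the clear, HMAC ICV appended."""
    header = struct.pack("!II", spi, seq)
    authenticated = header + payload
    return authenticated + _icv(key, authenticated)


def verify_esp_packet(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: recompute the ICV over everything except the trailing tag.

    Returns the payload if the tag matches, None if the packet was altered
    or signed with a different key. compare_digest avoids timing leaks.
    """
    if len(packet) < HEADER_LEN + ICV_LEN:
        return None
    authenticated, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(received_icv, _icv(key, authenticated)):
        return None
    return authenticated[HEADER_LEN:]


def demo():
    key = bytes(range(32))  # constructed sample integrity key
    pkt = build_esp_packet(key, spi=0x1234, seq=1, payload=b"GET /status HTTP/1.1")
    accepted = verify_esp_packet(key, pkt)          # payload returned
    tampered = bytearray(pkt)
    tampered[HEADER_LEN] ^= 0x01                    # flip one payload bit in transit
    rejected = verify_esp_packet(key, bytes(tampered))  # None: ICV no longer matches
    return pkt, accepted, rejected
```

The payload is still readable inside the packet, which is exactly the property the question asks for: tampering is detected, but nothing is hidden.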