An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES modes of operation would meet this integrity-only requirement?
A. HMAC
B. PCBC
C. CBC
D. GCM
E. CFB
Correct Answer: A
Explanation/Reference:
Answer is A but is typo – should be GMAC.
As per RFC 4543: https://tools.ietf.org/html/rfc4543
This memo describes the use of the Advanced Encryption Standard (AES)
Galois Message Authentication Code (GMAC) as a mechanism to provide
data origin authentication, but not confidentiality, within the IPsec
Encapsulating Security Payload (ESP) and Authentication Header (AH).
Awful question with awful answers.
Update:
The Question asks “Which of the following AES modes.”
Not (A) or (B) or (D): HMAC, PCBC, and GCM are not AES modes.
The 5 modes of AES:
ECB mode: Electronic Code Book mode
CBC mode: Cipher Block Chaining mode
CFB mode: Cipher FeedBack mode
OFB mode: Output FeedBack mode
CTR mode: Counter mode
So there are only two valid AES modes listed, (C) CBC and (E) CFB.
The Question says the administrator wants “ESP with INTEGRITY protection, but NOT confidentiality.”
But ESP itself provides CONFIDENTIALITY, AUTHENTICITY, and data INTEGRITY.
So how can the administrator use ESP without confidentiality? The whole purpose of each of the 5 AES modes is CONFIDENTIALITY. Of the 2 provided choices, CBC provides the weakest confidentiality – but does not eliminate it. So no answer can be correct.
(E) CBC is closest – but still wrong.
(I spent about 2 hours researching numerous websites to try to determine how ESP used AES modes, and if CBC or CFB was the weaker. Maybe I didn’t look in the right place.)
Correction – meant to say (C) CBC is best choice.
HMAC is not an AES mode of operation. The question asks “which of the following AES modes of operation.” No AES mode provides integrity. So I guess HMAC is best answer. It provides integrity.
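Added example, not part of the original page or of any comment above: AES-GMAC, the mechanism in the RFC 4543 abstract quoted earlier, is AES-GCM run with an empty plaintext, so every protected byte is passed as additional authenticated data and only a tag is produced. It assumes the Python `cryptography` package; the key, salt, SPI, IV choice and the simplified packet layout are constructed for illustration and are not the exact RFC 4543 wire format.

```python
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

HDR_LEN = 16   # constructed layout: SPI (4) + sequence number (4) + IV (8)
ICV_LEN = 16   # length of the GCM authentication tag

def protect(key, salt, spi, seq, payload):
    """Build header || cleartext payload || ICV. Nothing is encrypted."""
    # Assumption: the IV is taken from the sequence counter so it never repeats per key.
    iv = struct.pack("!Q", seq)
    header = struct.pack("!II", spi, seq) + iv
    # GMAC = GCM with an empty plaintext: all data goes in as AAD,
    # so encrypt() returns only the 16-byte tag.
    icv = AESGCM(key).encrypt(salt + iv, b"", header + payload)
    return header + payload + icv

def verify(key, salt, packet):
    """Return the payload if the ICV checks out, otherwise None."""
    if len(packet) < HDR_LEN + ICV_LEN:
        return None
    header = packet[:HDR_LEN]
    payload = packet[HDR_LEN:-ICV_LEN]
    icv = packet[-ICV_LEN:]
    iv = header[8:]
    try:
        # With only a tag as input, decrypt() checks integrity and returns b"".
        AESGCM(key).decrypt(salt + iv, icv, header + payload)
    except InvalidTag:
        return None
    return payload

if __name__ == "__main__":
    # Constructed sample values.
    key, salt = bytes(range(16)), b"\x0a\x0b\x0c\x0d"
    pkt = protect(key, salt, spi=0x1001, seq=1,
                  payload=b"routing update: 10.0.0.0/8")
    print(b"routing update" in pkt)      # payload is readable on the wire
    print(verify(key, salt, pkt))        # intact packet is accepted
    tampered = pkt.replace(b"10.0.0.0", b"10.9.0.0")
    print(verify(key, salt, tampered))   # modified packet is rejected
```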