Exam SY0-501 topic 1 question 242 discussion

Actual exam question from CompTIA's SY0-501
Question #: 242
Topic #: 1

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection.
Which of the following AES modes of operation would meet this integrity-only requirement?

  • A. HMAC
  • B. PCBC
  • C. CBC
  • D. GCM
  • E. CFB
Suggested Answer: A

Comments

Ales
Highly Voted 5 years, 6 months ago
AES is encryption; it is meant to maintain confidentiality. Encryption does not maintain integrity by itself: an attacker who can access encrypted data can modify the bytes, thereby impacting the cleartext data (though the encryption makes the task a bit harder for the attacker, it is not as infeasible as is often assumed). To get integrity, you need a MAC, and HMAC is a nice MAC algorithm. In many situations where encryption is mandated, integrity must also be maintained, so, as a general rule, AES "alone" is not sufficient.
upvoted 14 times
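The "integrity without confidentiality" arrangement the question describes is what IPsec calls ESP with NULL encryption plus an HMAC integrity check value (ICV). The following is an added illustration, not code from the thread or from any IPsec implementation: it builds a simplified ESP-style packet (SPI, sequence number, payload) authenticated with HMAC-SHA-256 truncated to 128 bits as RFC 4868 specifies, then verifies it and shows that any modification of the header or payload, or use of the wrong key, fails verification. The key and packet contents are constructed sample values; the ESP trailer and padding are omitted for brevity.

```python
import hmac
import hashlib
import struct

# Constructed 256-bit integrity key for the example (not a real key).
KEY = bytes(range(32))
ICV_LEN = 16  # RFC 4868: HMAC-SHA-256 output truncated to 128 bits
HEADER_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes)


def build_esp_auth_only(spi: int, seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Return SPI | seq | payload | ICV with NULL encryption.

    The payload stays in cleartext (no confidentiality); the ICV covers
    the header and payload, so any change to them is detectable.
    """
    header = struct.pack("!II", spi, seq)
    authenticated = header + payload
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def verify_esp_auth_only(packet: bytes, key: bytes = KEY) -> bool:
    """Recompute the ICV and compare it in constant time."""
    if len(packet) < HEADER_LEN + ICV_LEN:
        return False
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    # compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(icv, expected)


def flip_bit(data: bytes, offset: int) -> bytes:
    """Flip the low bit of one byte, to simulate corruption in transit."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    # Constructed sample payload; it is visible in the packet because
    # ESP with NULL encryption provides no confidentiality.
    pkt = build_esp_auth_only(0x1234ABCD, 7, b"GET /status HTTP/1.1\r\n")
    return {
        "length": len(pkt),
        "intact": verify_esp_auth_only(pkt),
        "payload_modified": verify_esp_auth_only(flip_bit(pkt, 12)),
        "seq_modified": verify_esp_auth_only(flip_bit(pkt, 7)),
        "wrong_key": verify_esp_auth_only(pkt, b"\x00" * 32),
    }
```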
MikeDuB
Highly Voted 4 years, 4 months ago
Terribly formed question. Jason Dion told me that on the test, whenever you see integrity, go with a hashing algorithm. I'll go with HMAC to be on the safe side.
upvoted 6 times
Dion79
Most Recent 4 years ago
I would select (D). Most modern systems use a type of counter mode called Galois/counter mode (GCM). Symmetric algorithms do not natively provide message integrity. The Galois function addresses this by combining the ciphertext with a type of message authentication code (GMAC), similar to an HMAC. Where CBC is only considered secure when using a 256-bit key, GCM can be used with a 128-bit key to achieve the same level of security. COM501B - The Official CompTIA Security+ Study Guide (SY0-501) Lesson 4: Explaining Basic Cryptography Concepts
upvoted 1 times
PaulSHaney
4 years, 5 months ago
Like a lot of the 501 questions, this one is flawed as well. I believe CompTIA is looking for a certain answer without fully considering how they ask the questions. I've found this throughout the test bank. I believe they are looking for HMAC as the answer because it provides integrity but chose a faulty scenario for the question. I'd answer the question on the test using answer A: HMAC.
upvoted 4 times
DookyBoots
4 years, 7 months ago
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html
"esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended.)
esp-sha-hmac: ESP with the SHA (HMAC variant) authentication algorithm."
I found this, I don't know how much it helps.
upvoted 1 times
vaxakaw829
4 years, 9 months ago
2. Galois Message Authentication Code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. (https://en.wikipedia.org/wiki/Galois/Counter_Mode) The mode of operation that uses GCM as a stand-alone message authentication code is denoted as GMAC. (https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf)
upvoted 2 times
vaxakaw829
4 years, 9 months ago
1. AES supports all the modes listed under DES, but tends to use the much lower-latency mode called Galois/Counter Mode (GCM). GCM starts with CTR mode, but adds a special data type known as a Galois field to add integrity. (Mike Meyers' CompTIA Security+ p. 82) AES-GCM is what's known as an authenticated encryption mode. It combines a cipher (AES in CTR mode) with a message authentication code generated by an algorithm called GMAC. AES-GCM is fast, secure (if used properly), and standard. Authenticated means it protects both the privacy and the integrity of messages. If a message's encrypted data is modified in transit, AES-GCM will detect this on decryption so the altered message can be discarded. (https://www.zerotier.com/aes-gmac-ctr-siv/)
upvoted 2 times
MarySK
4 years, 9 months ago
I see the same question on different sites and it's GMAC instead of HMAC in the options. I wonder what's going on.
upvoted 3 times
exiledwl
4 years, 4 months ago
I googled and can't find GMAC...I think it's a typo on other sites and is supposed to be HMAC??
upvoted 1 times
kdce
4 years, 10 months ago
A. HMAC - keyed-hash message authentication code (HMAC)-based HOTP supports integrity
upvoted 3 times
Monk16
4 years, 10 months ago
HMAC is integrity but no encryption, GCM is integrity with encryption. CBC/GCM and CFB are encryption with no integrity. PCBC is nothing, never heard of it. So the question is not right for the answers, but for integrity only, the answer has to be HMAC.
upvoted 5 times
DookyBoots
4 years, 7 months ago
PCBC (Propagating or Plaintext Cipher-Block Chaining) Mode The PCBC mode is similar to the previously described CBC mode. It also mixes bits from the previous and current plaintext blocks, before encrypting them. In contrast to the CBC mode, if one ciphertext bit is damaged, the next plaintext block and all subsequent blocks will be damaged and unable to be decrypted correctly. In the PCBC mode both encryption and decryption can be performed using only one thread at a time.
upvoted 1 times
CyberKelev
4 years, 10 months ago
For integrity we have to use a MAC algorithm. I think the question of mode is just badly formed, like so many others.
upvoted 2 times
venus20
4 years, 11 months ago
Sorry D
upvoted 1 times
venus20
4 years, 11 months ago
GCM provides data integrity. Answer should be C
upvoted 2 times
JJ_here
4 years, 11 months ago
Another site is showing: A. GMAC, not HMAC; B. PCBC; C. CBC; D. GCM; E. CFB.
https://en.wikipedia.org/wiki/Galois/Counter_Mode
"Galois/Counter Mode (GCM) is a mode of operation for symmetric key cryptographic block ciphers that has been widely adopted because of its efficiency and performance. GCM throughput rates for state of the art, high speed communication channels can be achieved with reasonable hardware resources. The operation is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits. Galois Message Authentication Code (GMAC) is an authentication-only variant of the GCM which can be used as an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length."
upvoted 1 times
JJ_here
4 years, 11 months ago
AES (Advanced Encryption Standard): eight confidentiality modes (ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, and FF3), one authentication mode (CMAC), five combined modes for confidentiality and authentication (CCM, GCM, KW, KWP, and TKW).
HMAC: hash-based message authentication code (HMAC) is a mechanism for calculating a message authentication code involving a hash function in combination with a secret key. This can be used to verify the integrity and authenticity of a message.
upvoted 1 times
MelvinJohn
4 years, 11 months ago
Correction - meant to say (C) CBC is best choice.
upvoted 2 times
Don_H
4 years, 8 months ago
CBC is not efficient and is known to suffer from pipeline delays
upvoted 1 times
MelvinJohn
4 years, 11 months ago
The question asks "Which of the following AES modes." Not (A) or (B) or (D): HMAC, PCBC, and GCM are not AES modes. The 5 modes of AES:
ECB mode: Electronic Code Book mode
CBC mode: Cipher Block Chaining mode
CFB mode: Cipher FeedBack mode
OFB mode: Output FeedBack mode
CTR mode: Counter mode
So there are only two valid AES modes listed, (C) CBC and (E) CFB. The question says the administrator wants "ESP with INTEGRITY protection, but NOT confidentiality." But ESP itself provides CONFIDENTIALITY, AUTHENTICITY, and data INTEGRITY. So how can the administrator use ESP without confidentiality? The whole purpose of each of the 5 AES modes is CONFIDENTIALITY. Of the 2 provided choices, CBC provides the weakest confidentiality, but does not eliminate it. So no answer can be correct. (E) CBC is closest, but still wrong. (I spent about 2 hours researching numerous websites to try to determine how ESP used AES modes, and if CBC or CFB was the weaker. Maybe I didn't look in the right place.)
upvoted 5 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other