SY0-501 Question #142: Real Exam Question with Answer & Explanation

The correct answer is A: HMAC. IPSec ESP can be configured for integrity-only (no confidentiality) by using a null encryption cipher combined with an integrity/authentication algorithm. HMAC provides message authentication without encryption, satisfying the integrity-without-confidentiality requirement.

Submitted by yousef_jo · Mar 4, 2026

Question

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES modes of operation would meet this integrity-only requirement?

Options

  • A. HMAC
  • B. PCBC
  • C. CBC
  • D. GCM
  • E. CFB

Explanation

IPSec ESP can be configured for integrity-only (no confidentiality) by using a null encryption cipher combined with an integrity/authentication algorithm. HMAC provides message authentication without encryption, satisfying the integrity-without-confidentiality requirement.
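The integrity-only behaviour described above, as an added example that is not part of the original page or of any IPSec implementation: a simplified ESP-style packet with NULL encryption and a truncated HMAC as the integrity check value (ICV). The choice of HMAC-SHA-256 truncated to 128 bits, the function names, and the sample key and payload are assumptions made for illustration, and the ESP trailer (padding, pad length, next header) is omitted.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # assumption: HMAC-SHA-256 output truncated to 128 bits


def esp_null_protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build a simplified ESP packet: NULL encryption plus an HMAC ICV."""
    header = struct.pack("!II", spi, seq)   # SPI and sequence number
    body = header + payload                 # NULL cipher: payload is unchanged
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_null_verify(key: bytes, packet: bytes) -> bytes:
    """Return the payload if the ICV is valid, otherwise raise ValueError."""
    if len(packet) < 8 + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        raise ValueError("ICV mismatch: packet modified or wrong key")
    return body[8:]


def demo() -> dict:
    key = bytes(range(32))                     # constructed sample key
    payload = b"GET /status HTTP/1.1\r\n\r\n"  # constructed sample payload
    packet = esp_null_protect(key, spi=0x1001, seq=1, payload=payload)

    tampered = bytearray(packet)
    tampered[10] ^= 0x01                       # flip one bit in the payload
    try:
        esp_null_verify(key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "payload_visible_on_wire": payload in packet,   # no confidentiality
        "verified_payload": esp_null_verify(key, packet),
        "tamper_detected": tamper_detected,             # integrity holds
    }


if __name__ == "__main__":
    print(demo())
```

The payload appears byte-for-byte inside the packet, which is the "no confidentiality" half of the requirement, while a single flipped bit makes verification fail, which is the integrity half.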

Common mistakes.

  • B. PCBC (Propagating Cipher Block Chaining) is a block cipher mode of operation that encrypts data, providing confidentiality rather than integrity-only protection, and is not used in standard IPSec implementations.
  • C. CBC (Cipher Block Chaining) is an AES encryption mode that provides confidentiality by chaining cipher blocks, not integrity-only protection, and would violate the no-confidentiality requirement.
  • D. GCM (Galois/Counter Mode) is an authenticated encryption mode that provides both confidentiality AND integrity simultaneously, failing the requirement to exclude confidentiality protection.
  • E. CFB (Cipher Feedback) is an AES mode of operation that encrypts data to provide confidentiality, not integrity-only protection, making it unsuitable for this use case.

Concept tested. IPSec ESP integrity-only mode using HMAC

Reference. https://docs.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ike-for-ipsec-vpns-xe-16-book/sec-cfg-ipsec-encrypt.html
