Weekly CISSP Practice

Week 10 - Question 2

In SSL/TLS, what ensures the integrity of the message?

A.  Digital Certificate

B.  Symmetric Encryption

C.  Hash Function

D.  Asymmetric Encryption

Correct Answer: C

Explanation:

A. Digital Certificate
A digital certificate is an electronic "passport" used to prove the identity of a server or user.

The Role: It contains the entity's public key and is digitally signed by a trusted Certificate Authority (CA).

The Distinction: While the certificate ensures you are talking to the correct person (Authentication), it does not check if the individual data packets sent during the session have been tampered with. It secures the "who," not the "what."

B. Symmetric Encryption
Symmetric encryption (like AES) is the primary workhorse of an SSL/TLS session, used to encrypt the actual bulk data being transmitted.

The Goal: It provides Confidentiality. It ensures that if an attacker intercepts the data, they cannot read it.

The Limitation: Symmetric encryption alone does not prevent a "bit-flipping" attack. An attacker could potentially alter encrypted data without knowing what it says, causing the decrypted message to be corrupted or malicious. Encryption hides the data; it doesn't verify its original state.

C. Hash Function
A hash function (such as SHA-256) is a one-way mathematical algorithm that produces a fixed-length string (a digest) representing the original data.

Why it's the Answer: In SSL/TLS, a Message Authentication Code (MAC), typically an HMAC, is computed by hashing the message together with a shared secret key. If even a single bit of the message changes in transit, the MAC recomputed at the receiving end will not match the one that was sent. This mismatch tells the receiver that the data has been altered, thus ensuring Integrity.

The Mechanism: This process ensures that the message received is exactly what was sent, protecting against unauthorized modification.
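An added example (not part of the original page) that ties points B and C together: a toy CTR-style stream cipher stands in for AES so the script runs on Python's standard library alone, and an HMAC-SHA256 tag over the ciphertext shows how a single flipped ciphertext bit passes silently when only encryption is used but is rejected once a MAC is checked. The record layout and the keystream construction are assumptions for illustration, not the TLS record format.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, length: int) -> bytes:
    # Toy CTR-style keystream built from SHA-256(key || counter); it stands in
    # for AES so the script needs no third-party library. Not a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR against the keystream.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC record: ciphertext || HMAC-SHA256(mac_key, ciphertext)
    ct = xor_crypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_record(enc_key: bytes, mac_key: bytes, record: bytes):
    # Verify the tag (constant-time compare) before decrypting; None = rejected.
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(enc_key, ct)

def flip_low_bit(data: bytes, index: int) -> bytes:
    # Simulates one ciphertext bit being altered in transit.
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"amount=0100 currency=USD"   # constructed sample message
    idx = msg.index(b"0100")           # byte holding the first digit of the amount
    # Confidentiality only: the flipped bit lands in the plaintext, nothing notices.
    altered = xor_crypt(enc_key, flip_low_bit(xor_crypt(enc_key, msg), idx))
    # Confidentiality + HMAC: the same flip breaks the tag and the record is rejected.
    rejected = open_record(enc_key, mac_key, flip_low_bit(seal(enc_key, mac_key, msg), idx))
    intact = open_record(enc_key, mac_key, seal(enc_key, mac_key, msg))
    return {"without_mac": altered, "with_mac": rejected, "untampered": intact}
```

Run `demo()`: without the MAC the amount silently reads 1100 instead of 0100; with the MAC the tampered record returns None and only the untouched record decrypts.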

D. Asymmetric Encryption
Asymmetric encryption (like RSA or Diffie-Hellman) is used during the initial SSL/TLS Handshake.

The Purpose: Its primary job is to securely exchange the "Session Key" (the symmetric key) between the client and the server.

The Scope: Like symmetric encryption, asymmetric encryption is designed for confidentiality and authentication. While it is used to sign hashes to create digital signatures, the underlying mechanism that actually detects data changes is the hash function itself.

Key Takeaway for the CISSP Exam

The SSL/TLS Toolset:

  • Asymmetric Encryption: Secure Key Exchange & Authentication.
  • Symmetric Encryption: Bulk Data Confidentiality.
  • Hashing/HMAC: Message Integrity (detecting unauthorized changes).
  • Digital Certificates: Trust and Identity verification.
