Weekly CISSP Practice Exam Questions
Week 52 - Question 1
What is the primary function of HMAC (Hash-based Message Authentication Code)?
A. Confidentiality
B. Data Integrity and Authentication
C. Availability
D. Anonymity
Answer: B. Data Integrity and Authentication
Explanation:
HMAC Breakdown
- Data Integrity and Authentication: HMAC combines a cryptographic hash function (like SHA-256) with a secret cryptographic key.
  - Integrity: If even one bit of the message changes, the resulting tag will not match.
  - Authentication: Because the tag is calculated using a secret key known only to the sender and receiver, a matching tag proves the sender is legitimate. A standard hash (without a key) can be intercepted and replaced by an attacker; an HMAC cannot be easily forged because the attacker lacks the secret key.
- Confidentiality: HMAC does not encrypt the message. The message is usually sent in the clear alongside the HMAC "tag." Anyone can read the message, but they cannot alter it without being detected.
- Mechanism: It involves hashing twice with the secret key: the key XORed with an inner padding constant is prepended to the message and hashed, then the key XORed with an outer padding constant is prepended to that inner result and hashed again. This nested construction makes HMAC more resistant to certain attacks (like length-extension attacks) than simpler keyed-hash methods such as hashing the key concatenated with the message.
Why the other options are incorrect
- A. Confidentiality: HMAC is used for verification, not hiding data. If you need confidentiality, you must pair HMAC with a symmetric encryption algorithm like AES, computing the HMAC over the ciphertext (the "Encrypt-then-MAC" construction).
- C. Availability: HMAC is a cryptographic integrity check. It does not protect against system downtime, hardware failure, or DDoS attacks.
- D. Anonymity: HMAC is an authentication tool. Its goal is to prove the identity of the sender (or at least the possession of the key), which is the opposite of hiding one's identity.
The "CISSP Rule of Thumb": A standard Hash provides Integrity. An HMAC provides Integrity + Authentication.
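To make the mechanism and the rule of thumb concrete, here is an added example (not part of the original question set) that builds HMAC-SHA256 from the inner/outer padding definition in RFC 2104, checks it against Python's standard library, and shows that a tampered message or a wrong key is rejected while the message itself stays readable. The key and message values are constructed for the demo.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; the pads are block-sized


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 from the definition: H((K' ^ opad) || H((K' ^ ipad) || message))."""
    # Keys longer than one block are hashed first; shorter keys are zero-padded to K'.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)  # inner padding constant
    opad = bytes(b ^ 0x5C for b in key)  # outer padding constant
    inner = hashlib.sha256(ipad + message).digest()  # first hash, over the message
    return hashlib.sha256(opad + inner).digest()     # second hash, over the inner result


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many tag bytes matched."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def demo() -> dict:
    key = b"constructed-demo-key"        # constructed sample key, not a real secret
    msg = b"transfer 100 to account 42"  # constructed sample message
    tag = hmac_sha256(key, msg)
    return {
        # Agreement with the standard library confirms the construction above is right.
        "matches_stdlib": tag == hmac.new(key, msg, hashlib.sha256).digest(),
        "valid": verify_tag(key, msg, tag),
        # Integrity: one changed character in the message invalidates the tag.
        "tampered_rejected": not verify_tag(key, b"transfer 900 to account 42", tag),
        # Authentication: a party without the secret key cannot produce a matching tag.
        "wrong_key_rejected": not verify_tag(b"some-other-key", msg, tag),
        # No confidentiality: the message travels in the clear beside the tag.
        "message_readable": msg.decode() == "transfer 100 to account 42",
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```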
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.