PrepAway - Latest Free Exam Questions & Answers

Which of the following protocols can IPSec use to provide the confidentiality component of the CIA triad?
(Select 2 choices.)

A. AES
B. AH
C. DES
D. MD5
E. SHA

Explanation:
Of the choices available, IP Security (IPSec) can use either Advanced Encryption Standard (AES) or Data
Encryption Standard (DES) to provide the confidentiality component of the confidentiality, integrity, and
availability (CIA) triad. The confidentiality component of the CIA triad ensures that transmitted data cannot be
read by an unauthorized party if the data is intercepted before it reaches its destination. Depending on the
amount of confidentiality desired, IPSec can use AES or DES with Encapsulating Security Payload (ESP) in
either transport mode or tunnel mode. In transport mode, ESP uses AES or DES to encrypt only the original
payload data and the resultant ESP trailer, leaving the original IP header unencrypted. The following diagram
illustrates the components of an ESP packet in transport mode:

In tunnel mode, ESP uses AES or DES to encrypt the entire packet, including the original IP header, the original
payload data, and the resultant ESP trailer. The following diagram illustrates the components of an ESP packet
in tunnel mode:

IPSec can use Authentication Header (AH) and ESP to provide the integrity component of the CIA triad, not the
confidentiality component. The integrity component of the CIA triad ensures that unauthorized parties have not
modified data as it was transmitted over the network. Data integrity is provided by using algorithms such as
Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) to produce checksums on each end of the
connection. If the data generates the same checksum value on each end of the connection, the data was not
modified in transit. In addition, AH and ESP can authenticate the origin of transmitted data. Data authentication
is provided through various methods, including user name/password combinations, preshared keys (PSKs),
digital certificates, and one-time passwords (OTPs).
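The following Python is an added example, not part of the PrepAway explanation or the cited Cert Guide. It builds the two ESP encapsulations described above from a constructed IPv4 packet so that the difference in scope is visible in the bytes: in transport mode the original IP header is sent in the clear and only the payload plus ESP trailer is encrypted, while in tunnel mode the whole original packet is encrypted behind a new outer header. AES/DES are not in the Python standard library, so the example substitutes an HMAC-SHA256 counter-mode keystream (an assumption made only so the code runs offline); the SPI, keys and addresses are constructed sample values.

```python
import hmac
import hashlib
import struct

ESP_PROTO = 50    # IP protocol number for ESP
IPIP_PROTO = 4    # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header, no options; header checksum left at zero for brevity
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)

def keystream(key, iv, n):
    # Stand-in for AES/DES, which the standard library lacks: HMAC-SHA256 run in counter mode.
    # Real IPsec uses AES-CBC or AES-GCM here; what matters below is the scope of what is encrypted.
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest() for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def esp_encapsulate(inner, next_header, spi, seq, enc_key, auth_key, iv):
    # RFC 4303 layout: SPI | sequence | IV | ciphertext(inner, padding, pad len, next header) | ICV
    pad_len = (-(len(inner) + 2)) % 4              # pad so the 2-byte trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # default pad pattern 1, 2, 3, ...
    plaintext = inner + padding + bytes([pad_len, next_header])
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    esp = struct.pack("!II", spi, seq) + iv + ciphertext
    return esp + hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]   # HMAC-SHA-256-128, RFC 4868

def esp_icv_ok(esp, auth_key):
    # Integrity check the receiver performs before decrypting: recompute the ICV over SPI..ciphertext
    return hmac.compare_digest(hmac.new(auth_key, esp[:-16], hashlib.sha256).digest()[:16], esp[-16:])

def transport_mode(ip_packet, spi, seq, enc_key, auth_key, iv):
    # Transport mode: the original IP header stays in the clear; only payload and ESP trailer are encrypted
    ihl = (ip_packet[0] & 0x0F) * 4
    hdr, payload = bytearray(ip_packet[:ihl]), ip_packet[ihl:]
    esp = esp_encapsulate(payload, hdr[9], spi, seq, enc_key, auth_key, iv)   # hdr[9] = original protocol
    hdr[9] = ESP_PROTO
    struct.pack_into("!H", hdr, 2, ihl + len(esp))  # total length now covers the ESP data
    return bytes(hdr) + esp

def tunnel_mode(ip_packet, outer_src, outer_dst, spi, seq, enc_key, auth_key, iv):
    # Tunnel mode: the whole original packet, header included, is encrypted behind a new outer IP header
    esp = esp_encapsulate(ip_packet, IPIP_PROTO, spi, seq, enc_key, auth_key, iv)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, 20 + len(esp)) + esp

# Constructed sample: 10.0.0.1 -> 10.0.0.2, protocol 17 (UDP), with a short placeholder payload
INNER_SRC, INNER_DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PAYLOAD = b"hello ipsec"
SAMPLE_PACKET = ipv4_header(INNER_SRC, INNER_DST, 17, 20 + len(PAYLOAD)) + PAYLOAD
SA = dict(spi=0x1000, seq=1, enc_key=b"e" * 32, auth_key=b"a" * 32, iv=b"\x00" * 16)  # constructed SA
```

Comparing `transport_mode(SAMPLE_PACKET, **SA)` with `tunnel_mode(SAMPLE_PACKET, outer_src, outer_dst, **SA)` shows the inner source and destination addresses readable at offset 12 in the first and hidden inside the ciphertext in the second, while the SPI and sequence number are in the clear in both.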

CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works
