ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A DevOps team has multiple AWS Lambda functions that call a private API Gateway endpoint. Each request is signed with AWS Signature Version 4, which relies on an HMAC-SHA256 calculation over the request and the caller's secret access key. A security auditor asks whether this mechanism alone can be used to prove that a specific function unquestionably originated a given request (non-repudiation). Which explanation BEST addresses the auditor's concern?
It cannot be trusted because HMACs are inherently susceptible to replay attacks, which undermine both integrity and non-repudiation.
It guarantees integrity and authentication but not non-repudiation, because any party holding the shared secret key could have produced the same HMAC.
It encrypts the request for confidentiality only and does not assure integrity or identify the sender.
It provides full non-repudiation since the receiver can verify the signature using the sender's public key without knowing the secret key.
Hash-based Message Authentication Codes (HMACs) are calculated with a key that is shared between the sender and the receiver. Because both parties (and anyone who compromises the shared key) can generate a valid HMAC, the recipient cannot later prove to a third party which specific entity created the message. Therefore, an HMAC strongly protects message integrity and provides mutual authentication, but it does not provide non-repudiation. True non-repudiation requires an asymmetric mechanism-such as a digital signature-where only the sender possesses the private signing key. Options stating that HMAC supplies non-repudiation or confidentiality are incorrect. The claim that HMAC is inherently weak against replay attacks is also incorrect; replay protection depends on additional measures such as nonces or timestamps rather than on the HMAC algorithm itself.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an HMAC, and how does it ensure integrity?
Open an interactive chat with Bash
Why doesn't an HMAC provide non-repudiation?
Open an interactive chat with Bash
How do nonces or timestamps prevent replay attacks specifically with HMAC?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .