A software developer wants to ensure the authenticity and integrity of an API request but does not require non-repudiation. Which cryptographic method should be used?
HMAC (hash-based message authentication code) provides authenticity and integrity without non-repudiation.
Why this answer
HMAC combines a shared secret key with a cryptographic hash function (for example SHA-256) to produce a fixed-size authentication tag over the request. The receiver verifies the tag by recomputing it with the same key and comparing the two values. A matching tag gives authenticity (the request came from a party holding the key) and integrity (no bit of the covered data was altered in transit). It does not give non-repudiation, because the key is shared by sender and receiver: the receiver could have generated an identical tag itself, so a third party cannot tell which side produced it.
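The following is an added example, not part of the original page. It shows the full HMAC flow for an API request using only Python's standard library: the client builds a canonical byte string from the request fields, tags it with HMAC-SHA256, and the server recomputes the tag and compares it in constant time. It also shows why HMAC gives no non-repudiation: the server, holding the same key, can mint a valid tag for a request the client never sent. The key value, endpoint path and request body are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample key shared by API client and server (hypothetical value).
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def canonical_request(method: str, path: str, body: dict, timestamp: int) -> bytes:
    """Serialise the fields the server must authenticate into one unambiguous byte string.

    Sorted keys, fixed separators and newline-delimited fields make the
    serialisation canonical, so two different requests cannot collapse into
    the same tagged string. The timestamp is covered so the server can reject
    stale or replayed requests without the tag still verifying on them.
    """
    body_json = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return "\n".join([method.upper(), path, str(timestamp), body_json]).encode("utf-8")


def sign_request(key: bytes, method: str, path: str, body: dict, timestamp: int) -> str:
    """Client side: compute the HMAC-SHA256 tag that travels in a request header."""
    message = canonical_request(method, path, body, timestamp)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_request(key: bytes, method: str, path: str, body: dict,
                   timestamp: int, tag: str) -> bool:
    """Server side: recompute the tag with the shared key and compare in constant time.

    compare_digest avoids a timing side channel that a plain == on the tag
    string would leak byte by byte.
    """
    expected = sign_request(key, method, path, body, timestamp)
    return hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Return (genuine_ok, tampered_ok, wrong_key_ok, server_forgery_ok)."""
    timestamp = 1700000000
    body = {"amount": 100, "to": "acct-42"}

    # Client tags a transfer request; the server accepts it.
    tag = sign_request(SHARED_KEY, "POST", "/v1/transfer", body, timestamp)
    genuine_ok = verify_request(SHARED_KEY, "POST", "/v1/transfer", body, timestamp, tag)

    # Integrity: an attacker on the wire changes the amount but cannot update the tag.
    tampered = dict(body, amount=100000)
    tampered_ok = verify_request(SHARED_KEY, "POST", "/v1/transfer", tampered, timestamp, tag)

    # Authenticity: a party without the key produces a tag the server rejects.
    bogus_tag = sign_request(b"attacker-guess", "POST", "/v1/transfer", body, timestamp)
    wrong_key_ok = verify_request(SHARED_KEY, "POST", "/v1/transfer", body, timestamp, bogus_tag)

    # No non-repudiation: the server holds the same key, so it can fabricate a
    # request and a tag indistinguishable from one the client would have sent.
    forged_body = {"amount": 1, "to": "acct-99"}
    forged_tag = sign_request(SHARED_KEY, "POST", "/v1/transfer", forged_body, timestamp)
    server_forgery_ok = verify_request(SHARED_KEY, "POST", "/v1/transfer",
                                       forged_body, timestamp, forged_tag)

    return genuine_ok, tampered_ok, wrong_key_ok, server_forgery_ok


if __name__ == "__main__":
    print(demo())
```

The last check is the exam point in code: a valid tag proves that someone holding the shared key produced the request, but it cannot prove which of the two key holders did, which is exactly why HMAC is the right choice when non-repudiation is not required and the wrong one when it is.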
Exam trap
ISC2 often tests the distinction between authentication plus integrity (HMAC) and non-repudiation (digital signatures). The trap is reaching for a digital signature reflexively when the question explicitly states that non-repudiation is not required; the extra property is then unnecessary cost, not a benefit.
How to eliminate wrong answers
Option A is wrong because a digital signature using RSA provides non-repudiation (only the holder of the private key can sign, so the sender cannot deny signing) and is computationally heavier than an HMAC; it delivers a property the question says is not needed. Option B is wrong because symmetric encryption in CBC mode provides confidentiality, not authenticity or integrity: CBC is malleable, so flipping a bit in one ciphertext block flips the same bit in the next plaintext block, and decryption succeeds without any error, which is why encryption must be paired with a MAC or an authenticated mode. Option D is wrong because Elliptic Curve Diffie-Hellman (ECDH) is a key agreement protocol used to establish a shared secret over an insecure channel; it does not by itself authenticate either party or verify the integrity of an API request.