The type of encryption used to protect sensitive data in transit over a network is payload encryption and transport encryption. Encryption is the process of transforming data into an unreadable form, using a secret key and an algorithm, so that the data is protected from unauthorized access or disclosure. Payload encryption and transport encryption are the two types of encryption used to protect sensitive data in transit, that is, data being transmitted from one point to another over a network such as the internet, a local area network (LAN), or a wide area network (WAN).
Payload encryption encrypts the content of the message or packet being transmitted, such as text, an image, or audio. It protects the confidentiality of the data: a third party or attacker who intercepts or captures the packet on the network cannot read its contents.
Transport encryption encrypts the header or metadata of the message or packet being transmitted, such as the source, the destination, or the protocol. It protects the integrity of the data: it prevents or reduces the risk that a third party or attacker who intercepts or captures the packet modifies or manipulates it in transit.
B. Authentication Headers (AH) is not a type of encryption used to protect sensitive data in transit over a network. It is a protocol that authenticates the source and verifies the integrity of transmitted data using a cryptographic checksum or hash. AH protects the authenticity of the data, preventing or reducing the risk of spoofing, replay, or alteration by a third party or attacker who intercepts or captures it on the network. However, AH does not provide confidentiality, because it does not encrypt the content of the message or packet.
C. Keyed-Hashing for Message Authentication (HMAC) is not a type of encryption used to protect sensitive data in transit over a network. It is an algorithm that generates an authentication code for transmitted data using a secret key and a hash function. HMAC protects the authenticity of the data, preventing or reducing the risk of spoofing, replay, or alteration by a third party or attacker who intercepts or captures it on the network. However, HMAC does not provide confidentiality, because it does not encrypt the content of the message or packet.
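The following added example, which is not part of the exam guide's material, illustrates the point made for both AH and HMAC: a keyed hash detects spoofing and alteration but leaves the message readable. It uses only Python's standard library (hmac, hashlib, json); the packet layout, the header fields, and the shared key are constructed placeholders for illustration.

```python
import hashlib
import hmac
import json

# Constructed example value: a placeholder shared secret, not a real credential.
SHARED_KEY = b"example-shared-secret-key"


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over data under key, returned as a hex string."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _covered_bytes(header: dict, payload: bytes) -> bytes:
    # Canonical header (sorted keys) followed by the payload, so that a change
    # to either part changes the bytes the tag is computed over.
    return json.dumps(header, sort_keys=True).encode() + b"\n" + payload


def sign_packet(key: bytes, header: dict, payload: bytes) -> dict:
    """Attach an HMAC tag covering both header and payload.

    Neither part is encrypted: the packet carries them in the clear.
    """
    return {"header": dict(header), "payload": payload,
            "tag": make_tag(key, _covered_bytes(header, payload))}


def verify_packet(key: bytes, packet: dict) -> bool:
    """Recompute the tag and compare it in constant time, so a verifier does
    not leak how many leading characters of a guessed tag were right."""
    expected = make_tag(key, _covered_bytes(packet["header"], packet["payload"]))
    return hmac.compare_digest(expected, packet["tag"])


def demo() -> dict:
    """Show what a keyed hash provides (authenticity, integrity) and what it
    does not (confidentiality)."""
    header = {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "app/1"}
    payload = b"transfer 100 to account 42"
    packet = sign_packet(SHARED_KEY, header, payload)

    results = {"genuine_verifies": verify_packet(SHARED_KEY, packet)}

    # No confidentiality: anyone who captures the packet reads the payload as sent.
    results["payload_readable"] = packet["payload"] == payload

    # Alteration of the payload in transit is detected by the receiver.
    altered = dict(packet, payload=b"transfer 900 to account 42")
    results["altered_payload_verifies"] = verify_packet(SHARED_KEY, altered)

    # A spoofed source address in the header is detected, because the tag covers it.
    spoofed = dict(packet, header=dict(header, src="10.0.0.7"))
    results["spoofed_header_verifies"] = verify_packet(SHARED_KEY, spoofed)

    # A sender without the shared key cannot produce a tag the receiver accepts.
    forged = sign_packet(b"some-other-key", header, payload)
    results["forged_tag_verifies"] = verify_packet(SHARED_KEY, forged)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Replay is only caught if the covered bytes include something that changes per message (a sequence number or timestamp in the header); a tag over a static message verifies equally well the second time it is received, so a receiver also has to track what it has already accepted.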
D. Point-to-Point Encryption (P2PE) is not a type of encryption used to protect sensitive data in transit over a network. It is a type of encryption used to protect sensitive data at rest on a device or system, such as a point-of-sale (POS) terminal, a card reader, or a mobile device. P2PE encrypts the data at the point of capture or entry on the device and decrypts it at the point of processing or storage on another device or system, using a secret key and an algorithm. It protects the confidentiality of the data, preventing or reducing the risk of unauthorized access or disclosure by a third party or attacker who accesses or compromises the device or system.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 115; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 172