IIBA-CCA Exam - Topic 6 Question 1 Discussion

SSL and its successor TLS are cryptographic protocols designed to provide secure communications over untrusted networks. The encryption capability comes from the TLS protocol suite, which defines how two endpoints negotiate security settings, authenticate, exchange keys, and protect data as it travels between them. During the TLS handshake, the endpoints agree on a cipher suite, establish shared session keys using secure key exchange methods, and then use symmetric encryption and integrity checks to protect application data against eavesdropping and tampering. Because TLS specifies these mechanisms and the sequence of steps, it is accurate to say that encryption capability is provided by protocols.

Certificates are important but they are not the encryption mechanism itself. Digital certificates primarily support authentication and trust by binding a public key to an identity and enabling verification through a trusted certificate authority chain. Certificates help prevent impersonation and man-in-the-middle attacks by allowing clients to validate the server's identity, and in mutual TLS they can validate both parties. However, certificates alone do not define how encryption is negotiated or applied; TLS does.

Passwords are unrelated to transport encryption; they are an authentication secret and do not provide session encryption for network traffic. ''Controls'' is too general: SSL/TLS is indeed a security control, but the question asks specifically what provides the encryption capability. That capability is implemented and standardized by the SSL/TLS protocols, which orchestrate key establishment and encrypted communication.