Quick answer: Cryptography on the Security+ SY0-701 exam covers symmetric vs asymmetric encryption, hashing, PKI, TLS, certificate types, and key exchange. Master objective 1.4 with these 12 practice questions and explanations—focusing on real-world application, not rote memorization.
Why Cryptography Is the Hardest Domain
Cryptography is often cited as the most challenging area for Security+ candidates. Why? Because objective 1.4 (part of the General Security Concepts domain) blends abstract math, protocol mechanics, and operational decisions into a single objective. You aren't just memorizing algorithms: you're applying them to network designs, certificate management, and secure communications. A single misunderstanding can cascade across multiple questions.
This guide breaks down the core concepts you need for the SY0-701 exam, then tests your knowledge with 12 practice questions. Each question includes a detailed explanation to reinforce why the correct answer is right—and why the distractors are wrong.
Symmetric vs Asymmetric Encryption
Symmetric encryption uses one shared key for both encryption and decryption. It's fast and efficient for bulk data encryption (e.g., AES, ChaCha20; 3DES still appears on the exam, but NIST deprecated it and disallows it for new use after 2023). The critical weakness is key distribution: how do you securely share that single key with the recipient? If the key is intercepted, everything encrypted under it is exposed.
Asymmetric encryption uses a mathematically linked key pair: a public key (shared openly) and a private key (kept secret). Data encrypted with the public key can be decrypted only with the private key; conversely, a signature produced with the private key can be verified by anyone holding the public key. (The "works in both directions" property is specific to RSA; elliptic-curve schemes sign or agree on keys but do not encrypt directly.) This solves key distribution but is computationally slower. Common algorithms include RSA, ECC (ECDSA, ECDH) and Diffie-Hellman; the last is a key-agreement protocol rather than an encryption algorithm, although the exam groups it with asymmetric cryptography.
On the exam: You'll see questions asking which encryption type is best for specific scenarios. Symmetric for high-speed bulk encryption (e.g., full-disk encryption). Asymmetric for secure key exchange or digital signatures. Hybrid approaches combine both (e.g., TLS uses asymmetric operations to authenticate the server and agree on a symmetric session key, then encrypts the session with AES or ChaCha20).
Hashing: Integrity, Not Confidentiality
Hashing creates a fixed-length digest from any input data. It’s a one-way function—you cannot reverse the hash to recover the original data. Hashing ensures integrity, not confidentiality. If the data changes, the hash changes.
Common hash algorithms in Security+ scope:
- SHA-2 (SHA-256, SHA-512) — current standard, still secure
- SHA-3 — newer, NIST-approved, but less common in practice
- MD5 — broken, never use for security
- SHA-1 — deprecated; practical collision attacks demonstrated (SHAttered, 2017)
On the exam: You'll be asked to identify which algorithm is used for integrity verification (e.g., file downloads). Hashing also underpins password storage and digital signatures: a signature is computed over the hash of the message, not over the message itself. Practitioner caveat: a plain, fast hash such as SHA-256 is the wrong tool for passwords; use a salted, deliberately slow key-derivation function (PBKDF2, bcrypt, scrypt or Argon2) so that each guess costs the attacker real work.
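As an added worked example (not part of the original article), here is how the two exam cases in this section differ in practice: verifying a downloaded file against a published SHA-256 digest, and storing a password with a salted, slow KDF rather than a bare hash. It uses only the Python standard library; the sample file contents, the record format and the 600,000 iteration count are choices made for this example (the iteration count follows OWASP's PBKDF2-HMAC-SHA256 guidance).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample "download": a small installer-like byte string stands in
# for the real file a vendor would publish alongside a SHA256SUMS entry.
SAMPLE_FILE = b"#!/bin/sh\necho 'installing widget 1.2.3'\n" * 8


def sha256_hex(data: bytes) -> str:
    """Fixed-length digest (32 bytes, 64 hex chars) regardless of input size."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Integrity check exactly as a SHA256SUMS file is used: recompute, compare.

    hmac.compare_digest keeps the comparison time independent of how many
    leading characters match; not critical for a public digest, but it is the
    habit to build for every comparison that involves a secret.
    """
    return hmac.compare_digest(sha256_hex(data), published_hex.lower())


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` to simulate modification in transit."""
    flipped = bytearray(data)
    flipped[offset] ^= 0x01
    return bytes(flipped)


# --- Password storage: a plain SHA-256 is the wrong tool --------------------
# SHA-256 is fast by design, so an attacker holding a leaked table can test
# billions of guesses per second on a GPU. Password storage needs a salted,
# deliberately slow KDF. PBKDF2-HMAC-SHA256 ships in the standard library;
# 600,000 iterations is OWASP's current recommendation for it (an assumption
# for this example; tune to your hardware budget).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # fresh per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    published = sha256_hex(SAMPLE_FILE)  # what the vendor would post next to the file
    print("published digest :", published)
    print("intact file ok   :", verify_download(SAMPLE_FILE, published))
    print("one flipped bit  :", verify_download(tamper(SAMPLE_FILE, 10), published))

    record = hash_password("correct horse battery staple")
    print("stored record    :", record)
    print("right password   :", verify_password("correct horse battery staple", record))
    print("wrong password   :", verify_password("Tr0ub4dor&3", record))
    # Same password, new salt: identical passwords across users never produce
    # identical stored values, so a cracked record does not unlock its twins.
    print("salted records differ:", record != hash_password("correct horse battery staple"))
```

Note the asymmetry the exam question hides: one flipped bit in the download produces a completely unrelated digest, which is what makes the check useful, but the same speed that makes SHA-256 good for file checks makes it bad for passwords.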
PKI: The Infrastructure Behind Trust
Public Key Infrastructure (PKI) is the framework that manages digital certificates and public-key encryption. It includes:
- Certificate Authority (CA) — issues and revokes certificates
- Registration Authority (RA) — verifies identity before certificate issuance
- Certificate Revocation List (CRL) — list of revoked certificates
- Online Certificate Status Protocol (OCSP) — real-time revocation checking against a CA-operated responder; with OCSP stapling the server includes a recent signed OCSP response in the TLS handshake so the client does not have to contact the CA itself
PKI enables trust by binding a public key to an entity (person, server, device). Without PKI, you can’t verify who owns a key. The exam will test your understanding of CA hierarchy (root vs intermediate), certificate validation, and revocation methods.
TLS: Securing Network Communications
Transport Layer Security (TLS) is the protocol that encrypts data in transit—web traffic, email, VoIP. It uses a handshake process:
- Client sends its supported cipher suites (and, in TLS 1.3, its ephemeral key share)
- Server selects a suite and sends its certificate (containing its public key)
- Client builds the chain up to a root in its trust store and checks the name, validity period and revocation status
- Client and server agree on a shared secret. In TLS 1.3, and in any TLS 1.2 suite worth deploying, this is an ephemeral (EC)DH exchange whose parameters the server signs with its certificate key; the older RSA key exchange (client encrypts a pre-master secret with the server's public key) survives only in TLS 1.2 and earlier
- Both derive symmetric session keys from the shared secret
- Encrypted communication begins
On the exam: Know that TLS uses asymmetric cryptography for the handshake (server authentication and key agreement) and symmetric encryption for the session. Understand the difference between TLS 1.2 and 1.3: TLS 1.3 removes RSA key exchange and static (EC)DH, so every 1.3 handshake has forward secrecy; it drops RC4, 3DES, CBC-mode and other weak suites; and it completes the handshake in one round trip instead of two. Recognize that SSL (all versions) is deprecated and should not be used, and that TLS 1.0 and 1.1 are likewise deprecated (RFC 8996).
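The TLS 1.2/1.3 points above can be checked against a real configuration rather than memorized. The following added example (mine, not from the article) builds two Python `ssl` contexts: one that accepts whatever OpenSSL's `HIGH` list offers, including static-RSA key exchange, and one restricted to ephemeral-key AEAD suites with a TLS 1.2 floor. It then audits each for the ciphers Question 4 below warns about. The cipher strings and the "weak" fragment list are assumptions for this example, and the exact suites reported depend on the local OpenSSL build.

```python
import ssl

# Names and key-exchange markers a reviewer should never see in a modern
# configuration. RC4 and 3DES are broken/deprecated ciphers, MD5 is a broken
# MAC, and OpenSSL reports static RSA key exchange as "kx-rsa": no forward
# secrecy, removed outright in TLS 1.3. (List chosen for this example.)
WEAK_NAME_FRAGMENTS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXPORT")
WEAK_KEY_EXCHANGE = ("kx-rsa",)


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Return the names of enabled cipher suites that should be flagged."""
    flagged = []
    for suite in ctx.get_ciphers():  # one dict per enabled suite, as OpenSSL reports it
        name = suite["name"]
        if any(frag in name for frag in WEAK_NAME_FRAGMENTS) \
                or suite.get("kea") in WEAK_KEY_EXCHANGE:
            flagged.append(name)
    return flagged


def ephemeral_only(ctx: ssl.SSLContext) -> bool:
    """True when every enabled suite uses DHE or ECDHE key exchange.

    TLS 1.3 suites report kea='kx-any' because 1.3 negotiates (EC)DHE outside
    the suite name and cannot do anything else, so they pass automatically.
    """
    return all(suite.get("kea") in ("kx-ecdhe", "kx-dhe", "kx-any")
               for suite in ctx.get_ciphers())


def tls12_floor(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses SSLv3, TLS 1.0 and TLS 1.1."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def permissive_context() -> ssl.SSLContext:
    """The 'it just works' server configuration: OpenSSL's HIGH list still
    contains AES suites with static RSA key exchange (Kx=RSA), which have
    no forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Ephemeral key exchange and authenticated encryption only, TLS 1.2 floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL, TLS 1.0 and 1.1 are off the table
    ctx.options |= ssl.OP_NO_COMPRESSION          # CRIME-style compression attacks
    # TLS 1.2 suites: (EC)DHE key exchange with AES-GCM or ChaCha20-Poly1305.
    # OpenSSL manages TLS 1.3 suites (all AEAD, all ephemeral) separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()),
                       ("hardened", hardened_context())):
        print(f"{label:10s} TLS1.2 floor={tls12_floor(ctx)} "
              f"ephemeral-only={ephemeral_only(ctx)} flagged={weak_suites(ctx)}")
```

Run it and the permissive context lists suites such as `AES256-GCM-SHA384`: strong cipher, modern MAC, but `Kx=RSA`, which is exactly the forward-secrecy gap Question 2 is about. The hardened context reports nothing flagged.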
Certificate Types and Their Uses
Digital certificates come in several flavors, each serving a specific purpose:
- Domain Validation (DV) — verifies domain control only; low assurance
- Organization Validation (OV) — verifies domain + organization identity; medium assurance
- Extended Validation (EV) — rigorous vetting; high assurance (used for financial sites)
- Wildcard — covers every host one label below a domain (e.g., *.example.com matches www.example.com and mail.example.com, but not example.com itself or a.b.example.com); unrelated domains need a SAN (multi-domain) certificate instead
- Self-signed — not issued by a CA; used for testing or internal networks; no trust chain
- Code signing — validates software publisher identity; ensures code hasn’t been tampered
- Email (S/MIME) — signs and encrypts email messages
- Root — top-level CA certificate; self-signed; must be trusted by clients
On the exam: Expect scenario-based questions, e.g., "Which certificate type should be used for a public e-commerce site?" (EV or OV). Be aware that since 2019 the major browsers no longer show an EV indicator in the address bar, so EV adds vetting but little visible user-facing trust; the exam still treats it as the highest-assurance type. Also know that a wildcard covers only one level of one domain's subdomains; multiple unrelated domains require a SAN certificate.
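The wildcard and SAN rules above are easy to get wrong, so here is an added example (not from the article) of the name-matching logic a TLS client applies when it checks a certificate's SAN entries against the requested hostname. The wildcard handling follows what browsers enforce: the wildcard must be the whole leftmost label, matches exactly one label, and needs at least two labels to its right. That two-label minimum is an approximation of the Public Suffix List check real clients do, and the sample names are constructed for the example.

```python
import ipaddress


def _normalize(name: str) -> str:
    """DNS names are case-insensitive, and a trailing dot denotes the same name."""
    return name.lower().rstrip(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (a SAN dNSName or legacy CN) cover hostname?

    Wildcard rules as browsers enforce them (stricter than RFC 6125 permits):
      * the wildcard must be the entire leftmost label ("*.example.com");
        "w*.example.com" or a wildcard in any other label is rejected;
      * it matches exactly one label: "a.example.com" yes, "a.b.example.com"
        no, and the bare "example.com" no;
      * at least two labels must follow it, so "*.com" is never valid
        (real clients consult the Public Suffix List; two labels approximates it).
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname                      # plain SAN entry: exact match
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False                                    # malformed wildcard pattern
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels):
        return False                                    # wildcard spans one label only
    return host_labels[1:] == labels[1:]


def cert_covers(san_names: list, hostname: str) -> bool:
    """A certificate covers hostname if any SAN entry matches.

    IP addresses must appear literally as iPAddress SANs; a wildcard pattern
    never matches an IP, and "203.0.113.10" is not a DNS name to be matched
    label by label.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return any(hostname_matches(n, hostname) for n in san_names)
    for n in san_names:
        try:
            if ipaddress.ip_address(n) == ip:
                return True
        except ValueError:
            continue                                    # a DNS name, not an IP entry
    return False


if __name__ == "__main__":
    # Constructed certificates: each is just its list of SAN entries.
    wildcard_cert = ["*.company.com"]
    wildcard_plus_apex = ["*.company.com", "company.com"]
    san_cert = ["shop.example.com", "example.net", "203.0.113.10"]
    for cert, host in [(wildcard_cert, "mail.company.com"),
                       (wildcard_cert, "company.com"),
                       (wildcard_cert, "a.mail.company.com"),
                       (wildcard_plus_apex, "company.com"),
                       (san_cert, "example.net"),
                       (san_cert, "203.0.113.10"),
                       (wildcard_cert, "company.net")]:
        print(f"{cert!s:45s} covers {host:22s} -> {cert_covers(cert, host)}")
```

The last two wildcard cases are the ones the exam wants: a single wildcard does not reach a second level of subdomains and says nothing about a different domain, and even the apex name needs its own SAN entry.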
Key Exchange: How Keys Get Shared
Key exchange is the mechanism two parties use to agree on a shared secret over an insecure channel. The most common methods:
- Diffie-Hellman (DH) — allows two parties to compute a shared secret without transmitting it directly; only the public values cross the wire. On its own it is unauthenticated, so an on-path attacker can substitute their own public values and hold a separate key with each side (man-in-the-middle). TLS prevents this by having the server sign the exchange with its certificate key.
- Elliptic Curve Diffie-Hellman (ECDH) — same concept but uses elliptic curve cryptography for smaller keys and faster performance.
- RSA Key Exchange — the client encrypts a pre-master secret with the server's public key. It provides no forward secrecy: anyone who records the traffic and later obtains the server's private key can decrypt every past session. TLS 1.3 removed it entirely.
- Ephemeral variants (DHE, ECDHE) — generate temporary keys for each session, providing perfect forward secrecy (PFS). If the server’s long-term key is compromised, past sessions remain secure.
On the exam: Questions often ask which key exchange provides perfect forward secrecy. The answer is always an ephemeral variant (DHE or ECDHE). Also know that RSA key exchange does not provide PFS, and neither does static (non-ephemeral) DH, which reuses the same key pair across sessions.
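To make the handshake step "both derive symmetric session keys" and the PFS and man-in-the-middle points of this section concrete, here is an added example (not the article's code) of an ephemeral Diffie-Hellman exchange in plain Python: both parties generate fresh key pairs, derive a session key with HKDF as TLS 1.3 does, and discard their private exponents; a second scenario shows how an unauthenticated exchange lets Mallory hold a separate key with each side. The group (the Mersenne prime 2^521 - 1 with generator 3), the HKDF info string and the party names are toy choices for illustration, not a vetted DH group or any real protocol's values.

```python
import hashlib
import hmac
import secrets

# Toy group: p = 2**521 - 1 is a Mersenne prime, so arithmetic mod p is a valid
# field, but this is NOT a vetted DH group. Production code uses the RFC 7919
# ffdhe groups or, far more commonly today, X25519 / P-256 ECDH.
P = 2**521 - 1
G = 3


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, the construction TLS 1.3 uses to
    turn the raw (EC)DH shared secret into traffic keys."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()              # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                        # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Party:
    """One side of the exchange. The private exponent is generated fresh for
    each handshake (the 'E' in DHE/ECDHE) and never leaves this object."""

    def __init__(self, name: str):
        self.name = name
        self.nonce = secrets.token_bytes(32)          # like the TLS client/server random
        self._priv = secrets.randbelow(P - 3) + 2     # ephemeral exponent in [2, p-2]
        self.pub = pow(G, self._priv, P)              # g^priv mod p: the value sent on the wire

    def session_key(self, peer_pub: int, client_nonce: bytes, server_nonce: bytes) -> bytes:
        if not 1 < peer_pub < P - 1:                  # reject 0, 1, p-1 (trivial subgroups)
            raise ValueError("invalid peer public value")
        shared = pow(peer_pub, self._priv, P)         # (g^b)^a == (g^a)^b mod p
        ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
        key = hkdf_sha256(ikm, client_nonce + server_nonce, b"toy-dhe session key")
        self._priv = None                             # forward secrecy: the exponent is gone
        return key


def honest_exchange():
    """Alice and Bob over a channel that is eavesdropped but not modified."""
    alice, bob = Party("alice"), Party("bob")
    transcript = (alice.pub, bob.pub, alice.nonce, bob.nonce)  # all an eavesdropper sees
    k_alice = alice.session_key(bob.pub, alice.nonce, bob.nonce)
    k_bob = bob.session_key(alice.pub, alice.nonce, bob.nonce)
    return k_alice, k_bob, transcript


def mitm_exchange():
    """Unauthenticated DH: Mallory swaps in her own public values both ways.
    Alice and Bob each share a key with Mallory, not with each other, which is
    why TLS signs the key-exchange parameters with the server's certificate key."""
    alice, bob = Party("alice"), Party("bob")
    mallory_a, mallory_b = Party("mallory"), Party("mallory")
    k_alice = alice.session_key(mallory_a.pub, alice.nonce, bob.nonce)   # Alice thinks: Bob
    k_bob = bob.session_key(mallory_b.pub, alice.nonce, bob.nonce)       # Bob thinks: Alice
    k_mallory_alice = mallory_a.session_key(alice.pub, alice.nonce, bob.nonce)
    k_mallory_bob = mallory_b.session_key(bob.pub, alice.nonce, bob.nonce)
    return k_alice, k_bob, k_mallory_alice, k_mallory_bob


if __name__ == "__main__":
    ka, kb, transcript = honest_exchange()
    print("honest: keys match      :", ka == kb, "key =", ka.hex()[:16], "...")
    print("honest: secret on wire? :", any(ka == v for v in transcript))
    a, b, ma, mb = mitm_exchange()
    print("mitm: Alice == Bob      :", a == b)
    print("mitm: Mallory has both  :", a == ma and b == mb)
```

Nothing in `transcript` is the key, and after `session_key` returns neither party can recompute it: that is forward secrecy in miniature. The MITM path is the reason the handshake list insists the server sign the exchange; the math alone cannot tell Alice whose public value she received.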
12 Security+ Cryptography Practice Questions (SY0-701 Objective 1.4)
Question 1
A security analyst needs to ensure that a file downloaded from a website has not been modified during transmission. Which cryptographic concept should be used?
- A) Symmetric encryption
- B) Hashing
- C) Asymmetric encryption
- D) Digital signature
Show Answer
**Correct Answer: B) Hashing**
Hashing provides integrity verification. The website publishes the hash of the file; the user computes the hash after download and compares. If they match, the file has not been altered in transit. Symmetric encryption provides confidentiality, not integrity. A digital signature provides both integrity and authentication but is more than the question asks for. Practitioner caveat: a digest published on the same server as the file only catches corruption or tampering in transit; an attacker who controls the server can replace both file and hash, which is why serious software distributions also sign their checksum files.
Question 2
Which of the following key exchange methods provides perfect forward secrecy (PFS)?
- A) RSA
- B) Diffie-Hellman
- C) ECDHE
- D) Pre-shared key
Show Answer
**Correct Answer: C) ECDHE**
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) generates a temporary key pair for each session. If the server's long-term private key is compromised, past session keys remain secure. RSA key exchange does not provide PFS. Standard Diffie-Hellman can provide PFS if ephemeral (DHE), but ECDHE is the specific elliptic curve variant. Pre-shared keys are static.
Question 3
A company wants to deploy a certificate on its public-facing web server. Which certificate type provides the highest level of user trust?
- A) Self-signed
- B) Domain Validation
- C) Extended Validation
- D) Wildcard
Show Answer
**Correct Answer: C) Extended Validation**
EV certificates require rigorous vetting of the organization's legal identity. Browsers used to display the organization name in the address bar; Chrome and Firefox removed that indicator in 2019, but EV remains the most rigorously vetted type and the exam's expected answer. DV only verifies domain control. Self-signed certificates offer no trust chain. Wildcard certificates cover subdomains but don't provide higher assurance.
Question 4
An administrator is configuring TLS for a web server and needs to ensure the most secure cipher suite is selected. Which algorithm should be avoided?
- A) AES-256-GCM
- B) ChaCha20-Poly1305
- C) RC4
- D) ECDHE
Show Answer
**Correct Answer: C) RC4**
RC4 is a stream cipher with well-known keystream biases; RFC 7465 prohibits it in TLS. AES-256-GCM and ChaCha20-Poly1305 are modern authenticated-encryption (AEAD) algorithms. ECDHE is a key exchange method, not a cipher.
Question 5
What is the primary purpose of a Certificate Revocation List (CRL)?
- A) To issue new certificates
- B) To validate a certificate’s digital signature
- C) To list certificates that are no longer valid before their expiration
- D) To store public keys for all users
Show Answer
**Correct Answer: C) To list certificates that are no longer valid before their expiration**
A CRL is a list of revoked certificates published by a CA. It allows relying parties to check whether a certificate has been revoked (e.g., due to key compromise or employee departure). Option A describes the CA's role. Option B is part of certificate validation but not the CRL's purpose. Option D describes a public key repository.
Question 6
Which of the following best describes the use of a digital signature?
- A) Encrypts the entire message to ensure confidentiality
- B) Provides non-repudiation and integrity
- C) Replaces the need for a certificate
- D) Speeds up symmetric key exchange
Show Answer
**Correct Answer: B) Provides non-repudiation and integrity**
A digital signature uses the sender's private key to sign a hash of the message. The recipient verifies with the sender's public key. This proves the message came from the claimed sender (non-repudiation) and hasn't been altered (integrity). It does not encrypt the message or replace certificates.
Question 7
An organization uses a single symmetric key to encrypt all data at rest. What is the primary security risk?
- A) The key is too short
- B) If the key is compromised, all data is exposed
- C) The encryption is too slow
- D) The key cannot be shared
Show Answer
**Correct Answer: B) If the key is compromised, all data is exposed**
Symmetric encryption uses one key for both encryption and decryption. If that key is stolen or leaked, an attacker can decrypt all data encrypted with it. Key length (A) is a separate concern. Symmetric encryption is fast, not slow (C). The key can be shared; distributing it securely is the challenge (D). In practice the mitigation is key separation: a unique data-encryption key per volume or object, each wrapped by a master key held in an HSM or KMS, so one leaked key exposes one dataset rather than everything.
Question 8
During a TLS handshake, what is the purpose of the server sending its certificate?
- A) To prove the server’s identity to the client
- B) To provide the client with a symmetric key
- C) To encrypt the client’s request
- D) To establish a hash for integrity
Show Answer
**Correct Answer: A) To prove the server's identity to the client**
The server's certificate contains its public key and is signed by a trusted CA. The client verifies the certificate against its trust store, confirming the server's identity. The symmetric key is derived later in the handshake (B). Encryption occurs after the handshake (C). Hashing is used in the handshake but is not the certificate's primary purpose (D).
Question 9
Which of the following is a one-way cryptographic function used to verify data integrity?
- A) AES
- B) RSA
- C) SHA-256
- D) Diffie-Hellman
Show Answer
**Correct Answer: C) SHA-256**
SHA-256 is a hash function: one-way, fixed-length output. AES is symmetric encryption. RSA is asymmetric encryption. Diffie-Hellman is a key exchange protocol.
Question 10
A security engineer needs to issue a certificate that will be valid for *.company.com. Which certificate type should be selected?
- A) Subject Alternative Name (SAN)
- B) Wildcard
- C) Extended Validation
- D) Self-signed
Show Answer
**Correct Answer: B) Wildcard**
A wildcard certificate covers the hosts one label below a domain (e.g., mail.company.com, www.company.com, but not company.com itself unless it is listed separately). A SAN (multi-domain) certificate lists specific names and can span unrelated domains; modern certificates carry the wildcard inside the SAN extension too, but when the requirement is *.company.com the exam wants "wildcard". EV is about validation level, not domain coverage. Self-signed isn't for public use.
Question 11
What is the primary advantage of using ECC over RSA for asymmetric encryption?
- A) ECC is more widely supported
- B) ECC provides equivalent security with smaller key sizes
- C) ECC is faster for decryption
- D) ECC is quantum-resistant
Show Answer
**Correct Answer: B) ECC provides equivalent security with smaller key sizes**
ECC achieves the same security level as RSA with much smaller keys (per NIST SP 800-57, 256-bit ECC ≈ 3072-bit RSA at the 128-bit security level). Smaller keys mean smaller certificates and signatures and cheaper key generation, which matters on constrained devices. RSA is still more widely supported in legacy systems (A). RSA public-key operations (verification) are actually faster than ECC, while ECC wins on signing and key generation, so "faster decryption" is not the defining advantage (C). Neither is quantum-resistant: both fall to Shor's algorithm, which is why NIST's post-quantum standards (ML-KEM, ML-DSA) exist (D).
Question 12
Which PKI component is responsible for verifying an applicant’s identity before a certificate is issued?
- A) Certificate Authority (CA)
- B) Registration Authority (RA)
- C) Certificate Revocation List (CRL)
- D) Validation Authority (VA)
Show Answer
**Correct Answer: B) Registration Authority (RA)**
The RA performs identity verification and forwards the approved request to the CA, which signs and issues the certificate. The CRL lists revoked certificates. A validation authority (VA) provides revocation status on the CA's behalf (typically an OCSP responder); it checks certificates after issuance and plays no part in vetting applicants.
Final Takeaway
Cryptography on the Security+ exam isn’t about memorizing algorithm names—it’s about understanding when and why each tool is used. Symmetric for speed, asymmetric for key exchange, hashing for integrity, PKI for trust. Practice applying these concepts to real-world scenarios, and the questions will become predictable.
Ready for more? Courseiva offers free Security+ practice questions with detailed explanations for every SY0-701 objective. Test your knowledge and identify weak areas before exam day.