Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CAS-004 · Free — No Signup

Security Engineering and Cryptography

Practice CAS-004 Security Engineering and Cryptography questions with full explanations on every answer.

103 questions

Security Engineering and Cryptography — choose a session length

10 questions (~10 min) · 20 questions (~20 min) · 30 questions (~30 min) · 50 questions (~50 min)

Free · No account required

CAS-004 Domains

Scripting, Containers and Automation · Application Environment, Configuration and Security · Security Architecture · Security Engineering and Cryptography · Security Operations · Governance, Risk, and Compliance · Governance, Risk and Compliance · Security Engineering

All CAS-004 Security Engineering and Cryptography questions (103)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1. A security architect is designing a new authentication system for a high-security environment. The system must support passwordless authentication while providing strong protection against phishing attacks. Which of the following protocols best meets these requirements?

2. A security engineer is reviewing a PKI deployment where the root CA is kept offline. The issuing CA signs certificates for internal applications. Recently, a subordinate CA was compromised, and the engineer needs to revoke all certificates issued by that CA. Which of the following is the most efficient method to revoke these certificates?

3. A company requires a cryptographic hash function for integrity verification of large files. The solution must be resistant to length extension attacks and provide high performance. Which of the following is the best choice?

4. An organization is implementing IPsec VPNs between sites. The security team wants to ensure data integrity and authentication but is less concerned about confidentiality for this particular link. Which IPsec protocol and mode should they use?

5. A security analyst is configuring a TPM 2.0 for a new fleet of laptops. The requirement is to ensure that only authorized operating systems can boot and that any tampering with the boot process is detected. Which TPM feature should be used?

6. An organization wants to implement a privileged access management (PAM) solution to manage administrative credentials. They require that administrators request temporary access to privileged accounts and that these credentials are automatically rotated after each use. Which PAM approach best meets these requirements?

7. A web server is configured to use TLS 1.3. Which of the following is a key security benefit of TLS 1.3 over earlier versions?

8. A security engineer is selecting an asymmetric encryption algorithm for a system that must provide non-repudiation and long-term security (at least 20 years). The system has limited computational resources. Which of the following is the best choice?

9. A company is deploying IoT sensors that require secure firmware updates over the air (OTA). To ensure integrity and authenticity of the firmware, which of the following should be implemented?

10. Which of the following certificate types is most appropriate for an organization that needs to validate the identity of individuals for email encryption and signing?

11. During a security assessment, an analyst discovers that an HSM used for key generation is FIPS 140-2 Level 2 compliant. The organization requires a higher level of physical security to prevent tampering. Which upgrade would best address this requirement?

12. A security administrator is hardening SSH access to a jump host. The requirement is to allow only key-based authentication and restrict the use of weak cryptographic algorithms. Which of the following configurations accomplishes this?

13. An organization is implementing a PKI with a three-tier hierarchy (root CA, intermediate CA, issuing CA). The security team wants to ensure that certificate revocation information is available quickly and efficiently. Which TWO mechanisms should they implement? (Select TWO.)

14. A company is migrating from RSA to elliptic curve cryptography for digital signatures. They require a signature algorithm that provides at least 128 bits of security strength and is resistant to quantum computing attacks in the foreseeable future. Which TWO algorithms meet these requirements? (Select TWO.)

15. A security engineer is evaluating hardware security modules (HSMs) for key management. The HSM must support key generation, storage, and cryptographic operations without exposing private keys. Additionally, the solution must comply with FIPS 140-2 Level 3. Which THREE features are essential for this requirement? (Select THREE.)

16. A security architect is designing a new web application that must meet strict data confidentiality and integrity requirements. The application will run in a cloud environment and must support low-latency operations. The architect is considering cipher suites for TLS 1.3. Which combination of algorithms would best meet these requirements?

17. An organization is implementing a PKI to issue certificates for internal applications. The security team wants to minimize the risk of compromise to the root CA. Which of the following is the BEST practice to protect the root CA?

18. A company is migrating its internal services to use SSH key-based authentication instead of passwords. The security policy requires using the strongest supported algorithms. The SSH server supports the following key exchange algorithms: diffie-hellman-group14-sha256, ecdh-sha2-nistp384, curve25519-sha256. Which algorithm should the administrator choose to meet the policy?

19. A security auditor is reviewing the cryptographic controls of a financial application that processes transactions. The application uses digital signatures with RSA 4096 and SHA-256. The auditor recommends migrating to a stronger algorithm due to concerns about long-term security and quantum resistance. Which of the following would be the MOST appropriate replacement?

20. An organization is deploying a new IoT device that must securely update its firmware over the air (OTA). The device has limited processing power and memory. Which cryptographic solution would provide the BEST balance of security and performance for verifying firmware updates?

21. A security engineer is configuring a new web server to support TLS 1.3. The server must provide forward secrecy and support clients that may not have updated certificates frequently. Which of the following is a feature of TLS 1.3 that addresses these requirements?

22. An organization is implementing a Windows Hello for Business deployment to enable passwordless authentication. The solution uses TPM 2.0 for key storage. Which of the following TPM features ensures that the system has not been tampered with before the user authenticates?

23. A security architect is evaluating hardware security modules (HSMs) for a new PKI deployment. The HSM must be compliant with FIPS 140-2 Level 3. Which of the following is a requirement for Level 3 that distinguishes it from Level 2?

24. An enterprise is deploying a multi-factor authentication (MFA) solution. The security team requires a factor that is resistant to phishing and does not rely on shared secrets. Which of the following MFA types BEST meets this requirement?

25. A security administrator is configuring IPsec VPN between two sites. The data transmitted includes sensitive financial records. The administrator wants to ensure both confidentiality and integrity of the data, and also wants to authenticate the source. Which IPsec protocol and mode should be used?

26. An organization uses a PKI with a three-tier hierarchy: root CA, issuing CA, and registration authority. The root CA is kept offline. An intermediate CA certificate must be renewed. Which of the following is the correct process?

27. During a security assessment, a penetration tester discovers that a smart card used for authentication is vulnerable to a timing attack. The card uses a cryptographic algorithm that has data-dependent timing variations. Which of the following algorithms is MOST likely being used on the smart card?

28. A security architect is designing a just-in-time (JIT) privileged access management (PAM) solution. Which TWO of the following are key characteristics of JIT access?

29. A security engineer is hardening an SSH server. The policy requires disabling all legacy algorithms and using only modern, secure cryptography. Which THREE of the following configurations should the engineer apply?

30. An organization is planning to deploy digital certificates for various use cases. Which TWO of the following certificate types are typically used for email security?

31. A security architect is selecting a cipher suite for TLS 1.3 to ensure forward secrecy and high performance. Which cipher suite should be recommended?

32. A company wants to implement certificate pinning for its mobile app to prevent man-in-the-middle attacks. Which approach is most secure and maintainable?

33. During a PKI migration, the security team discovers that some internal clients do not support OCSP stapling but require online certificate status checking. Which alternative should be configured to minimize latency and ensure validity?

34. An organization is implementing SSH hardening for server access. Which configuration change most effectively reduces the attack surface against brute-force and credential theft?

35. A system administrator needs to securely store cryptographic keys and perform signing operations in a tamper-resistant hardware device. Which solution should be used?

36. A security analyst is investigating a potential side-channel attack on an IoT device. The device's cryptographic operations show variable execution times based on the key and plaintext. Which mitigation is most effective against timing attacks?

37. A PKI administrator is concerned about the risk of a compromised issuing CA. Which certificate transparency feature helps detect unauthorized certificate issuance?

38. An organization wants to implement passwordless authentication for its employees using FIDO2/WebAuthn. What is a primary security advantage of this approach over traditional password-based MFA?

39. Which hashing algorithm is recommended for modern applications requiring high security and resistance to quantum computing threats, and offers improved performance over SHA-2?

40. A security engineer is configuring IPsec VPN between two sites. The requirement is to encrypt the entire IP packet, including the original IP header. Which IPsec mode and protocol should be used?

41. An organization is deploying a just-in-time (JIT) privileged access management solution. What is a key benefit of JIT access compared to standing privileged accounts?

42. A company is implementing measured boot using TPM 2.0. What is the primary purpose of storing boot measurements in Platform Configuration Registers (PCRs)?

43. A security architect is designing a secure OTA update mechanism for IoT devices. Which TWO features are essential to ensure the integrity and authenticity of firmware updates?

44. An organization is planning to deploy a new internal CA hierarchy. Which THREE considerations are critical for ensuring the security and manageability of the PKI?

45. A company is implementing MFA for remote access. Which TWO factors are considered possession factors?

46. A security engineer is configuring a VPN between two sites and needs to ensure data confidentiality and integrity. Which IPsec mode and protocol combination should be used to encrypt the entire IP packet including the header?

47. An organization is implementing a hardware security module (HSM) to protect cryptographic keys used for code signing. The HSM is required to meet a government standard for physical security and tamper resistance. Which FIPS 140 security level must the HSM achieve to provide tamper-evident coatings and tamper response mechanisms?

48. A company is deploying a new authentication system that leverages FIDO2/WebAuthn. Security architects want to ensure that the private key never leaves the authenticator device. Which attack vector is mitigated by this approach?

49. A security administrator is configuring SSH for a jump host used to access critical servers. Which of the following is the most secure configuration option to restrict authentication and reduce the attack surface?

50. An IoT device manufacturer wants to ensure that firmware updates are authentic and have not been tampered with. The device has limited computational resources. Which cryptographic primitive is most appropriate for verifying the integrity and authenticity of firmware images?

51. An organization is implementing a PKI and wants to ensure that clients can quickly check if a certificate has been revoked without downloading a large list. Which protocol should be used?

52. A security architect is designing a secure boot process for a new line of embedded devices. The boot ROM loads the bootloader, which then loads the OS kernel. To ensure that only signed code is executed, which mechanism should the bootloader use to verify the kernel?

53. During a security audit, it was discovered that an application uses RSA with 1024-bit keys for encrypting sensitive data. The organization's security policy mandates a minimum of 128-bit symmetric equivalent security. Which of the following should be recommended as a replacement?

54. A company is implementing a privileged access management (PAM) solution to reduce the risk of standing privileges. Which feature allows users to request temporary elevated access for a specific task, which is automatically revoked after the task is completed?

55. A security team wants to implement a certificate pinning strategy for their mobile application to prevent man-in-the-middle attacks. Which of the following should be pinned in the application code?

56. An organization is moving to a passwordless authentication approach. They require a solution that supports hardware-based cryptographic authentication and is resistant to phishing. Which standard should they implement?

57. A security engineer is reviewing a TLS 1.3 configuration. Which of the following is a key feature of TLS 1.3 that improves security compared to earlier versions?

58. An organization is setting up a PKI with a three-tier hierarchy (root CA, issuing CA, and registration authority). Which TWO of the following are best practices for securing the root CA?

59. An IoT device uses a Trusted Platform Module (TPM) 2.0 for secure boot and attestation. Which THREE of the following functions does the TPM provide to support these security features?

60. A security assessor is evaluating an application that uses ChaCha20-Poly1305 for encryption. Which TWO of the following are true about this cryptographic algorithm?

61. A security architect is designing a VPN that requires both authentication and encryption. Which IPsec protocol provides both services in a single protocol?

62. An organization wants to implement a hardware root of trust for measuring system integrity at boot. Which technology should be used to store measurements in Platform Configuration Registers (PCRs) and support remote attestation?

63. A security engineer is configuring a web server to use TLS 1.3. Which feature of TLS 1.3 should be disabled to prevent replay attacks in 0-RTT mode?

64. A PKI administrator is deploying certificates for code signing. Which certificate type should be used to ensure that the signed code can be verified by clients without requiring a full chain validation?

65. An organization requires a cryptographic algorithm that provides both encryption and authentication in a single pass. Which algorithm should be selected?

66. A company is implementing a passwordless authentication solution using FIDO2/WebAuthn. What is the primary security advantage of this approach over traditional password-based authentication?

67. During a security assessment, an engineer discovers that a smartcard used for authentication is vulnerable to side-channel attacks. Which countermeasure would best mitigate power analysis attacks?

68. A company wants to ensure that a compromised root CA does not affect the validity of previously issued certificates. Which PKI control should be implemented?

69. Which key exchange algorithm provides perfect forward secrecy (PFS) and is recommended for use in TLS 1.3?

70. An IoT device manufacturer wants to ensure secure firmware updates. Which approach best protects against malicious firmware being installed on devices?

71. A security architect is designing a system that requires hardware-enforced isolation for sensitive computations. Which technology provides the strongest isolation by running code in a protected environment within the CPU?

72. A company is implementing a Privileged Access Management (PAM) solution to manage admin credentials. Which feature allows administrators to request temporary elevated access for a specific task?

73. A security engineer is hardening SSH server configuration. Which TWO options improve security? (Select TWO.)

74. An organization is deploying a new PKI and wants to ensure certificate revocation is performed efficiently. Which THREE methods should be implemented? (Select THREE.)

75. A company is evaluating multi-factor authentication methods. Which TWO are considered phishing-resistant? (Select TWO.)

76. A security architect is designing a new authentication system for a cloud-based application that requires strong multi-factor authentication. The solution must be resistant to phishing attacks and not rely on shared secrets. Which of the following is the BEST choice?

77. A company is deploying a new IoT device that must perform secure boot and verify the integrity of firmware updates. The device has limited processing power. Which cryptographic algorithm combination is MOST appropriate for verifying firmware signatures efficiently?

78. An organization is implementing a PKI hierarchy. The security team wants to ensure that if an issuing CA is compromised, the root CA remains unaffected and can revoke the issuing CA's certificate. Which of the following BEST describes the recommended architecture?

79. A network administrator needs to establish a secure VPN tunnel between two branch offices using IPsec. The requirement is to encrypt the entire IP packet, including the original IP header. Which IPsec mode should be used?

80. A security analyst is reviewing TLS 1.3 configuration for a web server. The analyst wants to ensure that the configuration provides forward secrecy and prevents the reuse of session keys. Which of the following is a characteristic of TLS 1.3 that supports these goals?

81. During a security audit, it was discovered that an HSM used for code signing is FIPS 140-2 Level 3 certified. The auditor is concerned about the key ceremony process. Which of the following is a required element of a secure key ceremony for an HSM at this level?

82. A company wants to implement certificate pinning for its mobile application to prevent man-in-the-middle attacks. Which of the following is the BEST practice when implementing certificate pinning?

83. An organization is concerned about side-channel attacks on its embedded devices. Which of the following is the MOST effective countermeasure against power analysis attacks?

84. A security engineer is configuring SSH for a jump host used to access critical servers. The engineer wants to restrict the cryptographic algorithms to the most secure options. Which of the following should be DISABLED?

85. Which of the following is a primary advantage of using ChaCha20-Poly1305 over AES-256-GCM in certain environments?

86. A company is deploying a just-in-time (JIT) privileged access management solution. Which of the following BEST describes a key security benefit of JIT access?

87. An organization uses a TPM 2.0 for measured boot and attestation. Which TPM feature ensures that the boot process has not been tampered with by measuring each component before it executes?

88. A security architect is designing a PKI for a large enterprise that issues certificates to thousands of users and devices. The architect wants to implement a mechanism to efficiently check certificate revocation status without requiring clients to download a full CRL. Which TWO technologies should be considered?

89. A company is migrating its legacy VPN to use IPsec with IKEv2. The security team wants to ensure the strongest possible security. Which THREE configuration options should be selected?

90. An IoT device manufacturer wants to ensure the security of over-the-air (OTA) firmware updates. Which TWO measures are essential to protect the update process?

91. A security engineer is configuring a TLS 1.3 connection between a web server and client. Which feature is unique to TLS 1.3 and provides reduced latency for returning clients?

92. An organization wants to implement passwordless authentication using FIDO2/WebAuthn. Which of the following best describes the primary security advantage of this approach over traditional password-based authentication?

93. A security architect is designing a PKI hierarchy for a large enterprise that issues certificates for internal users, devices, and code signing. Which of the following best practices should be implemented to minimize the impact of a CA compromise?

94. A company is deploying IoT sensors in a harsh environment. The sensors have limited processing power and memory. Which of the following cryptographic algorithms is most suitable for ensuring data confidentiality with minimal overhead?

95. During a security audit, it is discovered that a critical server uses SSH with password authentication and supports weak key exchange algorithms. Which of the following is the most effective hardening step to prevent brute-force attacks and ensure forward secrecy?

96. A security administrator is implementing TPM 2.0 for secure boot and measured boot on new laptops. Which TWO capabilities does TPM 2.0 provide that are directly related to ensuring the integrity of the boot process? (Select TWO.)

97. A security engineer is evaluating a new Hardware Security Module (HSM) for a financial application that requires FIPS 140-2 Level 3 compliance. Which TWO features are required for Level 3 validation? (Select TWO.)

98. An incident response team discovers that an attacker was able to forge a certificate for a legitimate domain. Which TWO mechanisms should the team implement to detect and prevent such misissuance in the future? (Select TWO.)

99. A company is designing a secure communication channel between two branch offices over the internet using IPsec. Which TWO statements are true regarding IPsec modes and protocols? (Select TWO.)

100. A security analyst is reviewing cryptographic implementations for a new application. The application needs to support digital signatures that are quantum-resistant and provide high performance. Which TWO algorithms should the analyst consider? (Select TWO.)

101. A company is implementing privileged access management (PAM) for its critical servers. Which THREE practices should be included to enhance security? (Select THREE.)

102. A security architect is designing a secure boot chain for an IoT device. Which THREE components are essential to ensure the integrity of the firmware update process? (Select THREE.)

103. During a penetration test, an assessor successfully exploits a timing side-channel attack to extract an ECDSA private key from a secure enclave. Which TWO mitigations should the development team implement to prevent such attacks? (Select TWO.)

Other CAS-004 exam domains

Scripting, Containers and Automation · Application Environment, Configuration and Security · Security Architecture · Security Operations · Governance, Risk, and Compliance · Governance, Risk and Compliance · Security Engineering

Frequently asked questions

What does the Security Engineering and Cryptography domain cover on the CAS-004 exam?

The Security Engineering and Cryptography domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.

How many Security Engineering and Cryptography questions are in the CAS-004 question bank?

The Courseiva CAS-004 question bank contains 103 questions in the Security Engineering and Cryptography domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Engineering and Cryptography for CAS-004?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Engineering and Cryptography questions for CAS-004?

Yes — the session launcher on this page draws questions exclusively from the Security Engineering and Cryptography domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
