Practice CAS-004 Security Engineering and Cryptography questions with full explanations on every answer.
1. A security architect is designing a new authentication system for a high-security environment. The system must support passwordless authentication while providing strong protection against phishing attacks. Which of the following protocols best meets these requirements?
2. A security engineer is reviewing a PKI deployment where the root CA is kept offline. The issuing CA signs certificates for internal applications. Recently, a subordinate CA was compromised, and the engineer needs to revoke all certificates issued by that CA. Which of the following is the most efficient method to revoke these certificates?
3. A company requires a cryptographic hash function for integrity verification of large files. The solution must be resistant to length extension attacks and provide high performance. Which of the following is the best choice?
4. An organization is implementing IPsec VPNs between sites. The security team wants to ensure data integrity and authentication but is less concerned about confidentiality for this particular link. Which IPsec protocol and mode should they use?
5. A security analyst is configuring a TPM 2.0 for a new fleet of laptops. The requirement is to ensure that only authorized operating systems can boot and that any tampering with the boot process is detected. Which TPM feature should be used?
6. An organization wants to implement a privileged access management (PAM) solution to manage administrative credentials. They require that administrators request temporary access to privileged accounts and that these credentials are automatically rotated after each use. Which PAM approach best meets these requirements?
7. A web server is configured to use TLS 1.3. Which of the following is a key security benefit of TLS 1.3 over earlier versions?
8. A security engineer is selecting an asymmetric encryption algorithm for a system that must provide non-repudiation and long-term security (at least 20 years). The system has limited computational resources. Which of the following is the best choice?
9. A company is deploying IoT sensors that require secure firmware updates over the air (OTA). To ensure integrity and authenticity of the firmware, which of the following should be implemented?
10. Which of the following certificate types is most appropriate for an organization that needs to validate the identity of individuals for email encryption and signing?
11. During a security assessment, an analyst discovers that an HSM used for key generation is FIPS 140-2 Level 2 compliant. The organization requires a higher level of physical security to prevent tampering. Which upgrade would best address this requirement?
12. A security administrator is hardening SSH access to a jump host. The requirement is to allow only key-based authentication and restrict the use of weak cryptographic algorithms. Which of the following configurations accomplishes this?
13. An organization is implementing a PKI with a three-tier hierarchy (root CA, intermediate CA, issuing CA). The security team wants to ensure that certificate revocation information is available quickly and efficiently. Which TWO mechanisms should they implement? (Select TWO.)
14. A company is migrating from RSA to elliptic curve cryptography for digital signatures. They require a signature algorithm that provides at least 128 bits of security strength and is resistant to quantum computing attacks in the foreseeable future. Which TWO algorithms meet these requirements? (Select TWO.)
15. A security engineer is evaluating hardware security modules (HSMs) for key management. The HSM must support key generation, storage, and cryptographic operations without exposing private keys. Additionally, the solution must comply with FIPS 140-2 Level 3. Which THREE features are essential for this requirement? (Select THREE.)
16. A security architect is designing a new web application that must meet strict data confidentiality and integrity requirements. The application will run in a cloud environment and must support low-latency operations. The architect is considering cipher suites for TLS 1.3. Which combination of algorithms would best meet these requirements?
17. An organization is implementing a PKI to issue certificates for internal applications. The security team wants to minimize the risk of compromise to the root CA. Which of the following is the BEST practice to protect the root CA?
18. A company is migrating its internal services to use SSH key-based authentication instead of passwords. The security policy requires using the strongest supported algorithms. The SSH server supports the following key exchange algorithms: diffie-hellman-group14-sha256, ecdh-sha2-nistp384, curve25519-sha256. Which algorithm should the administrator choose to meet the policy?
19. A security auditor is reviewing the cryptographic controls of a financial application that processes transactions. The application uses digital signatures with RSA 4096 and SHA-256. The auditor recommends migrating to a stronger algorithm due to concerns about long-term security and quantum resistance. Which of the following would be the MOST appropriate replacement?
20. An organization is deploying a new IoT device that must securely update its firmware over the air (OTA). The device has limited processing power and memory. Which cryptographic solution would provide the BEST balance of security and performance for verifying firmware updates?
21. A security engineer is configuring a new web server to support TLS 1.3. The server must provide forward secrecy and support clients that may not have updated certificates frequently. Which of the following is a feature of TLS 1.3 that addresses these requirements?
22. An organization is implementing a Windows Hello for Business deployment to enable passwordless authentication. The solution uses TPM 2.0 for key storage. Which of the following TPM features ensures that the system has not been tampered with before the user authenticates?
23. A security architect is evaluating hardware security modules (HSMs) for a new PKI deployment. The HSM must be compliant with FIPS 140-2 Level 3. Which of the following is a requirement for Level 3 that distinguishes it from Level 2?
24. An enterprise is deploying a multi-factor authentication (MFA) solution. The security team requires a factor that is resistant to phishing and does not rely on shared secrets. Which of the following MFA types BEST meets this requirement?
25. A security administrator is configuring IPsec VPN between two sites. The data transmitted includes sensitive financial records. The administrator wants to ensure both confidentiality and integrity of the data, and also wants to authenticate the source. Which IPsec protocol and mode should be used?
26. An organization uses a PKI with a three-tier hierarchy: root CA, issuing CA, and registration authority. The root CA is kept offline. An intermediate CA certificate must be renewed. Which of the following is the correct process?
27. During a security assessment, a penetration tester discovers that a smart card used for authentication is vulnerable to a timing attack. The card uses a cryptographic algorithm that has data-dependent timing variations. Which of the following algorithms is MOST likely being used on the smart card?
28. A security architect is designing a just-in-time (JIT) privileged access management (PAM) solution. Which TWO of the following are key characteristics of JIT access?
29. A security engineer is hardening an SSH server. The policy requires disabling all legacy algorithms and using only modern, secure cryptography. Which THREE of the following configurations should the engineer apply?
30. An organization is planning to deploy digital certificates for various use cases. Which TWO of the following certificate types are typically used for email security?
31. A security architect is selecting a cipher suite for TLS 1.3 to ensure forward secrecy and high performance. Which cipher suite should be recommended?
32. A company wants to implement certificate pinning for its mobile app to prevent man-in-the-middle attacks. Which approach is most secure and maintainable?
33. During a PKI migration, the security team discovers that some internal clients do not support OCSP stapling but require online certificate status checking. Which alternative should be configured to minimize latency and ensure validity?
34. An organization is implementing SSH hardening for server access. Which configuration change most effectively reduces the attack surface against brute-force and credential theft?
35. A system administrator needs to securely store cryptographic keys and perform signing operations in a tamper-resistant hardware device. Which solution should be used?
36. A security analyst is investigating a potential side-channel attack on an IoT device. The device's cryptographic operations show variable execution times based on the key and plaintext. Which mitigation is most effective against timing attacks?
37. A PKI administrator is concerned about the risk of a compromised issuing CA. Which certificate transparency feature helps detect unauthorized certificate issuance?
38. An organization wants to implement passwordless authentication for its employees using FIDO2/WebAuthn. What is a primary security advantage of this approach over traditional password-based MFA?
39. Which hashing algorithm is recommended for modern applications requiring high security and resistance to quantum computing threats, and offers improved performance over SHA-2?
40. A security engineer is configuring IPsec VPN between two sites. The requirement is to encrypt the entire IP packet, including the original IP header. Which IPsec mode and protocol should be used?
41. An organization is deploying a just-in-time (JIT) privileged access management solution. What is a key benefit of JIT access compared to standing privileged accounts?
42. A company is implementing measured boot using TPM 2.0. What is the primary purpose of storing boot measurements in Platform Configuration Registers (PCRs)?
43. A security architect is designing a secure OTA update mechanism for IoT devices. Which TWO features are essential to ensure the integrity and authenticity of firmware updates?
44. An organization is planning to deploy a new internal CA hierarchy. Which THREE considerations are critical for ensuring the security and manageability of the PKI?
45. A company is implementing MFA for remote access. Which TWO factors are considered possession factors?
46. A security engineer is configuring a VPN between two sites and needs to ensure data confidentiality and integrity. Which IPsec mode and protocol combination should be used to encrypt the entire IP packet including the header?
47. An organization is implementing a hardware security module (HSM) to protect cryptographic keys used for code signing. The HSM is required to meet a government standard for physical security and tamper resistance. Which FIPS 140 security level must the HSM achieve to provide tamper-evident coatings and tamper response mechanisms?
48. A company is deploying a new authentication system that leverages FIDO2/WebAuthn. Security architects want to ensure that the private key never leaves the authenticator device. Which attack vector is mitigated by this approach?
49. A security administrator is configuring SSH for a jump host used to access critical servers. Which of the following is the most secure configuration option to restrict authentication and reduce the attack surface?
50. An IoT device manufacturer wants to ensure that firmware updates are authentic and have not been tampered with. The device has limited computational resources. Which cryptographic primitive is most appropriate for verifying the integrity and authenticity of firmware images?
51. An organization is implementing a PKI and wants to ensure that clients can quickly check if a certificate has been revoked without downloading a large list. Which protocol should be used?
52. A security architect is designing a secure boot process for a new line of embedded devices. The boot ROM loads the bootloader, which then loads the OS kernel. To ensure that only signed code is executed, which mechanism should the bootloader use to verify the kernel?
53. During a security audit, it was discovered that an application uses RSA with 1024-bit keys for encrypting sensitive data. The organization's security policy mandates a minimum of 128-bit symmetric equivalent security. Which of the following should be recommended as a replacement?
54. A company is implementing a privileged access management (PAM) solution to reduce the risk of standing privileges. Which feature allows users to request temporary elevated access for a specific task, which is automatically revoked after the task is completed?
55. A security team wants to implement a certificate pinning strategy for their mobile application to prevent man-in-the-middle attacks. Which of the following should be pinned in the application code?
56. An organization is moving to a passwordless authentication approach. They require a solution that supports hardware-based cryptographic authentication and is resistant to phishing. Which standard should they implement?
57. A security engineer is reviewing a TLS 1.3 configuration. Which of the following is a key feature of TLS 1.3 that improves security compared to earlier versions?
58. An organization is setting up a PKI with a three-tier hierarchy (root CA, issuing CA, and registration authority). Which TWO of the following are best practices for securing the root CA?
59. An IoT device uses a Trusted Platform Module (TPM) 2.0 for secure boot and attestation. Which THREE of the following functions does the TPM provide to support these security features?
60. A security assessor is evaluating an application that uses ChaCha20-Poly1305 for encryption. Which TWO of the following are true about this cryptographic algorithm?
61. A security architect is designing a VPN that requires both authentication and encryption. Which IPsec protocol provides both services in a single protocol?
62. An organization wants to implement a hardware root of trust for measuring system integrity at boot. Which technology should be used to store measurements in Platform Configuration Registers (PCRs) and support remote attestation?
63. A security engineer is configuring a web server to use TLS 1.3. Which feature of TLS 1.3 should be disabled to prevent replay attacks in 0-RTT mode?
64. A PKI administrator is deploying certificates for code signing. Which certificate type should be used to ensure that the signed code can be verified by clients without requiring a full chain validation?
65. An organization requires a cryptographic algorithm that provides both encryption and authentication in a single pass. Which algorithm should be selected?
66. A company is implementing a passwordless authentication solution using FIDO2/WebAuthn. What is the primary security advantage of this approach over traditional password-based authentication?
67. During a security assessment, an engineer discovers that a smartcard used for authentication is vulnerable to side-channel attacks. Which countermeasure would best mitigate power analysis attacks?
68. A company wants to ensure that a compromised root CA does not affect the validity of previously issued certificates. Which PKI control should be implemented?
69. Which key exchange algorithm provides perfect forward secrecy (PFS) and is recommended for use in TLS 1.3?
70. An IoT device manufacturer wants to ensure secure firmware updates. Which approach best protects against malicious firmware being installed on devices?
71. A security architect is designing a system that requires hardware-enforced isolation for sensitive computations. Which technology provides the strongest isolation by running code in a protected environment within the CPU?
72. A company is implementing a Privileged Access Management (PAM) solution to manage admin credentials. Which feature allows administrators to request temporary elevated access for a specific task?
73. A security engineer is hardening SSH server configuration. Which TWO options improve security? (Select TWO.)
74. An organization is deploying a new PKI and wants to ensure certificate revocation is performed efficiently. Which THREE methods should be implemented? (Select THREE.)
75. A company is evaluating multi-factor authentication methods. Which TWO are considered phishing-resistant? (Select TWO.)
76. A security architect is designing a new authentication system for a cloud-based application that requires strong multi-factor authentication. The solution must be resistant to phishing attacks and not rely on shared secrets. Which of the following is the BEST choice?
77. A company is deploying a new IoT device that must perform secure boot and verify the integrity of firmware updates. The device has limited processing power. Which cryptographic algorithm combination is MOST appropriate for verifying firmware signatures efficiently?
78. An organization is implementing a PKI hierarchy. The security team wants to ensure that if an issuing CA is compromised, the root CA remains unaffected and can revoke the issuing CA's certificate. Which of the following BEST describes the recommended architecture?
79. A network administrator needs to establish a secure VPN tunnel between two branch offices using IPsec. The requirement is to encrypt the entire IP packet, including the original IP header. Which IPsec mode should be used?
80. A security analyst is reviewing TLS 1.3 configuration for a web server. The analyst wants to ensure that the configuration provides forward secrecy and prevents the reuse of session keys. Which of the following is a characteristic of TLS 1.3 that supports these goals?
81. During a security audit, it was discovered that an HSM used for code signing is FIPS 140-2 Level 3 certified. The auditor is concerned about the key ceremony process. Which of the following is a required element of a secure key ceremony for an HSM at this level?
82. A company wants to implement certificate pinning for its mobile application to prevent man-in-the-middle attacks. Which of the following is the BEST practice when implementing certificate pinning?
83. An organization is concerned about side-channel attacks on its embedded devices. Which of the following is the MOST effective countermeasure against power analysis attacks?
84. A security engineer is configuring SSH for a jump host used to access critical servers. The engineer wants to restrict the cryptographic algorithms to the most secure options. Which of the following should be DISABLED?
85. Which of the following is a primary advantage of using ChaCha20-Poly1305 over AES-256-GCM in certain environments?
86. A company is deploying a just-in-time (JIT) privileged access management solution. Which of the following BEST describes a key security benefit of JIT access?
87. An organization uses a TPM 2.0 for measured boot and attestation. Which TPM feature ensures that the boot process has not been tampered with by measuring each component before it executes?
88. A security architect is designing a PKI for a large enterprise that issues certificates to thousands of users and devices. The architect wants to implement a mechanism to efficiently check certificate revocation status without requiring clients to download a full CRL. Which TWO technologies should be considered?
89. A company is migrating its legacy VPN to use IPsec with IKEv2. The security team wants to ensure the strongest possible security. Which THREE configuration options should be selected?
90. An IoT device manufacturer wants to ensure the security of over-the-air (OTA) firmware updates. Which TWO measures are essential to protect the update process?
91. A security engineer is configuring a TLS 1.3 connection between a web server and client. Which feature is unique to TLS 1.3 and provides reduced latency for returning clients?
92. An organization wants to implement passwordless authentication using FIDO2/WebAuthn. Which of the following best describes the primary security advantage of this approach over traditional password-based authentication?
93. A security architect is designing a PKI hierarchy for a large enterprise that issues certificates for internal users, devices, and code signing. Which of the following best practices should be implemented to minimize the impact of a CA compromise?
94. A company is deploying IoT sensors in a harsh environment. The sensors have limited processing power and memory. Which of the following cryptographic algorithms is most suitable for ensuring data confidentiality with minimal overhead?
95. During a security audit, it is discovered that a critical server uses SSH with password authentication and supports weak key exchange algorithms. Which of the following is the most effective hardening step to prevent brute-force attacks and ensure forward secrecy?
96. A security administrator is implementing TPM 2.0 for secure boot and measured boot on new laptops. Which TWO capabilities does TPM 2.0 provide that are directly related to ensuring the integrity of the boot process? (Select TWO.)
97. A security engineer is evaluating a new Hardware Security Module (HSM) for a financial application that requires FIPS 140-2 Level 3 compliance. Which TWO features are required for Level 3 validation? (Select TWO.)
98. An incident response team discovers that an attacker was able to forge a certificate for a legitimate domain. Which TWO mechanisms should the team implement to detect and prevent such misissuance in the future? (Select TWO.)
99. A company is designing a secure communication channel between two branch offices over the internet using IPsec. Which TWO statements are true regarding IPsec modes and protocols? (Select TWO.)
100. A security analyst is reviewing cryptographic implementations for a new application. The application needs to support digital signatures that are quantum-resistant and provide high performance. Which TWO algorithms should the analyst consider? (Select TWO.)
101. A company is implementing privileged access management (PAM) for its critical servers. Which THREE practices should be included to enhance security? (Select THREE.)
102. A security architect is designing a secure boot chain for an IoT device. Which THREE components are essential to ensure the integrity of the firmware update process? (Select THREE.)
103. During a penetration test, an assessor successfully exploits a timing side-channel attack to extract an ECDSA private key from a secure enclave. Which TWO mitigations should the development team implement to prevent such attacks? (Select TWO.)
The Security Engineering and Cryptography domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.
The Courseiva CAS-004 question bank contains 103 questions in the Security Engineering and Cryptography domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Engineering and Cryptography domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.