Practice SSCP Cryptography questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A security analyst is recommending a symmetric encryption algorithm for a new application that requires both confidentiality and authentication. Which algorithm and mode combination should they select?
2. An organization is implementing a digital signature solution to ensure non-repudiation of documents. Which combination of keys is used during the signing process?
3. A company is deploying a VPN using IPsec. They want to ensure that even if the private key of the server is compromised, past session keys cannot be derived. Which key exchange method should they use?
4. A security administrator is configuring a web server to use TLS. They want to optimize performance while maintaining strong security. Which cipher suite should they prioritize?
5. Which of the following hash algorithms is considered cryptographically broken and should be avoided due to collision attacks?
6. An organization uses a PKI with a root CA that issues certificates to intermediate CAs, which then issue end-entity certificates. A client receives an end-entity certificate signed by an intermediate CA. During validation, which certificates are required to build the chain of trust?
7. A security engineer needs to choose an asymmetric algorithm for a system with limited computational resources, such as an IoT device. The algorithm must provide equivalent security to RSA 2048-bit while using smaller key sizes. Which algorithm should they choose?
8. A security auditor reviews a system that uses HMAC-SHA256 for message authentication. Which property does HMAC provide that a simple hash of the message does not?
9. Which of the following is a secure protocol for remote administration of a server, replacing insecure protocols like Telnet?
10. A company wants to implement a key management system. They need to generate cryptographic keys that are unpredictable. Which source of randomness should be used?
11. A certificate authority (CA) issues a certificate with the extended key usage (EKU) extension specifying 'serverAuth'. Which of the following is this certificate allowed to do?
12. Which of the following is a method to check the revocation status of a digital certificate in real-time without the client downloading a full list?
13. A security team is evaluating hashing algorithms for use in a new system. Which of the following are considered currently secure for general use? (Select TWO)
14. An organization is designing a secure email system using S/MIME. Which of the following are essential components of the PKI that must be in place? (Select THREE)
15. A company is migrating from 3DES to a modern encryption algorithm. Which of the following are acceptable choices? (Select TWO)
16. An organization is migrating from 3DES to AES-256 for encrypting data at rest. Which mode of AES is recommended for authenticated encryption?
17. A security analyst is reviewing a digital signature implementation. The signer uses their private key to encrypt the hash of a message. What does the recipient use to verify the signature?
18. Which of the following is a secure hash algorithm currently recommended by NIST?
19. An organization is configuring a VPN using IPsec. To ensure forward secrecy, which key exchange method should be used?
20. A company is implementing a PKI for internal use. What is the primary purpose of a Certificate Revocation List (CRL)?
21. An analyst is comparing symmetric and asymmetric encryption. Which statement accurately describes a typical use case?
22. Which of the following is a secure alternative to RC4 for stream ciphers?
23. A security engineer is designing a system that requires non-repudiation of data origin. Which cryptographic technique should be used?
24. Which of the following best describes the purpose of a Hardware Security Module (HSM) in key management?
25. An organization is planning to implement ECC for digital signatures. Which key size provides a security level equivalent to a 3072-bit RSA key?
26. Which protocol is used to provide secure remote shell access and replace Telnet?
27. In a PKI, what is the role of the root Certificate Authority (CA)?
28. A security administrator is evaluating encryption protocols for email communication. Which of the following protocols can secure email in transit? (Select TWO)
29. Which of the following are considered secure cryptographic practices for key management? (Select THREE)
30. An organization wants to implement a hashing algorithm for integrity checks. Which of the following should be avoided due to known vulnerabilities? (Select TWO)
31. Which of the following encryption algorithms is classified as a symmetric block cipher and is the current standard recommended by NIST, supporting key sizes of 128, 192, and 256 bits?
32. A security analyst is evaluating encryption modes for a new system that requires authenticated encryption to ensure both confidentiality and integrity of data in transit. Which AES mode should the analyst recommend?
33. An organization is moving away from legacy encryption and wants to avoid stream ciphers due to known vulnerabilities. Which of the following algorithms should be avoided because it is a stream cipher with known weaknesses like the BEAST attack?
34. A security engineer is implementing a digital signature scheme to ensure non-repudiation. Which process correctly describes how a digital signature is created and verified?
35. Which of the following is a cryptographic hash function that is considered cryptographically broken due to collision attacks and should not be used for security purposes?
36. An organization wants to implement a key exchange mechanism that provides forward secrecy. Which of the following should be used?
37. A PKI administrator needs to check the revocation status of a digital certificate without requiring the client to download the entire CRL. Which method is designed for online, real-time certificate status checking?
38. What is the minimum recommended RSA key size for secure use as of current best practices?
39. Which of the following protocols is used to securely transfer files over SSH and is considered a replacement for FTP?
40. In X.509 certificate format, which field is used to specify the fully qualified domain name(s) for which the certificate is valid?
41. A security professional is designing a key management system and needs to ensure that keys are generated using a truly random source. Which of the following is the most appropriate method for generating cryptographic keys?
42. Which of the following best describes the difference between HMAC and a simple hash function like SHA-256 when used for message authentication?
43. A security team is implementing a PKI for a large enterprise. Which TWO of the following are commonly used methods for certificate revocation checking? (Select TWO.)
44. A company is selecting a cryptographic algorithm for digital signatures. Which THREE of the following algorithms can be used for digital signatures? (Select THREE.)
45. Which TWO of the following are considered secure cryptographic hash functions as of current standards? (Select TWO.)
46. A security analyst is evaluating the cryptographic settings for a new application that requires both confidentiality and integrity for data in transit. The analyst needs to choose a symmetric cipher that provides authenticated encryption. Which of the following is the best choice?
47. A security engineer is designing a key management system for a large enterprise. Which two of the following practices are essential for securing cryptographic keys throughout their lifecycle?
48. An organization is implementing a digital signature solution to ensure non-repudiation and integrity of documents. Which three of the following are true regarding digital signatures?
49. A company is upgrading its legacy systems to use modern cryptographic standards. Which two of the following algorithms should be avoided due to known weaknesses or deprecation?
50. A security administrator is setting up a public key infrastructure (PKI) for internal use. Which two of the following components are essential for establishing a chain of trust from the root CA to end-entity certificates?
The Cryptography domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.
The Courseiva SSCP question bank contains 50 questions in the Cryptography domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Cryptography domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.