Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Cryptography practice sets

SSCP Cryptography • Complete Question Bank

SSCP Cryptography — All Questions With Answers

Complete SSCP Cryptography question bank — all 0 questions with answers and detailed explanations.

51
Questions
Free
No signup
Certifications/SSCP/Practice Test/Cryptography/All Questions
Question 1easymultiple choice
Read the full Cryptography explanation →

A company wants to ensure that data transmitted between its two branch offices remains confidential. Which cryptographic goal is primarily being addressed?

Question 2mediummultiple choice
Read the full Cryptography explanation →

A security administrator needs to choose an encryption algorithm for a high-speed network where data is encrypted at the link layer. Which algorithm is most appropriate?

Question 3hardmultiple choice
Read the full Cryptography explanation →

A system administrator notices that a server's certificate was issued by a CA that is not in the trusted root store of client machines. What is the most likely impact on clients connecting via TLS?

Question 4easymultiple choice
Read the full NAT/PAT explanation →

When implementing a digital signature, which key is used to create the signature?

Question 5mediummultiple choice
Read the full Cryptography explanation →

A company's policy requires that all data at rest be encrypted. Which of the following is the most effective method to encrypt files on a laptop?

Question 6mediummulti select
Read the full Cryptography explanation →

Which TWO of the following are symmetric encryption algorithms? (Select exactly two.)

Question 7hardmulti select
Read the full Cryptography explanation →

Which THREE of the following are common use cases for public key infrastructure (PKI)? (Select exactly three.)

Question 8hardmultiple choice
Read the full Cryptography explanation →

Refer to the exhibit. An administrator runs an OpenSSL s_client command and receives the output shown. What is the most likely cause of the 'unable to get local issuer certificate' error?

Exhibit

Refer to the exhibit.

```
openssl s_client -connect server.example.com:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = Example Inc, CN = server.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Example Inc/CN=server.example.com
   i:/C=US/O=Example Root CA/CN=Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBxTCCAS0CAQAwDQYJKoZIhvcNAQELBQAwHzENMAsGA1UEAwwEUm9vdDEPMA0G
A1UEChMGVGVzdCBDQTAeFw0yNDAxMDEwMDAwMDBaFw0yNTAxMDEwMDAwMDBaMD8x
CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTYW4g
RnJhbmNpc2NvMQ0wCwYDVQQDDARUZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQC0Yj1J2K1F1L2y3Y4Z5X6Z7Q8a9b0c1d2e3f4g5h6i7j8k9l0m1n2o3p4
q5r6s7t8u9v0w1x2y3z4A5B6C7D8E9F0G1H2I3J4K5L6M7N8O9P0QCAwEAATAN
BgkqhkiG9w0BAQsFAAOBgQBmJ6k7L8P9Q0R1S2T3U4V5W6X7Y8Z9a0b1c2d3e4f5
g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v1w2x3y4z5A6B7C8D9E0F1G2H3I4J5K6L7
M8N9O0P1Q2R3S4T5U6V7W8X9Y0Z1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r
```
Question 9mediummultiple choice
Read the full VPN explanation →

Refer to the exhibit. A network engineer is configuring an IPsec VPN. Which protocol does this configuration apply to?

Exhibit

Refer to the exhibit.

```
# Security policy snippet
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
 lifetime 86400
```
Question 10hardmultiple choice
Read the full Cryptography explanation →

A mid-sized company has deployed a web application that handles sensitive customer data. The application uses TLS to encrypt data in transit. Recently, the company received a penetration test report indicating that an attacker could potentially downgrade the TLS connection to an older, weaker version (e.g., TLS 1.0) by performing a man-in-the-middle attack. The application server runs on Windows Server 2022 with IIS 10. The security team wants to disable all versions of TLS below 1.2 on the server. However, after making registry changes to disable TLS 1.0 and 1.1, some legacy clients that only support TLS 1.0 are unable to connect. The business requires that these legacy clients still be able to access the application securely, but the security team insists on disabling weak protocols. The server currently has a valid certificate from a public CA. Which of the following is the most appropriate course of action?

Question 11mediumdrag order
Read the full Cryptography explanation →

Drag and drop the steps for a typical TLS 1.3 handshake into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 12mediummatching
Read the full Cryptography explanation →

Match each disaster recovery site type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Fully operational, real-time replication

Partially configured, ready in hours

Empty facility, setup required

Portable unit with equipment

Question 13easymultiple choice
Read the full Cryptography explanation →

A security administrator needs to store sensitive customer data in a database. To protect the data at rest, which encryption method should be used?

Question 14easymultiple choice
Read the full Cryptography explanation →

An organization wants to ensure that a software update has not been tampered with during download. Which cryptographic technique should be used?

Question 15easymultiple choice
Read the full Cryptography explanation →

A security professional is implementing a solution to verify the authenticity of a digital certificate. Which component of a PKI is responsible for issuing and revoking certificates?

Question 16mediummultiple choice
Read the full Cryptography explanation →

A company deploys a web application that handles sensitive financial transactions. To protect data in transit, which protocol should be used?

Question 17mediummultiple choice
Read the full Cryptography explanation →

A system administrator is configuring a file encryption solution for a shared network drive. The solution must allow multiple users to read the files without sharing a single symmetric key. Which approach should be used?

Question 18mediummultiple choice
Read the full Cryptography explanation →

A security analyst reviews a cryptographic implementation and notices that the same initialization vector (IV) is used repeatedly with the same key in CBC mode. What is the primary risk?

Question 19hardmultiple choice
Read the full Cryptography explanation →

An organization wants to implement a cryptographic solution that ensures forward secrecy for its internal communications. Which key exchange method should be used?

Question 20hardmultiple choice
Read the full Cryptography explanation →

A security engineer is designing a system to store passwords securely. Which of the following is the most robust approach for password storage?

Question 21hardmultiple choice
Read the full Cryptography explanation →

An administrator notices that a certificate used for code signing is about to expire. The certificate is signed by a trusted root CA. What is the correct procedure to ensure continued trust?

Question 22mediummulti select
Read the full Cryptography explanation →

Which TWO factors are most critical when selecting a cryptographic algorithm for a government application?

Question 23easymulti select
Read the full Cryptography explanation →

Which THREE characteristics are important for a password hashing algorithm?

Question 24hardmulti select
Read the full Cryptography explanation →

Which THREE are security implications of using deprecated cryptographic protocols such as SSL 3.0 and TLS 1.0?

Question 25easymultiple choice
Read the full Cryptography explanation →

Refer to the exhibit. Which component of the cipher suite provides perfect forward secrecy?

Exhibit

Refer to the exhibit.
OpenSSL> s_client -connect example.com:443
...
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
...
Question 26mediummultiple choice
Read the full Cryptography explanation →

Refer to the exhibit. What is the purpose of the 'group 14' parameter in the IKEv2 proposal?

Exhibit

Refer to the exhibit.
! IPsec IKEv2 configuration
crypto ikev2 proposal 1
 encryption aes-cbc-256
 integrity sha-256
 group 14
!
Question 27hardmultiple choice
Read the full Cryptography explanation →

Refer to the exhibit. What is the most likely cause of this error?

Exhibit

Refer to the exhibit.
ERROR: Certificate verification failed - self-signed certificate in certificate chain
Question 28easymultiple choice
Read the full Cryptography explanation →

A company needs to encrypt large volumes of data at rest on a file server. Which type of cryptography is most appropriate for this task?

Question 29mediummultiple choice
Read the full Cryptography explanation →

An administrator reports that a TLS handshake fails between a web server and client. The server supports TLS 1.2 with ciphers ECDHE-RSA-AES128-GCM-SHA256 and RSA-AES256-CBC-SHA256. The client supports only TLS 1.0 with ciphers RSA-RC4-SHA and RSA-AES128-SHA. What is the most likely cause?

Question 30hardmultiple choice
Read the full Cryptography explanation →

A PKI administrator is designing a key management lifecycle for a high-security environment. Which practice is most critical for ensuring long-term security of asymmetric keys?

Question 31easymultiple choice
Read the full Cryptography explanation →

A security analyst needs to verify that a downloaded file has not been tampered with. The publisher provides a SHA-256 hash. Which property of the hash function is being relied upon?

Question 32mediummultiple choice
Read the full Cryptography explanation →

A software developer wants to ensure the authenticity and integrity of an API request but does not require non-repudiation. Which cryptographic method should be used?

Question 33hardmultiple choice
Read the full Cryptography explanation →

An organization implements a hybrid encryption scheme to secure sensitive emails. The email body is encrypted with AES-256, and the AES key is encrypted with RSA-2048. What is the primary advantage of this approach?

Question 34easymultiple choice
Read the full Cryptography explanation →

When using CBC mode encryption, what is the purpose of the initialization vector (IV)?

Question 35mediummultiple choice
Read the full Cryptography explanation →

A security team discovers that a legacy system uses ECB mode to encrypt credit card numbers. What is the primary security concern with this mode?

Question 36hardmultiple choice
Read the full Cryptography explanation →

In RSA, the public exponent e is often chosen as 65537. What is the primary reason for this choice?

Question 37mediummulti select
Read the full Cryptography explanation →

Which TWO of the following are required properties of a cryptographically secure hash function? (Select exactly 2.)

Question 38hardmulti select
Read the full Cryptography explanation →

Which THREE of the following are considered cryptographic best practices for key management? (Select exactly 3.)

Question 39easymulti select
Read the full Cryptography explanation →

Which TWO of the following are common weaknesses in cryptographic implementations that an SSCP should be aware of? (Select exactly 2.)

Question 40easymultiple choice
Read the full NAT/PAT explanation →

A company uses digital signatures to ensure the integrity and non-repudiation of internal contracts. The private key used for signing is stored in a hardware security module (HSM). A junior administrator asks why the HSM is necessary. What is the primary reason?

Question 41mediummultiple choice
Read the full Cryptography explanation →

A security analyst reviews the TLS configuration of a web server and notices that the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is enabled. The analyst recommends disabling RSA key exchange and enabling ECDHE. Which security property does ECDHE provide that RSA key exchange lacks?

Question 42hardmultiple choice
Read the full Cryptography explanation →

A company uses a cloud storage service that encrypts files with a key derived from the user's password (e.g., using PBKDF2). The security team recommends migrating to a separate key management service (KMS) that generates and manages encryption keys independently of user passwords. What is the most critical security advantage of using a KMS in this scenario?

Question 43mediummulti select
Read the full Cryptography explanation →

A company is implementing encryption for data at rest in a file server. Which TWO of the following algorithms are suitable for this purpose? (Select TWO.)

Question 44hardmulti select
Read the full Cryptography explanation →

A security auditor is reviewing the cryptographic algorithms used in an organization. Which THREE of the following are considered insecure or deprecated and should be avoided? (Select THREE.)

Question 45easymultiple choice
Read the full Cryptography explanation →

A small business with 20 employees uses a legacy customer relationship management (CRM) application that supports only RC4 encryption for data transmission between the client and server. The company must comply with a new industry regulation that mandates the use of strong encryption (e.g., AES or TLS 1.2+). The IT manager has attempted to upgrade the CRM application, but the vendor has discontinued support and no updates are available. The company cannot afford to replace the CRM immediately, but must achieve compliance within 60 days. The network consists of a single Windows Server 2016 running the CRM server application and 20 Windows 10 workstations. All systems are on a flat internal network. The IT manager proposes several options. Which action is the most appropriate to achieve compliance?

Question 46mediummultiple choice
Read the full Cryptography explanation →

A financial services firm with 500 servers and 2000 workstations uses an internal public key infrastructure (PKI) for authentication and secure communication. The root CA certificate is self-signed and stored on an offline root CA server. Recently, the root CA server was physically stolen from a locked data center. Although the server was encrypted, forensic analysis confirms that the root CA private key was extracted. The security team must immediately revoke trust in the compromised root CA and issue new certificates to all devices. The environment includes Active Directory and Group Policy. Which approach best ensures all systems trust the new CA hierarchy and obtain valid certificates with minimal disruption?

Question 47hardmultiple choice
Read the full NAT/PAT explanation →

A healthcare organization stores patient records in a database that is encrypted at rest using AES-256-CBC. The encryption key is stored in a plaintext configuration file on the database server, with file permissions set to read-only for the database service account and administrators. During an internal audit, the security team flags this as a critical vulnerability because the key is co-located with the encrypted data. The system administrator argues that the file permissions are sufficient to prevent unauthorized access. Separately, the organization must comply with HIPAA requirements for encryption key management. Which remediation most effectively addresses the vulnerability and meets compliance requirements?

Question 48easymultiple choice
Read the full Cryptography explanation →

An e-commerce company runs its web application on a Windows Server 2019 with IIS 10. The security team runs a vulnerability scan and discovers that the server supports TLS 1.0 and several CBC-mode cipher suites, which are prohibited by the company's security policy. The policy requires disabling all versions of TLS below 1.2 and all cipher suites that do not use GCM mode. The administrator needs to implement the required changes without affecting the application's functionality, as it still needs to support a small number of legacy clients that require TLS 1.2 but not CBC. Which action should the administrator take?

Question 49mediummulti select
Read the full Cryptography explanation →

Which TWO of the following cryptographic algorithms are considered secure for modern use?

Question 50hardmultiple choice
Read the full Cryptography explanation →

Based on the TLS connection output, what is a potential security vulnerability?

Exhibit

Refer to the exhibit.
openssl s_client -connect example.com:443
...
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt
   Signature Algorithm: sha1WithRSAEncryption
...
Cipher    : ECDHE-RSA-AES128-GCM-SHA256
Question 51easymultiple choice
Read the full NAT/PAT explanation →

A company has deployed an internal public key infrastructure (PKI) using Microsoft Active Directory Certificate Services (AD CS) to issue certificates for internal web servers. The certificate policy requires RSA 2048-bit keys and SHA-256 hashing. During a routine security audit, the administrator discovers that several web server certificates issued by the internal CA are using SHA-1 signatures. The CA is configured with a default Web Server certificate template. The administrator wants to ensure that all future certificates from this CA use SHA-256 as the hash algorithm. What is the most effective and secure course of action?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

SSCP Practice Test 1 — 10 Questions→SSCP Practice Test 2 — 10 Questions→SSCP Practice Test 3 — 10 Questions→SSCP Practice Test 4 — 10 Questions→SSCP Practice Test 5 — 10 Questions→SSCP Practice Exam 1 — 20 Questions→SSCP Practice Exam 2 — 20 Questions→SSCP Practice Exam 3 — 20 Questions→SSCP Practice Exam 4 — 20 Questions→Free SSCP Practice Test 1 — 30 Questions→Free SSCP Practice Test 2 — 30 Questions→Free SSCP Practice Test 3 — 30 Questions→SSCP Practice Questions 1 — 50 Questions→SSCP Practice Questions 2 — 50 Questions→SSCP Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Risk Identification, Monitoring and AnalysisNetwork and Communications SecuritySystems and Application SecuritySecurity Operations and AdministrationIncident Response and RecoveryAccess ControlsCryptography

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Cryptography setsAll Cryptography questionsSSCP Practice Hub