CCNA Cryptography Questions

50 questions · Cryptography · All types, answers revealed

1
Multi-Selectmedium

A security team is implementing a PKI for a large enterprise. Which TWO of the following are commonly used methods for certificate revocation checking? (Select TWO.)

Select 2 answers
A.Certificate Signing Request (CSR)
B.Online Certificate Status Protocol (OCSP)
C.Certificate Revocation List (CRL)
D.Key Escrow
E.Digital Signature Algorithm (DSA)
AnswersB, C

OCSP provides real-time status.

Why this answer

CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) are the two primary methods.

2
MCQmedium

A company is deploying a VPN using IPsec. They want to ensure that even if the private key of the server is compromised, past session keys cannot be derived. Which key exchange method should they use?

A.Pre-shared key (PSK)
B.RSA key exchange
C.Ephemeral Diffie-Hellman (DHE or ECDHE)
D.Diffie-Hellman with static keys
AnswerC

Ephemeral key exchange ensures that session keys are temporary and not linked to long-term keys.

Why this answer

Ephemeral Diffie-Hellman (DHE or ECDHE) provides perfect forward secrecy (PFS) because it generates a unique, temporary session key for each session using ephemeral key pairs. Even if the server's long-term private key is compromised, past session keys cannot be derived because they were created from ephemeral keys that are discarded after each session. This ensures that historical encrypted traffic remains secure.

Exam trap

The trap here is that candidates confuse authentication with key exchange, assuming that RSA or static DH provides PFS because they involve public-key cryptography, but only ephemeral DH ensures that session keys are not derived from long-term secrets.

How to eliminate wrong answers

Option A is wrong because pre-shared keys (PSK) are static and do not provide PFS; if the PSK is compromised, all past session keys can be derived. Option B is wrong because RSA key exchange uses the server's static private key to encrypt the session key, so compromising that private key allows decryption of all past session keys. Option D is wrong because Diffie-Hellman with static keys uses long-term Diffie-Hellman keys that do not change per session, so compromising the static private key enables recovery of all past session keys.

3
MCQmedium

An organization is migrating from 3DES to AES-256 for encrypting data at rest. Which mode of AES is recommended for authenticated encryption?

A.ECB
B.GCM
C.CBC
D.CTR
AnswerB

GCM combines CTR mode with authentication tags, providing both confidentiality and integrity.

Why this answer

GCM (Galois/Counter Mode) is the correct choice because it provides both confidentiality and authenticity in a single, efficient mode. For data at rest, authenticated encryption ensures that encrypted data cannot be tampered with undetected, which is critical for integrity. AES-256-GCM is widely recommended and standardized (NIST SP 800-38D) for this purpose.

Exam trap

Cisco often tests the misconception that any mode providing confidentiality (like CBC or CTR) is sufficient for secure encryption, but the trap here is that authenticated encryption specifically requires a mode that also guarantees integrity, which only GCM (or CCM) provides among the listed options.

How to eliminate wrong answers

Option A is wrong because ECB (Electronic Codebook) mode encrypts each block independently, producing identical ciphertext for identical plaintext blocks, which leaks patterns and provides no authentication. Option C is wrong because CBC (Cipher Block Chaining) mode provides only confidentiality, not authentication; it requires a separate MAC (e.g., HMAC) to achieve authenticated encryption, and it is vulnerable to padding oracle attacks if not implemented carefully. Option D is wrong because CTR (Counter) mode provides only confidentiality and no integrity protection; it is a stream cipher mode that can be combined with a MAC but does not itself offer authenticated encryption.

4
MCQmedium

Which of the following protocols is used to securely transfer files over SSH and is considered a replacement for FTP?

A.IPsec
B.HTTPS
C.SFTP
D.SMTPS
AnswerC

SFTP is correct.

Why this answer

SFTP (SSH File Transfer Protocol) provides secure file transfer over SSH.

5
MCQmedium

An organization is implementing a digital signature solution to ensure non-repudiation of documents. Which combination of keys is used during the signing process?

A.Recipient's public key to sign, recipient's private key to verify
B.Sender's private key to sign, sender's public key to verify
C.Sender's public key to sign, recipient's private key to verify
D.A shared symmetric key for both signing and verification
AnswerB

The private key creates the signature, and the corresponding public key verifies it.

Why this answer

Digital signatures use asymmetric cryptography where the sender creates a signature with their private key, and the recipient verifies it with the sender's public key. This ensures non-repudiation because only the sender possesses their private key, so they cannot deny having signed the document. The process typically involves hashing the document and encrypting the hash with the sender's private key.

Exam trap

Cisco often tests the misconception that signing uses a public key or that verification uses a private key, leading candidates to confuse the roles of keys in encryption versus signing.

How to eliminate wrong answers

Option A is wrong because the recipient's public key is used for encrypting messages to the recipient, not for signing; signing requires the sender's private key, and verification uses the sender's public key, not the recipient's private key. Option C is wrong because the sender's public key cannot sign (signing requires a private key), and the recipient's private key is never used for verification of a sender's signature. Option D is wrong because symmetric keys do not provide non-repudiation; they are shared secrets and cannot uniquely tie a signature to a single sender, as both parties possess the same key.

6
MCQhard

A certificate authority (CA) issues a certificate with the extended key usage (EKU) extension specifying 'serverAuth'. Which of the following is this certificate allowed to do?

A.Encrypt email
B.Authenticate a TLS server
C.Sign code
D.Issue subordinate CA certificates
AnswerB

The serverAuth EKU is specifically for TLS server authentication.

Why this answer

The Extended Key Usage (EKU) extension specifies the intended purpose of a certificate. The 'serverAuth' OID (1.3.6.1.5.5.7.3.1) explicitly permits the certificate to be used for authenticating a TLS server during the SSL/TLS handshake, such as in HTTPS. This is defined in RFC 5280 and is enforced by TLS clients to ensure the certificate is used only for its designated purpose.

Exam trap

Cisco often tests the misconception that any certificate can be used for any purpose, but the trap here is that the EKU extension strictly limits the certificate's intended use, and candidates must know the specific OIDs and their mappings to common tasks like server authentication, email encryption, and code signing.

How to eliminate wrong answers

Option A is wrong because encrypting email requires the 'emailProtection' EKU (1.3.6.1.5.5.7.3.4), not 'serverAuth'. Option C is wrong because signing code requires the 'codeSigning' EKU (1.3.6.1.5.5.7.3.3), which is a separate purpose. Option D is wrong because issuing subordinate CA certificates requires the 'keyCertSign' key usage extension and often the 'CA:TRUE' basic constraint, not the 'serverAuth' EKU; 'serverAuth' is for end-entity certificates, not for CA certificates.

7
MCQmedium

An organization wants to implement a key exchange mechanism that provides forward secrecy. Which of the following should be used?

A.Pre-shared key
B.Ephemeral Diffie-Hellman
C.RSA key exchange
D.Static Diffie-Hellman
AnswerB

Ephemeral DH provides forward secrecy.

Why this answer

Ephemeral Diffie-Hellman (DHE or ECDHE) provides forward secrecy because the session keys are ephemeral and not derived from long-term keys.

8
MCQhard

An organization is configuring a VPN using IPsec. To ensure forward secrecy, which key exchange method should be used?

A.Ephemeral Diffie-Hellman (DHE or ECDHE)
B.RSA key exchange
C.Pre-shared key (PSK)
D.Static Diffie-Hellman
AnswerA

Ephemeral DH generates new key pairs for each session, so compromise of long-term keys does not expose past session keys.

Why this answer

Ephemeral Diffie-Hellman (DHE or ECDHE) provides forward secrecy because it generates a temporary, one-time key pair for each session. If the long-term private key is compromised, past session keys cannot be derived, as the ephemeral keys are discarded after use. This ensures that even if an attacker records encrypted traffic and later obtains the private key, they cannot decrypt past sessions.

Exam trap

The trap here is that candidates often confuse 'Diffie-Hellman' in general with forward secrecy, not realizing that only the ephemeral variant (DHE/ECDHE) provides it, while static Diffie-Hellman does not.

How to eliminate wrong answers

Option B (RSA key exchange) is wrong because RSA uses the server's static private key to encrypt the pre-master secret; if the private key is later compromised, all past session keys can be decrypted, providing no forward secrecy. Option C (Pre-shared key (PSK)) is wrong because PSK relies on a static shared secret that does not change per session; if the PSK is compromised, all past and future sessions can be decrypted. Option D (Static Diffie-Hellman) is wrong because it uses fixed, long-term Diffie-Hellman keys that do not change per session; compromise of the static private key allows an attacker to derive all past session keys, violating forward secrecy.

9
MCQeasy

Which of the following is a method to check the revocation status of a digital certificate in real-time without the client downloading a full list?

A.Certificate Revocation List (CRL)
B.Self-signed certificate validation
C.Online Certificate Status Protocol (OCSP)
D.Certificate Transparency (CT)
AnswerC

OCSP provides real-time revocation status for individual certificates.

Why this answer

OCSP allows querying the CA's responder for the status of a specific certificate in real-time.

10
Multi-Selectmedium

A company is migrating from 3DES to a modern encryption algorithm. Which of the following are acceptable choices? (Select TWO)

Select 2 answers
A.DES
B.ChaCha20
C.AES
D.RC4
E.Blowfish
AnswersB, C

ChaCha20 is a modern stream cipher, considered secure and efficient.

Why this answer

AES and ChaCha20 are modern symmetric ciphers considered secure. RC4 is broken, Blowfish is older (64-bit block), and DES is obsolete.

11
MCQhard

An organization is planning to implement ECC for digital signatures. Which key size provides a security level equivalent to a 3072-bit RSA key?

A.192-bit ECC
B.256-bit ECC
C.1024-bit ECC
D.384-bit ECC
AnswerB

256-bit ECC provides ~128-bit security strength, equivalent to 3072-bit RSA.

Why this answer

The National Institute of Standards and Technology (NIST) recommends that a 256-bit elliptic curve (e.g., P-256) provides a security strength of 128 bits, which is equivalent to a 3072-bit RSA key. This equivalence is based on the computational difficulty of the discrete logarithm problem in elliptic curve groups versus integer factorization, where ECC requires significantly smaller key sizes for the same security level.

Exam trap

The trap here is that candidates often confuse symmetric key equivalence (e.g., 256-bit ECC matches 128-bit symmetric) with RSA equivalence, or mistakenly think larger ECC keys (like 384-bit) are needed to match 3072-bit RSA, when in fact 256-bit ECC is the correct match per NIST guidelines.

How to eliminate wrong answers

Option A is wrong because a 192-bit ECC key provides only 96 bits of security strength, which is equivalent to a 2048-bit RSA key, not 3072-bit. Option C is wrong because 1024-bit ECC is not a standard key size; ECC key sizes are typically much smaller (e.g., 256-bit) and a 1024-bit ECC key would provide far more security than needed, but the question asks for the equivalent to 3072-bit RSA, which is 256-bit ECC. Option D is wrong because a 384-bit ECC key provides 192 bits of security strength, equivalent to a 7680-bit RSA key, which is stronger than required for 3072-bit RSA.

12
MCQhard

Which of the following best describes the difference between HMAC and a simple hash function like SHA-256 when used for message authentication?

A.HMAC is faster than SHA-256
B.SHA-256 produces a larger digest than HMAC
C.HMAC provides integrity and authentication; SHA-256 provides only integrity
D.HMAC is used for encryption, not hashing
AnswerC

Correct: HMAC uses a key for authentication.

Why this answer

HMAC incorporates a secret key into the hash process, providing authentication that a simple hash cannot.

13
Multi-Selecthard

Which of the following are considered secure cryptographic practices for key management? (Select THREE)

Select 3 answers
A.Storing keys in plaintext configuration files
B.Implementing regular key rotation
C.Using a Hardware Security Module (HSM) for key storage
D.Sharing keys over email for convenience
E.Securely destroying keys when no longer needed
AnswersB, C, E

Key rotation limits the impact of a key compromise.

Why this answer

Regular key rotation limits the amount of data encrypted with a single key, reducing the impact of a key compromise and aligning with cryptographic best practices such as NIST SP 800-57. Rotating keys ensures that even if a key is exposed, only data encrypted after the last rotation is vulnerable, and it helps enforce cryptographic hygiene by retiring keys before they become weak due to cryptanalytic advances.

Exam trap

Cisco often tests the misconception that convenience (e.g., email sharing or plaintext storage) can be acceptable in secure environments, but the SSCP exam strictly enforces that keys must never be transmitted or stored in an insecure manner.

14
MCQmedium

A company is implementing a PKI for internal use. What is the primary purpose of a Certificate Revocation List (CRL)?

A.To validate certificate chains
B.To encrypt certificate requests
C.To store all issued certificates
D.To publish revoked certificates
AnswerD

CRLs list certificates that have been revoked and should no longer be trusted.

Why this answer

The primary purpose of a Certificate Revocation List (CRL) is to publish a list of certificates that have been revoked by the Certificate Authority (CA) before their scheduled expiration. This allows relying parties to verify that a certificate is still valid and has not been compromised, ensuring trust in the PKI.

Exam trap

The trap here is that candidates confuse the CRL's purpose with certificate validation or storage, mistakenly thinking it validates chains or stores all certificates, when in fact it only publishes revoked certificates for status checking.

How to eliminate wrong answers

Option A is wrong because validating certificate chains is performed using the CA's public key and checking signatures, not by consulting a CRL; CRLs are used only to check revocation status. Option B is wrong because encrypting certificate requests is the role of protocols like PKCS#10 or CMP, not the CRL, which is a signed list of revoked certificates. Option C is wrong because storing all issued certificates is the function of a certificate repository or database, whereas a CRL only contains certificates that have been revoked, not all issued ones.

15
MCQhard

A security engineer is implementing a digital signature scheme to ensure non-repudiation. Which process correctly describes how a digital signature is created and verified?

A.Sign with private key, verify with public key
B.Sign with public key, verify with private key
C.Sign with symmetric key, verify with asymmetric key
D.Sign with hash, verify with private key
AnswerA

Correct process.

Why this answer

A digital signature is created by hashing the message and then encrypting that hash with the signer's private key. Verification is performed by decrypting the signature with the signer's public key and comparing the result to a freshly computed hash of the message. This asymmetric process ensures non-repudiation because only the private key holder could have created the signature, while anyone with the public key can verify it.

Exam trap

Cisco often tests the misconception that the public key is used for signing because it is 'publicly available,' but the trap is that signing requires the private key to ensure only the claimed signer could have produced the signature.

How to eliminate wrong answers

Option B is wrong because signing with a public key would allow anyone to create a signature, destroying non-repudiation; the public key is used only for verification, not signing. Option C is wrong because symmetric keys are shared secrets and cannot provide non-repudiation—both parties could create the same signature, making it impossible to prove origin. Option D is wrong because signing with a hash is meaningless without a key; the hash is an intermediate step, and verification uses the public key, not the private key.

16
MCQmedium

An organization is moving away from legacy encryption and wants to avoid stream ciphers due to known vulnerabilities. Which of the following algorithms should be avoided because it is a stream cipher with known weaknesses like the BEAST attack?

A.RC4
B.3DES
C.AES-GCM
D.ChaCha20
AnswerA

RC4 is the deprecated stream cipher.

Why this answer

RC4 is a stream cipher that has known vulnerabilities, including the BEAST attack (Browser Exploit Against SSL/TLS), which exploits weaknesses in RC4's key scheduling and allows plaintext recovery. Since the organization wants to avoid stream ciphers due to such vulnerabilities, RC4 should be avoided.

Exam trap

The trap here is that candidates may assume all stream ciphers are equally vulnerable, but ChaCha20 is a modern, secure stream cipher, while RC4 is the specific one with known weaknesses like BEAST.

How to eliminate wrong answers

Option B (3DES) is wrong because 3DES is a block cipher, not a stream cipher, and while it is deprecated due to slow performance and small block size, it is not associated with the BEAST attack. Option C (AES-GCM) is wrong because AES-GCM is a block cipher operating in Galois/Counter Mode, which is an authenticated encryption mode and not a stream cipher; it is not vulnerable to BEAST. Option D (ChaCha20) is wrong because ChaCha20 is a stream cipher, but it is modern, secure, and not associated with the BEAST attack; it is actually recommended as a replacement for RC4.

17
MCQmedium

A security analyst is evaluating the cryptographic settings for a new application that requires both confidentiality and integrity for data in transit. The analyst needs to choose a symmetric cipher that provides authenticated encryption. Which of the following is the best choice?

A.RC4 stream cipher
B.AES in ECB mode
C.AES in GCM mode
D.AES in CBC mode
AnswerC

GCM mode provides both confidentiality and integrity (authenticated encryption) using a counter mode for encryption and a Galois field for authentication.

Why this answer

AES in GCM mode provides both encryption and authentication, making it the preferred choice for authenticated encryption. ECB lacks diffusion and is insecure, CBC provides only encryption, and RC4 is a broken stream cipher.

18
MCQmedium

In X.509 certificate format, which field is used to specify the fully qualified domain name(s) for which the certificate is valid?

A.Key Usage
B.Issuer
C.Subject
D.Subject Alternative Name
AnswerD

SAN is the correct field.

Why this answer

The Subject Alternative Name (SAN) extension allows specifying multiple hostnames.

19
Multi-Selecthard

An organization is designing a secure email system using S/MIME. Which of the following are essential components of the PKI that must be in place? (Select THREE)

Select 3 answers
A.A symmetric key distribution center (KDC)
B.X.509 digital certificates for each user
C.A method to check certificate revocation (e.g., CRL or OCSP)
D.A timestamp authority (TSA)
E.A certificate authority (CA) to sign certificates
AnswersB, C, E

Each user needs a certificate containing their public key and identity.

Why this answer

S/MIME relies on a PKI where each user possesses an X.509 digital certificate that binds their identity to a public key. This certificate is essential for signing and encrypting emails, as it allows recipients to verify the sender's identity and encrypt messages using the sender's public key.

Exam trap

Cisco often tests the distinction between PKI components and auxiliary services like timestamping or symmetric key distribution, so candidates mistakenly select a KDC or TSA as essential for S/MIME when they are not part of the core PKI.

20
MCQmedium

A security analyst is reviewing a digital signature implementation. The signer uses their private key to encrypt the hash of a message. What does the recipient use to verify the signature?

A.The recipient's private key
B.The signer's private key
C.The recipient's public key
D.The signer's public key
AnswerD

The signer's public key is used to verify the signature by decrypting the hash.

Why this answer

Digital signatures use asymmetric cryptography where the signer encrypts the message hash with their private key. The recipient decrypts that encrypted hash using the signer's public key, then compares it to a locally computed hash of the received message. If they match, the signature is verified, proving both authenticity and integrity.

Exam trap

Cisco often tests the misconception that encryption and signing use the same key pair roles, leading candidates to confuse which key is used for verification versus decryption.

How to eliminate wrong answers

Option A is wrong because the recipient's private key is used for decryption of data encrypted with the recipient's public key, not for verifying a signature from another party. Option B is wrong because the signer's private key is kept secret and used only by the signer to create the signature; sharing it would compromise the entire system. Option C is wrong because the recipient's public key is used by others to encrypt data for the recipient, not to verify a signature created by a different entity.

21
MCQhard

A security auditor reviews a system that uses HMAC-SHA256 for message authentication. Which property does HMAC provide that a simple hash of the message does not?

A.Confidentiality
B.Non-repudiation
C.Integrity and authentication using a shared secret
D.Forward secrecy
AnswerC

HMAC ensures the message has not been altered and verifies the sender's possession of the secret key.

Why this answer

HMAC-SHA256 uses a shared secret key combined with the message before hashing, which provides both integrity (detecting tampering) and authentication (verifying the sender knows the secret). A simple hash of the message alone offers integrity but no authentication, because anyone can compute the same hash without a secret. Thus, HMAC adds authentication via the shared secret, making option C correct.

Exam trap

The trap here is that candidates confuse integrity (provided by any hash) with authentication (which requires a shared secret), leading them to think a simple hash is sufficient for message authentication, but HMAC specifically adds the keyed property.

How to eliminate wrong answers

Option A is wrong because HMAC does not provide confidentiality; it does not encrypt the message, only authenticates it. Option B is wrong because non-repudiation requires asymmetric cryptography (e.g., digital signatures) to bind a message to a specific entity, whereas HMAC uses a shared symmetric key and cannot prove which party created it. Option D is wrong because forward secrecy is a property of key exchange protocols (e.g., Diffie-Hellman ephemeral) that ensures session keys are not compromised if long-term keys are leaked; HMAC does not provide forward secrecy.

22
Multi-Selectmedium

An organization wants to implement a hashing algorithm for integrity checks. Which of the following should be avoided due to known vulnerabilities? (Select TWO)

Select 2 answers
A.SHA-3
B.SHA-256
C.MD5
D.HMAC-SHA256
E.SHA-1
AnswersC, E

MD5 is vulnerable to collision attacks.

Why this answer

MD5 is correct because it is a widely deprecated hashing algorithm with known collision vulnerabilities, making it unsuitable for integrity checks. Practical collision attacks (e.g., using a chosen-prefix collision) can be executed in seconds on commodity hardware, so any integrity check relying on MD5 can be trivially bypassed.

Exam trap

The trap here is that candidates often assume SHA-1 is still acceptable because it was once widely used, but the SSCP exam expects you to know that both MD5 and SHA-1 are broken for collision resistance and should be avoided.

23
MCQmedium

Which of the following best describes the purpose of a Hardware Security Module (HSM) in key management?

A.To store cryptographic keys in a secure, tamper-resistant environment
B.To replace public key infrastructure (PKI)
C.To accelerate network traffic encryption
D.To generate random numbers for non-cryptographic use
AnswerA

HSMs are designed to protect keys throughout their lifecycle.

Why this answer

A Hardware Security Module (HSM) is a dedicated, tamper-resistant hardware appliance designed to securely generate, store, and manage cryptographic keys throughout their lifecycle. By keeping keys within the HSM's physical and logical boundaries, it prevents unauthorized extraction even if the host system is compromised, which is the core purpose of an HSM in key management.

Exam trap

The trap here is that candidates confuse an HSM's ability to perform cryptographic operations (like encryption or signing) with its primary purpose, which is secure key storage and lifecycle management, not performance acceleration or replacing PKI.

How to eliminate wrong answers

Option B is wrong because an HSM does not replace Public Key Infrastructure (PKI); PKI is a framework of policies, roles, and software (e.g., Certificate Authorities) for managing digital certificates, while an HSM is a hardware device that can be used to protect the private keys within a PKI. Option C is wrong because accelerating network traffic encryption is not the primary purpose of an HSM; that function is typically performed by dedicated cryptographic accelerators or offload engines (e.g., Intel QAT), whereas an HSM focuses on secure key storage and limited cryptographic operations. Option D is wrong because while HSMs can generate random numbers, they are used for cryptographic purposes (e.g., key generation, nonces) and not for non-cryptographic use; general random number generation for non-cryptographic tasks is done by simpler PRNGs like those in standard OS libraries.

24
MCQeasy

Which of the following hash algorithms is considered cryptographically broken and should be avoided due to collision attacks?

A.SHA-3
B.SHA-256
C.MD5
D.HMAC-SHA256
AnswerC

MD5 is broken and collisions can be generated easily.

Why this answer

MD5 is known to have collision vulnerabilities and is no longer considered secure.

25
MCQeasy

What is the minimum recommended RSA key size for secure use as of current best practices?

A.1024 bits
B.4096 bits
C.3072 bits
D.2048 bits
AnswerD

2048-bit is the minimum recommended.

Why this answer

Option D (2048 bits) is correct because current best practices, as recommended by NIST SP 800-57 and other cryptographic standards, consider 2048-bit RSA keys as the minimum secure size for protecting data through 2030. This key length provides a sufficient security margin against known factoring attacks, balancing computational efficiency with cryptographic strength.

Exam trap

Cisco often tests the misconception that larger keys are always better, leading candidates to choose 4096 bits as the minimum, when in fact 2048 bits is the officially recommended baseline for secure use.

How to eliminate wrong answers

Option A is wrong because 1024-bit RSA keys are deprecated and considered insecure due to advances in factoring algorithms and computational power; they provide only about 80 bits of security, which is below the recommended 112-bit minimum. Option B is wrong because 4096-bit RSA keys, while secure, are not the minimum recommended size; they offer excessive security margin (about 140 bits) at the cost of significantly slower performance, making them unnecessary for most applications. Option C is wrong because 3072-bit RSA keys, though providing a higher security level (128 bits), are not the minimum recommended size; 2048 bits is the established baseline per NIST and industry standards.

26
MCQmedium

Which of the following is a cryptographic hash function that is considered cryptographically broken due to collision attacks and should not be used for security purposes?

A.SHA-1
B.SHA-256
C.SHA-3
D.MD5
AnswerD

MD5 is broken.

Why this answer

MD5 is known to have collision vulnerabilities and is considered broken.

27
Multi-Selectmedium

A security team is evaluating hashing algorithms for use in a new system. Which of the following are considered currently secure for general use? (Select TWO)

Select 2 answers
A.SHA-1
B.MD5
C.SHA-3
D.SHA-256
E.HMAC-SHA256
AnswersC, D

SHA-3 is the latest standard and secure.

Why this answer

SHA-3 (C) is the latest member of the Secure Hash Algorithm family, standardized by NIST in FIPS 202. It is based on the Keccak sponge construction and is not susceptible to the collision attacks that weaken SHA-1 or the length-extension vulnerabilities of SHA-2, making it currently secure for general use.

Exam trap

Cisco often tests the distinction between a hashing algorithm (like SHA-256) and a keyed construction (like HMAC-SHA256), causing candidates to mistakenly select HMAC-SHA256 as a hashing algorithm when it is actually an authentication mechanism.

28
MCQmedium

In a PKI, what is the role of the root Certificate Authority (CA)?

A.To be the trust anchor for the entire PKI hierarchy
B.To issue certificates directly to end users
C.To generate private keys for all users
D.To revoke certificates and publish CRLs
AnswerA

The root CA's certificate is the trust anchor; all other certificates are validated against it.

Why this answer

The root Certificate Authority (CA) is the trust anchor in a Public Key Infrastructure (PKI) hierarchy. Its self-signed root certificate is the ultimate trust point from which all subordinate CA certificates and end-entity certificates derive their trust. Without a trusted root, the entire chain of trust collapses, as no certificate can be validated back to a trusted source.

Exam trap

The trap here is that candidates often assume the root CA directly issues end-user certificates or handles revocation, but the SSCP exam tests the understanding that the root CA's primary role is to serve as the immutable trust anchor, with operational tasks delegated to subordinate CAs.

How to eliminate wrong answers

Option B is wrong because the root CA typically does not issue certificates directly to end users; that task is delegated to subordinate or intermediate CAs to limit exposure of the root key. Option C is wrong because the root CA does not generate private keys for users; private keys are generated by the user or their client software and should never be known to the CA. Option D is wrong because while the root CA can theoretically revoke certificates and publish CRLs, in practice this is usually handled by subordinate CAs or a dedicated CRL issuer to reduce operational load on the root.

29
MCQmedium

A security engineer needs to choose an asymmetric algorithm for a system with limited computational resources, such as an IoT device. The algorithm must provide equivalent security to RSA 2048-bit while using smaller key sizes. Which algorithm should they choose?

A.RSA with 2048-bit keys
B.Elliptic Curve Cryptography (ECC) with 256-bit keys
C.Diffie-Hellman with 2048-bit keys
D.3DES with 168-bit keys
AnswerB

ECC provides strong security with smaller keys, ideal for IoT.

Why this answer

Elliptic Curve Cryptography (ECC) with 256-bit keys provides equivalent security to RSA 2048-bit because the elliptic curve discrete logarithm problem is significantly harder to solve than the integer factorization problem for the same key length. This allows ECC to achieve strong security with much smaller key sizes, making it ideal for resource-constrained IoT devices where memory, power, and processing are limited.

Exam trap

Cisco often tests the misconception that larger key sizes always mean stronger security, leading candidates to pick RSA 2048-bit or Diffie-Hellman 2048-bit, while the trap is that ECC with much smaller key sizes (e.g., 256-bit) provides equivalent security with lower computational overhead, which is the exact requirement for IoT devices.

How to eliminate wrong answers

Option A is wrong because RSA with 2048-bit keys is the baseline for comparison, not a smaller key size alternative, and it requires significantly more computational resources than ECC for equivalent security. Option C is wrong because Diffie-Hellman with 2048-bit keys is a symmetric-key-agreement protocol that also uses large key sizes for security, not a smaller key size alternative, and it does not provide the same key-size efficiency as ECC. Option D is wrong because 3DES with 168-bit keys is a symmetric encryption algorithm, not an asymmetric algorithm, and it provides only about 112 bits of security, far less than RSA 2048-bit, while also being computationally heavy and deprecated in modern standards.

30
MCQhard

An analyst is comparing symmetric and asymmetric encryption. Which statement accurately describes a typical use case?

A.Symmetric encryption is used for key exchange over insecure channels.
B.Asymmetric encryption is used to securely exchange a symmetric key.
C.Symmetric encryption is used to sign documents to provide non-repudiation.
D.Asymmetric encryption is used for bulk data encryption because it is faster.
AnswerB

Hybrid cryptosystems use asymmetric encryption to exchange a symmetric session key.

Why this answer

Asymmetric encryption (e.g., RSA, ECDH) is computationally expensive and slow, making it unsuitable for bulk data encryption. Instead, it is commonly used to securely exchange a symmetric session key (e.g., an AES key) over an insecure channel. Once both parties have the symmetric key, they can switch to symmetric encryption (e.g., AES-GCM) for efficient bulk data encryption.

This hybrid approach combines the secure key distribution of asymmetric encryption with the speed of symmetric encryption.

Exam trap

Cisco often tests the misconception that symmetric encryption is used for key exchange or that asymmetric encryption is faster for bulk data, when in fact the opposite is true: asymmetric encryption is slow and reserved for key exchange, while symmetric encryption is fast and used for bulk data.

How to eliminate wrong answers

Option A is wrong because symmetric encryption uses a single shared key and cannot securely exchange that key over an insecure channel without a pre-existing secure method; key exchange is a primary use case for asymmetric encryption (e.g., Diffie-Hellman, RSA key transport). Option C is wrong because symmetric encryption does not provide non-repudiation; digital signatures, which use asymmetric encryption (e.g., RSA or ECDSA with a private key), are required to provide non-repudiation by binding the signer's identity to the document. Option D is wrong because asymmetric encryption is significantly slower than symmetric encryption (e.g., RSA is hundreds to thousands of times slower than AES for equivalent security levels) and is therefore not used for bulk data encryption; symmetric encryption (e.g., AES-256) is the standard for encrypting large volumes of data.

31
Multi-Selecteasy

A security administrator is setting up a public key infrastructure (PKI) for internal use. Which two of the following components are essential for establishing a chain of trust from the root CA to end-entity certificates?

Select 2 answers
A.An intermediate (subordinate) CA certificate signed by the root CA
B.A certificate signing request (CSR)
C.A self-signed root CA certificate
D.An online certificate status protocol (OCSP) responder
E.A certificate revocation list (CRL)
AnswersA, C

Intermediate CAs issue end-entity certificates and are signed by the root CA, forming the chain.

Why this answer

The root CA must be self-signed (trust anchor), and intermediate CAs (subordinate) are used to issue end-entity certificates. CRLs and OCSP are revocation mechanisms, not trust chain components. CSR is for requesting certificates.

32
MCQhard

A PKI administrator needs to check the revocation status of a digital certificate without requiring the client to download the entire CRL. Which method is designed for online, real-time certificate status checking?

A.OCSP
B.OCSP stapling
C.CRL
D.Certificate transparency
AnswerA

OCSP provides real-time status.

Why this answer

OCSP (Online Certificate Status Protocol) allows real-time checking of a certificate's revocation status without downloading the full CRL.

33
MCQmedium

A company wants to implement a key management system. They need to generate cryptographic keys that are unpredictable. Which source of randomness should be used?

A.Hardware random number generator (HRNG)
B.Random numbers from a website
C.Linear congruential generator (LCG)
D.Pseudorandom number generator (PRNG) seeded with current timestamp
AnswerA

HRNGs provide high-quality entropy suitable for key generation.

Why this answer

A hardware random number generator (HRNG) is the correct choice because it derives randomness from physical processes (e.g., thermal noise, quantum effects) that are inherently unpredictable and non-deterministic. Cryptographic key generation requires true entropy to resist brute-force and prediction attacks, which software-based deterministic methods cannot guarantee.

Exam trap

Cisco often tests the misconception that a PRNG seeded with a timestamp is sufficient for cryptography, but the trap is that timestamps are predictable or guessable, making the output deterministic and insecure for key generation.

How to eliminate wrong answers

Option B is wrong because random numbers from a website are sourced over an untrusted network and may be intercepted, reused, or generated by a pseudorandom algorithm, offering no verifiable entropy. Option C is wrong because a linear congruential generator (LCG) is a deterministic, predictable algorithm with a short period, making it unsuitable for cryptographic key generation. Option D is wrong because a pseudorandom number generator (PRNG) seeded with a current timestamp is deterministic; if the timestamp is guessed or observed, all outputs become predictable, violating the unpredictability requirement.

34
MCQeasy

Which of the following encryption algorithms is classified as a symmetric block cipher and is the current standard recommended by NIST, supporting key sizes of 128, 192, and 256 bits?

A.AES
B.RSA
C.3DES
D.ChaCha20
AnswerA

AES is the correct answer.

Why this answer

AES (Advanced Encryption Standard) is a symmetric block cipher that encrypts data in fixed 128-bit blocks and is the current standard recommended by NIST (FIPS 197). It supports key sizes of 128, 192, and 256 bits, making it the correct answer for a symmetric block cipher with those specific key lengths.

Exam trap

The trap here is that candidates often confuse symmetric vs. asymmetric algorithms or mistake 3DES for a modern standard, but NIST specifically deprecated 3DES in 2018 (NIST SP 800-131A Rev. 2) and recommends AES for all new applications.

How to eliminate wrong answers

Option B (RSA) is wrong because it is an asymmetric (public-key) cipher, not a symmetric block cipher, and it does not use fixed block sizes or the specified key sizes. Option C (3DES) is wrong because, while it is a symmetric block cipher, it is deprecated by NIST due to its small 64-bit block size and slow performance, and it supports key sizes of 56, 112, or 168 bits, not 128, 192, or 256 bits. Option D (ChaCha20) is wrong because it is a stream cipher, not a block cipher, and although it is a symmetric algorithm, it does not use the specified key sizes in the context of a block cipher standard.

35
MCQmedium

A security analyst is evaluating encryption modes for a new system that requires authenticated encryption to ensure both confidentiality and integrity of data in transit. Which AES mode should the analyst recommend?

A.ECB
B.CBC
C.CTR
D.GCM
AnswerD

GCM provides authenticated encryption.

Why this answer

GCM (Galois/Counter Mode) is the correct choice because it provides authenticated encryption, combining the confidentiality of CTR mode with integrity verification via a Galois field authentication tag. This makes it ideal for securing data in transit, as it ensures both privacy and tamper detection in a single, efficient operation.

Exam trap

The trap here is that candidates often confuse confidentiality-only modes (like CBC or CTR) with authenticated encryption, overlooking that GCM is the only option listed that natively provides both encryption and integrity in a single mode.

How to eliminate wrong answers

Option A is wrong because ECB (Electronic Codebook) mode encrypts each block independently, producing identical ciphertext for identical plaintext blocks, which leaks patterns and provides no integrity protection. Option B is wrong because CBC (Cipher Block Chaining) mode ensures confidentiality through chaining but does not inherently provide authentication or integrity; it requires a separate MAC (e.g., HMAC) for authenticated encryption. Option C is wrong because CTR (Counter) mode offers confidentiality by encrypting a counter value, but like CBC, it lacks built-in integrity verification and is vulnerable to bit-flipping attacks without an additional authentication mechanism.

36
MCQeasy

Which of the following is a secure hash algorithm currently recommended by NIST?

A.SHA-1
B.RC4
C.MD5
D.SHA-256
AnswerD

SHA-256 is a current standard and is considered secure.

Why this answer

SHA-256 is a member of the SHA-2 family of secure hash algorithms and is currently recommended by NIST for cryptographic use. It produces a 256-bit (32-byte) hash value and is widely deployed in protocols such as TLS, SSH, and IPsec, as well as in digital signatures and certificate validation.

Exam trap

Cisco often tests the distinction between hash algorithms and encryption ciphers, so candidates may mistakenly select RC4 because it is a well-known cryptographic algorithm, but it is not a hash function at all.

How to eliminate wrong answers

Option A is wrong because SHA-1 is no longer considered secure by NIST due to demonstrated collision attacks (e.g., the SHAttered attack in 2017) and is deprecated for most cryptographic applications. Option B is wrong because RC4 is a stream cipher, not a hash algorithm, and it is also deprecated due to severe biases in its output. Option C is wrong because MD5 is a broken hash algorithm with practical collision attacks (e.g., used in the Flame malware) and is explicitly not recommended by NIST for any security purpose.

37
Multi-Selecthard

A security engineer is designing a key management system for a large enterprise. Which two of the following practices are essential for securing cryptographic keys throughout their lifecycle?

Select 2 answers
A.Store keys in dedicated hardware security modules (HSMs).
B.Use the same key for encryption, digital signatures, and key exchange.
C.Email keys to authorized users for convenience.
D.Store keys in the same database as encrypted data.
E.Rotate keys regularly and upon compromise.
AnswersA, E

HSMs provide tamper-resistant storage and protect keys from unauthorized access.

Why this answer

Key storage in hardware security modules (HSMs) and regular key rotation are critical for key security. Storing keys with the data and emailing them violate security best practices. Using a single key for all purposes reduces security.

38
Multi-Selectmedium

A company is upgrading its legacy systems to use modern cryptographic standards. Which two of the following algorithms should be avoided due to known weaknesses or deprecation?

Select 2 answers
A.SHA-256 for hashing
B.MD5 for hashing
C.AES-256 for encryption
D.ECDH for key exchange
E.3DES for encryption
AnswersB, E

MD5 is cryptographically broken; collision attacks are feasible.

Why this answer

MD5 and 3DES are considered weak: MD5 has collision vulnerabilities, and 3DES is deprecated due to small block size and performance issues. SHA-256, AES-256, and ECDH are modern and secure.

39
MCQeasy

Which of the following is a secure protocol for remote administration of a server, replacing insecure protocols like Telnet?

A.FTP
B.SSH
C.HTTP
D.Telnet
AnswerB

SSH encrypts all traffic, making it secure for remote administration.

Why this answer

SSH (Secure Shell) is the correct answer because it provides encrypted remote administration capabilities, replacing insecure protocols like Telnet that transmit data in plaintext. SSH uses public-key cryptography for authentication and symmetric encryption (e.g., AES, ChaCha20) for session confidentiality, protecting against eavesdropping and man-in-the-middle attacks.

Exam trap

The trap here is that candidates may confuse Telnet with SSH or think that FTP or HTTP can be used for remote administration, but the question specifically asks for a secure replacement for Telnet, which is SSH.

How to eliminate wrong answers

Option A (FTP) is wrong because it is a file transfer protocol, not a remote administration protocol, and it transmits credentials and data in plaintext unless secured with FTPS or SFTP. Option C (HTTP) is wrong because it is a web protocol used for transferring hypertext, not for remote server administration, and it lacks encryption by default (HTTPS is the secure variant). Option D (Telnet) is wrong because it is the very insecure protocol that SSH replaces, sending all data including passwords in cleartext over TCP port 23.

40
Multi-Selecteasy

Which TWO of the following are considered secure cryptographic hash functions as of current standards? (Select TWO.)

Select 2 answers
A.SHA-3
B.RC4
C.SHA-1
D.MD5
E.SHA-256
AnswersA, E

SHA-3 is the latest standard.

Why this answer

SHA-256 and SHA-3 are currently secure. MD5 and SHA-1 are broken or deprecated.

41
Multi-Selecthard

A company is selecting a cryptographic algorithm for digital signatures. Which THREE of the following algorithms can be used for digital signatures? (Select THREE.)

Select 3 answers
A.SHA-256
B.DSA
C.AES
D.RSA
E.ECDSA
AnswersB, D, E

DSA is a digital signature algorithm.

Why this answer

RSA, ECDSA, and DSA are all capable of digital signatures. AES is symmetric and not for signatures; SHA-256 is a hash function.

42
MCQhard

A security administrator is configuring a web server to use TLS. They want to optimize performance while maintaining strong security. Which cipher suite should they prioritize?

A.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
B.TLS_RSA_WITH_AES_128_CBC_SHA256
C.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
D.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
AnswerD

This suite offers forward secrecy, strong authentication with ECDSA, and efficient authenticated encryption.

Why this answer

Option D is correct because TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uses Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for perfect forward secrecy, ECDSA for efficient authentication, AES-256 in GCM mode for authenticated encryption, and SHA-384 for integrity. This combination provides the strongest security with modern, optimized algorithms, making it the best choice for performance and security on a TLS web server.

Exam trap

The trap here is that candidates often choose option C (ECDHE_RSA) because it uses ECDHE and GCM, but they overlook that ECDSA with AES-256 and SHA-384 provides stronger security and better performance than RSA-based authentication, especially in modern TLS configurations.

How to eliminate wrong answers

Option A is wrong because TLS_DHE_RSA_WITH_AES_128_CBC_SHA uses DHE (which is slower than ECDHE due to larger key sizes) and CBC mode (which is vulnerable to padding oracle attacks like POODLE) with SHA-1 (deprecated due to collision attacks). Option B is wrong because TLS_RSA_WITH_AES_128_CBC_SHA256 uses RSA key exchange (no perfect forward secrecy, as the private key can decrypt all past sessions if compromised) and CBC mode (still susceptible to timing attacks). Option C is wrong because TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uses RSA for authentication (larger keys, slower than ECDSA) and AES-128 (weaker than AES-256 for long-term security), while the question asks to prioritize the strongest combination; ECDSA with AES-256 and SHA-384 is superior.

43
MCQhard

A security professional is designing a key management system and needs to ensure that keys are generated using a truly random source. Which of the following is the most appropriate method for generating cryptographic keys?

A.Hardware random number generator
B.Cryptographically secure PRNG seeded with a static password
C.Pseudorandom number generator (PRNG) seeded with current timestamp
D.User-memorized passphrase
AnswerA

Hardware RNG provides true randomness.

Why this answer

Hardware random number generators (HRNGs) provide true randomness, while CSPRNGs are deterministic. For key generation, a hardware RNG is best.

44
MCQeasy

Which of the following is a secure alternative to RC4 for stream ciphers?

A.MD5
B.AES in ECB mode
C.ChaCha20
D.3DES
AnswerC

ChaCha20 is a secure stream cipher used in TLS and other protocols.

Why this answer

ChaCha20 is a modern, high-speed stream cipher designed by Daniel J. Bernstein as a secure alternative to RC4, which has known vulnerabilities such as biases in its keystream and susceptibility to attacks like the Fluhrer-Mantin-Shamir attack. ChaCha20 is standardized in RFC 8439 and is widely used in TLS 1.3 and SSH, offering strong security and performance without the weaknesses of RC4.

Exam trap

Cisco often tests the misconception that any symmetric cipher can replace RC4, but the trap here is that candidates confuse block cipher modes (like ECB) or hash functions (like MD5) with stream ciphers, failing to recognize that only a dedicated stream cipher like ChaCha20 provides the same operational paradigm as RC4.

How to eliminate wrong answers

Option A is wrong because MD5 is a cryptographic hash function, not a stream cipher, and it is broken for collision resistance. Option B is wrong because AES in ECB mode is a block cipher mode that encrypts each block independently, making it deterministic and insecure for patterns, not a stream cipher; it also lacks the keystream generation property of RC4. Option D is wrong because 3DES is a block cipher (not a stream cipher) and is deprecated due to its small 56-bit effective key size and vulnerability to meet-in-the-middle attacks.

45
Multi-Selectmedium

An organization is implementing a digital signature solution to ensure non-repudiation and integrity of documents. Which three of the following are true regarding digital signatures?

Select 3 answers
A.The receiver uses the sender's private key to verify the signature.
B.The receiver verifies the signature using the sender's public key.
C.The sender encrypts the entire document with their public key to create a signature.
D.Digital signatures provide non-repudiation because the private key is kept secret by the sender.
E.The sender signs the message hash with their private key.
AnswersB, D, E

Verification involves decrypting the signature with the sender's public key and comparing the hash.

Why this answer

Digital signatures involve signing the hash of the message with the sender's private key. They provide non-repudiation because only the sender has the private key. Verification uses the sender's public key.

46
MCQmedium

An organization uses a PKI with a root CA that issues certificates to intermediate CAs, which then issue end-entity certificates. A client receives an end-entity certificate signed by an intermediate CA. During validation, which certificates are required to build the chain of trust?

A.Only the root CA certificate
B.End-entity certificate, intermediate CA certificate, and root CA certificate
C.Only the end-entity certificate and the root CA certificate
D.Only the end-entity certificate and the intermediate CA certificate
AnswerB

All three are required to validate the chain from end-entity to the trusted root.

Why this answer

In a PKI hierarchy, the chain of trust requires each certificate in the path to be validated up to a trusted root. The client must have the end-entity certificate, the intermediate CA certificate (to verify the end-entity's signature), and the root CA certificate (to verify the intermediate CA's signature). Without the intermediate CA certificate, the client cannot cryptographically link the end-entity to the root, breaking the chain.

Exam trap

The trap here is that candidates often assume the root CA directly signs all certificates, forgetting that intermediate CAs are used in practice, so they incorrectly select Option C or D, missing the need for the full chain.

How to eliminate wrong answers

Option A is wrong because the root CA certificate alone cannot verify the end-entity certificate's signature, which was issued by the intermediate CA, not the root. Option C is wrong because omitting the intermediate CA certificate leaves a gap in the chain; the client cannot validate the intermediate CA's signature on the end-entity certificate. Option D is wrong because without the root CA certificate, the client cannot verify the intermediate CA certificate's signature, so the chain of trust cannot be anchored to a trusted root.

47
MCQeasy

Which protocol is used to provide secure remote shell access and replace Telnet?

A.SFTP
B.SSH
C.IPsec
D.HTTPS
AnswerB

SSH provides encrypted remote shell access and is the standard replacement for Telnet.

Why this answer

SSH (Secure Shell) is the correct answer because it provides encrypted remote shell access and command execution, replacing the insecure Telnet protocol which transmits data in cleartext. SSH uses public-key cryptography for authentication and symmetric encryption (e.g., AES, ChaCha20) for session confidentiality, as defined in RFC 4251.

Exam trap

Cisco often tests the distinction between SSH (remote shell) and SFTP (file transfer), leading candidates to confuse SFTP as a replacement for Telnet when it actually relies on SSH for its secure transport.

How to eliminate wrong answers

Option A (SFTP) is wrong because SFTP (SSH File Transfer Protocol) is a file transfer protocol that runs over SSH, not a remote shell access protocol; it is used for secure file operations, not interactive shell sessions. Option C (IPsec) is wrong because IPsec is a network-layer security protocol suite used for encrypting IP packets (e.g., in VPNs), not for providing remote shell access or replacing Telnet. Option D (HTTPS) is wrong because HTTPS is HTTP over TLS, designed for secure web browsing, not for remote shell access or command-line interaction.

48
Multi-Selectmedium

A security administrator is evaluating encryption protocols for email communication. Which of the following protocols can secure email in transit? (Select TWO)

Select 2 answers
A.IMAPS
B.HTTPS
C.SSH
D.SMTPS
E.SFTP
AnswersA, D

IMAPS is IMAP over TLS, used for retrieving email securely.

Why this answer

IMAPS (Internet Message Access Protocol over SSL/TLS) encrypts email retrieval by wrapping IMAP traffic in TLS, typically on port 993. This ensures that email messages and credentials are protected from eavesdropping while in transit between the client and the mail server.

Exam trap

Cisco often tests the distinction between protocols that secure email in transit (IMAPS, SMTPS) versus protocols that secure other services (HTTPS for web, SSH for remote access, SFTP for file transfer), leading candidates to confuse secure versions of unrelated protocols.

49
MCQmedium

A security engineer is designing a system that requires non-repudiation of data origin. Which cryptographic technique should be used?

A.Keyed hash (HMAC)
B.Digital signature using RSA or ECDSA
C.Hash function only
D.Symmetric encryption with a shared key
AnswerB

Digital signatures bind the identity of the signer to the data, providing non-repudiation.

Why this answer

Digital signatures using RSA or ECDSA provide non-repudiation of data origin because they bind the signer's identity to the data through a private key that only the signer possesses. The recipient can verify the signature with the corresponding public key, and the signer cannot later deny having signed the data, as the private key is uniquely under their control. This meets the legal and technical requirement for non-repudiation, unlike symmetric or hash-only methods.

Exam trap

The trap here is that candidates confuse integrity (provided by HMAC or hash) with non-repudiation, or assume a shared secret (HMAC or symmetric encryption) can prove origin, but only asymmetric digital signatures satisfy the legal requirement of non-repudiation.

How to eliminate wrong answers

Option A is wrong because a keyed hash (HMAC) uses a shared secret key between sender and receiver, which cannot prove which party generated the MAC, thus failing to provide non-repudiation. Option C is wrong because a hash function alone provides integrity but no authentication or proof of origin, as anyone can compute the same hash. Option D is wrong because symmetric encryption with a shared key does not provide non-repudiation; both parties possess the same key, so the sender can deny creating the ciphertext.

50
MCQeasy

A security analyst is recommending a symmetric encryption algorithm for a new application that requires both confidentiality and authentication. Which algorithm and mode combination should they select?

A.3DES-CBC
B.AES-ECB
C.RC4
D.AES-GCM
AnswerD

GCM mode combines encryption and authentication, making it ideal for this requirement.

Why this answer

AES-GCM (Galois/Counter Mode) is a symmetric encryption algorithm that provides both confidentiality and authentication in a single, efficient operation. It combines AES encryption in counter mode with a Galois field-based message authentication code (GMAC), making it ideal for applications requiring both security properties.

Exam trap

The trap here is that candidates often confuse CBC mode with providing authentication (since it uses an IV), but CBC only offers confidentiality; GCM is the correct choice for combined confidentiality and authentication in symmetric encryption.

How to eliminate wrong answers

Option A is wrong because 3DES-CBC provides only confidentiality, not authentication; CBC mode requires a separate MAC (e.g., HMAC) to ensure integrity and authenticity, and 3DES is deprecated due to its 64-bit block size and slow performance. Option B is wrong because AES-ECB is deterministic and does not provide authentication; it encrypts identical plaintext blocks into identical ciphertext blocks, leaking patterns and lacking any integrity check. Option C is wrong because RC4 is a stream cipher that provides only confidentiality, not authentication, and is considered broken due to biases in its output (e.g., RC4 biases in TLS), making it unsuitable for secure applications.

Ready to test yourself?

Try a timed practice session using only Cryptography questions.