CCNA Cryptography Questions

51 questions · Cryptography topic · All types, answers revealed

1
MCQ · easy

A security professional is implementing a solution to verify the authenticity of a digital certificate. Which component of a PKI is responsible for issuing and revoking certificates?

A. Online Certificate Status Protocol (OCSP) responder
B. Certificate Authority (CA)
C. Certificate Revocation List (CRL)
D. Registration Authority (RA)
Answer: B

The CA issues and revokes digital certificates.

Why this answer

The Certificate Authority (CA) is the core component of a Public Key Infrastructure (PKI) responsible for issuing digital certificates and, crucially, for revoking them when they are no longer trusted. While other components support certificate status checking or verification, only the CA has the authority to sign and publish certificates or revocation information.

Exam trap

The trap here is that candidates confuse the OCSP responder or CRL as the entity that performs revocation, when in fact they are merely mechanisms to check or distribute revocation status, while only the CA has the authority to issue or revoke a certificate.

How to eliminate wrong answers

Option A is wrong because an OCSP responder is a service that provides real-time certificate status (valid, revoked, or unknown) by querying the CA's database, but it does not issue or revoke certificates. Option C is wrong because a Certificate Revocation List (CRL) is a published list of revoked certificates maintained by the CA, but it is a data structure, not the entity that performs the revocation action. Option D is wrong because a Registration Authority (RA) is an optional component that verifies the identity of certificate requestors and forwards requests to the CA, but it does not have the authority to issue or revoke certificates itself.

2
MCQ · medium

Refer to the exhibit. A network engineer is configuring an IPsec VPN. Which protocol does this configuration apply to?

A. HTTPS
B. SSH
C. SSL/TLS
D. IKE (Internet Key Exchange)
Answer: D

ISAKMP is the framework for IKE, used in IPsec VPNs.

Why this answer

The configuration shown in the exhibit is for an IPsec VPN, which relies on IKE (Internet Key Exchange) to establish security associations and negotiate cryptographic keys. IKE (RFC 7296) is the mandatory key management protocol for IPsec, handling authentication and key exchange over UDP ports 500 and 4500. Without IKE, IPsec cannot dynamically negotiate the encryption and hashing parameters required for secure tunnel establishment.

Exam trap

The trap here is that candidates often confuse SSL/TLS with IPsec because both are used for VPNs, but SSL/TLS VPNs operate at the transport layer (e.g., OpenVPN) while IPsec VPNs require IKE for key exchange at the network layer.

How to eliminate wrong answers

Option A is wrong because HTTPS is an application-layer protocol (HTTP over TLS) used for secure web browsing, not for negotiating IPsec security associations. Option B is wrong because SSH is a protocol for secure remote login and command execution, operating at the application layer, and does not handle IPsec key management. Option C is wrong because SSL/TLS operates at the transport layer to secure TCP connections (e.g., HTTPS, FTPS) and is not used for IPsec VPN key exchange; IPsec uses IKE for this purpose.

3
MCQ · hard

An organization implements a hybrid encryption scheme to secure sensitive emails. The email body is encrypted with AES-256, and the AES key is encrypted with RSA-2048. What is the primary advantage of this approach?

A. Ensures forward secrecy
B. Simplifies key management by using a single key
C. Combines performance of symmetric with secure key distribution of asymmetric
D. Provides non-repudiation for the email
Answer: C

AES is fast for large data; RSA securely encrypts the key.

Why this answer

Hybrid encryption combines the speed of symmetric encryption (AES-256) for bulk data with the secure key distribution of asymmetric encryption (RSA-2048). The symmetric key encrypts the email body efficiently, while the asymmetric key encrypts only the symmetric key, solving the key distribution problem without sacrificing performance.

Exam trap

The trap here is that candidates confuse hybrid encryption with forward secrecy or non-repudiation, but hybrid encryption specifically addresses the performance vs. key distribution trade-off, not security properties like forward secrecy or authentication.

How to eliminate wrong answers

Option A is wrong because forward secrecy requires ephemeral key exchange (e.g., Diffie-Hellman) where compromise of a long-term key does not expose past sessions; RSA-2048 alone does not provide forward secrecy. Option B is wrong because hybrid encryption actually increases key management complexity by requiring both a symmetric key and an asymmetric key pair, not simplifying to a single key. Option D is wrong because non-repudiation is provided by digital signatures (e.g., using RSA or DSA), not by encryption; encrypting the AES key with RSA does not prove the sender's identity.

4
MCQ · hard

In RSA, the public exponent e is often chosen as 65537. What is the primary reason for this choice?

A. It ensures that the private key d is small
B. It prevents side-channel attacks
C. It provides the highest security level
D. It offers a balance between security and performance due to low Hamming weight
Answer: D

Few 1 bits speed up modular exponentiation.

Why this answer

Option D is correct because 65537 (0x10001) has a low Hamming weight of only 2 bits set, which makes modular exponentiation significantly faster than using a random large exponent, while still providing strong security. This choice balances computational efficiency with cryptographic strength, as a larger exponent would slow down encryption without proportional security gains.

Exam trap

ISC2 often tests the misconception that a larger exponent always means higher security, when in fact the exponent's size has negligible impact on security compared to the modulus length, and the real benefit of 65537 is performance due to its low Hamming weight.

How to eliminate wrong answers

Option A is wrong because a small public exponent e does not ensure a small private key d; in fact, d is typically large and unpredictable due to the modular inverse calculation. Option B is wrong because 65537 does not inherently prevent side-channel attacks; those require specific countermeasures like blinding or constant-time algorithms. Option C is wrong because 65537 does not provide the highest security level; security in RSA depends on key size (e.g., 2048-bit modulus), not on the exponent value, and larger exponents do not increase security.

5
Matching · medium

Match each disaster recovery site type to its description.

Concepts
Matches

Fully operational, real-time replication

Partially configured, ready in hours

Empty facility, setup required

Portable unit with equipment

Why these pairings

These are common disaster recovery site options.

6
MCQ · hard

Refer to the exhibit. An administrator runs an OpenSSL s_client command and receives the output shown. What is the most likely cause of the 'unable to get local issuer certificate' error?

A. The server's private key is missing.
B. The client does not trust the issuing CA.
C. The server certificate is self-signed.
D. The server certificate has expired.
Answer: B

The 'unable to get local issuer certificate' error means the CA is not trusted.

Why this answer

The 'unable to get local issuer certificate' error from OpenSSL s_client indicates that the client (the machine running the command) does not have the issuing Certificate Authority (CA) certificate in its trust store. This means the client cannot verify the server certificate's chain of trust. Option B is correct because the error specifically points to a missing or untrusted CA certificate on the client side, not a problem with the server's private key, self-signing, or expiration.

Exam trap

The trap here is that candidates confuse 'unable to get local issuer certificate' with a server-side certificate issue (like expiration or self-signing), when it actually points to a client-side trust store problem.

How to eliminate wrong answers

Option A is wrong because a missing server private key would cause a different error, such as 'unable to load private key' or a TLS handshake failure, not an issuer certificate validation error. Option C is wrong because a self-signed certificate would produce an 'unable to verify the first certificate' or 'self-signed certificate in chain' error, not specifically 'unable to get local issuer certificate' (which implies a missing CA in the trust store, not a self-signed root). Option D is wrong because an expired server certificate would generate a 'certificate has expired' error during validation, not an issuer certificate lookup failure.

7
MCQ · medium

A company's policy requires that all data at rest be encrypted. Which of the following is the most effective method to encrypt files on a laptop?

A. Encrypt only the user's home folder.
B. Encrypt individual files using a symmetric key.
C. Implement full disk encryption (FDE).
D. Use a self-extracting encrypted archive.
Answer: C

FDE provides blanket encryption for the entire drive.

Why this answer

Full disk encryption (FDE) encrypts the entire storage volume, including the operating system, swap files, temporary files, and all user data. This ensures that if the laptop is lost or stolen, all data at rest is protected without relying on the user to selectively encrypt files or folders, which can leave sensitive data exposed in unencrypted system areas.

Exam trap

The trap here is that candidates often choose encrypting only the home folder or individual files because they think it is sufficient, but they overlook that system areas like swap, temp, and hibernation files can contain sensitive data in plaintext, making full disk encryption the only comprehensive solution for data at rest on a laptop.

How to eliminate wrong answers

Option A is wrong because encrypting only the user's home folder leaves the operating system, swap files, temporary files, and other system areas unencrypted, which can contain cached or residual copies of sensitive data. Option B is wrong because encrypting individual files with a symmetric key requires manual selection and management of each file, increasing the risk of human error and leaving metadata, temporary copies, and swap space unencrypted. Option D is wrong because a self-extracting encrypted archive only protects the specific files placed inside it, leaving the rest of the filesystem and system areas unencrypted, and it requires user interaction to create and extract, making it impractical for comprehensive data-at-rest protection.

8
Multi-Select · medium

Which TWO of the following cryptographic algorithms are considered secure for modern use?

Select 2 answers
A. MD5 (Message Digest 5)
B. ChaCha20
C. AES-256 (Advanced Encryption Standard with 256-bit key)
D. RC4 (Rivest Cipher 4)
E. DES (Data Encryption Standard)
Answers: B, C

ChaCha20 is a secure stream cipher, commonly used in TLS.

Why this answer

AES-256 (option C) is a symmetric cipher with a 256-bit key and is considered secure. ChaCha20 (option B) is a stream cipher that is also considered secure. DES, RC4, and MD5 are broken or deprecated.

9
Multi-Select · medium

Which TWO factors are most critical when selecting a cryptographic algorithm for a government application?

Select 2 answers
A. Speed of encryption/decryption
B. Key length
C. Algorithm popularity
D. Regulatory compliance (e.g., FIPS 140-2)
E. Ease of implementation
Answers: B, D

Key length directly affects security strength.

Why this answer

For government applications, regulatory compliance (e.g., FIPS 140-2) is critical because it mandates that cryptographic modules meet specific security standards for protecting sensitive data. Key length is equally critical because it directly determines the algorithm's resistance to brute-force attacks; insufficient key length can render encryption ineffective regardless of other factors.

Exam trap

ISC2 often tests the misconception that speed or popularity are primary selection criteria, when in fact government applications are driven by regulatory mandates and cryptographic strength (key length) as defined by standards like FIPS.

10
MCQ · hard

A security engineer is designing a system to store passwords securely. Which of the following is the most robust approach for password storage?

A. Hash passwords with SHA-256
B. Encode passwords with Base64
C. Encrypt passwords using AES-256 and store the key separately
D. Use bcrypt with a high cost factor
Answer: D

bcrypt is slow and includes a salt, making it resistant to brute-force and rainbow tables.

Why this answer

Bcrypt is the most robust option because it incorporates a salt to defend against rainbow table attacks and uses a configurable cost factor to deliberately slow down the hashing process, making brute-force attacks computationally expensive. Unlike general-purpose hashes like SHA-256, bcrypt is designed specifically for password storage and resists GPU-accelerated attacks by requiring significant memory and time per attempt.

Exam trap

ISC2 often tests the misconception that encryption (AES) is equivalent to hashing for password storage, but the trap is that encryption is reversible and introduces key management risks, whereas a proper password storage mechanism must be one-way and computationally expensive.

How to eliminate wrong answers

Option A is wrong because SHA-256 is a fast, general-purpose cryptographic hash that lacks a built-in salt and is vulnerable to rainbow table and brute-force attacks when used alone for password storage. Option B is wrong because Base64 is an encoding scheme, not a cryptographic operation; it provides no security and can be trivially reversed to recover the original password. Option C is wrong because encrypting passwords with AES-256 introduces key management complexity, and if the encryption key is compromised, all stored passwords can be decrypted; encryption is reversible by design, whereas password storage requires a one-way, irreversible function.

11
MCQ · easy

A company has deployed an internal public key infrastructure (PKI) using Microsoft Active Directory Certificate Services (AD CS) to issue certificates for internal web servers. The certificate policy requires RSA 2048-bit keys and SHA-256 hashing. During a routine security audit, the administrator discovers that several web server certificates issued by the internal CA are using SHA-1 signatures. The CA is configured with a default Web Server certificate template. The administrator wants to ensure that all future certificates from this CA use SHA-256 as the hash algorithm. What is the most effective and secure course of action?

A. Update the certificate template to specify SHA-256 as the hash algorithm and reissue certificates
B. Increase the CA's security level in the console and restart the service
C. Modify the CA's signing algorithm in the registry to force SHA-256
D. Revoke all SHA-1 certificates and request new ones from a public CA
Answer: A

This directly addresses the issue and ensures future certificates use SHA-256.

Why this answer

Updating the certificate template to specify SHA-256 ensures that all new requests use the correct hash algorithm. Changing the CA signing algorithm in the registry (C) does not affect templates; revoking certificates (D) is disruptive and unnecessary; setting the security level (B) is vague and does not change the hash algorithm.

12
MCQ · easy

An e-commerce company runs its web application on a Windows Server 2019 with IIS 10. The security team runs a vulnerability scan and discovers that the server supports TLS 1.0 and several CBC-mode cipher suites, which are prohibited by the company's security policy. The policy requires disabling all versions of TLS below 1.2 and all cipher suites that do not use GCM mode. The administrator needs to implement the required changes without affecting the application's functionality, as it still needs to support a small number of legacy clients that require TLS 1.2 but not CBC. Which action should the administrator take?

A. Upgrade the server to Windows Server 2022, which automatically disables TLS 1.0.
B. Implement a reverse proxy with strong TLS configuration and route all traffic through it.
C. Disable TLS 1.0 via the registry and configure the cipher suite order in IIS to prefer GCM-based ciphers.
D. Apply a hotfix from Microsoft that removes TLS 1.0 support.
Answer: C

This directly implements the policy and only affects prohibited protocols and ciphers.

Why this answer

Option C is correct because the administrator can disable TLS 1.0 via the Windows registry (e.g., by creating the 'Enabled' DWORD under 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' and setting it to 0) and then configure the cipher suite order in IIS using the 'SchUseStrongCrypto' registry key or the 'Cipher Suites' group policy to prioritize GCM-based ciphers (e.g., TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). This directly enforces the policy—disabling TLS below 1.2 and non-GCM ciphers—while still allowing legacy clients that support TLS 1.2 with GCM to connect without breaking functionality.

Exam trap

The trap here is that candidates may assume a reverse proxy or an OS upgrade is required to enforce strong TLS settings, when in fact Windows Server 2019 fully supports disabling TLS 1.0 and configuring cipher suites natively through registry and IIS settings without additional hardware or software.

How to eliminate wrong answers

Option A is wrong because upgrading to Windows Server 2022 does not automatically disable TLS 1.0; it only changes default settings, and TLS 1.0 can still be enabled unless explicitly disabled via registry or group policy. Option B is wrong because implementing a reverse proxy adds unnecessary complexity and a potential single point of failure; the policy can be met directly on the IIS server without an additional component, and the question asks for an action the administrator should take, not a workaround. Option D is wrong because there is no Microsoft hotfix that removes TLS 1.0 support; TLS 1.0 is a protocol supported by the Schannel security package and is disabled only through registry configuration, not a hotfix.

13
MCQ · medium

A security analyst reviews the TLS configuration of a web server and notices that the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is enabled. The analyst recommends disabling RSA key exchange and enabling ECDHE. Which security property does ECDHE provide that RSA key exchange lacks?

A. ECDHE provides perfect forward secrecy.
B. ECDHE is faster than RSA key exchange.
C. ECDHE is required by PCI DSS for all web transactions.
D. ECDHE uses smaller key sizes for equivalent security.
Answer: A

This ensures that compromise of the server's long-term key does not expose past session keys.

Why this answer

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) provides Perfect Forward Secrecy (PFS), meaning that if the server's long-term private key is compromised, past session keys cannot be derived. RSA key exchange does not provide PFS because the session key is encrypted with the server's static RSA public key; if the private key is later exposed, all recorded sessions can be decrypted.

Exam trap

The trap here is that candidates confuse the general benefits of elliptic curve cryptography (smaller keys, speed) with the specific security property of Perfect Forward Secrecy, which is the unique advantage of ephemeral Diffie-Hellman over static RSA key exchange.

How to eliminate wrong answers

Option B is wrong because ECDHE is not inherently faster than RSA key exchange; while ECDHE can have lower computational overhead in some contexts, performance depends on implementation and key sizes, and speed is not the primary security property. Option C is wrong because PCI DSS does not require ECDHE specifically; it requires the use of strong cryptography and may recommend PFS, but it does not mandate ECDHE for all web transactions. Option D is wrong because while ECDHE does use smaller key sizes for equivalent security compared to RSA, this is a property of elliptic curve cryptography in general, not the specific security property that RSA key exchange lacks—the key distinction is PFS.

14
MCQ · easy

A small business with 20 employees uses a legacy customer relationship management (CRM) application that supports only RC4 encryption for data transmission between the client and server. The company must comply with a new industry regulation that mandates the use of strong encryption (e.g., AES or TLS 1.2+). The IT manager has attempted to upgrade the CRM application, but the vendor has discontinued support and no updates are available. The company cannot afford to replace the CRM immediately, but must achieve compliance within 60 days. The network consists of a single Windows Server 2016 running the CRM server application and 20 Windows 10 workstations. All systems are on a flat internal network. The IT manager proposes several options. Which action is the most appropriate to achieve compliance?

A. Replace the legacy CRM application with a modern web-based CRM that supports TLS 1.2.
B. Continue using RC4 and accept the risk, since the network is isolated.
C. Place a reverse proxy in front of the CRM server that terminates TLS and forwards requests to the server using RC4.
D. Deploy a VPN tunnel between each workstation and the server to encapsulate the RC4 traffic.
Answer: A

Replacing the application ensures strong encryption is used and achieves compliance.

Why this answer

Option A is correct because replacing the legacy CRM with a modern web-based CRM that supports TLS 1.2 directly satisfies the regulation's requirement for strong encryption (AES or TLS 1.2+). This is the only option that eliminates the use of RC4 entirely and achieves compliance within the 60-day timeframe, as the company cannot upgrade the unsupported legacy application.

Exam trap

The trap here is that candidates may think a VPN or reverse proxy 'wraps' the weak encryption to achieve compliance, but the regulation requires the application itself to use strong encryption, not just the network tunnel.

How to eliminate wrong answers

Option B is wrong because accepting the risk of using RC4 violates the mandatory regulation, regardless of network isolation; compliance is not optional and RC4 is considered weak due to known vulnerabilities (e.g., biases in its keystream). Option C is wrong because placing a reverse proxy that terminates TLS but forwards requests to the server using RC4 still exposes the internal traffic to RC4 encryption, which does not meet the regulation's requirement for strong encryption end-to-end. Option D is wrong because deploying a VPN tunnel encapsulates the RC4 traffic but does not replace it; the CRM application still uses RC4 for its own data transmission, and the regulation mandates strong encryption for the application layer, not just the transport layer.

15
MCQ · easy

A security administrator needs to store sensitive customer data in a database. To protect the data at rest, which encryption method should be used?

A. RSA-2048
B. Blowfish in CTR mode
C. AES-256 in CBC mode
D. DES in ECB mode
Answer: C

AES-256 in CBC mode is a strong symmetric encryption suitable for data at rest.

Why this answer

AES-256 in CBC mode is the correct choice because it is a strong, widely accepted symmetric encryption algorithm that provides confidentiality for data at rest. AES-256 uses a 256-bit key, making it resistant to brute-force attacks, and CBC mode adds an initialization vector (IV) to ensure that identical plaintext blocks produce different ciphertext, preventing pattern leakage. This combination is recommended by standards such as NIST SP 800-38A for protecting sensitive stored data.

Exam trap

The trap here is that candidates often confuse asymmetric encryption (RSA) with symmetric encryption for data at rest, or they overlook the weaknesses of legacy algorithms like DES and Blowfish, assuming any encryption is sufficient without considering key size and mode of operation.

How to eliminate wrong answers

Option A is wrong because RSA-2048 is an asymmetric encryption algorithm used for key exchange and digital signatures, not for encrypting large volumes of data at rest; it is computationally expensive and impractical for database encryption. Option B is wrong because Blowfish in CTR mode is a legacy cipher with a 64-bit block size, which is vulnerable to birthday attacks and not recommended for modern data-at-rest protection; CTR mode also turns the cipher into a stream cipher, which can introduce risks if the IV is reused. Option D is wrong because DES in ECB mode uses a 56-bit key that is easily brute-forced with modern hardware, and ECB mode encrypts identical plaintext blocks into identical ciphertext blocks, revealing patterns in the data.

16
MCQ · easy

An organization wants to ensure that a software update has not been tampered with during download. Which cryptographic technique should be used?

A. Compute a SHA-256 hash of the update
B. Sign the update with the developer's private key
C. Encrypt the update with AES
D. Append a MAC (Message Authentication Code)
Answer: B

A digital signature ensures integrity and authenticates the developer.

Why this answer

Signing the update with the developer's private key provides both integrity and authenticity. When the user verifies the signature using the developer's public key, they can confirm that the update has not been tampered with and that it originated from the claimed developer. This is the standard approach for ensuring trust in software distribution, as used in code signing certificates (e.g., Authenticode, GPG).

Exam trap

The trap here is that candidates confuse integrity-only mechanisms (hash, MAC) with the combined integrity and authenticity provided by digital signatures, or they mistakenly think encryption (AES) prevents tampering when it only provides confidentiality.

How to eliminate wrong answers

Option A is wrong because computing a SHA-256 hash alone provides integrity but no authentication; an attacker could replace both the update and its hash, and the user would have no way to detect the substitution. Option C is wrong because encrypting the update with AES ensures confidentiality but does not prevent tampering; an attacker could modify the ciphertext, and decryption would produce garbage, but the user would not know if the original plaintext was altered. Option D is wrong because appending a MAC (Message Authentication Code) provides integrity and authenticity only if both parties share a secret key; in a public download scenario, the user cannot verify the MAC without the shared secret, making it impractical for verifying the update's origin.

17
Multi-Select · easy

Which TWO of the following are common weaknesses in cryptographic implementations that an SSCP should be aware of? (Select exactly 2.)

Select 2 answers
A. Weak random number generation
B. Improper key storage
C. Frequent rekeying
D. Using proven encryption algorithms like AES
E. Following NIST guidelines
Answers: A, B

Predictable random numbers can lead to key compromise.

Why this answer

Weak random number generation is a critical flaw because cryptographic keys, nonces, and initialization vectors rely on unpredictability. If an attacker can predict or reproduce the random values (e.g., due to a low-entropy source or a flawed PRNG like a linear congruential generator), they can derive secret keys or break session security. This undermines the entire cryptographic system regardless of the algorithm strength.

Exam trap

ISC2 often tests the misconception that 'using strong algorithms' or 'following standards' automatically guarantees security, when in fact implementation flaws like weak randomness or poor key management are the real vulnerabilities.

18
MCQ · easy

A security analyst needs to verify that a downloaded file has not been tampered with. The publisher provides a SHA-256 hash. Which property of the hash function is being relied upon?

A. Avalanche effect
B. Collision resistance
C. Second pre-image resistance
D. Pre-image resistance
Answer: B

Collision resistance prevents finding two inputs with same hash.

Why this answer

The security analyst relies on collision resistance to ensure that no two different inputs produce the same SHA-256 hash. If an attacker could find a collision, they could substitute a malicious file that hashes to the same value as the legitimate file, bypassing integrity verification. SHA-256 is designed to make finding such collisions computationally infeasible, which is why it is trusted for file integrity checks.

Exam trap

The trap here is that candidates often confuse collision resistance with second pre-image resistance, mistakenly thinking that verifying a file against a known hash requires second pre-image resistance, when in fact the scenario of a publisher providing a hash for a file relies on collision resistance to prevent an attacker from creating a different file that hashes to the same value.

How to eliminate wrong answers

Option A is wrong because the avalanche effect describes how a small change in input drastically changes the output hash, but it does not directly prevent tampering; it is a property that contributes to security but is not the primary reliance for verifying file integrity. Option C is wrong because second pre-image resistance ensures that given a message and its hash, an attacker cannot find a different message with the same hash; while important, the scenario of verifying a downloaded file against a provided hash relies on collision resistance to prevent an attacker from creating any two messages with the same hash, not just finding a second pre-image for a known message. Option D is wrong because pre-image resistance ensures that given a hash, an attacker cannot find the original input; this is irrelevant for verifying that a file has not been tampered with, as the analyst already has the file and is checking its hash against the published one.

19
MCQ · hard

A company uses a cloud storage service that encrypts files with a key derived from the user's password (e.g., using PBKDF2). The security team recommends migrating to a separate key management service (KMS) that generates and manages encryption keys independently of user passwords. What is the most critical security advantage of using a KMS in this scenario?

A. Password-derived keys are inherently weaker than KMS-generated keys.
B. Changing the user password does not require re-encrypting all files.
C. A KMS is faster at encrypting and decrypting large files.
D. A KMS provides better audit logging of key usage.
Answer: B

When keys are separate from passwords, password changes can be handled without re-encrypting data.

Why this answer

Option B is correct because when encryption keys are derived from a user's password (e.g., via PBKDF2), changing the password changes the derived key, requiring all files encrypted under the old key to be decrypted and re-encrypted with the new key. A separate KMS decouples key management from user credentials, allowing password changes without affecting the underlying encryption keys, thus avoiding costly and time-consuming re-encryption operations.

Exam trap

ISC2 often tests the misconception that KMS-generated keys are always cryptographically stronger than password-derived keys, when the real advantage is operational separation of key lifecycle from user credentials.

How to eliminate wrong answers

Option A is wrong because password-derived keys are not inherently weaker than KMS-generated keys; PBKDF2 with sufficient iterations and salt can produce strong keys, and the weakness often lies in poor password entropy rather than the derivation algorithm itself. Option C is wrong because KMS encryption/decryption speed is typically slower than local operations due to network latency and API overhead, especially for large files where envelope encryption is used. Option D is wrong because while KMS can provide audit logging, this is not the most critical advantage in this scenario; the primary security benefit is the separation of key management from user passwords, which directly addresses the re-encryption problem.

20
MCQ · medium

A company deploys a web application that handles sensitive financial transactions. To protect data in transit, which protocol should be used?

A. SSH (Secure Shell)
B. SSL 3.0
C. IPsec in transport mode
D. TLS 1.2
Answer: D

TLS 1.2 is secure and appropriate for web applications.

Why this answer

TLS 1.2 is the correct choice because it is the industry-standard protocol for securing HTTP traffic, providing encryption, integrity, and authentication for data in transit. It is widely supported, has no known practical vulnerabilities (unlike SSL 3.0), and is specifically designed for web application protocols like HTTPS, making it ideal for protecting sensitive financial transactions.

Exam trap

The trap here is that candidates often confuse SSH with a general-purpose encryption protocol or think SSL 3.0 is still acceptable because it was historically used, but the exam tests awareness of deprecated protocols and the correct protocol for web-specific security.

How to eliminate wrong answers

Option A is wrong because SSH (Secure Shell) is a protocol for secure remote administration and file transfer (e.g., SFTP), not for securing web application traffic; it operates on a different application layer and does not integrate with HTTP. Option B is wrong because SSL 3.0 is deprecated due to critical vulnerabilities such as the POODLE attack (CVE-2014-3566), which allows plaintext recovery, and it is no longer considered secure for protecting sensitive data. Option C is wrong because IPsec in transport mode secures IP packets between two hosts (e.g., for VPNs or host-to-host communication), but it is not designed to protect application-layer web traffic like HTTP; it requires complex configuration and does not natively integrate with web browsers or servers.

21
MCQ · hard

A system administrator notices that a server's certificate was issued by a CA that is not in the trusted root store of client machines. What is the most likely impact on clients connecting via TLS?

A. Clients will receive a certificate warning or be unable to connect.
B. The server will automatically obtain a new certificate.
C. Clients will connect but with reduced cipher strength.
D. Clients will be able to connect without any warning.
Answer: A

Untrusted CA causes a trust error, resulting in a warning or failure.

Why this answer

When a server presents a certificate issued by a Certificate Authority (CA) that is not in the client's trusted root store, the TLS handshake fails the trust chain validation. The client's TLS library (e.g., OpenSSL, Schannel) will either display a certificate warning to the user or terminate the connection with an error such as 'SEC_ERROR_UNKNOWN_ISSUER' in Firefox or 'ERR_CERT_AUTHORITY_INVALID' in Chrome, depending on the client's security policy.

Exam trap

The trap here is that candidates assume TLS connections will proceed with reduced security or a warning, but in strict implementations (e.g., many browsers and modern applications), the connection is completely blocked rather than just warned.

How to eliminate wrong answers

Option B is wrong because the server cannot automatically obtain a new certificate; certificate renewal or replacement requires manual intervention or an automated protocol like ACME, but the client's lack of trust does not trigger any automatic action on the server. Option C is wrong because TLS cipher strength is negotiated independently of certificate trust; a client will not downgrade ciphers due to an untrusted CA — the handshake will fail before cipher negotiation completes. Option D is wrong because clients enforce trust validation by default; they will not connect without a warning unless the user has explicitly disabled certificate validation (e.g., by adding an exception or using an insecure configuration like `CURLOPT_SSL_VERIFYPEER` set to false).

22
Multi-Select · hard

A security auditor is reviewing the cryptographic algorithms used in an organization. Which THREE of the following are considered insecure or deprecated and should be avoided? (Select THREE.)

Select 3 answers
A. RSA-2048
B. DES
C. 3DES
D. AES-256
E. MD5
Answers: B, C, E

DES uses a 56-bit key, making it vulnerable to brute-force attacks.

Why this answer

DES (Data Encryption Standard) uses a 56-bit key, which is too short to withstand modern brute-force attacks; it was officially withdrawn as a standard by NIST in 2005. 3DES, while an improvement, is now deprecated due to its relatively slow performance and susceptibility to meet-in-the-middle attacks, with NIST disallowing it for new applications after 2023. MD5 is a broken hash algorithm; collision attacks (e.g., using a chosen-prefix collision) can be performed in seconds on commodity hardware, making it unsuitable for any security-sensitive use.

Exam trap

ISC2 often tests the misconception that 3DES is still acceptable because it is 'triple' strength, but the trap is that both DES and 3DES are deprecated due to small block sizes and key lengths, while MD5 is often mistakenly considered safe for checksums despite its proven collision vulnerabilities.

23
Multi-Select · hard

Which THREE of the following are common use cases for public key infrastructure (PKI)? (Select exactly three.)

Select 3 answers
A. Password hashing
B. Symmetric key exchange
C. Digital signatures
D. Email encryption (S/MIME)
E. SSL/TLS certificate authentication
Answers: C, D, E

PKI enables digital signatures using certificates.

Why this answer

Digital signatures are a core use case for PKI because they rely on asymmetric cryptography where a private key signs data and the corresponding public key, bound to an identity via a digital certificate issued by a Certificate Authority (CA), verifies the signature. This ensures authenticity, integrity, and non-repudiation of the signed message or document.

Exam trap

The trap here is that candidates may confuse the mechanism (e.g., using PKI to exchange a symmetric key) with a direct use case of PKI, or mistakenly think password hashing involves certificates, when PKI is specifically about public key certificates, not symmetric key exchange or hashing algorithms.

24
Multi-Select · medium

Which TWO of the following are required properties of a cryptographically secure hash function? (Select exactly 2.)

Select 2 answers
A. Deterministic output
B. Collision resistance
C. High speed for large inputs
D. Low output entropy
E. Preimage resistance
Answers: B, E

It should be infeasible to find two different inputs with the same hash.

Why this answer

Collision resistance (B) is a required property because it ensures that it is computationally infeasible to find two distinct inputs that produce the same hash output. Without this property, an attacker could substitute a legitimate message with a fraudulent one that yields an identical hash, breaking the integrity guarantees of the hash function. This is a fundamental requirement for digital signatures and message authentication codes (MACs) in cryptographic protocols.

Exam trap

ISC2 often tests the distinction between general hash function properties (like deterministic output) and the specific security properties required for cryptographic use, leading candidates to mistakenly select deterministic output as a required property when it is merely a basic characteristic of any hash function.

25
MCQ · medium

An administrator reports that a TLS handshake fails between a web server and client. The server supports TLS 1.2 with ciphers ECDHE-RSA-AES128-GCM-SHA256 and RSA-AES256-CBC-SHA256. The client supports only TLS 1.0 with ciphers RSA-RC4-SHA and RSA-AES128-SHA. What is the most likely cause?

A. Cipher suite order misconfiguration
B. Certificate validation failure
C. No common TLS version
D. No common cipher suite
Answer: C

The server supports only TLS 1.2; the client supports only TLS 1.0.

Why this answer

The TLS handshake fails because the server supports only TLS 1.2, while the client supports only TLS 1.0. During the handshake, the client sends a ClientHello with its highest supported version (1.0), and the server responds with a ServerHello indicating its highest supported version (1.2). Since neither side can downgrade to a mutually supported version, the handshake aborts.

This is a version negotiation failure, not a cipher mismatch.

Exam trap

The trap here is that candidates see different cipher suites and assume a cipher mismatch (Option D), but the real issue is that the TLS versions are incompatible, which is checked before cipher negotiation.

How to eliminate wrong answers

Option A is wrong because cipher suite order misconfiguration would only matter if both sides shared a common TLS version; here, the version mismatch prevents any cipher negotiation from occurring. Option B is wrong because certificate validation failure occurs after the handshake establishes a secure channel, typically during the CertificateVerify or Finished messages, but the handshake fails before that point due to version incompatibility. Option D is wrong because even if the client and server had no common cipher suites, the handshake would still proceed to the ServerHello stage and fail at cipher negotiation, but here the failure is earlier at version negotiation; the client's TLS 1.0 ciphers are irrelevant when the server only offers TLS 1.2.

26
Multi-Select · hard

Which THREE are security implications of using deprecated cryptographic protocols such as SSL 3.0 and TLS 1.0?

Select 3 answers
A. Susceptibility to downgrade attacks
B. Increased computational overhead
C. Compliance with regulations
D. Weak key exchange
E. Interoperability issues with modern systems
Answers: A, D, E

Attackers can force the use of weaker protocols.

Why this answer

Option A is correct because deprecated protocols like SSL 3.0 and TLS 1.0 are vulnerable to downgrade attacks, such as the POODLE attack (CVE-2014-3566). In a downgrade attack, an active man-in-the-middle forces the client and server to negotiate a weaker, deprecated protocol version, bypassing stronger security. This allows the attacker to exploit known weaknesses in the older protocol, such as padding oracle vulnerabilities in SSL 3.0.

Exam trap

ISC2 often tests the misconception that deprecated protocols are 'still secure enough' or that their only downside is performance overhead, but the real trap is that candidates confuse 'interoperability issues' (which are a practical concern) with 'security implications' (which are the core focus of the question).

27
MCQ · easy

A company uses digital signatures to ensure the integrity and non-repudiation of internal contracts. The private key used for signing is stored in a hardware security module (HSM). A junior administrator asks why the HSM is necessary. What is the primary reason?

A. It reduces network latency during signing.
B. It enables symmetric key exchange for large files.
C. It allows the signing process to be faster.
D. It provides non-repudiation by protecting the private key.
Answer: D

Protecting the private key in a tamper-resistant device ensures that only the authorized user can sign, providing non-repudiation.

Why this answer

The primary reason for using an HSM is to protect the private key from unauthorized access or extraction. Non-repudiation relies on the assurance that only the legitimate signer could have used the private key; if the key is compromised, that assurance is lost. The HSM provides a tamper-resistant environment that performs signing operations internally, ensuring the private key never leaves the secure hardware.

Exam trap

The trap here is that candidates may think an HSM is used for performance or key exchange, but the SSCP exam emphasizes that its core purpose is to safeguard the private key to maintain non-repudiation and integrity.

How to eliminate wrong answers

Option A is wrong because an HSM does not reduce network latency; in fact, it may add slight latency due to hardware communication overhead. Option B is wrong because HSMs are used for asymmetric key operations (signing/encryption), not symmetric key exchange; symmetric keys are typically exchanged using asymmetric methods like Diffie-Hellman or RSA. Option C is wrong because HSMs are not primarily designed for speed; software-based signing can be faster, but HSMs prioritize security over raw performance.

28
Multi-Select · medium

Which TWO of the following are symmetric encryption algorithms? (Select exactly two.)

Select 2 answers
A. DES
B. AES
C. RSA
D. ECC
E. SHA-256
Answers: A, B

DES is a symmetric cipher.

Why this answer

DES (Data Encryption Standard) is a symmetric encryption algorithm that uses a single key for both encryption and decryption. It operates on 64-bit blocks with a 56-bit key, and while now considered insecure due to its small key size, it remains a foundational symmetric cipher. AES (Advanced Encryption Standard) is also symmetric, using block sizes of 128 bits and key sizes of 128, 192, or 256 bits, and is the current standard for symmetric encryption.

Exam trap

ISC2 often tests the distinction between symmetric and asymmetric algorithms, and the trap here is that candidates may confuse RSA or ECC (both asymmetric) with symmetric ciphers, or mistakenly think SHA-256 is an encryption algorithm because it is used in security contexts.

29
MCQ · medium

A security team discovers that a legacy system uses ECB mode to encrypt credit card numbers. What is the primary security concern with this mode?

A. Identical plaintext blocks produce identical ciphertext, revealing patterns
B. It is slow compared to other modes
C. It is vulnerable to padding oracle attacks
D. It does not provide integrity
Answer: A

This is the classic weakness of ECB.

Why this answer

ECB (Electronic Codebook) mode encrypts each plaintext block independently using the same key. This means identical plaintext blocks produce identical ciphertext blocks, which allows an attacker to detect patterns, data boundaries, and repetitions in the encrypted data. For credit card numbers, which often have predictable formats (e.g., BIN ranges, fixed lengths), this pattern leakage can reveal sensitive information without breaking the encryption key.

Exam trap

The trap here is that candidates often confuse ECB's lack of diffusion with performance issues or integrity flaws, but Cisco specifically tests whether you recognize that ECB's deterministic block mapping is its fundamental weakness, not speed or padding vulnerabilities.

How to eliminate wrong answers

Option B is wrong because ECB is actually one of the fastest modes—it processes blocks in parallel with no chaining overhead, so slowness is not a valid concern. Option C is wrong because padding oracle attacks exploit CBC mode (or other modes using PKCS#7 padding), not ECB; ECB does not use an initialization vector or chaining, so padding oracle attacks are not applicable. Option D is wrong because ECB does not inherently provide integrity, but that is not its primary security concern—the core issue is pattern leakage from deterministic encryption; integrity is a separate property typically addressed by MACs or authenticated encryption modes like GCM.

30
MCQ · easy

A company needs to encrypt large volumes of data at rest on a file server. Which type of cryptography is most appropriate for this task?

A. Asymmetric encryption
B. Public Key Infrastructure (PKI)
C. Symmetric encryption
D. Hash function
Answer: C

Symmetric encryption is fast and suitable for bulk data.

Why this answer

Symmetric encryption uses a single shared key for both encryption and decryption, making it significantly faster and more efficient than asymmetric encryption for bulk data encryption. For large volumes of data at rest on a file server, symmetric algorithms like AES-256 provide the necessary performance and security, as they are designed to handle high-throughput encryption with minimal computational overhead.

Exam trap

The trap here is that candidates confuse the role of asymmetric encryption (used for key exchange or small data) with bulk encryption, or mistakenly think PKI is an encryption method rather than a management framework, leading them to choose options that are technically valid in other contexts but inappropriate for large-scale data-at-rest encryption.

How to eliminate wrong answers

Option A is wrong because asymmetric encryption (e.g., RSA, ECC) is computationally intensive and orders of magnitude slower than symmetric encryption, making it impractical for encrypting large volumes of data at rest; it is typically used for key exchange or digital signatures. Option B is wrong because Public Key Infrastructure (PKI) is a framework for managing digital certificates and public keys, not an encryption algorithm itself; it supports asymmetric operations but does not directly encrypt bulk data. Option D is wrong because a hash function (e.g., SHA-256) is a one-way function that produces a fixed-size digest and is not reversible, so it cannot be used for encryption or decryption of data at rest.

31
MCQ · medium

A security administrator needs to choose an encryption algorithm for a high-speed network where data is encrypted at the link layer. Which algorithm is most appropriate?

A. RSA
B. Diffie-Hellman
C. AES
D. SHA-256
Answer: C

AES is symmetric, fast, and suitable for link-layer encryption.

Why this answer

AES (Advanced Encryption Standard) is the most appropriate choice for link-layer encryption in high-speed networks because it is a symmetric block cipher designed for efficient hardware and software implementation, offering high throughput with low latency. Unlike asymmetric algorithms, AES operates with a single shared key, making it ideal for encrypting bulk data at the data link layer where speed and minimal overhead are critical.

Exam trap

The trap here is that candidates confuse encryption algorithms with key exchange or hashing functions, mistakenly choosing RSA or Diffie-Hellman for bulk encryption, or SHA-256 for confidentiality, when symmetric ciphers like AES are the correct choice for high-speed link-layer encryption.

How to eliminate wrong answers

Option A is wrong because RSA is an asymmetric encryption algorithm used primarily for key exchange and digital signatures, not for bulk data encryption; its computational overhead makes it unsuitable for high-speed link-layer encryption. Option B is wrong because Diffie-Hellman is a key exchange protocol, not an encryption algorithm; it establishes a shared secret but does not encrypt data itself. Option D is wrong because SHA-256 is a cryptographic hash function, not an encryption algorithm; it provides integrity and authentication but cannot encrypt or decrypt data.

32
MCQ · medium

Refer to the exhibit. What is the purpose of the 'group 14' parameter in the IKEv2 proposal?

A. Defines the integrity checking method
B. Specifies the encryption algorithm
C. Sets the Diffie-Hellman group for key exchange
D. Indicates the authentication method
Answer: C

Group 14 is a 2048-bit Diffie-Hellman group used for key exchange.

Why this answer

In IKEv2 proposals, the 'group 14' parameter specifies the Diffie-Hellman (DH) group used for the key exchange process. DH group 14 corresponds to a 2048-bit modular exponentiation group, which provides the cryptographic strength for establishing a shared secret over an insecure channel. This is distinct from encryption, integrity, or authentication parameters.

Exam trap

The trap here is that candidates often confuse 'group' with an integrity or encryption algorithm because Cisco IOS uses the 'group' keyword in other contexts (e.g., OSPF), but in IKE proposals it specifically refers to the Diffie-Hellman group for key exchange.

How to eliminate wrong answers

Option A is wrong because integrity checking methods in IKEv2 are defined by the integrity algorithm (e.g., HMAC-SHA256), not by the DH group parameter. Option B is wrong because the encryption algorithm (e.g., AES-256) is specified by a separate 'encr' parameter in the IKEv2 proposal, not by 'group 14'. Option D is wrong because authentication methods (e.g., pre-shared keys, certificates) are configured independently, often under an 'authentication' or 'auth' parameter, and are not related to DH group selection.

33
MCQ · medium

A financial services firm with 500 servers and 2000 workstations uses an internal public key infrastructure (PKI) for authentication and secure communication. The root CA certificate is self-signed and stored on an offline root CA server. Recently, the root CA server was physically stolen from a locked data center. Although the server was encrypted, forensic analysis confirms that the root CA private key was extracted. The security team must immediately revoke trust in the compromised root CA and issue new certificates to all devices. The environment includes Active Directory and Group Policy. Which approach best ensures all systems trust the new CA hierarchy and obtain valid certificates with minimal disruption?

A. Generate a new root CA, sign new subordinate CAs, distribute the new root via Group Policy, and re-issue all end-entity certificates.
B. Publish a certificate revocation list (CRL) and wait for existing certificates to expire.
C. Generate a new root CA certificate and key, then re-issue all subordinate CA certificates without re-issuing end-entity certificates.
D. Enable OCSP stapling on all web servers to check revocation status in real time.
Answer: A

This ensures all systems trust the new CA hierarchy and have valid certificates.

Why this answer

Option A is correct because the root CA private key has been compromised, requiring the entire PKI hierarchy to be rebuilt from scratch. A new self-signed root CA must be generated, new subordinate CAs signed under it, and all end-entity certificates re-issued to devices. Distributing the new root CA certificate via Active Directory Group Policy ensures that all domain-joined systems trust the new hierarchy automatically, minimizing manual intervention and disruption.

Exam trap

The trap here is that candidates may think re-issuing only subordinate CAs (Option C) is sufficient, overlooking that end-entity certificates signed by the compromised root remain untrusted and must also be replaced to restore a valid chain of trust.

How to eliminate wrong answers

Option B is wrong because publishing a CRL only revokes trust in the compromised root CA but does not establish a new trusted hierarchy; waiting for existing certificates to expire leaves systems vulnerable and without valid certificates for an extended period. Option C is wrong because re-issuing subordinate CA certificates without re-issuing end-entity certificates leaves all existing end-entity certificates signed by the compromised root CA still in use, which are untrusted and cannot be validated. Option D is wrong because OCSP stapling is a revocation checking mechanism, not a method to replace a compromised root CA or issue new certificates; it does not address the need to establish a new trust anchor.

34
MCQ · easy

Refer to the exhibit. Which component of the cipher suite provides perfect forward secrecy?

A. ECDHE
B. TLS 1.2
C. AES256-GCM
D. SHA384
Answer: A

ECDHE uses ephemeral keys, ensuring forward secrecy.

Why this answer

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) provides perfect forward secrecy (PFS) because it generates a unique, ephemeral session key for each TLS session. If the long-term private key is compromised, past session keys cannot be derived, as the ephemeral keys are discarded after use. This is defined in RFC 4492 and is a core property of ephemeral Diffie-Hellman key exchange.

Exam trap

ISC2 often tests the distinction between the protocol version (TLS 1.2) and the cipher suite components that actually implement PFS, leading candidates to incorrectly select TLS 1.2 because they associate it with modern security features.

How to eliminate wrong answers

Option B (TLS 1.2) is wrong because TLS 1.2 is a protocol version, not a component that provides PFS; it can support PFS if ECDHE or DHE cipher suites are negotiated, but the protocol itself does not guarantee PFS. Option C (AES256-GCM) is wrong because AES256-GCM is a symmetric encryption and authenticated encryption algorithm (AEAD) that protects data confidentiality and integrity, but it does not influence key exchange or provide PFS. Option D (SHA384) is wrong because SHA384 is a hash function used for message authentication in HMAC or for integrity checks in TLS, and it has no role in establishing ephemeral keys or PFS.

35
MCQ · medium

A software developer wants to ensure the authenticity and integrity of an API request but does not require non-repudiation. Which cryptographic method should be used?

A. Digital signature using RSA
B. Symmetric encryption with CBC mode
C. Hash-based message authentication code (HMAC)
D. Elliptic curve Diffie-Hellman (ECDH)
Answer: C

HMAC verifies authenticity and integrity without non-repudiation.

Why this answer

HMAC uses a shared secret key combined with a cryptographic hash function to produce a fixed-size authentication tag. This ensures both authenticity (the request came from a party knowing the key) and integrity (the data has not been altered) without providing non-repudiation, because the same key is shared between sender and receiver, so the receiver could also have generated the tag.

Exam trap

ISC2 often tests the distinction between authentication/integrity (HMAC) and non-repudiation (digital signatures), leading candidates to incorrectly choose digital signatures when non-repudiation is explicitly not required.

How to eliminate wrong answers

Option A is wrong because a digital signature using RSA provides non-repudiation (the sender cannot deny signing) and is computationally heavier than necessary when non-repudiation is not required. Option B is wrong because symmetric encryption with CBC mode provides confidentiality, not authenticity or integrity; CBC mode alone does not prevent an attacker from modifying ciphertext blocks. Option D is wrong because Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used to establish a shared secret over an insecure channel, not a method for authenticating or verifying the integrity of an API request.

36
MCQ · hard

Refer to the exhibit. What is the most likely cause of this error?

A. The root CA is not trusted
B. The certificate has been revoked
C. The certificate is expired
D. The certificate uses weak encryption
Answer: A

A self-signed certificate in the chain means the CA is not in the trust store.

Why this answer

The error 'The root CA is not trusted' occurs because the client device does not have the root CA certificate installed in its trusted root store. When a server presents a certificate chain, the client must be able to validate the chain up to a trusted root CA; if the root CA is missing or not trusted, the certificate chain is considered invalid, and the connection is rejected.

Exam trap

ISC2 often tests the distinction between certificate chain validation failures (root CA not trusted) versus other certificate errors (expired, revoked, weak key), and the trap here is that candidates confuse a missing root CA with a revoked or expired certificate, which produce different error messages.

How to eliminate wrong answers

Option B is wrong because a revoked certificate would produce a different error, such as 'certificate revoked' or a CRL/OCSP failure message, not a trust-related error. Option C is wrong because an expired certificate would generate a specific 'certificate expired' error, not a root CA trust issue. Option D is wrong because weak encryption (e.g., RSA 512-bit) would cause a security policy violation or cipher mismatch error, not a root CA trust failure.

37
Multi-Select · hard

Which THREE of the following are considered cryptographic best practices for key management? (Select exactly 3.)

Select 3 answers
A. Separate keys used for encryption and digital signatures
B. Rotate keys periodically
C. Use hardware security modules (HSMs) for key storage
D. Publish symmetric keys on the company website for transparency
E. Store keys with the encrypted data for convenience
Answers: A, B, C

Using the same key for both purposes weakens security.

Why this answer

Option A is correct because using separate keys for encryption and digital signatures ensures that compromising one key does not affect the other. This separation aligns with the principle of key usage restrictions, as defined in NIST SP 800-57, which mandates distinct keys for different cryptographic operations to prevent misuse and maintain non-repudiation.

Exam trap

ISC2 often tests the misconception that convenience (like storing keys with data) is acceptable, when in fact it violates the core security principle of key separation and confidentiality.

38
MCQ · easy

When implementing a digital signature, which key is used to create the signature?

A. Receiver's private key
B. Sender's private key
C. Sender's public key
D. Receiver's public key
Answer: B

The private key is used to sign documents.

Why this answer

In a digital signature scheme, the sender uses their own private key to create the signature. This ensures non-repudiation because only the sender possesses that private key, and the corresponding public key can verify the signature. The process involves encrypting a hash of the message with the sender's private key, as specified in standards like PKCS#1 and RFC 8017.

Exam trap

The trap here is that candidates often confuse the roles of keys in encryption versus signing, mistakenly thinking the receiver's private key or the sender's public key is used to create the signature because they associate 'private' with secrecy and 'public' with sharing, without understanding the specific asymmetric operations required for non-repudiation.

How to eliminate wrong answers

Option A is wrong because the receiver's private key is used for decryption in asymmetric encryption, not for creating a digital signature; using it would allow anyone with the receiver's public key to forge the signature. Option C is wrong because the sender's public key is used to verify the signature, not create it; using it to sign would allow anyone to create a valid signature since the public key is widely known. Option D is wrong because the receiver's public key is used for encrypting messages to the receiver, not for signing; it cannot provide non-repudiation as the sender does not possess the corresponding private key.

39
MCQ · easy

A company wants to ensure that data transmitted between its two branch offices remains confidential. Which cryptographic goal is primarily being addressed?

A. Availability
B. Non-repudiation
C. Integrity
D. Confidentiality
Answer: D

Confidentiality is the goal of keeping data secret, achieved via encryption.

Why this answer

Confidentiality ensures that data is accessible only to authorized parties, typically achieved through encryption. In this scenario, the company wants to prevent unauthorized interception of data between branch offices, which is the core goal of confidentiality. Technologies such as IPsec VPNs or TLS are used to encrypt the data in transit, directly addressing this requirement.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity, mistakenly thinking that protecting data from modification also prevents it from being read, but encryption alone does not guarantee integrity unless combined with a MAC or authenticated encryption mode like GCM.

How to eliminate wrong answers

Option A is wrong because availability ensures that systems and data are accessible when needed, often through redundancy or fault tolerance, not by protecting data from eavesdropping. Option B is wrong because non-repudiation provides proof of origin or delivery of data, typically via digital signatures, and does not prevent unauthorized reading of the data. Option C is wrong because integrity ensures that data has not been altered during transit, often using hashing or MACs, but does not protect against unauthorized viewing of the data.

40
MCQ · medium

A security analyst reviews a cryptographic implementation and notices that the same initialization vector (IV) is used repeatedly with the same key in CBC mode. What is the primary risk?

A. Loss of confidentiality
B. Loss of authentication
C. Non-repudiation is compromised
D. Loss of integrity
Answer: A

IV reuse can lead to identical ciphertext blocks for identical plaintext, revealing patterns.

Why this answer

In CBC (Cipher Block Chaining) mode, the initialization vector (IV) is XORed with the first plaintext block before encryption. Reusing the same IV with the same key means that identical plaintext blocks will produce identical ciphertext blocks, revealing patterns in the data. This directly breaks confidentiality, as an attacker can detect repeated plaintext segments, infer message structure, or even recover plaintext through known-plaintext attacks.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity or authentication, mistakenly thinking IV reuse primarily enables data tampering (integrity) or impersonation (authentication), when in fact the core cryptographic weakness is the exposure of plaintext patterns, directly violating confidentiality.

How to eliminate wrong answers

Option B is wrong because loss of authentication refers to the inability to verify the origin or identity of the sender, which is not directly caused by IV reuse; CBC mode does not provide authentication by itself (that requires a MAC). Option C is wrong because non-repudiation is a property that prevents a party from denying an action, typically provided by digital signatures, not by CBC mode or IV usage. Option D is wrong because loss of integrity means data has been tampered with undetected; while IV reuse can enable certain attacks (e.g., bit-flipping), the primary and most immediate risk is the exposure of plaintext patterns, i.e., loss of confidentiality.

41
MCQ · hard

Based on the TLS connection output, what is a potential security vulnerability?

A. The certificate has expired
B. The key exchange is ephemeral, reducing security
C. The cipher suite uses AES-128, which is too weak
D. The certificate uses SHA-1 for the signature algorithm
Answer: D

SHA-1 is deprecated due to collision attacks.

Why this answer

The signature algorithm sha1WithRSAEncryption is deprecated for certificates; SHA-1 is weak and should not be used. Options A, B, and C are incorrect: the certificate is not expired (no date shown), ECDHE provides forward secrecy, and AES-128 is acceptable.

42
MCQ · hard

A healthcare organization stores patient records in a database that is encrypted at rest using AES-256-CBC. The encryption key is stored in a plaintext configuration file on the database server, with file permissions set to read-only for the database service account and administrators. During an internal audit, the security team flags this as a critical vulnerability because the key is co-located with the encrypted data. The system administrator argues that the file permissions are sufficient to prevent unauthorized access. Separately, the organization must comply with HIPAA requirements for encryption key management. Which remediation most effectively addresses the vulnerability and meets compliance requirements?

A. Change the encryption algorithm from AES-256-CBC to AES-256-GCM.
B. Implement file integrity monitoring (FIM) on the configuration file to alert on unauthorized access.
C. Move the encryption key to a hardware security module (HSM) accessible only via authenticated API calls.
D. Encrypt the configuration file containing the key with a second AES-256 key stored in the same directory.
Answer: C

An HSM provides tamper-resistant key storage and meets compliance requirements.

Why this answer

Option C is correct because moving the encryption key to a hardware security module (HSM) physically separates the key from the encrypted data, eliminating the co-location vulnerability. HSMs provide tamper-resistant key storage and enforce access controls via authenticated API calls, which aligns with HIPAA requirements for proper key management and protection of electronic protected health information (ePHI).

Exam trap

The trap here is that candidates often confuse encryption algorithm improvements (like GCM) or monitoring controls (like FIM) with proper key management, failing to recognize that co-location of the key with the data is the core vulnerability that must be addressed by physical or logical separation.

How to eliminate wrong answers

Option A is wrong because changing the cipher mode from CBC to GCM addresses data integrity and authentication, not the fundamental issue of key storage co-location or access control. Option B is wrong because file integrity monitoring (FIM) only detects unauthorized access or changes after the fact; it does not prevent an attacker who gains access to the server from reading the plaintext key from the configuration file. Option D is wrong because encrypting the configuration file with a second key stored in the same directory merely adds a layer of obfuscation; the second key remains co-located and accessible, so an attacker who compromises the server can retrieve both keys.

43
MCQ · easy

When using CBC mode encryption, what is the purpose of the initialization vector (IV)?

A. To provide authentication
B. To increase the key length
C. To add randomness and prevent identical ciphertext for repeated plaintext
D. To enable parallel encryption
Answer: C

IV randomizes the first block, causing different ciphertexts.

Why this answer

Option C is correct because the initialization vector (IV) in CBC mode ensures that each encryption of the same plaintext with the same key produces a different ciphertext. The IV is XORed with the first plaintext block before encryption, introducing randomness that prevents patterns from being exposed in the ciphertext, which is critical for semantic security.

Exam trap

The trap here is that candidates confuse the IV's role in adding randomness with authentication or key extension, or they mistakenly think CBC supports parallel encryption because they overlook the sequential dependency of ciphertext blocks.

How to eliminate wrong answers

Option A is wrong because CBC mode provides no inherent authentication; it is a confidentiality-only mode, and authentication requires a separate MAC or an authenticated encryption mode like GCM or CCM. Option B is wrong because the IV does not increase the effective key length; the key length remains fixed, and the IV is a non-secret, random value used per message. Option D is wrong because CBC mode is inherently sequential—each ciphertext block depends on the previous one—so it cannot be parallelized during encryption; only decryption can be parallelized.

44
Multi-Select · easy

Which THREE characteristics are important for a password hashing algorithm?

Select 3 answers
A. Fixed output length
B. Salt usage
C. Reversible
D. Slow computation
E. Constant time comparison
Answers: B, D, E

Salt prevents rainbow table attacks.

Why this answer

B is correct because salting ensures that each password hash is unique even if two users have the same password, preventing precomputed rainbow table attacks. A salt is a random value concatenated with the password before hashing, and it must be stored alongside the hash for verification.

Exam trap

ISC2 often tests the misconception that fixed output length is a key requirement for password hashing, when in fact it is a generic property of all hash functions and not specific to password storage security.

45
MCQ · hard

An administrator notices that a certificate used for code signing is about to expire. The certificate is signed by a trusted root CA. What is the correct procedure to ensure continued trust?

A. Continue using the expired certificate until a new one is obtained
B. Extend the validity period of the existing certificate by modifying the certificate
C. Switch to a self-signed certificate
D. Request a new certificate from the same CA before expiration
Answer: D

This ensures continuity and trust from the same root.

Why this answer

The correct procedure is to request a new certificate from the same trusted root CA before the current certificate expires. This ensures that the new certificate is signed by the same trusted root, maintaining the chain of trust without interruption. Continuing to use an expired certificate would break trust validation, as clients and operating systems reject expired code-signing certificates to prevent execution of untrusted code.

Exam trap

The trap here is that candidates may think extending the validity period or using a self-signed certificate is acceptable, but Cisco tests the understanding that only a certificate from the same trusted CA preserves the existing chain of trust without requiring manual trust configuration.

How to eliminate wrong answers

Option A is wrong because using an expired certificate violates trust models; code-signing certificates are validated for expiration, and expired certificates cause signature verification failures, leading to warnings or blocked execution. Option B is wrong because certificate validity periods cannot be extended by modifying the certificate; the validity is cryptographically bound by the CA's signature, and any alteration invalidates the signature. Option C is wrong because switching to a self-signed certificate breaks the chain of trust; self-signed certificates are not trusted by default and require manual installation on every client, which is impractical for code signing.

46
Drag & Drop · medium

Drag and drop the steps for a typical TLS 1.3 handshake into the correct order.


Why this order

TLS 1.3 reduces round trips: ClientHello, ServerHello, EncryptedExtensions, Finished from server, Finished from client.

47
MCQ · hard

An organization wants to implement a cryptographic solution that ensures forward secrecy for its internal communications. Which key exchange method should be used?

A. RSA key exchange
B. Elliptic Curve Diffie-Hellman (ECDH)
C. Diffie-Hellman Ephemeral (DHE)
D. Static Diffie-Hellman
Answer: C

DHE generates temporary keys each session, so compromise of long-term keys does not expose past sessions.

Why this answer

DHE (Diffie-Hellman Ephemeral) generates a fresh, temporary key pair for each session and never reuses the private key, ensuring that compromise of a long-term key does not expose past session keys. This provides forward secrecy because the ephemeral keys are destroyed after the session ends, making it computationally infeasible to decrypt recorded traffic even if the server's static key is later compromised.

Exam trap

ISC2 often tests the distinction between 'Diffie-Hellman' (which can be static) and 'Diffie-Hellman Ephemeral' (DHE) — the trap is that candidates see 'Diffie-Hellman' and assume forward secrecy, forgetting that only the ephemeral variant provides it.

How to eliminate wrong answers

Option A is wrong because RSA key exchange uses the server's static private key to decrypt the premaster secret; if that private key is later compromised, all past sessions can be decrypted, so it does not provide forward secrecy. Option B is wrong because Elliptic Curve Diffie-Hellman (ECDH) alone is a static-static or static-ephemeral variant unless the ephemeral (ECDHE) version is specified; the question asks for a method that ensures forward secrecy, and standard ECDH without the 'E' does not guarantee ephemeral keys. Option D is wrong because Static Diffie-Hellman uses fixed, long-term keys for both parties, meaning compromise of either static private key allows decryption of all past and future sessions, thus providing no forward secrecy.

48
MCQ · medium

A system administrator is configuring a file encryption solution for a shared network drive. The solution must allow multiple users to read the files without sharing a single symmetric key. Which approach should be used?

A. Use a different symmetric key for each user and re-encrypt the file for each user
B. Encrypt the file with each user's public key directly
C. Encrypt the file with a symmetric key, then encrypt that key with each authorized user's public key
D. Encrypt the file with a single symmetric key and share that key securely with all users
Answer: C

This is a hybrid encryption approach that scales well and maintains security.

Why this answer

Option C describes hybrid encryption, which is the correct approach for this scenario. The file is encrypted with a random symmetric key (session key) for efficiency, and that symmetric key is then encrypted with each authorized user's public key. This allows multiple users to decrypt the symmetric key with their private key and then decrypt the file, without sharing a single symmetric key.

Exam trap

The trap here is that candidates may choose Option B (direct public key encryption) because they understand asymmetric encryption but overlook the performance and practical limitations of encrypting large files with public key algorithms, which are designed for small data like keys.

How to eliminate wrong answers

Option A is wrong because re-encrypting the entire file for each user with a different symmetric key is computationally expensive and does not scale; it also requires managing multiple encrypted copies. Option B is wrong because directly encrypting the file with each user's public key would require encrypting the entire file multiple times, which is inefficient for large files and does not leverage symmetric key performance. Option D is wrong because sharing a single symmetric key with all users violates the requirement of not sharing a single symmetric key and introduces a single point of compromise.

49
MCQ · hard

A mid-sized company has deployed a web application that handles sensitive customer data. The application uses TLS to encrypt data in transit. Recently, the company received a penetration test report indicating that an attacker could potentially downgrade the TLS connection to an older, weaker version (e.g., TLS 1.0) by performing a man-in-the-middle attack. The application server runs on Windows Server 2022 with IIS 10. The security team wants to disable all versions of TLS below 1.2 on the server. However, after making registry changes to disable TLS 1.0 and 1.1, some legacy clients that only support TLS 1.0 are unable to connect. The business requires that these legacy clients still be able to access the application securely, but the security team insists on disabling weak protocols. The server currently has a valid certificate from a public CA. Which of the following is the most appropriate course of action?

A. Switch the application to use a VPN instead of TLS for legacy client access.
B. Upgrade all legacy clients to support TLS 1.2 or later immediately.
C. Deploy a TLS-terminating reverse proxy that supports both strong and legacy TLS, placing it in front of the web server.
D. Re-enable TLS 1.0 and 1.1 on the server, as the business requirement outweighs security concerns.
Answer: C

The proxy can negotiate strong TLS with the server and weaker TLS with legacy clients, isolating the server from weak protocols.

Why this answer

Option C is correct because deploying a TLS-terminating reverse proxy allows the server to enforce TLS 1.2+ on the backend while the proxy handles legacy TLS 1.0 connections from older clients. This satisfies both the security requirement to disable weak protocols on the origin server and the business need to support legacy clients, without exposing the server to downgrade attacks. The proxy can be configured with separate TLS policies per listener, ensuring that only the proxy accepts weaker TLS versions while the IIS server remains locked down.

Exam trap

The trap here is that candidates may think re-enabling weak protocols (Option D) is the only way to support legacy clients, or that upgrading clients (Option B) is always feasible, but the exam expects you to recognize that a reverse proxy provides a secure, practical compromise without weakening the server's security posture.

How to eliminate wrong answers

Option A is wrong because switching to a VPN does not address the TLS downgrade vulnerability; it adds complexity and does not solve the legacy client compatibility issue at the application layer. Option B is wrong because upgrading all legacy clients immediately is often impractical or impossible due to business constraints, and the question explicitly states that the business requires these clients to still access the application. Option D is wrong because re-enabling TLS 1.0 and 1.1 on the server directly contradicts the security team's goal of disabling weak protocols and leaves the server vulnerable to downgrade attacks, which is not a balanced approach.

50
Multi-Select · medium

A company is implementing encryption for data at rest in a file server. Which TWO of the following algorithms are suitable for this purpose? (Select TWO.)

Select 2 answers
A. 3DES
B. Blowfish
C. SHA-256
D. AES-256
E. RSA-2048
Answers: B, D

Blowfish is a symmetric block cipher that can be used for data at rest, though AES is preferred.

Why this answer

Blowfish is a symmetric block cipher that supports variable key lengths (32–448 bits), making it suitable for encrypting data at rest on a file server. It is designed for fast encryption in software and has been widely used for file and disk encryption, though it is now considered less secure than modern alternatives like AES.

Exam trap

The trap here is that candidates often confuse hashing algorithms (like SHA-256) with encryption algorithms, or mistakenly think asymmetric ciphers (like RSA) are suitable for bulk data encryption, when in fact symmetric ciphers (like AES and Blowfish) are the correct choice for data at rest.

51
MCQ · hard

A PKI administrator is designing a key management lifecycle for a high-security environment. Which practice is most critical for ensuring long-term security of asymmetric keys?

A. Performing regular key rotation
B. Using hardware security modules (HSMs)
C. Implementing key escrow
D. Maintaining a Certificate Revocation List (CRL)
Answer: A

Regular rotation minimizes impact of key compromise.

Why this answer

Regular key rotation limits exposure in case of compromise. All other options are important but rotation is most critical for long-term security.
