Cryptography MCQ 60 Practice Tests With Answers (2026)

Cryptography MCQ practice questions are essential for preparing for competitive exams, certifications (CompTIA Security+, CISSP), and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering cryptography fundamentals, key threats, and defensive strategies.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering foundational terminology and core definitions), Concepts (covering intermediate protocols, threat mechanics, and architectural trade-offs), and Advanced (covering scenario-based analysis, advanced compliance, and enterprise architectures). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CompTIA Security+ or university exam conditions. The interactive engine tracks your progress and identifies knowledge gaps across symmetric and asymmetric encryption, hash functions, digital signatures, and key exchange.
Contents
- 1. Basics (20 Questions): Symmetric vs asymmetric · hashing · digital signatures · PKI basics · trust chain
- 2. Concepts (20 Questions): AES modes · RSA · ECC · Diffie-Hellman key exchange · TLS handshake · PFS
- 3. Advanced (20 Questions): Shor's Algorithm · lattice-based PQC · homomorphic encryption · AEAD · ZKP · KDFs
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Cryptography - Basics
1. Which statement best captures the fundamental definition of Cryptography?
Correct answer: C. The mathematical practice of transforming readable information into an unreadable form to protect confidentiality and integrity
Cryptography is the mathematical science of securing information by transforming it (encryption) so only authorized parties can read it, and verifying that data has not been altered. It protects confidentiality, integrity, authenticity, and non-repudiation.
2. What is the correct distinction between Plaintext and Ciphertext?
Correct answer: A. Plaintext is the original readable data; Ciphertext is the scrambled, unreadable result after encryption
Plaintext (or cleartext) is the original human-readable data before any transformation. Ciphertext is the encrypted, scrambled output produced by applying a cryptographic algorithm and key to the plaintext. Decryption reverses this process.
3. What is the core difference between Symmetric and Asymmetric Cryptography?
Correct answer: D. Symmetric cryptography uses a single shared secret key; Asymmetric cryptography uses a mathematically linked public/private key pair
In Symmetric cryptography, the same key encrypts and decrypts; both parties must securely share it. In Asymmetric (public-key) cryptography, a mathematically linked key pair is used: the public key encrypts or verifies, and the private key decrypts or signs.
4. In cryptographic terms, what is a "Key"?
Correct answer: B. A piece of variable data fed into a cryptographic algorithm to control the transformation of plaintext to ciphertext (and back)
A cryptographic key is a piece of variable data (a string of bits) used as input to an algorithm. The key controls how plaintext is encrypted into ciphertext. Security depends on the key remaining secret (symmetric) or the private key remaining secret (asymmetric).
5. What is the primary purpose of a Cryptographic Hash Function?
Correct answer: C. To produce a fixed-size digital fingerprint (digest) of data for integrity verification
A hash function maps arbitrary-length input to a fixed-size digest (e.g., SHA-256 → 256 bits). It is one-way (cannot be reversed), collision-resistant (hard to find two inputs with the same hash), and deterministic. Hash functions are used to verify data integrity, not for encryption.
6. The Caesar Cipher, which shifts each letter by a fixed number of positions in the alphabet, is an example of which type of cipher?
Correct answer: A. Substitution cipher
The Caesar Cipher is a monoalphabetic substitution cipher: each letter in the plaintext is replaced ("substituted") by a letter a fixed number of positions further along the alphabet. It is one of the simplest and most historically known encryption techniques.
7. How does Steganography differ from Cryptography?
Correct answer: D. Steganography conceals the existence of a message inside an innocent carrier; Cryptography makes the message unreadable but does not hide its existence
Cryptography scrambles data to make it unreadable (the message's existence is known). Steganography hides the message itself within a cover medium (image, audio, video) so its very existence is concealed. These techniques are sometimes combined for extra security.
8. Which cryptographic property ensures that a sender cannot later deny having sent a message?
Correct answer: B. Non-repudiation, typically provided by digital signatures
Non-repudiation prevents a sender from credibly denying they sent a message. Digital signatures provide non-repudiation: only the holder of the private key can produce a valid signature, so the signer cannot later deny authorship.
9. In cryptographic protocol descriptions, which character name is conventionally used for a passive eavesdropper who only listens to communications between Alice and Bob?
Correct answer: C. Eve
Eve is the conventional passive eavesdropper in cryptographic narratives: she can intercept and read communications but cannot modify them. Mallory is an active attacker who can alter messages. Trent is a trusted third party, and Charlie is often a third legitimate communicant.
10. What is Cryptanalysis?
Correct answer: A. The study and practice of breaking or bypassing cryptographic systems without possessing the keys
Cryptanalysis is the study of analyzing and breaking cryptographic systems. Cryptanalysts seek weaknesses (whether in algorithms, implementations, protocols, or key management) to recover plaintext or keys without authorization. Together, cryptography and cryptanalysis form cryptology.
11. Which principle states that a cryptographic system should be secure even if everything about it, except the key, is publicly known?
Correct answer: C. Kerckhoffs's Principle: a system should be secure even if the algorithm is fully public and only the key is secret
Kerckhoffs's Principle (1883) states a cryptosystem should remain secure even when everything except the key is publicly known. This enables open public scrutiny of algorithms (strengthening confidence), while security depends solely on key secrecy. Its corollary is that "security through obscurity" is insufficient.
12. What does the distinction "Encryption At Rest" vs. "Encryption In Transit" refer to?
Correct answer: B. Protecting data stored on disks, databases, or backups vs. protecting data traveling across networks
Encryption at rest protects data that is stored (on hard drives, SSDs, databases, or backups) from unauthorized physical access. Encryption in transit (e.g., TLS/HTTPS) protects data as it moves across networks from interception or eavesdropping.
13. What is the fundamental difference between a Block Cipher and a Stream Cipher?
Correct answer: D. Block ciphers process data in fixed-size chunks (e.g., 128-bit blocks); Stream ciphers encrypt data one bit or byte at a time continuously
A block cipher (e.g., AES) divides plaintext into fixed-size blocks and encrypts each block. A stream cipher (e.g., ChaCha20) generates a pseudorandom keystream and XORs it with plaintext bit-by-bit or byte-by-byte. Stream ciphers are faster and better suited for real-time communication.
14. What does "Entropy" mean in the context of cryptographic key generation?
Correct answer: A. A measure of randomness and unpredictability in data used to ensure cryptographic keys are not guessable
Entropy in cryptography measures the unpredictability (randomness) of data. High-entropy keys are computationally infeasible to guess or brute-force. Key generation requires a high-entropy source (e.g., hardware random number generators, environmental noise) to ensure keys are truly random.
15. What is the purpose of a Digital Signature?
Correct answer: C. To provide authentication, data integrity, and non-repudiation by allowing recipients to verify the sender's identity and confirm data was not altered
A digital signature is created by hashing the message and encrypting the hash with the sender's private key. The recipient decrypts the signature with the sender's public key and compares hashes. This proves the message came from the claimed sender (authentication) and was not modified (integrity), and the sender cannot deny it (non-repudiation).
16. How should a Public Key be handled in an asymmetric cryptosystem?
Correct answer: B. It can be freely distributed to anyone; it can only encrypt data or verify signatures; it cannot decrypt
The public key in an asymmetric system is designed to be openly shared. Anyone can use it to encrypt a message (only the private key holder can decrypt it) or to verify a digital signature (which only the private key can produce). The private key, however, must remain strictly secret.
17. Which characteristic is a fundamental requirement of a secure Cryptographic Hash Function?
Correct answer: D. It is deterministic: the same input always produces the same fixed-size output hash
A secure hash function must be: (1) deterministic: same input → same hash always; (2) pre-image resistant: cannot reverse the hash; (3) collision resistant: hard to find two inputs with the same hash; (4) avalanche effect: small input change drastically changes the hash. Determinism is essential so integrity checks are reproducible.
18. What is the purpose of adding a "Salt" to a password before hashing it?
Correct answer: A. To prepend a unique random value to each password before hashing, defeating rainbow table and precomputed hash attacks
A salt is a unique random value added to each password before hashing. This ensures that two users with the same password produce different hashes, and defeats precomputed rainbow table attacks: the attacker would need a separate rainbow table for every possible salt value.
19. Which term is a direct synonym for Symmetric Key Cryptography?
Correct answer: C. Secret-Key Cryptography
Symmetric Key Cryptography is also called Secret-Key Cryptography because both parties share the same secret key for encryption and decryption. This contrasts with Public-Key (Asymmetric) Cryptography, which uses key pairs. Common symmetric algorithms include AES, ChaCha20, and 3DES.
20. What is the primary purpose of a Digital Certificate?
Correct answer: B. To cryptographically bind a public key to a specific entity's identity, verified and signed by a trusted Certificate Authority
A Digital Certificate (X.509 standard) is a digitally signed document that binds a public key to an entity's identity (person, server, organization). A trusted Certificate Authority (CA) verifies the identity and signs the certificate, enabling others to trust the public key is authentic.
Cryptography - Concepts
1. What is the fixed block size used by the AES (Advanced Encryption Standard) cipher?
Correct answer: D. 128 bits
AES always operates on 128-bit (16-byte) blocks of data, regardless of the key size. The key can be 128, 192, or 256 bits (giving AES-128, AES-192, or AES-256). This fixed block size makes AES a block cipher requiring a mode of operation (CBC, CTR, GCM) for arbitrary-length data.
2. The security of RSA encryption relies on which mathematical hard problem?
Correct answer: B. The computational difficulty of factoring the product of two large prime numbers
RSA security is based on the integer factorization problem: given a large composite number N = p × q (where p and q are large primes), it is computationally infeasible to recover p and q. Typical RSA key sizes are 2048 or 4096 bits to ensure adequate security margins.
3. What is the primary purpose of the Diffie-Hellman (DH) key exchange protocol?
Correct answer: A. To allow two parties to establish a shared secret key over an insecure public channel without prior shared knowledge
Diffie-Hellman (1976) enables two parties to establish a shared symmetric key over an insecure channel with no prior secrets. Each party generates a key pair, exchanges public values, and independently computes the same shared secret. ECDH (Elliptic Curve Diffie-Hellman) is the modern variant.
4. In cryptography, what is a "Hash Collision"?
Correct answer: C. When two different input values produce the identical hash digest output from the same hash function
A hash collision occurs when two distinct inputs produce the same hash output. This is dangerous for digital signatures and integrity checks. MD5 and SHA-1 are considered broken because practical collision attacks exist. SHA-256 and SHA-3 are currently collision-resistant.
5. What is the role of a Certificate Authority (CA) in Public Key Infrastructure (PKI)?
Correct answer: D. To act as a trusted third party that issues, digitally signs, and when necessary revokes digital certificates
A CA is the trust anchor of PKI. It verifies an entity's identity and issues a digitally signed certificate binding that identity to a public key. CAs also maintain Certificate Revocation Lists (CRLs) or support OCSP to invalidate compromised certificates. Root CAs are embedded in operating systems and browsers.
6. How does a Message Authentication Code (MAC) work?
Correct answer: B. It combines a message with a shared secret key through a cryptographic function to produce an authentication tag that detects tampering
A MAC takes a message and a shared secret key as inputs and produces a fixed-size authentication tag. The recipient, who also holds the secret key, recomputes the MAC and compares it. A valid MAC proves both the message's integrity (not modified) and authenticity (came from the key holder). HMAC-SHA256 is the most common construction.
7. Why is ECB (Electronic Codebook) mode considered a weak cipher mode of operation?
Correct answer: C. Identical plaintext blocks always produce identical ciphertext blocks, leaking data patterns
ECB encrypts each block independently with the same key. Consequently, identical plaintext blocks produce identical ciphertext blocks. This reveals data structure, famously visible when encrypting bitmap images (the "ECB penguin"). ECB should never be used for encrypting more than one block of data.
8. What is the purpose of an Initialization Vector (IV) in block cipher modes like CBC?
Correct answer: A. To introduce randomness so that encrypting identical plaintexts with the same key produces different ciphertexts each time
An IV is a random (or pseudorandom) value XORed with the first plaintext block before encryption (in CBC). It ensures that encrypting the same plaintext multiple times with the same key produces different ciphertexts. IVs must be unpredictable (in CBC) or unique (in CTR/GCM), never reused with the same key.
9. How does Triple DES (3DES) work?
Correct answer: D. It applies the DES cipher three times to each data block, typically in an Encrypt-Decrypt-Encrypt (EDE) sequence
3DES (Triple DES) applies the original 56-bit DES algorithm three times per block. The standard EDE mode uses two or three different 56-bit keys (112/168-bit effective strength). While more secure than single DES, 3DES is slow and deprecated in modern systems; AES replaced it.
10. In an SSL/TLS handshake, how are asymmetric and symmetric cryptography typically combined?
Correct answer: B. Asymmetric cryptography is used to securely negotiate a shared symmetric session key, which then encrypts all application data
TLS uses asymmetric cryptography (e.g., ECDH key exchange, RSA authentication) during the handshake to securely establish a shared session key. Once the symmetric session key is established, all bulk data is encrypted with faster symmetric algorithms (e.g., AES-GCM or ChaCha20-Poly1305). This hybrid approach balances security and performance.
11. What does Perfect Forward Secrecy (PFS) guarantee?
Correct answer: A. Each session uses a freshly generated ephemeral key pair, ensuring past communications remain secure even if a long-term private key is later compromised
PFS uses ephemeral (temporary) key exchange (e.g., ECDHE). A new key pair is generated for every TLS session and discarded afterward. If an attacker records encrypted traffic and later compromises the long-term server key, they still cannot decrypt previously recorded sessions because the ephemeral keys no longer exist.
12. What is HMAC (Hash-based Message Authentication Code)?
Correct answer: C. A MAC construction that combines a cryptographic hash function with a shared secret key to provide message authentication and integrity
HMAC constructs a MAC by applying a hash function (e.g., SHA-256) with a shared secret key. The key is padded and XORed with constants, then combined with the message in a nested hash construction: HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)). HMAC-SHA256 is widely used in APIs, JWT, and TLS.
13. Which asymmetric algorithm is most widely used in modern TLS certificates and secure communications due to its smaller key size offering equivalent security to RSA?
Correct answer: D. ECC (Elliptic Curve Cryptography)
ECC (Elliptic Curve Cryptography) is widely used in modern TLS (ECDSA certificates, ECDHE key exchange). A 256-bit ECC key provides approximately the same security as a 3072-bit RSA key, resulting in smaller key sizes, faster computations, and lower bandwidth, critical for mobile and IoT devices.
14. What is the output length (digest size) of the SHA-256 hash algorithm?
Correct answer: B. 256 bits
SHA-256 always produces a 256-bit (32-byte) fixed-size hash digest, regardless of the input size. It is part of the SHA-2 family standardized by NIST. SHA-256 is used in digital certificates, HMAC, Bitcoin, TLS, and many security protocols.
15. What is "Key Escrow" in the context of cryptographic key management?
Correct answer: A. A mechanism where cryptographic keys are held in trust by a designated third party (e.g., government or recovery agent) for lawful access or disaster recovery
Key escrow is the practice of depositing a copy of a cryptographic key with a trusted third party (a "key escrow agent"). This allows authorized parties (e.g., law enforcement with a court order, or corporate IT for employee key recovery) to decrypt data when needed. It is controversial due to the risk of the escrow agent being compromised.
16. Which ITU/ISO standard defines the widely used format for Public Key Infrastructure (PKI) digital certificates?
Correct: C: X.509
X.509 is the ITU-T standard that defines the format of Public Key Certificates. An X.509 certificate contains: subject/issuer identity, public key, validity period, serial number, and the CA's digital signature. It is used in TLS/HTTPS, email (S/MIME), code signing, and most PKI implementations.
17. RC4 is which type of algorithm, and why is it no longer recommended for modern use?
Correct: D: A stream cipher that has been deprecated in modern TLS due to multiple statistical biases and vulnerabilities (e.g., BEAST, RC4 NOMORE attacks)
RC4 (Rivest Cipher 4) is a stream cipher that generates a pseudorandom keystream XORed with plaintext. It was widely used in WEP and early TLS, but severe statistical biases (especially in the first bytes of keystream) enabled practical attacks. RFC 7465 prohibits RC4 in TLS. Modern replacements include ChaCha20.
18. What is "Hybrid Encryption" and why is it used?
Correct: B: Using symmetric encryption for bulk data (fast) and asymmetric encryption to securely exchange the symmetric key
Hybrid encryption combines the speed of symmetric encryption with the key-distribution advantage of asymmetric encryption. A random symmetric session key (e.g., AES-256) encrypts the bulk data. The session key is then encrypted with the recipient's public key (e.g., RSA or ECDH). TLS, PGP, and most real-world systems use this approach.
19. Which set contains ONLY symmetric encryption algorithms?
Correct: C: AES, Twofish, ChaCha20
AES, Twofish, and ChaCha20 are all symmetric (secret-key) encryption algorithms. RSA, DSA, DH, ECC, and ElGamal are asymmetric. SHA-1, MD5, and RIPEMD are hash functions (not encryption). PGP is an encryption standard that combines multiple algorithms (it is not a single symmetric algorithm).
20. What is a Certificate Revocation List (CRL)?
Correct: A: A CA-published list of digital certificates that have been invalidated before their expiration date, allowing relying parties to check certificate validity
A CRL is a signed list published by a CA containing the serial numbers of certificates it has revoked (due to key compromise, CA compromise, or operational reasons) before their scheduled expiration. Clients check the CRL before trusting a certificate. OCSP (Online Certificate Status Protocol) is the modern, more efficient alternative.
Cryptography - Advanced
1. What is the primary advantage of Elliptic Curve Cryptography (ECC) over RSA for the same security level?
Correct: C: ECC achieves equivalent cryptographic strength with significantly smaller key sizes, reducing computational overhead and bandwidth
ECC security is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP), which is harder to solve than integer factorization. A 256-bit ECC key is roughly equivalent to a 3072-bit RSA key. Smaller keys mean faster operations, less memory, and reduced bandwidth - critical for mobile, embedded, and IoT devices.
2. What does Homomorphic Encryption enable that traditional encryption does not?
Correct: B: Performing computations directly on encrypted (ciphertext) data without decrypting it first, so the plaintext is never exposed during processing
Homomorphic encryption (HE) allows computation on ciphertexts such that decrypting the result equals performing the same operation on the plaintexts. This is powerful for cloud computing: a cloud provider can process sensitive data (e.g., medical records) without ever seeing the plaintext. Fully Homomorphic Encryption (FHE) is currently computationally expensive but advancing.
3. What is the primary objective of Post-Quantum Cryptography (PQC)?
Correct: D: To develop classical algorithms (e.g., lattice-based, hash-based, code-based) that remain secure against attacks from large-scale quantum computers
PQC develops cryptographic algorithms designed to resist attacks by quantum computers (which would break RSA, ECC, and DH using Shor's Algorithm). NIST standardized PQC algorithms in 2024: ML-KEM (CRYSTALS-Kyber) for key encapsulation, ML-DSA (CRYSTALS-Dilithium) and SLH-DSA (SPHINCS+) for signatures.
4. What cryptographic threat does Shor's Algorithm pose?
Correct: A: A quantum algorithm that can factor large integers and compute discrete logarithms in polynomial time, breaking RSA and ECC on a sufficiently large quantum computer
Shor's Algorithm (1994) can solve integer factorization and discrete logarithm problems in polynomial time on a quantum computer. This would break RSA (based on factoring) and ECC/DH (based on discrete logs). A large enough quantum computer running Shor's Algorithm would render most current public-key cryptography obsolete.
5. What is a Padding Oracle Attack against block cipher encryption?
Correct: C: An attack that exploits cryptographic error messages or timing differences related to invalid padding to iteratively decrypt ciphertext without knowing the key
A padding oracle attack (e.g., POODLE against SSL 3.0, PKCS#7 attacks against CBC mode) exploits a system that reveals whether decrypted ciphertext has valid padding. By sending crafted ciphertexts and observing the oracle's response (error or not), an attacker can recover the plaintext byte-by-byte without the key.
6. What is a Zero-Knowledge Proof (ZKP) in cryptography?
Correct: D: A cryptographic protocol that allows a prover to convince a verifier that a statement is true without revealing any additional information beyond the truth of the statement
A ZKP allows a prover to demonstrate knowledge of a secret (e.g., a password, a key, a solution) to a verifier without revealing the secret itself. Properties: completeness (honest prover convinces verifier), soundness (dishonest prover cannot fake it), zero-knowledge (verifier learns nothing extra). Used in blockchain privacy protocols (Zcash) and identity authentication.
7. What is the purpose of Key Derivation Functions (KDFs) such as PBKDF2 and Argon2?
Correct: B: To stretch low-entropy inputs (like passwords) into cryptographic keys using a pseudorandom function, salt, and many iterations to make brute-force attacks computationally expensive
KDFs convert a potentially weak input (password) into a strong cryptographic key. PBKDF2 applies HMAC many thousands of times with a salt. Argon2 (winner of the Password Hashing Competition 2015) adds memory-hardness, making it resistant to GPU/ASIC-based brute-force attacks. High iteration counts increase the time to test each password guess.
8. What is the core security property of Quantum Key Distribution (QKD)?
Correct: A: Any eavesdropping attempt disturbs the quantum states of transmitted photons, making interception physically detectable by the communicating parties
QKD (e.g., BB84 protocol) uses quantum mechanics to distribute encryption keys. Quantum states (e.g., photon polarization) cannot be measured without disturbing them (Heisenberg uncertainty principle). If an eavesdropper intercepts key transmission, the quantum states change, introducing detectable errors - the communicating parties can then abort and retry. QKD provides information-theoretic security.
9. What does AEAD (Authenticated Encryption with Associated Data) achieve?
Correct: C: A single cryptographic algorithm that simultaneously provides confidentiality (encryption) and authenticity/integrity (authentication tag) for both the ciphertext and associated unencrypted metadata
AEAD schemes (e.g., AES-GCM, ChaCha20-Poly1305) combine symmetric encryption with a MAC in one operation. They encrypt the data and produce an authentication tag that covers both the ciphertext and any associated data (e.g., packet headers). This prevents both passive decryption and active tampering. AEAD is the recommended mode for modern symmetric encryption.
10. What is ChaCha20-Poly1305 and why is it preferred over AES-GCM in certain environments?
Correct: B: A modern AEAD stream cipher construction that offers high performance on CPUs lacking hardware AES acceleration (e.g., mobile, IoT, ARM) and is the alternative AEAD cipher in TLS 1.3
ChaCha20-Poly1305 combines the ChaCha20 stream cipher (encryption) with the Poly1305 MAC (authentication). It is an AEAD cipher and one of TLS 1.3's two mandatory cipher suites. It is preferred on devices without AES hardware acceleration because it performs faster in software and is immune to timing side-channels that affect AES in some implementations.
11. On which mathematical foundation do most Post-Quantum Cryptography (PQC) algorithms endorsed by NIST rely?
Correct: D: Lattice-based cryptography (specifically the Learning With Errors - LWE - and related problems) which are believed to be hard for both classical and quantum computers
NIST's 2024 PQC standards are primarily lattice-based: ML-KEM (Kyber) and ML-DSA (Dilithium) rely on the hardness of Learning With Errors (LWE) and Module-LWE problems. Lattice problems are believed quantum-resistant because no quantum speedup (like Shor's Algorithm provides for factoring) is known for these problems.
12. What is a Length Extension Attack and which hash constructions are vulnerable to it?
Correct: C: An attack exploiting the Merkle-Damgård construction (used by SHA-1, SHA-256, MD5) allowing an attacker who knows H(Secret || Data) to compute H(Secret || Data || AttackerInput) without knowing the secret
Merkle-Damgård hashes (SHA-1/2, MD5) are vulnerable to length extension because their internal state after hashing a message can be used to continue hashing. An attacker knowing H(Secret || Message) can compute H(Secret || Message || Padding || Attacker_Data). HMAC and SHA-3 (sponge construction) are not vulnerable. Fixes include using HMAC or a keyed hash.
13. What mathematical concept underlies the Birthday Attack against hash functions?
Correct: A: The statistical probability that finding ANY two inputs with the same hash requires far fewer attempts than finding an input matching a specific target hash (birthday paradox)
The birthday paradox states that in a group of 23 people, there is a >50% chance two share a birthday. Applied to hashing: finding a collision (any two matching inputs) in an n-bit hash requires ~2^(n/2) operations - far fewer than 2^n. For MD5 (128-bit), collisions require ~2^64 operations; for SHA-256 (256-bit), ~2^128 - currently infeasible.
14. What is Differential Cryptanalysis and what does it reveal?
Correct: B: A chosen-plaintext attack that studies how differences in plaintexts translate into differences in ciphertexts to deduce information about subkeys in block cipher rounds
Differential cryptanalysis (invented by Biham and Shamir, 1990) is a chosen-plaintext attack. It analyzes pairs of plaintexts with specific XOR differences and tracks how those differences propagate through cipher rounds. By studying ciphertext difference patterns, attackers can probabilistically recover round subkeys. It motivated the design of DES S-boxes and influenced all subsequent block cipher design.
15. What is a Blind Signature scheme in cryptography?
Correct: D: A protocol that allows a user to obtain a valid digital signature from an authority on a message without the authority being able to see the message content
Blind signatures (Chaum, 1983) allow a user to get a message signed by an authority without revealing the message. The user "blinds" (masks) the message, the authority signs the blinded version, and the user "unblinds" it to get a valid signature on the original message. Used in anonymous e-cash systems and privacy-preserving voting schemes.
16. What is Shamir's Secret Sharing (SSS)?
Correct: A: A threshold cryptography scheme that divides a secret into N shares such that any K shares are sufficient to reconstruct it, but fewer than K shares reveal nothing
Shamir's Secret Sharing (1979) uses polynomial interpolation over a finite field. A secret S is encoded as the constant term of a polynomial of degree K-1. N points (shares) are distributed such that any K points uniquely determine the polynomial (and thus S), but K-1 or fewer shares reveal nothing. Used in HSMs, cryptocurrency key custody, and distributed key management.
17. What is the key difference between a True Random Number Generator (TRNG) and a Pseudo-Random Number Generator (PRNG)?
Correct: C: TRNGs derive randomness from physical phenomena (thermal noise, radioactive decay, photon timing); PRNGs are deterministic algorithms seeded with an initial value
TRNGs (True RNGs) harvest entropy from genuinely unpredictable physical processes (hardware noise, disk seek timing, mouse movement). PRNGs (e.g., Fortuna, ChaCha20/DRBG) are deterministic algorithms - given the same seed, they produce the same sequence. PRNGs are seeded from TRNGs and are fast but not truly random. Cryptographically Secure PRNGs (CSPRNGs) are safe for cryptographic key generation.
18. What privacy property makes Ring Signatures unique compared to standard digital signatures?
Correct: B: Any member of a defined group can sign a message, and the resulting signature is verifiable as coming from the group but makes it computationally infeasible to determine which specific member signed
Ring signatures (Rivest, Shamir, Tauman 2001) allow a group member to sign on behalf of the group. Anyone can verify the signature is from a group member, but cannot determine which one. This provides signer anonymity within the group ("plausible deniability"). Used in privacy cryptocurrencies (Monero) and whistleblowing systems.
19. What does the formal security notion of Ciphertext Indistinguishability under Chosen Ciphertext Attack (IND-CCA) mean?
Correct: D: A formal security definition where a computationally bounded adversary cannot distinguish the encryption of two chosen messages even when given access to a decryption oracle (except for the challenge ciphertext)
IND-CCA2 is the gold standard formal security definition for public-key encryption. An adversary chooses two plaintexts, receives the encryption of one (the challenge), and can query decryption of any ciphertext except the challenge. Security holds if the adversary cannot determine which plaintext was encrypted better than random. OAEP-padded RSA and modern AEAD schemes satisfy IND-CCA2.
20. What does AES operating in Galois/Counter Mode (GCM) provide, and how does it work?
Correct: C: It combines counter mode (CTR) encryption for confidentiality with Galois field (GF(2^128)) multiplication for authentication, producing an AEAD scheme with a single pass for both encryption and message authentication
AES-GCM is an AEAD mode. CTR mode uses AES to generate a keystream for encryption (XORed with plaintext). The GHASH function (Galois field multiplication) authenticates the ciphertext and optional associated data, producing a 128-bit authentication tag. AES-GCM is fast (parallelizable), hardware-accelerated (AES-NI + PCLMULQDQ), and is the dominant AEAD mode in TLS 1.3.
Conclusion: Cryptography as Security Foundation
Cryptography is the mathematical foundation of cybersecurity: every secure communication, data protection scheme, and authentication mechanism depends on one or more cryptographic primitives. These 60 MCQs span symmetric encryption (AES, 3DES), asymmetric encryption (RSA, ECC), hashing (SHA, MD5), key exchange protocols (Diffie-Hellman, ECDHE), digital signatures, and real-world applications (TLS, PKI, blockchain, post-quantum cryptography).
The questions reflect scenarios that cryptography engineers and security architects face, from selecting appropriate key sizes and modes of operation to understanding implementation flaws (timing attacks, weak randomness, algorithm downgrade attacks) and preparing for quantum-resistant cryptography.
Master these concepts by revisiting missed questions, understanding why specific algorithms are chosen in real protocols (TLS 1.3 uses ECDHE + AES-GCM + SHA-256), and exploring cryptographic implementation pitfalls in security advisories and CVE databases.
Key Takeaways - Cryptography
- Symmetric vs. Asymmetric: Symmetric (AES, DES) is fast, suited for bulk data; asymmetric (RSA, ECC) is slower but enables key distribution without a pre-established secure channel. Use asymmetric for key exchange, then symmetric for session data.
- Hashing Properties: Deterministic, non-invertible, avalanche effect (1-bit change = completely different hash), collision-resistant. Use for integrity verification, digital signatures, and password storage (with salt).
- Encryption ≠ Authentication: Encryption provides confidentiality; authentication provides origin verification and integrity. Many systems need both, so use authenticated encryption (AES-GCM, ChaCha20-Poly1305).
- Key Size Matters: 128-bit keys are secure against current brute-force; 256-bit keys protect against quantum threats. Always use at minimum: AES-128, RSA-2048 or ECC-256.
- Perfect Forward Secrecy (PFS): Ephemeral session keys (ECDHE in TLS) ensure past traffic cannot be decrypted if long-term keys are compromised; mandatory for modern TLS.
- Block Cipher Modes: ECB is insecure; CBC requires IV and provides confidentiality; CTR is parallelizable; GCM provides authenticated encryption. Choose GCM or ChaCha20-Poly1305 for new applications.
- Certificate Authorities (CAs): Bind public keys to identities via digital signatures. Trust in the CA's root certificate allows verification of any leaf certificate without prior contact with the entity.
- Common Implementation Flaws: Weak randomness, timing attacks leaking information via execution time, algorithm downgrade attacks (SSLv3 POODLE), side-channel attacks on AES (cache timing), quantum-ready threats to RSA/ECC.
- Post-Quantum Cryptography: RSA and ECC are vulnerable to quantum computers; NIST is standardizing quantum-resistant algorithms (lattice-based, hash-based), so plan migration now.
Quick Review & Summary
Use this table to consolidate cryptographic algorithms and their properties before or after attempting the questions above.
| Cryptographic Algorithm / Concept | Type / Purpose | Key Characteristics |
|---|---|---|
| AES (Advanced Encryption Standard) | Symmetric encryption | Block cipher, 128/192/256-bit keys, NIST standard, fast |
| RSA | Asymmetric encryption & digital signatures | 2048/4096-bit keys, slower, factorization-based, vulnerable to quantum |
| Elliptic Curve Cryptography (ECC) | Asymmetric encryption, key exchange, signatures | 256-bit ECC ~= 2048-bit RSA, faster, more efficient |
| SHA-256 | Cryptographic hash function | 256-bit output, collision-resistant, deterministic, used in TLS, blockchain |
| Diffie-Hellman (DH) / ECDHE | Key exchange protocol | Allows two parties to establish shared secret over insecure channel; ECDHE is ephemeral & provides PFS |
| AES-GCM | Authenticated encryption | Provides both confidentiality & authenticity, used in TLS 1.3 |
| Digital Signatures (RSA-PSS, ECDSA) | Authentication & non-repudiation | Proves origin & integrity; receiver cannot forge sender's signature |
| X.509 Certificates | Public key infrastructure (PKI) | Digitally signed public key bound to identity; trust chain to root CA |
| Perfect Forward Secrecy (PFS) | Session key freshness | Ephemeral session keys ensure past traffic is safe if long-term key is compromised |
| Post-Quantum Algorithms | Quantum-resistant encryption | Lattice-based (Kyber), hash-based (SPHINCS), code-based (Classic McEliece); in NIST standardization |
Frequently Asked Questions
Q. What is the fundamental difference between symmetric and asymmetric encryption?
Q. What is a cryptographic hash function and what properties must it have?
Q. What is the difference between encryption and authentication in cryptography?
Q. What is Perfect Forward Secrecy (PFS) and why is it important for TLS?
Q. What is the role of a Certificate Authority (CA) in public key infrastructure (PKI)?
Q. What is the difference between encryption key size (128-bit, 256-bit) and security strength?
Q. What is a key exchange protocol and why is it necessary?
Q. What are block cipher modes of operation and why are they needed?