CH.7 Cryptography and the PKI Flashcards
Mike is sending David an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message?
A. Mike’s public key
B. Mike’s private key
C. David’s public key
D. Shared secret key
✅ D. Shared secret key
A. Mike’s public key – Public keys are used in asymmetric encryption, not symmetric.
B. Mike’s private key – Private keys are used to decrypt or sign messages in asymmetric cryptography.
C. David’s public key – You’d use this in asymmetric encryption when you want to send a secret to David.
✅ D. Shared secret key – Correct. In symmetric encryption, both sender and receiver use the same shared secret key to encrypt and decrypt the message.
🔐 Security+ Exam Tip: On the exam, if a question involves only one key used for both encryption and decryption, it’s symmetric encryption. Look for “shared secret” as your clue.
Shahla recently discovered an attack where the attacker managed to force a network user to use weak encryption and was then able to decrypt that content. What term best describes this attack?
A. Downgrade
B. Collision
C. Homomorphic encryption
D. Birthday attack
✅ A. Downgrade
✅ A. Downgrade – Correct. A downgrade attack tricks systems into switching to weaker encryption protocols that can be more easily exploited.
B. Collision – This refers to hashing, when two inputs produce the same output—not protocol strength.
C. Homomorphic encryption – This is a legitimate encryption method, not an attack.
D. Birthday attack – This is also a hashing-related attack and deals with finding collisions, not forcing weaker encryption.
🛡️ Security+ Exam Tip: Downgrade attacks and birthday attacks are both specifically mentioned in the exam objectives. Know how to tell them apart.
Norm is using full-disk encryption technology to protect the contents of laptops against theft. What goal of cryptography is he attempting to achieve?
A. Integrity
B. Non-repudiation
C. Authentication
D. Confidentiality
✅ D. Confidentiality
A. Integrity – This ensures data wasn’t changed, not that it’s hidden.
B. Non-repudiation – Proves someone performed an action (like signing), but doesn’t protect data confidentiality.
C. Authentication – Confirms identity, not data protection.
✅ D. Confidentiality – Correct. Full-disk encryption protects data from unauthorized access, which ensures confidentiality.
🔐 Security+ Exam Tip: If the goal is hiding or protecting data from unauthorized access, the answer is almost always confidentiality.
Brian discovers that a user suspected of stealing sensitive information is posting many image files to a message board. What technique might the individual be using to hide sensitive information in those images?
A. Steganography
B. Homomorphic encryption
C. Replay attack
D. Birthday attack
✅ A. Steganography
✅ A. Steganography – Correct. This is the practice of hiding data within other files, such as images or audio, without noticeably altering the original file.
B. Homomorphic encryption – This allows encrypted data to be processed without decryption, not used to hide data in media.
C. Replay attack – Involves resending captured authentication traffic, not concealing data.
D. Birthday attack – Targets hash collisions, not image manipulation.
🔐 Security+ Exam Tip: If data is being hidden inside media (like images or videos), the answer is always steganography.
Which one of the following statements about cryptographic keys is incorrect?
A. All cryptographic keys should be kept secret.
B. Longer keys are better than shorter keys when the same algorithm is used.
C. Asymmetric algorithms generally use longer keys than symmetric algorithms.
D. Digital certificates are designed to share public keys.
✅ A. All cryptographic keys should be kept secret.
✅ A. All cryptographic keys should be kept secret. – Correct (as the incorrect statement). Only private keys need to be secret. Public keys are designed to be shared openly.
B. Longer keys are better than shorter keys when the same algorithm is used. – True. Longer keys increase cryptographic strength.
C. Asymmetric algorithms generally use longer keys than symmetric algorithms. – True. Asymmetric keys need to be longer for equivalent strength.
D. Digital certificates are designed to share public keys. – True. Certificates embed public keys for secure distribution.
🔐 Security+ Exam Tip: Public keys are meant to be shared. The term “cryptographic key” doesn’t always imply secrecy—watch for that trick on the exam.
What type of cipher operates on one character of text at a time?
A. Block cipher
B. Bit cipher
C. Stream cipher
D. Balanced cipher
✅ C. Stream cipher
A. Block cipher – Encrypts fixed-size groups of bits (e.g., 64-bit or 128-bit blocks).
B. Bit cipher – Not a standard cryptographic term.
✅ C. Stream cipher – Correct. Operates bit-by-bit or character-by-character, often used for real-time communication.
D. Balanced cipher – Not a recognized term in cryptography.
🔐 Security+ Exam Tip: Stream = continuous flow (real-time). Block = grouped data (e.g., AES).
Vince is choosing a symmetric encryption algorithm for use in his organization. He would like to choose the strongest algorithm from these choices. What algorithm should he choose?
A. DES
B. 3DES
C. RSA
D. AES
✅ D. AES
A. DES – Outdated. Uses a 56-bit key and is no longer secure.
B. 3DES – Stronger than DES but also deprecated due to performance and security issues.
C. RSA – Not symmetric. RSA is an asymmetric algorithm.
✅ D. AES – Correct. AES is a modern symmetric algorithm and the current standard for strong encryption.
🔐 Security+ Exam Tip: If you’re asked about current strong symmetric encryption, always go with AES.
Kevin is configuring a web server to use digital certificates. What technology can he use to allow clients to quickly verify the status of those certificates without contacting a remote server?
A. CRL
B. OCSP
C. Certificate stapling
D. Certificate pinning
✅ C. Certificate stapling
A. CRL – Certificate Revocation List is downloaded periodically and has latency.
B. OCSP – Real-time check, but it burdens the CA’s servers.
✅ C. Certificate stapling – Correct. Web server “staples” a cached OCSP response to the certificate, speeding up verification.
D. Certificate pinning – Prevents use of new/unauthorized certificates, not for real-time validation.
🔐 Security+ Exam Tip: Certificate stapling improves performance by caching OCSP responses. It’s the answer if speed and efficiency are mentioned.
Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system?
A. 1
B. 2
C. 10
D. 11
✅ C. 10
✅ C. 10 – Correct. Symmetric encryption needs a separate key for every pair of users. Adding a new user means creating a key with each of the 10 existing users.
A. 1 / B. 2 / D. 11 – These underestimate or overestimate the required key pairings.
🔐 Security+ Exam Tip: Use the formula for symmetric keys: n(n–1)/2. Adding a new person means n – 1 new keys must be added.
Referring to the scenario in question 9, if Acme Widgets switched to an asymmetric encryption algorithm, how many keys would be required to add the 11th employee?
A. 1
B. 2
C. 10
D. 11
✅ B. 2
✅ B. 2 – Correct. In asymmetric encryption, each user only needs one public and one private key (a pair). So, 2 keys per person.
A. 1 / C. 10 / D. 11 – Not accurate. Public-key cryptography only requires one key pair per user, regardless of total users.
🔐 Security+ Exam Tip: For asymmetric systems, total keys = 2 × number of users (one public + one private key per user).
What type of digital certificate provides the greatest level of assurance that the certificate owner is who they claim to be?
A. DV
B. OV
C. UV
D. EV
✅ Correct Answer: D. EV (Extended Validation)
Explanation: Extended Validation (EV) certificates require a rigorous vetting process. The CA verifies the organization’s identity, legal existence, and domain control — providing the highest level of trust.
Incorrect Answers:
A. DV (Domain Validation) – Only proves you control a domain; no identity checks.
B. OV (Organization Validation) – Verifies some org info but not as thoroughly as EV.
C. UV – Not a real certificate type.
🔐 Security+ Tip: If the question asks for maximum trust, go with EV. DV = basic, OV = medium, EV = strong.
Glenn recently obtained a wildcard certificate for *.mydomain.com. Which one of the following domains would not be covered by this certificate?
A. mydomain.com
B. core.mydomain.com
C. dev.www.mydomain.com
D. mail.mydomain.com
✅ Correct Answer: C. dev.www.mydomain.com
Explanation: Wildcard certificates only cover one subdomain level. *.mydomain.com covers mail.mydomain.com, www.mydomain.com, but not nested subdomains like dev.www.mydomain.com.
Incorrect Answers:
A. mydomain.com – Root domain is usually covered.
B. core.mydomain.com – One level of subdomain = valid.
D. mail.mydomain.com – One level of subdomain = valid.
🧠 Security+ Tip: Wildcards = only 1 level. *.example.com covers a.example.com but not b.a.example.com.
Which one of the following servers is almost always an offline CA in a large PKI deployment?
A. Root CA
B. Intermediate CA
C. RA
D. Internal CA
✅ Correct Answer: A. Root CA
Explanation: The Root CA is the top of the trust chain and is usually offline to prevent compromise. It signs intermediate CAs, which handle day-to-day cert issuance.
Incorrect Answers:
B. Intermediate CA – These are online and used for signing user certs.
C. RA (Registration Authority) – Verifies identity but does not sign certificates.
D. Internal CA – May be online for internal use, but not the root.
🧠 Security+ Tip: If a question mentions offline CA or root of trust, the answer is Root CA.
Which one of the following certificate formats is closely associated with Windows binary certificate files?
A. DER
B. PEM
C. PFX
D. P7B
✅ Correct Answer: C. PFX
Explanation: PFX (.pfx or .p12) is a binary format used by Windows systems. It often includes the certificate + private key.
Incorrect Answers:
A. DER – Binary, but more common in Linux systems or general use.
B. PEM – Text format, not binary.
D. P7B – Text format for cert chains, no private key.
🔐 Security+ Tip: PFX = Windows + Private Key. Watch for extensions like .pfx or .p12.
What type of security solution provides a hardware platform for the storage and management of encryption keys?
A. HSM
B. IPS
C. SIEM
D. SOAR
✅ Correct Answer: A. HSM (Hardware Security Module)
Explanation: An HSM securely stores and manages cryptographic keys in hardware. Used in enterprises, cloud environments, or specialized devices.
Incorrect Answers:
B. IPS – Intrusion Prevention System. Not for key storage.
C. SIEM – Collects security event logs.
D. SOAR – Automates security response.
🛡️ Security+ Tip: If it mentions secure hardware-based key storage, answer is HSM.
What type of cryptographic attack attempts to force a user to reduce the level of encryption that they use to communicate with a remote server?
A. Birthday
B. Frequency
C. Downgrade
D. Collision
✅ Correct Answer: C. Downgrade
Explanation: A downgrade attack tricks users or systems into using older, weaker encryption protocols, making decryption easier for attackers.
Incorrect Answers:
A. Birthday – Targets hash collisions, not encryption negotiation.
B. Frequency – Used against old ciphers like Caesar, not modern TLS.
D. Collision – Refers to hashing, not encryption negotiation.
🧠 Security+ Tip: Downgrade attacks are explicitly mentioned in the exam objectives — memorize this!
David would like to send Mike a message using an asymmetric encryption algorithm. What key should he use to encrypt the message?
A. David’s public key
B. David’s private key
C. Mike’s public key
D. Mike’s private key
✅ Correct Answer: C. Mike’s public key
Explanation: In asymmetric encryption, you encrypt with the recipient’s public key so only they can decrypt it with their private key.
Incorrect Answers:
A. David’s public key – Anyone could decrypt that; no confidentiality.
B. David’s private key – Used for signing, not encrypting messages.
D. Mike’s private key – Only Mike should ever use that to decrypt.
🔐 Security+ Tip: If it’s about sending a secure message, encrypt with the receiver’s public key.
When Mike receives the message that David encrypted for him, what key should he use to decrypt the message?
A. David’s public key
B. David’s private key
C. Mike’s public key
D. Mike’s private key
✅ Correct Answer: D. Mike’s private key
Explanation: Since David encrypted the message with Mike’s public key, only Mike’s private key can decrypt it. This ensures confidentiality.
Incorrect Answers:
A. David’s public key – Not involved in decrypting this message.
B. David’s private key – Would be used to create a signature.
C. Mike’s public key – Anyone has that; not for decryption.
🧠 Security+ Tip: Public key = lock it. Private key = unlock it. Only the intended receiver has the private key.
If David wishes to digitally sign the message that he is sending Mike, what key would he use to create the digital signature?
A. David’s public key
B. David’s private key
C. Mike’s public key
D. Mike’s private key
✅ Correct Answer: B. David’s private key
Explanation: You sign with your private key, and others verify with your public key. This proves authenticity and non-repudiation.
Incorrect Answers:
A. David’s public key – Used to verify, not to sign.
C. Mike’s public key – Irrelevant to the sender signing the message.
D. Mike’s private key – Only Mike should ever use his private key.
🛡️ Security+ Tip: Sign = private key. Verify = public key.
When Mike receives the digitally signed message from David, what key should he use to verify the digital signature?
A. David’s public key
B. David’s private key
C. Mike’s public key
D. Mike’s private key
✅ Correct Answer: A. David’s public key
Explanation: Mike verifies David’s digital signature using David’s public key. This proves the message came from David and wasn’t altered.
Incorrect Answers:
B. David’s private key – No one else should ever have it.
C. Mike’s public key – Not involved in verifying the sender.
D. Mike’s private key – Used only to decrypt messages encrypted for him.
🔐 Security+ Tip: Always verify digital signatures using the sender’s public key.
How does obfuscation relate to confidentiality?
Obfuscation conseals functionality and does not security confidentiatlity. It hides how something works, not what it contains.
A company is implementing encryption and digital signatures for internal email using S/MIME. They want to ensure compatibility with their existing Windows-based infrastructure and email clients. Which asymmetric algorithm is the MOST appropriate for this purpose?
A. Diffie–Hellman
B. Elliptic Curve Cryptography (ECC)
C. Rivest–Shamir–Adleman (RSA)
D. Advanced Encryption Standard (AES)
✅ Correct Answer: C. Rivest–Shamir–Adleman (RSA)
🔎 Explanation:
A. Diffie–Hellman – Incorrect. Used for key exchange, not encryption or digital signatures.
B. ECC – Incorrect. While efficient, RSA is more widely supported for S/MIME and legacy systems.
C. RSA – ✅ Correct. RSA is commonly used for email encryption and digital signatures in S/MIME and older systems bc its older and more supported.
D. AES – Incorrect. AES is a symmetric algorithm; cannot be used for digital signatures.
🧠 Security+ Tip:
If the question emphasizes legacy compatibility or email clients like Outlook/S/MIME, RSA is usually the correct choice.
An organization is designing a secure communication solution for mobile devices and IoT systems. They need strong encryption with minimal processing overhead and small key sizes. Which of the following would BEST meet these requirements?
A. RSA
B. AES
C. ECC
D. SHA-256
✅ Correct Answer: C. ECC
🔎 Explanation:
A. RSA – Incorrect. Strong but requires large key sizes and more processing power.
B. AES – Incorrect. AES is symmetric, not asymmetric, and doesn’t meet key exchange or authentication needs alone.
C. ECC – ✅ Correct. ECC offers strong encryption with small keys and low CPU usage, ideal for constrained devices.
D. SHA-256 – Incorrect. SHA-256 is a hashing algorithm, not used for encryption.
🧠 Security+ Tip:
If the question includes terms like mobile devices, low processing power, or smaller keys, the answer is most likely ECC.
Which of the following best explains how hashing is used to ensure file integrity?
A. It encrypts the entire file using a public key
B. It compares the original and received hash values for changes
C. It adds a random salt to make the file unique
D. It hides the contents of the file from unauthorized access
A. It encrypts the entire file using a public key – Incorrect. That’s public key encryption, which ensures confidentiality, not integrity.
✅ Correct. B. It compares the original and received hash values for changes – Hashing generates a unique fingerprint of a file. If the file changes in any way (even 1 character), the hash will also change. Comparing hashes ensures integrity.
C. It adds a random salt to make the file unique – Incorrect. Salting is used with passwords to defend against rainbow table attacks.
D. It hides the contents of the file from unauthorized access – Incorrect. That describes encryption, not hashing.
🔐 Security+ Exam Tip:
When the exam asks about file or message integrity, hashing is usually the answer. Look for words like “verify change”, “compare”, or “tampering.”
A system administrator wants to protect stored password hashes from rainbow table attacks. Which technique should they use?
A. Base64 encoding
B. Key rotation
C. Salting
D. XOR obfuscation
A. Base64 encoding – Incorrect. This is not encryption or hashing—just encoding that can be reversed easily.
B. Key rotation – Incorrect. Rotating encryption keys doesn’t affect password hashes.
✅ Correct. C. Salting – Adding a random value (salt) to each password before hashing ensures even users with the same password will have different hashes. This defeats precomputed rainbow tables.
D. XOR obfuscation – Incorrect. Not a secure method for defending against rainbow tables.
Which cryptographic technique intentionally slows down key generation to make brute-force attacks more difficult?
A. Hashing
B. Key stretching
C. Salting
D. Obfuscation
A. Hashing – Incorrect. Hashing is fast by design and not intended to slow attackers down.
✅ Correct. B. Key stretching – Key stretching (e.g., PBKDF2, bcrypt) repeatedly hashes a password thousands of times to produce a strong key, making brute-force attacks computationally expensive.
C. Salting – Incorrect. Salting adds randomness to passwords but doesn’t slow the hashing process.
D. Obfuscation – Incorrect. Obfuscation hides data but doesn’t affect cryptographic key generation.
💡 Security+ Exam Tip:
When brute-force defense is the topic, especially for passwords, key stretching is the answer. Look for terms like PBKDF2, bcrypt, or multiple hashing iterations.
Which of the following cryptographic solutions is most commonly associated with maintaining a decentralized, tamper-resistant ledger?
A. Public Key Infrastructure (PKI)
B. Certificate Signing Request (CSR)
C. Blockchain
D. Digital Signature Algorithm (DSA)
A. Public Key Infrastructure (PKI) – Incorrect. PKI provides trusted certificate-based authentication and encryption, but it’s centralized.
B. Certificate Signing Request (CSR) – Incorrect. A CSR is part of the PKI process, not a ledger.
✅ Correct. C. Blockchain – Blockchain is a decentralized and immutable ledger system, first used in cryptocurrency like Bitcoin. It’s also being adopted for supply chain tracking, records, and contracts.
D. Digital Signature Algorithm (DSA) – Incorrect. DSA is used for digital signatures but does not manage ledgers.
⛓️ Security+ Exam Tip:
If the question includes terms like “decentralized,” “ledger,” or “immutable records”, the answer is almost always blockchain.
Which of the following methods checks if a certificate has been revoked in real time?
A. Certificate Pinning
B. Certificate Revocation List (CRL)
C. Certificate Authority (CA)
D. Online Certificate Status Protocol (OCSP)
A. Certificate Pinning – Incorrect. Pinning ties a certificate to a known public key but doesn’t check revocation.
B. Certificate Revocation List (CRL) – Incorrect. CRLs are downloaded periodically and are not real-time.
C. Certificate Authority (CA) – Incorrect. The CA issues and manages certificates, but the question is asking how revocation is checked.
✅ Correct. D. Online Certificate Status Protocol (OCSP) – OCSP allows for real-time checking of certificate revocation status.
📡 Security+ Exam Tip:
If the question asks for “real-time” revocation status, pick OCSP. If it mentions latency or outdated revocation lists, they’re talking about CRLs.
