1. Encryption
Encryption = Converting readable data (plain text) into unreadable data (ciphertext).
Purpose → Confidentiality (keep data secret).
Types of Encryption
A. Symmetric Encryption
- Uses one shared key for both encryption and decryption.
- Examples: AES, DES, 3DES
- Pros: Very fast, good for large data
- Cons: Secure key sharing is difficult
Mnemonic: “Single Key = Speed”
B. Asymmetric Encryption
- Uses two keys (a key pair):
  - Public key → Encrypts
  - Private key → Decrypts
- Examples: RSA, ECC
- Pros: Secure key exchange
- Cons: Slower than symmetric
Mnemonic: “A Pair = Added Security”
Popular Encryption Algorithms
| Algorithm | Type | Use | Notes |
|---|---|---|---|
| AES | Symmetric | Wi-Fi, VPN, disk encryption | Fast & secure (standard today) |
| RSA | Asymmetric | HTTPS, digital signatures | Used for key exchange & signing |
| ECC | Asymmetric | Mobile, IoT | Strong security with small keys |
| DES / 3DES | Symmetric | Legacy systems | DES is obsolete, 3DES slower |
Common Uses of Encryption
- Data at rest: Hard drives, databases
- Data in transit: HTTPS websites, VPN, messaging apps (WhatsApp uses hybrid encryption)
- Secure key exchange: RSA/ECC used to share AES keys
2. Hashing
Hashing = Converting data into a fixed-length string (hash).
Purpose → Integrity (check if data changed).
Hashing is one-way → cannot be reversed.
Key Properties of Hashing
- Deterministic: Same input → Same hash
- Fixed length: SHA-256 always gives 256-bit output
- Irreversible: You cannot decode a hash
- Collision-resistant: Hard to find two inputs with same hash
- Fast to compute
Popular Hashing Algorithms
| Algorithm | Output | Use | Security |
|---|---|---|---|
| MD5 | 128-bit | File checks | Weak; collisions |
| SHA-1 | 160-bit | Old systems | Weak |
| SHA-256 | 256-bit | Blockchain, certificates | Strong |
| SHA-512 | 512-bit | High-security apps | Strong |
| Bcrypt | Variable | Password hashing | Very strong (slow by design) |
| CRC | Variable | Error detection | Not for security |
Common Uses of Hashing
- Integrity checks: Verify file downloads
- Password storage: Store only hashed values
- Digital signatures: Verify message content
- Blockchain: Each block linked by hash values
Hashing vs Encryption
| Feature | Hashing | Encryption |
|---|---|---|
| Purpose | Integrity | Confidentiality |
| Reversible? | ❌ No | ✅ Yes (with key) |
| Output | Fixed length | Variable |
| Used For | Passwords, blockchain | Secure data transmission |
Mnemonic: “Hashing = Fingerprint” → unique & irreversible.
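Worked example (added here; not part of the original notes) covering the two hashing uses above, integrity checks and password storage, in Go's standard library. `Sha256Hex` is the plain fingerprint; for passwords the example implements PBKDF2-HMAC-SHA256 by hand (the salt-plus-iteration construction from the MCQs on salting and key stretching) so the mechanism is visible, and stores a record in a `algorithm$iterations$salt$hash` layout chosen for this example. The iteration count, salt length and sample passwords are assumptions; production code should use a vetted library implementation of PBKDF2, bcrypt or Argon2 rather than this hand-rolled one.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Sha256Hex is the integrity fingerprint: fixed 256-bit output, and any change
// to the input yields a completely different digest.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// PBKDF2HMACSHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256. The
// iteration count is the "key stretching": every guess costs the attacker
// the same number of HMAC calls it costs the defender.
func PBKDF2HMACSHA256(password, salt []byte, iters, keyLen int) []byte {
	hLen := sha256.Size
	numBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	for i := 1; i <= numBlocks; i++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt) // U1 = HMAC(password, salt || INT_32_BE(i))
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iters; j++ { // U_j = HMAC(password, U_{j-1}); T_i = U1 ^ U2 ^ ... ^ U_c
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const (
	pbkdfIterations = 100000 // assumption for the example; tune upward for production
	saltLen         = 16
)

// HashPassword draws a fresh random salt per user, so two users with the same
// password get different records and precomputed (rainbow) tables are useless.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := PBKDF2HMACSHA256([]byte(password), salt, pbkdfIterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", pbkdfIterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash with the stored salt and iteration count
// and compares in constant time, so response timing does not reveal how many
// bytes matched.
func VerifyPassword(password, record string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised record format")
	}
	iters, err := strconv.Atoi(parts[1])
	if err != nil || iters < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := PBKDF2HMACSHA256([]byte(password), salt, iters, len(want))
	return hmac.Equal(got, want), nil
}

func main() {
	fmt.Println(`sha256("abc") =`, Sha256Hex([]byte("abc")))
	fmt.Println(`sha256("abd") =`, Sha256Hex([]byte("abd"))) // one character changed
	rec, _ := HashPassword("correct horse battery staple") // constructed sample
	fmt.Println("stored record:", rec)
	ok, _ := VerifyPassword("correct horse battery staple", rec)
	bad, _ := VerifyPassword("wrong password", rec)
	fmt.Println("correct accepted:", ok, "| wrong accepted:", bad)
}
```

The record stores the salt and iteration count alongside the hash because neither is secret; what makes the scheme work is that the salt is unique and the iteration count is high. A pepper (the global secret from the MCQ on "salt + pepper") would be kept outside this record, for example in an HSM or a separate secrets store.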
3. Digital Certificates
A Digital Certificate is like an electronic ID card that proves the owner’s identity on the internet.
It verifies that a public key really belongs to the person/website claiming it.
Used mainly for trust & secure communication (HTTPS).
What a Digital Certificate Contains
- Public Key (used in encryption or signature verification)
- Owner Information (website/person)
- Certificate Authority (CA) details
- Serial Number
- Validity Period
- CA’s Digital Signature (proves certificate is genuine)
How It Works:
- A website applies for a certificate from a Certificate Authority (CA).
- CA verifies identity and issues the certificate.
- Browser checks CA’s signature → trusts website.
- Browser uses the public key to start encrypted communication (HTTPS lock icon 🔒).
Types of Digital Certificates
| Type | Purpose |
|---|---|
| SSL/TLS Certificates | Secure websites (HTTPS) |
| Code Signing Certificates | Verify software/app authenticity |
| Email Certificates (S/MIME) | Secure email encryption & signing |
| Client Certificates | Authenticate users to servers |
PKI (Public Key Infrastructure)
PKI is the system that manages digital certificates.
Components:
- CA (Certificate Authority): Issues certificates
- RA (Registration Authority): Verifies user identity
- CRL (Certificate Revocation List): List of revoked certificates
- OCSP (Online Certificate Status Protocol): Online check if certificate is valid/revoked
Mnemonics (memory aids only; the formal names are in the component list above):
- CA: Certificate Authenticator
- PKI: Public Key Infrastructure
- CRL: Cancelled Record List
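Worked example (added here; not part of the original notes) of the certificate and PKI material above, using Go's `crypto/x509` package: a self-signed root CA issues an intermediate, the intermediate issues a server certificate, and a browser-style verification walks the chain back to the trusted root and checks the hostname. The certificate names, serial numbers, validity period and the hostname `example.com` are all constructed for the example; ECC (P-256) keys are used so the whole thing runs in well under a second.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertAndKey pairs an issued certificate with the private key it certifies.
type CertAndKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newTemplate fills in the fields a certificate carries: serial number, owner
// information (subject), validity period and whether it may act as a CA. The
// public key and the issuer's signature are added at issuance.
func newTemplate(commonName string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{commonName} // the hostname browsers match against
	}
	return t
}

// issue generates a fresh ECC key pair and has `parent` sign a certificate
// binding that public key to the template's subject. With parent == nil the
// certificate signs itself (self-signed), which is how a root CA is made.
func issue(template *x509.Certificate, parent *CertAndKey) (*CertAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := template, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CertAndKey{Cert: cert, Key: key}, nil
}

// BuildChain creates root CA -> intermediate CA -> server certificate for host.
func BuildChain(host string) (root, inter, leaf *CertAndKey, err error) {
	if root, err = issue(newTemplate("Example Root CA", 1, true), nil); err != nil {
		return
	}
	if inter, err = issue(newTemplate("Example Intermediate CA", 2, true), root); err != nil {
		return
	}
	leaf, err = issue(newTemplate(host, 3, false), inter)
	return
}

// VerifyServerCert performs the browser-side check: chain the server
// certificate through the intermediate to a root in the trust store, verify
// each signature and validity period, and match the requested hostname.
func VerifyServerCert(leaf, inter, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root) // the trust store: only roots placed here are trusted
	inters := x509.NewCertPool()
	inters.AddCert(inter) // servers send intermediates along with their own cert
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	root, inter, leaf, err := BuildChain("example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("serial:", leaf.Cert.SerialNumber, "issuer:", leaf.Cert.Issuer.CommonName,
		"valid until:", leaf.Cert.NotAfter.Format(time.RFC3339))
	fmt.Println("valid chain:", VerifyServerCert(leaf.Cert, inter.Cert, root.Cert, "example.com"))
	fmt.Println("wrong hostname:", VerifyServerCert(leaf.Cert, inter.Cert, root.Cert, "other.example"))
	selfSigned, _ := issue(newTemplate("example.com", 4, false), nil)
	fmt.Println("self-signed leaf:", VerifyServerCert(selfSigned.Cert, inter.Cert, root.Cert, "example.com"))
}
```

The two rejected cases are the ones the MCQs ask about: a certificate for the wrong hostname fails even though its chain is valid, and a self-signed certificate fails because no trusted root vouches for it. Revocation (CRL/OCSP) is not modelled here; `Verify` checks signatures, dates, constraints and names only.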
Quick Summary Table
| Concept | Purpose | Examples | Key Points |
|---|---|---|---|
| Encryption | Protect data (confidentiality) | AES, RSA | Symmetric = fast, Asymmetric = secure |
| Hashing | Check integrity, store passwords | SHA-256, Bcrypt | One-way, fixed output |
| Digital Certificate | Identity verification | SSL/TLS, Code Signing | Issued by CA, enables trust |
MCQs — Encryption, Hashing & Digital Certificates
1. Which of the following is a symmetric-key encryption algorithm?
A. RSA
B. AES
C. ECC
D. Diffie–Hellman
Answer: B. AES — AES uses a single shared key for encryption/decryption.
2. Which algorithm is most commonly used for asymmetric (public-key) encryption?
A. AES
B. 3DES
C. RSA
D. MD5
Answer: C. RSA — RSA is a widely used public-key algorithm.
3. Which of the following is true about hashing?
A. Hashing is reversible
B. Hashing uses keys to encrypt data
C. Hashing produces a fixed-length output for variable input
D. Hashing is primarily used for confidentiality
Answer: C. Hashing produces a fixed-length output for variable input — Hash functions map arbitrary data to fixed-size hashes.
4. Which hash algorithm is considered insecure due to collisions?
A. SHA-256
B. MD5
C. SHA-512
D. Bcrypt
Answer: B. MD5 — MD5 has known collisions and is insecure for cryptographic use.
5. Which of the following provides integrity and non-repudiation when used with hashing?
A. Symmetric encryption only
B. Digital signature
C. SSL/TLS without certificates
D. CRC check
Answer: B. Digital signature — A digital signature (signing a hash) provides integrity and non-repudiation.
6. TLS certificates are issued by:
A. ISPs
B. Certificate Authorities (CAs)
C. Firewall vendors
D. Operating system vendors
Answer: B. Certificate Authorities (CAs) — CAs verify identity and issue certificates.
7. What is the primary purpose of a digital certificate?
A. Increase bandwidth
B. Verify ownership of a public key and identity
C. Encrypt data with symmetric key only
D. Generate hashes
Answer: B. Verify ownership of a public key and identity — Certificates bind public keys to identities.
8. Which one is NOT a property of cryptographic hash functions?
A. Deterministic
B. Collision-resistant
C. Reversible
D. Fixed output length
Answer: C. Reversible — Hash functions are one-way and not reversible.
9. Which mode of AES provides authenticated encryption (integrity + confidentiality)?
A. ECB
B. CBC
C. GCM
D. OFB
Answer: C. GCM — Galois/Counter Mode (GCM) provides authenticated encryption.
10. Which of the following is used to prevent rainbow-table attacks when storing passwords?
A. Symmetric encryption
B. Salting the password hash
C. Using MD5 alone
D. Shortening the password
Answer: B. Salting the password hash — A salt is random data added before hashing to prevent precomputed attacks.
11. Which algorithm is designed specifically for secure password hashing (slow by design)?
A. SHA-1
B. Bcrypt
C. AES
D. MD5
Answer: B. Bcrypt — bcrypt is slow and adaptive to resist brute-force.
12. SSL is primarily replaced by which protocol in modern systems?
A. FTP
B. TLS
C. IPsec
D. SSH
Answer: B. TLS — TLS is the modern successor to SSL.
13. Which port is default for HTTPS (TLS/SSL)?
A. 21
B. 25
C. 80
D. 443
Answer: D. 443 — HTTPS commonly uses port 443.
14. Public key encryption is best used for:
A. Encrypting large files directly
B. Secure key exchange and digital signatures
C. Hashing passwords
D. Replacing symmetric algorithms for speed
Answer: B. Secure key exchange and digital signatures — Asymmetric crypto is slower but good for key exchange and signing.
15. What does PKI stand for?
A. Private Key Interface
B. Public Key Infrastructure
C. Protected Key Index
D. Public Key Internet
Answer: B. Public Key Infrastructure — PKI manages keys and certificates.
16. What is OCSP used for?
A. Encrypting messages
B. Checking certificate revocation status online
C. Generating key pairs
D. Hashing passwords
Answer: B. Checking certificate revocation status online — OCSP provides real-time revocation checking.
17. If a certificate appears in a CRL, this means:
A. The certificate is trusted forever
B. The certificate has been revoked
C. The certificate never existed
D. The certificate is self-signed
Answer: B. The certificate has been revoked — CRL lists revoked certificates.
18. Which of the following is an elliptic curve cryptography algorithm?
A. AES
B. RSA
C. ECC
D. SHA-256
Answer: C. ECC — ECC refers to elliptic curve cryptography methods.
19. What is a digital signature generated from?
A. Encrypted file with AES key
B. Private key applied to a message digest (hash)
C. Public key applied to plain text
D. A symmetric key and salt
Answer: B. Private key applied to a message digest (hash) — That creates a digital signature.
20. Which of these is TRUE about symmetric vs asymmetric encryption?
A. Symmetric uses key pairs; asymmetric uses single shared key
B. Symmetric is slower than asymmetric
C. Asymmetric is typically used for key exchange, symmetric for data encryption
D. Asymmetric cannot provide authentication
Answer: C. Asymmetric is typically used for key exchange, symmetric for data encryption — Hybrid systems use both.
21. SHA-256 produces an output of how many bits?
A. 128 bits
B. 160 bits
C. 256 bits
D. 512 bits
Answer: C. 256 bits — SHA-256 outputs 256-bit hashes.
22. Which algorithm is considered quantum-resistant among the traditional ones below?
A. RSA
B. ECC
C. AES (with large key)
D. MD5
Answer: C. AES (with large key) — Symmetric algorithms like AES are more resilient to quantum attacks than RSA/ECC; AES-256 offers stronger post-quantum resistance (note: full post-quantum safety requires specialized algorithms).
23. What is certificate chaining?
A. Using multiple symmetric keys in sequence
B. A sequence of certificates from end-entity to trusted root CA
C. Tunneling certificates over SSH
D. Encrypting private keys with a chain of passwords
Answer: B. A sequence of certificates from end-entity to trusted root CA — Chain links intermediate CAs to root CA.
24. A self-signed certificate is:
A. Issued by a trusted CA
B. Signed by the same entity that it certifies
C. Always trusted by browsers
D. Used for code signing by default
Answer: B. Signed by the same entity that it certifies — Self-signed certs are not inherently trusted by others.
25. HMAC stands for:
A. Hashed Message Authentication Code
B. High Message Authentication Cipher
C. Hashing Mandatory Asymmetric Code
D. Hybrid Message Authentication Certificate
Answer: A. Hashed Message Authentication Code — HMAC uses a hash and a secret key for message authentication.
26. Which mode should NOT be used for encrypting multiple identical blocks because it leaks patterns?
A. CBC
B. GCM
C. ECB
D. CTR
Answer: C. ECB — Electronic Codebook (ECB) leaks block patterns and is insecure for many uses.
27. Which of the following is used in hybrid encryption schemes (commonly in TLS)?
A. Only symmetric keys
B. Only asymmetric keys
C. Asymmetric for key exchange + symmetric for data encryption
D. Hashing for encryption
Answer: C. Asymmetric for key exchange + symmetric for data encryption — Hybrid approach leverages strengths of both.
28. What is the main purpose of a salt in password storage?
A. Speed up hashing
B. Make hashes deterministic
C. Add randomness to prevent precomputed attacks
D. Encrypt the password before hashing
Answer: C. Add randomness to prevent precomputed attacks — Salt ensures same password has different hashes per user.
29. Which is true about RSA key sizes for similar security level to ECC?
A. RSA keys are smaller than ECC keys
B. RSA keys are larger than ECC keys for similar security
C. RSA and ECC key sizes are always equal
D. ECC keys require multiple primes
Answer: B. RSA keys are larger than ECC keys for similar security — ECC gives same security with smaller key sizes.
30. What does “forward secrecy” (perfect forward secrecy) ensure?
A. Old session keys cannot be recovered if long-term key is compromised
B. Future session keys are revealed if the server key is stolen
C. Certificates never expire
D. Hashes are reversible
Answer: A. Old session keys cannot be recovered if long-term key is compromised — PFS uses ephemeral keys.
31. Which certificate type is used to sign software so users can verify publisher?
A. SSL/TLS certificate
B. Code signing certificate
C. S/MIME certificate
D. Root CA certificate
Answer: B. Code signing certificate — Used to sign executables and software packages.
32. Which of the following is used to check whether a certificate has been revoked without downloading the entire CRL?
A. OCSP
B. HMAC
C. ECB
D. SHA-1
Answer: A. OCSP — Online Certificate Status Protocol provides per-certificate status.
33. PBKDF2 is used for:
A. File encryption
B. Key stretching for password hashing
C. Generating SSL certificates
D. Replacing asymmetric keys
Answer: B. Key stretching for password hashing — PBKDF2 makes brute-force harder by iteration.
34. Which hashing algorithm is recommended for modern cryptographic use (integrity)?
A. SHA-1
B. MD5
C. SHA-256
D. CRC32
Answer: C. SHA-256 — SHA-256 is secure for integrity.
35. In HTTPS, which item does the browser verify first when connecting to a secure website?
A. Page content size
B. CA’s signature on the server certificate
C. Number of images on the page
D. Server’s IP geolocation
Answer: B. CA’s signature on the server certificate — Browser verifies certificate authenticity via CA signature.
36. Which of the following is a symmetric block cipher?
A. RSA
B. AES
C. DSA
D. ECDSA
Answer: B. AES — AES is a symmetric block cipher.
37. What is the recommended minimum key length for RSA for modern security (commonly advised)?
A. 512 bits
B. 1024 bits
C. 2048 bits
D. 4096 bits is the minimum
Answer: C. 2048 bits — 2048-bit RSA is widely recommended as minimum for today.
38. Which of the following ensures both confidentiality and integrity when properly used?
A. AES in ECB mode without MAC
B. AES-GCM (authenticated encryption)
C. SHA-256 alone
D. Plain base64 encoding
Answer: B. AES-GCM (authenticated encryption) — Authenticated encryption provides both.
39. A certificate signed by an intermediate CA whose root CA is trusted — this certificate is:
A. Invalid
B. Trusted if chain to trusted root is intact
C. Always untrusted
D. Self-signed
Answer: B. Trusted if chain to trusted root is intact — Trust follows chain to a trusted root.
40. Which of the following is NOT a valid use of digital certificates?
A. Verifying website identity (HTTPS)
B. Signing email (S/MIME)
C. Storing plain text passwords securely
D. Code signing
Answer: C. Storing plain text passwords securely — Certificates are not for storing passwords.
41. Which authentication code combines a secret key with a hash function to verify message authenticity?
A. CRC
B. HMAC
C. MD5 only
D. AES-CBC
Answer: B. HMAC — HMAC uses a secret key with a hash.
42. Which algorithm family is commonly used for digital signatures?
A. RSA, DSA, ECDSA
B. MD5, SHA-1, SHA-256
C. AES, 3DES, DES
D. CRC32, Adler32
Answer: A. RSA, DSA, ECDSA — These are used for signing.
43. What does “salt + pepper” in password hashing refer to?
A. Two encryption modes
B. Salt = per-user random value; Pepper = global secret value stored separately
C. A type of symmetric key algorithm
D. A deprecated certificate type
Answer: B. Salt = per-user random value; Pepper = global secret value stored separately — Pepper adds another secret to hashing.
44. Which of these is true about MD5 and SHA-1 in modern security?
A. Both are considered secure for new systems
B. MD5 is secure; SHA-1 is not
C. Both have known weaknesses and are deprecated for collision resistance
D. They are used for symmetric encryption
Answer: C. Both have known weaknesses and are deprecated for collision resistance — Use stronger hashes like SHA-256.
45. What is the purpose of a Registration Authority (RA) in PKI?
A. Issue root certificates without verification
B. Function as a middleman that verifies identity before CA issues a certificate
C. Store private keys for users
D. Hash passwords for databases
Answer: B. Function as a middleman that verifies identity before CA issues a certificate — RA handles identity vetting.
46. To prevent man-in-the-middle attacks in HTTPS, which is most important?
A. Using HTTP port 80
B. Trustworthy certificate chain (CA signature) and correct hostname match
C. Using MD5 for hashing
D. Short certificate validity only
Answer: B. Trustworthy certificate chain (CA signature) and correct hostname match — Browser checks both for authenticity.
47. Which is a primary advantage of ECC over RSA?
A. ECC keys are longer for same security
B. ECC is less secure than RSA always
C. ECC provides similar security with smaller keys (efficient for mobile)
D. ECC cannot be used for digital signatures
Answer: C. ECC provides similar security with smaller keys (efficient for mobile) — Smaller key sizes are an ECC advantage.
48. What is a root CA certificate?
A. A certificate issued to a website by a browser
B. The top-most certificate trusted implicitly by systems and used to sign intermediates
C. Always expired certificate
D. A certificate used only for email
Answer: B. The top-most certificate trusted implicitly by systems and used to sign intermediates — Root CA anchors trust.
49. Which of the following transforms are reversible?
A. Hashing (SHA-256)
B. Symmetric encryption (AES with key)
C. One-way salted hash
D. CRC checks
Answer: B. Symmetric encryption (AES with key) — With the key you can decrypt (reversible).
50. Which practice improves security of stored passwords most?
A. Store plain text passwords in the database
B. Store only salted & iterated hashed passwords (e.g., bcrypt/PBKDF2/Argon2)
C. Use MD5 without salt
D. Use reversible symmetric encryption only
Answer: B. Store only salted & iterated hashed passwords (e.g., bcrypt/PBKDF2/Argon2) — Best practice for password storage.
