GyanDesk

Encryption, Hashing, Digital Certificate

🔐 Encryption, Hashing & Digital Certificates

Complete Study Notes for Government, Banking, SSC, UPSC, Railway & Other Competitive Exams

📊 All Key Comparison Tables 📝 50+ MCQs with Explanations 🇮🇳 India-Specific Content ⚡ Quick Revision Cheat Sheet
3
Core Concepts Explained
50+
MCQs with Answers
8
Comparison Tables
10+
Real-World Applications
🔒 1. Encryption — Making Data Secret

Encryption = Converting readable data (Plaintext) into unreadable form (Ciphertext) using an algorithm and a key. Only someone with the correct key can read the data back.

🎯
Primary Purpose: Confidentiality — ensuring only authorized people can read the data. Encryption protects data both in transit (internet) and at rest (stored on disk).
🔄 How Encryption Works
📄 Plaintext
Original Data
+🔑→
🔐 Algorithm
Encrypt
🔒 Ciphertext
Scrambled Data
+🔑→
📄 Plaintext
Decrypted
⚖️ Symmetric vs Asymmetric Encryption

🔵 Symmetric Encryption

  • One shared key for both encrypt & decrypt
  • Fast — ideal for large data
  • Key must be shared securely (biggest challenge)
  • Examples: AES, DES, 3DES, RC4, Blowfish
  • Used for: File encryption, VPNs, Wi-Fi (WPA2)
  • Memory trick: “Single Key = Speed”

🟣 Asymmetric Encryption

  • Two keys: Public key (encrypts) + Private key (decrypts)
  • Slower — used for small data / key exchange
  • Public key can be shared openly — private key stays secret
  • Examples: RSA, ECC, Diffie-Hellman, DSA
  • Used for: HTTPS, digital signatures, email security
  • Memory trick: “A Pair = Added Security”
📋 Important Encryption Algorithms
AlgorithmTypeKey SizeUsed ForStatus
AES Symmetric 128/192/256-bit Wi-Fi (WPA2/WPA3), VPN, disk encryption, banking ✅ Current Standard
DES Symmetric 56-bit Old banking systems (legacy) ❌ Obsolete / Broken
3DES (Triple DES) Symmetric 112/168-bit Legacy banking, ATMs ⚠️ Being Phased Out
RSA Asymmetric 2048/4096-bit HTTPS, digital signatures, email security ✅ Widely Used
ECC Asymmetric 256-bit (= RSA 3072-bit security) Mobile, IoT, modern TLS, cryptocurrency ✅ Growing Use
Diffie-Hellman Asymmetric (Key Exchange) Variable Securely sharing encryption keys over public channel 📌 Key Exchange Only
RC4 Symmetric (Stream) 40-2048-bit Old SSL/TLS, WEP Wi-Fi ❌ Broken / Deprecated
📌 Where Encryption is Used
Use CaseEncryption TypeExample
Secure websitesAsymmetric + Symmetric (Hybrid)HTTPS — TLS uses RSA for key exchange, AES for data
WhatsApp / Signal messagesHybrid (End-to-End)Signal Protocol — AES + Curve25519
VPN connectionsSymmetricAES-256 used in OpenVPN, IPSec
Wi-Fi securitySymmetricWPA2 uses AES; WEP (old, broken)
Disk/file encryptionSymmetricBitLocker (AES), VeraCrypt
Banking/ATM transactionsSymmetric / Hybrid3DES (old), AES (new)
Cryptocurrency walletsAsymmetricECC (Bitcoin uses secp256k1)
Digital signaturesAsymmetric (private key signs)RSA, DSA, ECDSA
💡
Hybrid Encryption (Most Common in Real World): Asymmetric encryption (RSA/ECC) is used to securely exchange an AES session key. Then AES encrypts all actual data. This combines the security of asymmetric with the speed of symmetric encryption. Used in TLS/HTTPS, email, WhatsApp.
Exam Tip: AES = Symmetric (fast, same key) | RSA = Asymmetric (key pair) | ECC = Asymmetric (smaller keys, more efficient) | DES = Obsolete | HTTPS uses Hybrid encryption. Most important for Banking/SSC/UPSC: AES is the current global standard for symmetric encryption.
🖐️ 2. Hashing — Digital Fingerprinting

Hashing = Converting any input data into a fixed-length string (called a hash, digest, or checksum) using a mathematical function. The same input always gives the same output. The process is one-way — cannot be reversed.

🎯
Primary Purpose: Integrity — verifying that data has NOT been tampered with or altered. Think of a hash as a digital fingerprint of data.
📋 Key Properties of a Good Hash Function
PropertyWhat It MeansExample
DeterministicSame input ALWAYS gives same output“hello” → same hash every time
Fixed Length OutputOutput size is always the same, regardless of input sizeSHA-256 = always 256 bits
One-Way (Irreversible)Cannot reverse-engineer the input from the hashCannot get “password” back from its hash
Avalanche EffectTiny change in input → completely different hash“hello” vs “Hello” → totally different hashes
Collision ResistantExtremely hard to find two different inputs with same hashMD5 FAILED this — it’s broken
Fast to ComputeHashing should be quick to calculateSHA-256 is fast; bcrypt is intentionally slow
📋 Hashing Algorithms — Comparison
AlgorithmOutput SizeUsed ForSecurity Status
MD5 128-bit (32 hex chars) File checksums (legacy), non-security use ❌ BROKEN — Collisions Found
SHA-1 160-bit (40 hex chars) Old SSL certificates, Git commit IDs ❌ WEAK — Deprecated 2017
SHA-256 256-bit (64 hex chars) SSL certificates, Bitcoin, file verification, passwords ✅ SECURE — Current Standard
SHA-512 512-bit (128 hex chars) High-security applications, password hashing ✅ Very Secure
SHA-3 224/256/384/512-bit Next-generation alternative to SHA-2 ✅ Very Secure
bcrypt 60 characters (fixed) Password storage in databases ✅ Best for Passwords (slow by design)
Argon2 Variable Password hashing (winner of PHC 2015 competition) ✅ Best Modern Password Hash
CRC32 32-bit Error detection in data transmission (NOT for security) ⚠️ Error Detection Only
🌐 Real-World Uses of Hashing
  • Password Storage: Websites store hash of your password, not the actual password. When you log in, your entry is hashed and compared.
  • File Integrity Verification: Download a file → compare its SHA-256 hash with the published one → if they match, file is genuine and untampered.
  • Digital Signatures: The message is hashed first, then the hash is signed with a private key (not the full message, which is too large).
  • Blockchain Technology: Each block contains the hash of the previous block, creating a tamper-evident chain. Bitcoin uses SHA-256.
  • Data Deduplication: Cloud storage systems hash files to detect duplicate copies and save storage space.
  • Message Authentication Code (HMAC): Hash + secret key → used to verify both integrity AND authenticity of messages.
🧂 Salt & Pepper in Password Hashing
ConceptWhat It IsPurpose
SaltRandom data added to a password BEFORE hashingPrevents rainbow table attacks; same password → different hashes for each user
PepperSecret value added in addition to salt (stored separately from DB)Extra protection even if database is stolen
Rainbow TablePre-computed table of passwords and their hashesUsed by attackers to reverse hashed passwords — defeated by salting
Key StretchingRunning the hash function many times (iterations)Makes brute-force attacks much slower (bcrypt, PBKDF2 do this)
Exam Tip: Hashing = One-way, Fixed output, Integrity check | SHA-256 = 256-bit output (⭐ most asked) | MD5 = Broken/Weak | SHA-1 = Deprecated | bcrypt = Best for password storage | Salt prevents rainbow table attacks | Bitcoin uses SHA-256.
⚖️ 3. Encryption vs Hashing vs Encoding — Key Differences
FeatureEncryptionHashingEncoding
PurposeConfidentiality (hide data)Integrity (verify data)Format conversion (NOT security)
Reversible?✅ Yes — with the correct key❌ No — one-way process✅ Yes — anyone can decode
Uses Key?✅ Yes (symmetric or asymmetric)❌ No key (HMAC uses a key)❌ No key needed
Output SizeVariable (same or larger than input)Fixed length alwaysLarger than input
ExamplesAES, RSA, ECCSHA-256, MD5, bcryptBase64, URL encoding, ASCII
Used ForSecure data transmission, storagePasswords, file integrity, blockchainEmail attachments, URLs, data transfer
Security?✅ Yes — designed for security✅ Yes — designed for integrity❌ No security — easily reversible
⚠️
Common Exam Trap: Base64 encoding is NOT encryption. Many students confuse these. Base64 just converts binary to text — anyone can decode it without any key. Never use it for security purposes.
✍️ 4. Digital Signatures

A Digital Signature is the electronic equivalent of a handwritten signature. It proves: 1) Who sent the message (Authentication) and 2) The message was not altered (Integrity).

💡
Key Concept: In digital signatures, the roles of public and private keys are REVERSED compared to encryption.
Private Key → Signs (only the sender/owner can sign)
Public Key → Verifies (anyone can verify the signature)
🔄 How a Digital Signature Works
Step 1 — Hash the Message

Sender creates a hash (SHA-256) of the original message or document.

Step 2 — Sign with Private Key

Sender encrypts the hash using their own private key → this creates the “Digital Signature”.

Step 3 — Send Message + Signature

Both the original message and the digital signature are sent to the receiver.

Step 4 — Verify with Public Key

Receiver decrypts the signature using sender’s public key to get the original hash.

Step 5 — Compare Hashes

Receiver hashes the received message independently. If both hashes match → signature is valid → message is authentic and untampered.

Security GoalHow Digital Signature Helps
AuthenticationProves message came from the genuine sender (only they have the private key)
IntegrityIf message is altered, the hash won’t match — forgery detected
Non-RepudiationSender cannot later deny sending the message — legally enforceable
🇮🇳
India — Digital Signature Laws:
IT Act 2000, Section 5: Digital signatures are legally valid in India
Section 3: Authentication of electronic records via digital signature
Controller of Certifying Authorities (CCA) under MeitY regulates digital signature issuers in India
• Indian CAs licensed by CCA: NIC, e-Mudhra, CDAC, Capricorn, (n)Code
• Used in: GST filing, income tax returns, MCA filings, e-tender, Aadhaar eSign
Exam Tip: Digital Signature = Hash + Asymmetric Encryption | Provides: Authentication + Integrity + Non-Repudiation | Private key signs; Public key verifies | IT Act 2000 makes them legally valid in India | CCA controls digital signature CAs in India.
📜 5. Digital Certificates — Electronic ID Cards

A Digital Certificate is like an electronic ID card for a website or person. It proves that a public key truly belongs to a specific entity. Without certificates, anyone could impersonate a website — certificates prevent this “man-in-the-middle” attack.

📋 What a Digital Certificate Contains
FieldDescription
Subject / Owner NameName of the website, person, or organization the certificate belongs to
Public KeyThe owner’s public key (used for encryption or signature verification)
Issuer (CA Name)Name of the Certificate Authority that issued and signed the certificate
Serial NumberUnique identifier for this certificate
Validity PeriodStart date and expiry date (certificates must be renewed)
CA’s Digital SignatureCA’s own signature proving the certificate is genuine
Certificate StandardMost certs follow X.509 standard (the global format)
🏷️ Types of Digital Certificates
Certificate TypePurposeUsed In
SSL/TLS CertificateSecures websites — enables HTTPS (lock icon 🔒)All HTTPS websites
DV (Domain Validation)Only domain ownership verified — basic levelBlogs, small websites
OV (Organization Validation)Domain + Organization identity verifiedBusiness websites
EV (Extended Validation)Strictest verification — shows green bar/company name in old browsersBanks, govt portals, e-commerce
Wildcard CertificateCovers main domain + all subdomains (*.example.com)Large websites with many subdomains
Code Signing CertificateVerifies software publisher — proves software is not tamperedWindows apps, Android APKs
S/MIME CertificateSecure email — sign and encrypt email messagesCorporate email systems
Client CertificateAuthenticates a user (not server) to a serverCorporate VPNs, smart cards
🔄 How SSL/TLS Handshake Works (Simplified)
Client Hello

Your browser sends: “Hello! I support TLS 1.3. Here are my supported cipher suites.”

Server Hello + Certificate

Server responds: “Here is my digital certificate and public key.”

Certificate Verification

Browser checks: Is the certificate valid? Is it signed by a trusted CA? Has it expired or been revoked?

Key Exchange

Browser and server use asymmetric encryption (RSA/ECC) to agree on a shared symmetric session key.

Encrypted Communication Begins

All data is now encrypted using the AES session key. The 🔒 lock icon appears in your browser.

Exam Tip: HTTPS = HTTP + TLS certificate (Port 443) | Certificate = electronic ID card for websites | CA issues certificates | X.509 = certificate standard | EV certificate = highest trust level | Certificate tells you: who owns the key, validity period, issuer CA.
🏛️ 6. PKI — Public Key Infrastructure

PKI (Public Key Infrastructure) is the complete system — people, processes, software, and hardware — that manages the creation, distribution, storage, and revocation of digital certificates.

🧩 Key Components of PKI
ComponentFull FormRole
CACertificate AuthorityIssues, signs, and manages digital certificates — the most trusted entity in PKI
Root CARoot Certificate AuthorityTop-level CA; self-signed; pre-installed in all browsers/OSes (e.g., DigiCert, GlobalSign, Comodo)
Intermediate CASubordinate / Intermediate CAIssues certificates on behalf of Root CA; creates a trust chain
RARegistration AuthorityVerifies the identity of certificate applicants before CA issues the certificate
CRLCertificate Revocation ListPublished list of revoked (cancelled) certificates — browsers check this
OCSPOnline Certificate Status ProtocolReal-time, per-certificate revocation check — more efficient than downloading full CRL
RepositoryCertificate RepositoryDirectory where certificates and CRLs are publicly stored
🔗 Certificate Chain of Trust
🏛️ Root CA
(Self-signed, Pre-trusted)
🔑 Intermediate CA
(Signed by Root)
📜 End-Entity Cert
(Signed by Intermediate)
✅ Browser Trusts
Website
🇮🇳
PKI in India — Controller of Certifying Authorities (CCA)
CCA is the apex authority for digital signatures in India (under MeitY, IT Act 2000)
• CCA licenses Certifying Authorities (CAs) in India
Licensed Indian CAs: NIC-CA, e-Mudhra, SafeScrypt, CDAC, Capricorn, (n)Code Solutions, NSDL Database Management
• Used for: Income Tax e-filing, GST, MCA21, e-Procurement, DigiLocker documents
eSign: Aadhaar-based digital signature — no USB token needed; OTP-based signing
Exam Tip: PKI = complete certificate management system | CA = issues certificates | Root CA = highest trust | CRL = list of revoked certificates | OCSP = real-time revocation check | CCA (India) = regulates digital signatures under IT Act 2000.
📖 7. Important Terms — Quick Reference
TermSimple Definition
PlaintextOriginal, readable data BEFORE encryption
CiphertextScrambled, unreadable data AFTER encryption
CipherThe encryption algorithm used (e.g., AES cipher)
KeySecret parameter used by the cipher to encrypt/decrypt data
Digest / HashFixed-length output of a hash function (digital fingerprint)
HMACHash-based Message Authentication Code — hash + secret key = proves integrity AND authenticity
CertificateElectronic document binding a public key to an identity, signed by a CA
X.509The international standard format for digital certificates
PEM / DERFile formats for certificates — PEM is base64 text (.pem, .crt), DER is binary (.der)
HandshakeThe process by which client and server negotiate encryption settings and exchange keys
Session KeyTemporary symmetric key generated for a single communication session
Key ExchangeProcess of securely sharing a symmetric key between two parties (Diffie-Hellman, RSA, ECDH)
Forward Secrecy (PFS)Past session keys remain safe even if long-term key is compromised — uses ephemeral keys
Non-RepudiationSender cannot deny sending a message — provided by digital signatures
Public KeyCan be shared freely; used to encrypt data or verify signatures
Private KeyMust be kept secret; used to decrypt data or create digital signatures
Key PairMathematically linked public + private key generated together
ChecksumSimple value used to detect errors in data (CRC); NOT for security
Collision AttackFinding two different inputs that produce the same hash — fatal flaw for MD5
Rainbow TablePre-computed database of password → hash mappings used to crack passwords
Brute ForceTrying all possible keys/passwords until correct one found
TLSTransport Layer Security — secure protocol for internet communication (replaces SSL)
SSLSecure Sockets Layer — older version of TLS (deprecated, but name still used informally)
HTTPSHTTP over TLS — secure web browsing — Port 443 — shows 🔒 in browser
Post-Quantum CryptographyNew encryption algorithms resistant to quantum computers (NIST standardizing them)
End-to-End Encryption (E2EE)Only sender and receiver can read messages — even the service provider cannot
🇮🇳 8. Encryption & Digital Certificates in India
Law / InitiativeRelevant to Encryption
IT Act 2000 — Section 3 Authentication of electronic records using digital signatures — legally recognized in India
IT Act 2000 — Section 5 Legal validity of digital signatures — equivalent to handwritten signature
IT Act 2000 — Section 84A Central Government can prescribe encryption modes/methods for use in India
DPDPA 2023 Mandates data protection measures — encryption is key tool for compliance
CERT-In Guidelines (2022) Mandates encryption and secure communication for reporting cyber incidents
RBI Guidelines Mandate AES-256 encryption for banking data; TLS for online transactions; tokenization for card data
UIDAI / Aadhaar Uses AES-256 encryption for biometric data; 2048-bit RSA for secure authentication
DigiLocker Uses 256-bit encryption to store government documents securely
eSign Framework Aadhaar-based digital signature service — uses ECDSA or RSA + SHA-256; no hardware token needed
NeSL (National e-Governance Services Ltd) Uses PKI and digital certificates for legal documentation
🔔
Key India Facts for Exams: CCA (Controller of Certifying Authorities) = apex digital signature body under MeitY | India’s IT Act 2000 recognizes digital signatures | eSign uses Aadhaar OTP for signing | WhatsApp uses end-to-end encryption (Signal Protocol) in India | RBI mandates TLS 1.2+ for banking websites
9. Quick Revision Cheat Sheet
Encryption PurposeConfidentiality — hide data from unauthorized access
Hashing PurposeIntegrity — verify data is not tampered with
Digital Signature PurposeAuthentication + Integrity + Non-Repudiation
Symmetric EncryptionSame key for encrypt & decrypt — AES is the standard
Asymmetric EncryptionKey pair (public + private) — RSA, ECC, Diffie-Hellman
Hybrid EncryptionAsymmetric key exchange + Symmetric data encryption (TLS/HTTPS)
AESAdvanced Encryption Standard — best symmetric cipher — 128/256-bit keys
RSAMost popular asymmetric algorithm — use 2048/4096-bit for security
ECCElliptic Curve Cryptography — same security as RSA with smaller keys
DES56-bit — OBSOLETE & BROKEN — replaced by AES
SHA-256256-bit output — Used by Bitcoin, TLS certs, file verification
MD5 (128-bit)BROKEN — collision vulnerability — do NOT use for security
SHA-1 (160-bit)DEPRECATED since 2017 — vulnerable to collisions
bcryptBest for password hashing — slow by design — resists brute force
SaltRandom data added before hashing — prevents rainbow table attacks
Rainbow TablePre-computed hash table used to crack passwords — defeated by salting
HMACHash + Secret Key — verifies integrity AND authenticity of messages
CA (Certificate Authority)Issues and signs digital certificates — the trust anchor
PKIPublic Key Infrastructure — complete system to manage certificates
CRLCertificate Revocation List — list of cancelled/invalid certificates
OCSPOnline Certificate Status Protocol — real-time revocation check
X.509International standard format for digital certificates
HTTPS Port443 — HTTP port = 80
TLS vs SSLTLS is the secure modern version — SSL is deprecated
Digital Sign — Signing KeyPrivate Key signs — Public Key verifies (reverse of encryption)
Non-RepudiationSender cannot deny sending — provided by digital signatures
End-to-End EncryptionOnly sender & receiver can read — WhatsApp, Signal use this
Forward Secrecy (PFS)Past sessions safe even if server key compromised — uses ephemeral keys
CCA (India)Controller of Certifying Authorities — regulates digital signatures under IT Act 2000
eSign (India)Aadhaar OTP-based digital signature — no USB token required
Base64Encoding — NOT encryption — easily reversible — NO security
Post-Quantum CryptoNew algorithms to resist quantum computers — NIST standardizing Kyber, Dilithium
📝 Practice MCQs — With Answers & Explanations
💡
50+ questions organized by topic. Green option = correct answer. Read each explanation to understand WHY — not just WHAT. Questions are modelled on previous Banking, SSC, UPSC, and Railway exam patterns.
🔒 Section A — Encryption Basics
1What is the primary purpose of encryption?
  • A. Confidentiality — ensuring only authorized parties can read the data
  • B. Integrity — ensuring data is not altered
  • C. Authentication — verifying sender identity
  • D. Availability — ensuring systems are accessible
✅ Answer: A Encryption’s primary purpose is Confidentiality — protecting data from unauthorized reading. Integrity is the goal of hashing; authentication is provided by digital signatures.
2Which of the following is a Symmetric encryption algorithm?
  • A. RSA
  • B. AES
  • C. ECC
  • D. Diffie-Hellman
✅ Answer: B AES (Advanced Encryption Standard) uses a single shared key for both encryption and decryption — making it symmetric. RSA, ECC, and Diffie-Hellman are asymmetric.
3In asymmetric encryption, which key is used to ENCRYPT data for confidentiality?
  • A. Private Key
  • B. Public Key of the recipient
  • C. Session Key
  • D. Any key can be used
✅ Answer: B For confidentiality: sender uses recipient’s PUBLIC key to encrypt. Only the recipient’s PRIVATE key can decrypt it. This ensures only the intended recipient can read the message.
4The encryption standard DES (Data Encryption Standard) is considered insecure today because:
  • A. It uses asymmetric keys
  • B. It cannot encrypt large files
  • C. Its 56-bit key is too short and can be cracked by brute force
  • D. It was never widely used
✅ Answer: C DES uses only a 56-bit key, which modern computers can brute-force crack very quickly. AES replaced DES as the global standard.
5Modern HTTPS websites use which type of encryption system?
  • A. Only symmetric encryption (AES)
  • B. Only asymmetric encryption (RSA)
  • C. Hybrid — asymmetric for key exchange, symmetric for data
  • D. Only hashing
✅ Answer: C HTTPS/TLS uses a Hybrid system: RSA or ECC (asymmetric) to securely exchange a session key, then AES (symmetric) to encrypt all actual data — combining speed and security.
6ECC (Elliptic Curve Cryptography) is preferred over RSA in mobile devices and IoT because:
  • A. ECC is simpler to implement
  • B. ECC uses symmetric keys
  • C. ECC provides equivalent security with much smaller key sizes, consuming less power
  • D. RSA is not supported on mobile devices
✅ Answer: C A 256-bit ECC key provides roughly the same security as a 3072-bit RSA key. Smaller keys mean less computation, less power consumption — ideal for battery-powered mobile/IoT devices.
7WhatsApp uses end-to-end encryption based on which protocol?
  • A. SSL/TLS Protocol
  • B. PGP Protocol
  • C. Signal Protocol
  • D. RSA-4096 Protocol
✅ Answer: C WhatsApp uses the Signal Protocol (developed by Open Whisper Systems), which provides end-to-end encryption using a combination of X3DH key agreement and the Double Ratchet algorithm.
8AES-256 means:
  • A. AES algorithm with 256 rounds of encryption
  • B. AES algorithm using a 256-bit key length
  • C. AES encrypting 256 bytes at a time
  • D. AES with 256 different cipher modes
✅ Answer: B The number after AES refers to the key size: AES-128 (128-bit key), AES-192, AES-256 (strongest). Larger key size = harder to brute-force.
🖐️ Section B — Hashing
9Which of the following is TRUE about a hash function?
  • A. Hashing is reversible with the correct key
  • B. Hashing is primarily used for confidentiality
  • C. Hashing produces a fixed-length output regardless of input size
  • D. Hashing requires a public and private key pair
✅ Answer: C Hash functions always produce a fixed-length output (e.g., SHA-256 always outputs 256 bits) regardless of whether the input is 1 byte or 1 GB. Hashing is one-way and used for integrity, not confidentiality.
10Which hashing algorithm is considered INSECURE due to collision vulnerabilities?
  • A. SHA-256
  • B. MD5
  • C. SHA-512
  • D. SHA-3
✅ Answer: B MD5 (Message Digest 5) has known collision vulnerabilities — two different inputs can produce the same 128-bit hash. It is deprecated for cryptographic security use.
11SHA-256 produces an output of how many bits?
  • A. 128 bits
  • B. 160 bits
  • C. 256 bits
  • D. 512 bits
✅ Answer: C SHA-256 (Secure Hash Algorithm 256) produces a 256-bit (32-byte / 64 hexadecimal characters) hash. It’s part of the SHA-2 family and is the current standard for most security applications.
12Bitcoin uses which hashing algorithm for mining and transaction verification?
  • A. MD5
  • B. SHA-1
  • C. SHA-256
  • D. bcrypt
✅ Answer: C Bitcoin uses SHA-256 for its Proof-of-Work mining algorithm and for creating transaction identifiers. This is frequently asked in exam questions about blockchain and cryptocurrency.
13Which algorithm is specifically designed for PASSWORD hashing and is intentionally slow?
  • A. SHA-256
  • B. MD5
  • C. bcrypt
  • D. AES-128
✅ Answer: C bcrypt is intentionally slow and computationally expensive, making brute-force attacks impractical. It also automatically salts passwords. Argon2 is another modern alternative for password hashing.
14A SALT in password hashing is used to:
  • A. Make passwords longer
  • B. Speed up the hashing process
  • C. Add randomness to prevent rainbow table attacks
  • D. Encrypt the hash using AES
✅ Answer: C A salt is a random value added to each password before hashing. This ensures that even if two users have the same password, their stored hashes will be different, making rainbow table attacks ineffective.
15The Avalanche Effect in hashing means:
  • A. Large inputs take much longer to hash
  • B. A tiny change in input results in a completely different output hash
  • C. Hashes cascade into longer values
  • D. Multiple hashes can produce the same output
✅ Answer: B The Avalanche Effect means even a 1-bit change in input produces a drastically different hash output. This is a desirable property — changing “Hello” to “hello” gives a completely different SHA-256 hash.
16HMAC stands for:
  • A. Hash-based Message Authentication Code
  • B. High-level Message Authentication Cipher
  • C. Hashed Mandatory Asymmetric Code
  • D. Hybrid Message Authentication Certificate
✅ Answer: A HMAC = Hash + Secret Key. It provides both integrity (data not tampered) AND authenticity (from the correct sender). Unlike a simple hash, HMAC requires the secret key to verify — preventing forgery.
17Which is NOT a property of a cryptographic hash function?
  • A. Deterministic
  • B. Collision-resistant
  • C. Reversible
  • D. Fixed output length
✅ Answer: C Reversibility is NOT a property of hash functions. Hashing is a one-way process — you cannot recover the original input from the hash. The other options (deterministic, collision-resistant, fixed output) ARE properties of good hash functions.
18A Rainbow Table attack is most effectively prevented by:
  • A. Using a longer password
  • B. Using MD5 instead of SHA-256
  • C. Adding a unique salt before hashing each password
  • D. Encrypting the password before hashing
✅ Answer: C Rainbow Tables are pre-computed hash lookups. A unique salt for each password means attackers would need to build separate tables for every possible salt — computationally infeasible.
✍️ Section C — Digital Signatures
19A digital signature provides which THREE security properties?
  • A. Confidentiality, Availability, Integrity
  • B. Authentication, Integrity, Non-Repudiation
  • C. Availability, Authentication, Encryption
  • D. Confidentiality, Authentication, Encryption
✅ Answer: B Digital signatures provide: Authentication (proves who sent it), Integrity (data not altered), and Non-Repudiation (sender cannot deny sending). Encryption provides confidentiality — that’s a different goal.
20To CREATE a digital signature, which key is used?
  • A. Recipient’s Public Key
  • C. Sender’s Private Key
  • D. A shared symmetric key
✅ Answer: C Digital signatures use the SENDER’s PRIVATE KEY to sign. Anyone can verify the signature using the sender’s PUBLIC KEY. This proves the signature could only have come from the person with that private key.
21Which of the following correctly describes the digital signature process?
  • A. Encrypt full message with private key
  • B. Hash the message, then encrypt with public key
  • C. Hash the message, then encrypt the hash with private key
  • D. Encrypt message with symmetric key, then hash
✅ Answer: C The correct process: 1) Hash the message using SHA-256. 2) Encrypt that hash using the sender’s private key → this is the digital signature. The full message + signature are sent together.
22“Non-repudiation” in the context of digital signatures means:
  • A. Data cannot be read by unauthorized users
  • B. Data integrity is guaranteed
  • C. The sender cannot deny having sent the signed document
  • D. The message is encrypted from end-to-end
✅ Answer: C Non-Repudiation means the sender cannot later deny sending the message. Since only they have their private key, only they could have created the signature — legally binding evidence in court.
23Under which section of the IT Act, 2000 is a digital signature legally valid in India?
  • A. Section 43
  • B. Section 66F
  • C. Section 5
  • D. Section 69A
✅ Answer: C Section 5 of the IT Act, 2000 grants legal recognition to digital signatures in India, making them equivalent to handwritten signatures for legal and commercial purposes.
24The eSign service in India is based on:
  • A. Physical USB token with embedded certificate
  • B. Aadhaar-based OTP authentication for digital signing
  • C. Biometric fingerprint matching only
  • D. Paper-based certificate issuance
✅ Answer: B India’s eSign service allows users to digitally sign documents using Aadhaar-based OTP verification — no physical USB token is needed. It uses the DSC (Digital Signature Certificate) issued in real-time.
📜 Section D — Digital Certificates & PKI
25What is the primary purpose of a Digital Certificate?
  • A. To encrypt all website traffic using AES
  • B. To verify that a public key belongs to a specific identity (website/person)
  • C. To store private keys securely
  • D. To generate hash values for files
✅ Answer: B A digital certificate binds a public key to a verified identity. Without certificates, anyone could present a fake public key. Certificates (issued by trusted CAs) prevent this impersonation.
26TLS certificates are issued by:
  • A. ISPs (Internet Service Providers)
  • B. Certificate Authorities (CAs)
  • C. Operating System vendors
  • D. Firewall manufacturers
✅ Answer: B Certificate Authorities (CAs) verify the identity of the certificate requester and then issue/sign the digital certificate. Major CAs include DigiCert, Let’s Encrypt, GlobalSign, Comodo.
27What does PKI stand for?
  • A. Private Key Interface
  • B. Public Key Infrastructure
  • C. Protected Key Index
  • D. Public Key Internet
✅ Answer: B PKI = Public Key Infrastructure. It is the complete framework of policies, hardware, software, and people that manages digital keys and certificates.
28OCSP is used for:
  • A. Encrypting messages in transit
  • B. Real-time checking of whether a digital certificate has been revoked
  • C. Generating new key pairs
  • D. Hashing passwords for storage
✅ Answer: B OCSP (Online Certificate Status Protocol) allows browsers to check in real-time whether a specific certificate is still valid or has been revoked — more efficient than downloading the full CRL (Certificate Revocation List).
29A Certificate Revocation List (CRL) contains:
  • A. A list of all valid certificates
  • B. A list of certificates that have been revoked before their expiry date
  • C. A list of all public keys
  • D. A list of firewall rules
✅ Answer: B CRL is published by the CA and contains serial numbers of certificates that have been revoked (cancelled). Browsers check this list before trusting a certificate.
30SSL has been replaced by which modern protocol for secure web communication?
  • A. FTP
  • B. TLS (Transport Layer Security)
  • C. IPSec
  • D. SSH
✅ Answer: B TLS (Transport Layer Security) is the modern, more secure successor to SSL. The term “SSL certificate” is still commonly used informally, but modern systems actually use TLS 1.2 or TLS 1.3.
31The default port for HTTPS is:
  • A. 21
  • B. 25
  • C. 80
  • D. 443
✅ Answer: D HTTPS uses Port 443. HTTP (unencrypted) uses Port 80. This is one of the most frequently tested facts in banking and government computer awareness exams.
32A self-signed certificate is:
  • A. Issued by a trusted Root CA
  • B. Signed by the same entity whose identity it certifies
  • C. Always trusted by all web browsers
  • D. More secure than CA-issued certificates
✅ Answer: B A self-signed certificate is signed by its own creator (not a CA). Browsers show a “Not Secure” warning for self-signed certificates because there’s no trusted third party vouching for the identity.
33The international standard format for digital certificates is:
  • A. PGP
  • B. AES-256
  • C. X.509
  • D. PKCS#7 only
✅ Answer: C X.509 is the internationally recognized standard that defines the format of digital certificates. All SSL/TLS certificates, S/MIME certificates, and code signing certificates follow the X.509 standard.
34Which body regulates digital signature certifying authorities in India?
  • A. CERT-In
  • B. TRAI
  • C. CCA (Controller of Certifying Authorities)
  • D. RBI
✅ Answer: C CCA (Controller of Certifying Authorities) under MeitY is the apex body that licenses and regulates Certifying Authorities (CAs) that issue digital signature certificates in India, as per IT Act 2000.
⭐ Section E — Mixed & High-Priority Questions
35The “lock icon” (🔒) in a web browser indicates:
  • A. The website is government-approved
  • C. The connection is encrypted using TLS and the certificate is valid
  • D. The website has no viruses
✅ Answer: C The lock icon means the website is using HTTPS — TLS encryption is active and the digital certificate was issued by a trusted CA. It does NOT guarantee the website is safe or legitimate — phishing sites can also have 🔒.
36Forward Secrecy (Perfect Forward Secrecy) ensures that:
  • A. Future sessions are encrypted with stronger keys
  • B. Past session keys remain secure even if the server’s long-term private key is later compromised
  • C. Certificates never expire
  • D. Hashes are reversible for debugging
✅ Answer: B PFS uses ephemeral (temporary) keys for each session. Even if a hacker later steals the server’s private key, they cannot decrypt previously recorded sessions because those session keys are gone.
37Base64 encoding is different from encryption because:
  • A. Base64 uses longer keys than AES
  • B. Base64 is only used for images
  • C. Base64 is reversible by anyone without any key — it provides NO security
  • D. Base64 creates a fixed-length output like a hash
✅ Answer: C Base64 is just a way to encode binary data as text — anyone can decode it instantly. It’s NOT encryption and provides ZERO security. This is a common exam trap.
38Aadhaar authentication system in India uses which encryption standard for biometric data?
  • A. DES-56
  • B. RSA-1024
  • C. AES-256
  • D. MD5
✅ Answer: C UIDAI uses AES-256 encryption to protect biometric data in the Aadhaar database — the strongest standard available for symmetric encryption.
39Which technology may render current asymmetric encryption (RSA, ECC) BREAKABLE in the future?
  • A. Blockchain
  • B. Cloud Computing
  • C. Quantum Computing
  • D. 5G Networks
✅ Answer: C Quantum computers could run Shor’s algorithm to break RSA and ECC by factoring large numbers quickly. This is why NIST is standardizing Post-Quantum Cryptography (PQC) algorithms like Kyber and Dilithium.
40RBI mandates which encryption standard for protecting banking data in India?
  • A. DES-56
  • B. MD5
  • C. AES-256
  • D. SHA-1
✅ Answer: C The Reserve Bank of India mandates AES-256 encryption for banking data and TLS 1.2 or higher for online banking communications.
41Asymmetric encryption is typically used for key exchange, and symmetric encryption for data encryption. This combined approach is called:
  • A. Double Encryption
  • B. Hybrid Encryption
  • C. Layered Encryption
  • D. Mixed Encryption
✅ Answer: B Hybrid Encryption combines the best of both: asymmetric for secure key exchange (handles the key distribution problem) and symmetric for fast bulk data encryption. Used in HTTPS/TLS, email, VPN.
42Which hashing algorithm is used by Git version control system for commit IDs?
  • A. MD5
  • B. SHA-1 (being migrated to SHA-256)
  • C. bcrypt
  • D. AES
✅ Answer: B Git historically used SHA-1 for commit hashes. Since SHA-1 is deprecated, Git is transitioning to SHA-256. Note: SHA-1 is still acceptable for non-security use cases like version control identifiers.
43When a website’s certificate expires, what happens?
  • A. The website is automatically renewed and stays secure
  • C. Browsers show a “Not Secure” or certificate error warning
  • D. The website gets a new certificate from the CA automatically
✅ Answer: C If a certificate expires, browsers display security warnings telling users the connection may not be secure. The website owner must renew the certificate from their CA. Let’s Encrypt auto-renews every 90 days.
44The IT Act 2000, Section 84A relates to:
  • A. Cyber terrorism
  • B. Identity theft
  • C. Central Government’s power to prescribe encryption modes and methods
  • D. Blocking of websites
✅ Answer: C Section 84A empowers the Central Government to prescribe the modes or methods for encryption for the purpose of securing electronic records and communication.
45A code signing certificate is used to:
  • A. Secure websites with HTTPS
  • B. Verify that software/apps have not been tampered with and came from a legitimate publisher
  • C. Encrypt email messages
  • D. Authenticate users to servers
✅ Answer: B Code signing certificates are used by software developers to digitally sign their applications. When you install software, Windows verifies this signature to ensure the code is from a trusted publisher and hasn’t been modified.
46Which is the MOST secure option for storing user passwords in a database?
  • A. Plain text
  • B. MD5 hash
  • C. AES encrypted
  • D. Argon2 or bcrypt with unique salt per user
✅ Answer: D Argon2 and bcrypt with unique salts are the gold standard for password storage. They are intentionally slow (resisting brute force), use unique salts (defeating rainbow tables), and are designed specifically for this purpose.
47What does the “S” in S/MIME stand for?
  • A. Standard
  • B. Secure
  • C. Simple
  • D. Signed
✅ Answer: B S/MIME = Secure/Multipurpose Internet Mail Extensions. It is a protocol for email encryption and digital signing, used in corporate email environments for secure communication.
48DigiLocker, India’s government document storage service, uses which encryption standard?
  • A. DES-56
  • B. MD5
  • C. 256-bit encryption (AES-256)
  • D. RSA-1024
✅ Answer: C DigiLocker uses 256-bit AES encryption to protect government documents. All documents stored (Aadhaar, driving licence, marksheets) are secured with this standard.
49Which of the following is an example of End-to-End Encryption (E2EE)?
  • A. HTTPS website with TLS
  • B. Email sent via Gmail without encryption
  • C. WhatsApp messages encrypted using Signal Protocol
  • D. FTP file transfer
✅ Answer: C End-to-End Encryption means only the communicating users can read messages — even the service provider (WhatsApp/Meta) cannot. HTTPS is server-side TLS (provider can read), not true E2EE.
50Wi-Fi Protected Access 2 (WPA2) uses which encryption algorithm?
  • A. DES
  • B. RC4
  • C. AES (CCMP)
  • D. RSA
✅ Answer: C WPA2 uses AES with CCMP (Counter Mode CBC-MAC Protocol) for encryption. The older WEP used RC4, which is broken. WPA3 (latest) also uses AES with stronger modes (SAE, GCMP).
51Which type of digital certificate provides the highest level of identity verification for websites?
  • A. DV (Domain Validated) Certificate
  • B. OV (Organization Validated) Certificate
  • C. EV (Extended Validation) Certificate
  • D. Self-signed Certificate
✅ Answer: C EV certificates require the most rigorous identity verification process — including legal existence, physical address, and business verification. Banks and major e-commerce sites use EV certificates for maximum trust.
52Which Indian government service allows filing income tax returns using a digital signature?
  • A. Aadhaar alone
  • B. PAN card
  • C. Digital Signature Certificate (DSC) or eSign through the Income Tax Portal
  • D. OTP only (no digital signature)
✅ Answer: C The Income Tax e-filing portal (incometax.gov.in) accepts Digital Signature Certificates (DSC) and eSign (Aadhaar-based) for electronically signing and verifying tax returns and other documents.
📚 GyanDesk — Encryption, Hashing & Digital Certificates
Topics: AES · RSA · ECC · SHA-256 · MD5 · bcrypt · PKI · Digital Signatures · TLS/HTTPS · CCA (India) · IT Act 2000
Last Updated: May 2026 | For: Banking · SSC · UPSC · Railway · State Govt Exams