
Security+ Cryptography & PKI MCQs (261–300) with Answers & Explanations [2025 Update]

Are you preparing for the CompTIA Security+ exam or enhancing your knowledge of cryptography and PKI concepts? This section of our Security+ MCQ series (questions 251–300) focuses on encryption algorithms, hashing, digital signatures, certificates, PKI trust models, and quantum-resilient cryptography.

251. Which encryption algorithm is most commonly used in WPA2 for securing wireless networks?

A) DES
B) AES
C) RC4
D) Blowfish

Correct Answer: B) AES
Explanation: WPA2 uses AES (Advanced Encryption Standard) with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for strong wireless encryption. DES and RC4 are outdated, while Blowfish is not used in WPA2.


252. What is the key length of AES-256 encryption?

A) 128 bits
B) 192 bits
C) 256 bits
D) 512 bits

Correct Answer: C) 256 bits
Explanation: AES can operate with 128, 192, or 256-bit keys. AES-256 specifically uses a 256-bit key, offering the highest security among AES options.


253. Which of the following is a symmetric encryption algorithm?

A) RSA
B) ECC
C) AES
D) DSA

Correct Answer: C) AES
Explanation: AES is a symmetric algorithm (same key for encryption and decryption). RSA, ECC, and DSA are asymmetric cryptographic algorithms.


254. What is the main advantage of asymmetric encryption over symmetric encryption?

A) Faster encryption speed
B) Requires fewer resources
C) Secure key distribution
D) Works only for hashing

Correct Answer: C) Secure key distribution
Explanation: Asymmetric encryption solves the key distribution problem by using public-private key pairs. Symmetric encryption is faster but requires secure key sharing.


255. Which protocol uses asymmetric cryptography to establish a secure session before switching to symmetric encryption?

A) HTTPS (TLS/SSL)
B) IPSec
C) WPA3
D) Kerberos

Correct Answer: A) HTTPS (TLS/SSL)
Explanation: TLS/SSL first uses asymmetric cryptography (RSA or ECC) during the handshake to exchange keys, then switches to faster symmetric encryption (AES).


256. What does PKI primarily provide?

A) Faster encryption speeds
B) Digital certificates and trust management
C) Stronger hashing algorithms
D) Data compression

Correct Answer: B) Digital certificates and trust management
Explanation: Public Key Infrastructure (PKI) issues and manages digital certificates, ensuring authenticity, integrity, and trust in secure communications.


257. Which of the following is an example of a hashing algorithm?

A) AES
B) SHA-256
C) RSA
D) ECC

Correct Answer: B) SHA-256
Explanation: SHA-256 is a hashing function used for integrity verification. AES is symmetric, RSA/ECC are asymmetric algorithms.


258. What is a digital signature used for?

A) Encrypting data
B) Verifying integrity and authenticity
C) Speeding up communication
D) Providing anonymity

Correct Answer: B) Verifying integrity and authenticity
Explanation: A digital signature confirms the sender’s authenticity and ensures the message has not been altered. The sender hashes the message and signs the hash with their private key; the recipient verifies the signature with the sender’s public key.


259. Which PKI component issues, manages, and revokes digital certificates?

A) Registration Authority (RA)
B) Certificate Authority (CA)
C) Key Distribution Center (KDC)
D) Root Server

Correct Answer: B) Certificate Authority (CA)
Explanation: The CA is the trusted entity in PKI that issues and manages certificates. The RA assists in validating requests before forwarding them to the CA.


260. What is a common attack against hashing algorithms like MD5?

A) Brute force
B) Collision attack
C) Replay attack
D) Phishing

Correct Answer: B) Collision attack
Explanation: A collision attack occurs when two different inputs produce the same hash value. MD5 and SHA-1 are vulnerable to collisions, which is why they are considered insecure.

261. Which encryption algorithm is considered quantum-resistant?

A) RSA
B) ECC
C) AES-256
D) Lattice-based cryptography

Correct Answer: D) Lattice-based cryptography
Explanation: Quantum computers can break RSA and ECC. Lattice-based cryptography is being researched as a post-quantum secure method.


262. Which cryptographic attack attempts all possible keys until the correct one is found?

A) Birthday attack
B) Brute-force attack
C) Replay attack
D) Dictionary attack

Correct Answer: B) Brute-force attack
Explanation: In a brute-force attack, the attacker systematically tries every possible key until the right one is found.


263. Which of the following provides non-repudiation?

A) Digital signatures
B) Hashing
C) Symmetric encryption
D) VPN tunnels

Correct Answer: A) Digital signatures
Explanation: Digital signatures ensure that the sender cannot deny sending a message, thus providing non-repudiation.


264. What is the main purpose of a Certificate Revocation List (CRL)?

A) To store all issued certificates
B) To validate public keys
C) To list revoked digital certificates
D) To renew expired certificates

Correct Answer: C) To list revoked digital certificates
Explanation: A CRL contains certificates that have been revoked by the CA and should no longer be trusted.


265. Which is more efficient for mobile devices due to smaller key sizes?

A) RSA
B) ECC
C) DES
D) Blowfish

Correct Answer: B) ECC
Explanation: Elliptic Curve Cryptography (ECC) provides equivalent security to RSA but with much smaller key sizes, making it ideal for resource-limited devices.


266. What does a “salt” do in password hashing?

A) Speeds up hashing
B) Randomizes the hash to prevent rainbow table attacks
C) Encrypts the hash value
D) Reduces storage space

Correct Answer: B) Randomizes the hash to prevent rainbow table attacks
Explanation: A salt is random data added to passwords before hashing, preventing attackers from using precomputed hash databases (rainbow tables).


267. Which of the following is a stream cipher?

A) AES
B) DES
C) RC4
D) Blowfish

Correct Answer: C) RC4
Explanation: RC4 is a stream cipher, while AES, DES, and Blowfish are block ciphers.


268. What is the block size of AES?

A) 64 bits
B) 128 bits
C) 192 bits
D) 256 bits

Correct Answer: B) 128 bits
Explanation: AES always operates on 128-bit blocks, regardless of key size (128, 192, 256 bits).


269. Which algorithm is widely used for secure email (PGP/GPG)?

A) AES
B) RSA
C) SHA-1
D) DES

Correct Answer: B) RSA
Explanation: Pretty Good Privacy (PGP) uses RSA for key exchange and symmetric algorithms (like AES) for encrypting messages.


270. Which PKI trust model is most commonly used on the internet?

A) Web of trust
B) Hierarchical trust model
C) Distributed trust model
D) Blockchain trust model

Correct Answer: B) Hierarchical trust model
Explanation: The internet relies on a hierarchical PKI model with root CAs, intermediate CAs, and end-entity certificates.


271. Which protocol secures email messages by encrypting and signing them?

A) SMTP
B) S/MIME
C) POP3
D) IMAP

Correct Answer: B) S/MIME
Explanation: S/MIME (Secure/Multipurpose Internet Mail Extensions) provides encryption and digital signing of emails using PKI.


272. Which of the following is an example of key stretching?

A) SHA-1
B) MD5
C) PBKDF2
D) HMAC

Correct Answer: C) PBKDF2
Explanation: PBKDF2 is a key stretching algorithm that applies hashing repeatedly to slow down brute-force attacks.


273. What is the purpose of an HMAC (Hash-based Message Authentication Code)?

A) Only encryption
B) Only hashing
C) Integrity and authentication
D) Key exchange

Correct Answer: C) Integrity and authentication
Explanation: HMAC uses a hash function with a secret key to verify both the integrity and authenticity of a message.


274. Which asymmetric algorithm is primarily used for digital signatures and is part of the Digital Signature Algorithm (DSA)?

A) ECC
B) RSA
C) ElGamal
D) DSA

Correct Answer: D) DSA
Explanation: DSA is a standardized asymmetric algorithm used for digital signatures, not encryption.


275. What is the purpose of an OCSP (Online Certificate Status Protocol)?

A) Encrypts messages between servers
B) Provides real-time validation of certificate status
C) Generates public-private key pairs
D) Revokes certificates automatically

Correct Answer: B) Provides real-time validation of certificate status
Explanation: OCSP allows clients to query the status of a certificate in real time, unlike CRLs which must be downloaded periodically.


276. Which cryptographic algorithm was broken in 2017 by Google’s “SHAttered” attack?

A) SHA-1
B) SHA-256
C) MD5
D) AES

Correct Answer: A) SHA-1
Explanation: In 2017, Google demonstrated a collision attack against SHA-1, proving it is no longer secure.


277. Which of the following is considered a one-time pad (OTP) characteristic?

A) Uses a short repeating key
B) Unbreakable when used correctly
C) Relies on hashing
D) Provides authentication only

Correct Answer: B) Unbreakable when used correctly
Explanation: A one-time pad uses a random key as long as the message and is theoretically unbreakable if used properly.


278. Which type of encryption does SSL/TLS use for bulk data transfer after the handshake?

A) Asymmetric encryption
B) Symmetric encryption
C) Hashing only
D) Steganography

Correct Answer: B) Symmetric encryption
Explanation: SSL/TLS starts with asymmetric key exchange but switches to symmetric encryption (e.g., AES) for performance during bulk data transfer.


279. Which of the following is a modern hashing algorithm recommended for secure password storage?

A) MD5
B) SHA-1
C) bcrypt
D) DES

Correct Answer: C) bcrypt
Explanation: bcrypt is designed for secure password hashing with salting and adaptive cost factors. MD5 and SHA-1 are outdated.


280. Which asymmetric algorithm is based on the difficulty of factoring the product of two large prime numbers?

A) RSA
B) ECC
C) DSA
D) AES

Correct Answer: A) RSA
Explanation: The security of RSA relies on the difficulty of factoring a large number that is the product of two large primes. ECC and DSA rely on different mathematical problems.


281. Which of the following provides forward secrecy in TLS connections?

A) RSA key exchange
B) Diffie-Hellman Ephemeral (DHE)
C) SHA-1 hashing
D) Static keys

Correct Answer: B) Diffie-Hellman Ephemeral (DHE)
Explanation: Forward secrecy ensures past sessions cannot be decrypted even if long-term keys are later compromised. DHE provides this property because each session uses a fresh, ephemeral key pair.


282. What is steganography?

A) Encrypting text with AES
B) Hiding data inside another file
C) Breaking encryption keys
D) Hashing files for integrity

Correct Answer: B) Hiding data inside another file
Explanation: Steganography is the practice of hiding messages within images, audio, or other files to conceal information.


283. What type of cryptographic algorithm is Diffie-Hellman?

A) Symmetric key algorithm
B) Asymmetric key exchange algorithm
C) Hashing algorithm
D) Digital signature algorithm

Correct Answer: B) Asymmetric key exchange algorithm
Explanation: Diffie-Hellman is used for secure key exchange, not for encryption of actual data.


284. Which encryption method is primarily used in blockchain transactions like Bitcoin?

A) RSA
B) SHA-256 + ECDSA
C) DES
D) Blowfish

Correct Answer: B) SHA-256 + ECDSA
Explanation: Bitcoin uses SHA-256 for hashing and ECDSA (Elliptic Curve Digital Signature Algorithm) for digital signatures.


285. What is the primary weakness of symmetric encryption?

A) It is slower than asymmetric
B) It requires secure key distribution
C) It cannot handle large data
D) It cannot be brute-forced

Correct Answer: B) It requires secure key distribution
Explanation: Symmetric encryption is fast but suffers from the key distribution problem.


286. Which cryptographic concept ensures data has not been altered in transit?

A) Confidentiality
B) Integrity
C) Availability
D) Non-repudiation

Correct Answer: B) Integrity
Explanation: Integrity ensures that data has not been changed. It is often provided by hashing and digital signatures.


287. What is key escrow?

A) Secure key storage by a trusted third party
B) Random key generation process
C) Automatic key rotation
D) User-managed private key storage

Correct Answer: A) Secure key storage by a trusted third party
Explanation: Key escrow allows a trusted authority to hold copies of encryption keys for recovery or legal purposes.


288. What is the difference between block and stream ciphers?

A) Block ciphers process data bit by bit; stream ciphers process blocks
B) Block ciphers process data in fixed-size blocks; stream ciphers process data bit by bit
C) Stream ciphers use asymmetric encryption; block ciphers use symmetric
D) Stream ciphers are always more secure

Correct Answer: B) Block ciphers process data in fixed-size blocks; stream ciphers process data bit by bit
Explanation: Block ciphers (AES, DES) operate on fixed data blocks, while stream ciphers (RC4) work one bit or byte at a time.


289. What does perfect forward secrecy (PFS) prevent?

A) Replay attacks
B) Session key compromise affecting past sessions
C) Brute force attacks
D) Certificate spoofing

Correct Answer: B) Session key compromise affecting past sessions
Explanation: PFS ensures that even if long-term keys are compromised, past communications remain secure.


290. Which hashing function is currently recommended for digital signatures?

A) SHA-1
B) SHA-256
C) MD5
D) DES

Correct Answer: B) SHA-256
Explanation: SHA-256 is widely used in digital signatures. SHA-1 and MD5 are deprecated due to vulnerabilities.


291. Which type of cryptographic key should never be shared?

A) Public key
B) Private key
C) Session key
D) Symmetric key

Correct Answer: B) Private key
Explanation: The private key must remain secret. Public keys can be shared openly.


292. Which encryption standard was replaced by AES due to vulnerabilities?

A) DES
B) ECC
C) DSA
D) Blowfish

Correct Answer: A) DES
Explanation: DES (56-bit key) was replaced by AES due to weak key length and brute-force susceptibility.


293. Which PKI certificate is used to sign and issue other certificates?

A) Root certificate
B) Intermediate certificate
C) End-user certificate
D) Wildcard certificate

Correct Answer: A) Root certificate
Explanation: The root certificate is the most trusted in PKI and is used to sign other certificates.


294. Which algorithm is typically used for key exchange in TLS?

A) AES
B) RSA or Diffie-Hellman
C) SHA-1
D) MD5

Correct Answer: B) RSA or Diffie-Hellman
Explanation: TLS commonly uses RSA or Diffie-Hellman (including ECDH) for key exchange.


295. What is the output size of SHA-256?

A) 128 bits
B) 160 bits
C) 256 bits
D) 512 bits

Correct Answer: C) 256 bits
Explanation: SHA-256 produces a 256-bit hash value, regardless of input size.


296. What does a wildcard certificate secure?

A) Only one domain
B) Multiple subdomains of a domain
C) Any domain
D) Expired domains

Correct Answer: B) Multiple subdomains of a domain
Explanation: A wildcard certificate secures all subdomains under a domain (e.g., *.example.com).


297. Which key length is considered secure for RSA today?

A) 512 bits
B) 1024 bits
C) 2048 bits
D) 4096 bits

Correct Answer: C) 2048 bits
Explanation: The minimum recommended RSA key size is 2048 bits. 1024-bit keys are insecure.


298. Which hashing algorithm is used in Bitcoin mining?

A) MD5
B) SHA-1
C) SHA-256
D) AES

Correct Answer: C) SHA-256
Explanation: Bitcoin mining relies on solving puzzles based on the SHA-256 hash function.


299. What is a hybrid cryptosystem?

A) Uses only hashing
B) Combines symmetric and asymmetric encryption
C) Uses two symmetric algorithms
D) Uses two hashing algorithms

Correct Answer: B) Combines symmetric and asymmetric encryption
Explanation: A hybrid cryptosystem (e.g., TLS) uses asymmetric encryption for key exchange and symmetric encryption for data transfer.


300. Which cryptographic concept ensures only intended recipients can read the data?

A) Integrity
B) Confidentiality
C) Availability
D) Non-repudiation

Correct Answer: B) Confidentiality
Explanation: Confidentiality ensures that sensitive data is accessible only to authorized users, usually achieved via encryption.

Each question comes with the correct answer and detailed explanation, making it a valuable study resource for Security+, CISSP, CEH, and other cybersecurity certifications. By practicing these MCQs, you’ll strengthen your understanding of confidentiality, integrity, availability, non-repudiation, forward secrecy, hashing, PKI, and modern cryptographic attacks.


You’ve now completed Security+ Cryptography & PKI MCQs (261–300) with answers and explanations. This batch covered essential concepts like RSA, ECC, AES, SHA-256, PKI trust models, forward secrecy, hashing algorithms, and certificate validation protocols – all critical for Security+ exam success.

