FlashGenius Logo FlashGenius
Login Sign Up

GSEC Practice Questions: Cryptography Domain

Published: September 18, 2025 | 20 min read

Test your GSEC knowledge with 10 practice questions from the Cryptography domain. Includes detailed explanations and answers.

GSEC Practice Questions

Master the Cryptography Domain

Test your knowledge in the Cryptography domain with these 10 practice questions. Each question is designed to help you prepare for the GSEC certification exam with detailed explanations to reinforce your learning.

Question 1

A company has implemented a secure email communication system using PGP (Pretty Good Privacy). During an incident response, the security team notices that emails are being intercepted and read by unauthorized parties. Which of the following is the most likely cause of this issue?

A) The private keys are stored in a publicly accessible location.

B) The PGP algorithm being used is outdated and vulnerable.

C) The emails are being sent without encryption.

D) The passphrase to unlock the private keys is too weak.

Show Answer & Explanation

Correct Answer: C

Explanation: The most likely cause of emails being intercepted and read is that they are being sent without encryption (Option C). PGP requires that emails be encrypted with the recipient's public key to ensure confidentiality. If emails are sent in plaintext, they can be easily intercepted and read. Option A is incorrect because while storing private keys publicly is a security risk, it would not allow emails to be read unless those keys are also used without encryption. Option B is incorrect as PGP itself is not outdated, though specific implementations might be. Option D is incorrect because a weak passphrase would compromise key security, but it would not directly result in emails being readable if they were properly encrypted.

Question 2

You are configuring a VPN for remote employees to securely access the corporate network. Which encryption method should be used to ensure the confidentiality of data transmitted over the VPN?

A) SHA-256

B) RSA

C) AES

D) Diffie-Hellman

Show Answer & Explanation

Correct Answer: C

Explanation: AES is commonly used for encrypting data in VPNs due to its strong security and efficiency. SHA-256 (A) is a hashing algorithm, not used for encryption. RSA (B) is typically used for key exchange, not for encrypting bulk data. Diffie-Hellman (D) is used for securely exchanging cryptographic keys over a public channel, not for encrypting data.

Question 3

During an incident response, a security analyst is tasked with decrypting network traffic captured from a compromised server. The traffic is encrypted using TLS. What is the most effective method for the analyst to decrypt this traffic?

A) Use a man-in-the-middle attack to capture the session keys.

B) Obtain the private key from the server and use it to decrypt the traffic.

C) Use a brute-force attack to discover the session keys.

D) Analyze the traffic for weak ciphers and attempt to exploit them.

Show Answer & Explanation

Correct Answer: B

Explanation: B is correct because obtaining the server's private key allows the analyst to decrypt the TLS session if the traffic was recorded and the session keys are still valid. A is incorrect because a man-in-the-middle attack is not feasible after the fact. C is incorrect because brute-forcing session keys is computationally infeasible. D is incorrect because exploiting weak ciphers is not a reliable or efficient method for decrypting traffic.

Question 4

A company is implementing a new VPN solution and wants to ensure that data integrity is maintained during transmission. Which cryptographic technique should be used to achieve this?

A) Using a symmetric encryption algorithm.

B) Implementing a digital signature.

C) Applying a hash-based message authentication code (HMAC).

D) Encrypting data with an asymmetric algorithm.

Show Answer & Explanation

Correct Answer: C

Explanation: An HMAC provides data integrity and authenticity by combining a hash function with a secret key, making it suitable for ensuring data integrity in VPN communications. Option A provides confidentiality but not integrity. Option B ensures authenticity but is not specifically for integrity. Option D provides confidentiality and authenticity but is less efficient for integrity checks compared to HMAC.

Question 5

During a security audit of a cloud-based system, you discover that sensitive data is being transmitted without encryption. To address this, you decide to implement TLS for data in transit. Which of the following steps is crucial to ensure the encryption is effective?

A) Use self-signed certificates to avoid third-party costs.

B) Ensure the use of a strong cipher suite that supports forward secrecy.

C) Disable certificate validation to avoid connectivity issues.

D) Use TLS version 1.0 for maximum compatibility with older systems.

Show Answer & Explanation

Correct Answer: B

Explanation: Option B is correct because using a strong cipher suite that supports forward secrecy ensures that even if the server's private key is compromised, past communications remain secure. Option A is incorrect because self-signed certificates can lead to trust issues and are not suitable for production environments. Option C is incorrect because disabling certificate validation undermines the security provided by TLS. Option D is incorrect because TLS 1.0 is outdated and vulnerable to several attacks.

Question 6

Your organization uses OpenSSL to manage certificates for internal services on Linux servers. A recent vulnerability scan indicates that the servers are using outdated OpenSSL libraries. What is the most appropriate action to mitigate the risk associated with this finding?

A) Update the OpenSSL libraries to the latest version available from the official repositories.

B) Switch to using a different cryptographic library that is not affected by the vulnerability.

C) Disable all SSL/TLS services until a patch is applied.

D) Implement a firewall rule to block all incoming traffic to the affected services.

Show Answer & Explanation

Correct Answer: A

Explanation: Updating the OpenSSL libraries to the latest version is the most effective way to mitigate vulnerabilities without disrupting services. Option B is not practical due to potential compatibility and support issues. Option C would unnecessarily disrupt services. Option D does not address the vulnerability and could block legitimate traffic.

Question 7

During a security assessment, it is found that a Windows server is using self-signed certificates for HTTPS connections. What is a potential risk associated with this setup?

A) Increased susceptibility to man-in-the-middle attacks.

B) Higher computational overhead due to self-signing.

C) Inability to encrypt data in transit.

D) Increased administrative burden for certificate renewal.

Show Answer & Explanation

Correct Answer: A

Explanation: Self-signed certificates are not inherently trusted by clients, making them susceptible to man-in-the-middle attacks since clients cannot verify the authenticity of the server. Option B is incorrect because self-signing does not affect computational overhead. Option C is incorrect because self-signed certificates can still encrypt data. Option D is incorrect because self-signing typically reduces the need for renewal management.

Question 8

A Linux server uses GPG to encrypt files before sending them over the network. What is a critical step to ensure the integrity and authenticity of these files?

A) Encrypt the files with the recipient's private key.

B) Sign the files with the sender's private key.

C) Compress the files before encryption.

D) Use a symmetric key for both encryption and signing.

Show Answer & Explanation

Correct Answer: B

Explanation: Option B is correct because signing the files with the sender's private key ensures integrity and authenticity, allowing recipients to verify the sender's identity. Option A is incorrect because encryption is done with the recipient's public key, not their private key. Option C is incorrect because compression does not affect integrity or authenticity. Option D is incorrect because symmetric keys do not provide a mechanism for signing.

Question 9

A security engineer is reviewing the configuration of a web server that uses HTTPS to secure communications. The engineer notices that the server supports several outdated cryptographic protocols. What action should be taken to improve the server's security?

A) Disable support for outdated protocols and enable only TLS 1.2 and above.

B) Increase the key length for all supported protocols.

C) Enable Perfect Forward Secrecy (PFS) for all protocols.

D) Use a self-signed certificate to ensure authenticity.

Show Answer & Explanation

Correct Answer: A

Explanation: A is correct because disabling outdated protocols like SSL and older versions of TLS reduces the risk of attacks exploiting known vulnerabilities. B is incorrect because increasing key length does not address protocol vulnerabilities. C is incorrect because while enabling PFS is good practice, it does not mitigate the risks associated with outdated protocols. D is incorrect because a self-signed certificate does not improve protocol security and may reduce trust.

Question 10

A security analyst needs to encrypt sensitive data on a Linux server using the AES-256 algorithm. Which of the following commands should they use to ensure the data is securely encrypted?

A) openssl enc -aes-256-cbc -in file.txt -out file.enc

B) openssl enc -des -in file.txt -out file.enc

C) gpg --symmetric --cipher-algo AES256 file.txt

D) gpg --symmetric --cipher-algo DES file.txt

Show Answer & Explanation

Correct Answer: C

Explanation: Option C is correct because the command uses GnuPG (gpg) with the AES256 cipher algorithm to symmetrically encrypt the file, which is a secure method for encrypting data with AES-256. Option A, while using AES-256, employs the CBC mode, which can be vulnerable if not implemented with additional precautions like a secure IV management. Option B uses the DES algorithm, which is considered insecure due to its short key length. Option D also uses DES, which is outdated and insecure.

Ready to Accelerate Your GSEC Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

  • ✅ Unlimited practice questions across all GSEC domains
  • ✅ Full-length exam simulations with real-time scoring
  • ✅ AI-powered performance tracking and weak area identification
  • ✅ Personalized study plans with adaptive learning
  • ✅ Mobile-friendly platform for studying anywhere, anytime
  • ✅ Expert explanations and study resources
Start Free Practice Now

Already have an account? Sign in here

About GSEC Certification

The GSEC certification validates your expertise in cryptography and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.

More GSEC Practice Exams & Domain Drills

Sharpen your GIAC Security Essentials skills with domain-focused question sets. Practice, review explanations, and track your weak areas.

GSEC Windows Security – Practice Questions

Hardening, auditing (Event Viewer), Group Policy, PowerShell basics, and common misconfigurations.

Start Windows Practice →
GSEC Linux Security – Practice Questions

Users & groups, file permissions, SSH, sudoers, log review, and PAM/password policy essentials.

Start Linux Practice →
GSEC Cryptography – Practice Questions

Hashing vs. encryption, HMAC, TLS/PGP, key management, and integrity/authentication scenarios.

Start Crypto Practice →
GSEC Defense in Depth – Practice Questions

Layered controls, monitoring, segmentation, DLP, and practical risk reduction strategies.

Start DiD Practice →
GSEC Access Controls & Passwords – Practice Questions

RBAC/least privilege, password policy enforcement, MFA, account lockout, and audit basics.

Start Access Control Practice →

Want full exam prep? Try FlashGenius Exam Simulation, Domain Practice, and Smart Review to fix weak areas faster.

Prep with FlashGenius →