SSCP Practice Questions: Cryptography Domain

Correct Answer: A

Explanation: Regularly rotating encryption keys and securely distributing them is crucial for maintaining security in a symmetric encryption system. Storing keys with the files, using a single key for all files, or embedding keys in metadata are insecure practices that can lead to unauthorized access.

Correct Answer: B

Explanation: Using a hardware security module (HSM) is the most secure method for managing encryption keys, as it provides physical and logical protection. Storing keys in application code or databases can lead to exposure. Encrypting keys and storing them on the same server increases the risk of compromise.

Correct Answer: B

Explanation: The best action is to implement salting and switch to a stronger hash function like SHA-256, which provides better security for password storage. SHA-1 is also considered weak and not recommended. Increasing password length does not mitigate the weaknesses of MD5. Encrypting passwords with a symmetric key is not suitable for password storage as it requires key management.

Correct Answer: B

Explanation: Hashing passwords with SHA-256 and a unique salt for each password is a best practice for securely storing passwords, as it protects against rainbow table attacks. Encrypting passwords does not provide the same level of security for password storage, and Base64 encoding is not a secure method for storing passwords.

Correct Answer: A

Explanation: Full disk encryption with LUKS (Linux Unified Key Setup) is a robust and widely used method for encrypting data at rest on Linux systems. Scheduling a maintenance window ensures minimal disruption. Option B is incorrect because XOR is not a secure encryption method. Option C is incorrect as storing the key on the same server compromises security. Option D is incorrect because ZIP file encryption is not as secure as full disk encryption and can be bypassed if the password is weak.

Correct Answer: B

Explanation: Option B is correct because TLS 1.2 is a secure protocol that provides confidentiality and integrity, and using strong ciphers ensures enhanced security. Option A is incorrect because SSLv3 is outdated and vulnerable to attacks like POODLE. Option C is incorrect because self-signed certificates are not trusted by clients, leading to potential security warnings. Option D is incorrect because HTTP/2 without encryption does not secure data in transit.

Correct Answer: C

Explanation: IPSec VPN with AES encryption is the most appropriate choice as it provides both data integrity and confidentiality through strong encryption (AES) and is designed for secure communication over potentially insecure networks. SSH tunneling is secure but typically used for specific applications or ports, not general communication. PPTP is considered weak due to its vulnerabilities. FTP with SSL/TLS only secures file transfers, not general communication.

Correct Answer: A

Explanation: AES-256 is a robust encryption algorithm widely used for securing VPN traffic due to its strength and efficiency. DES and RC4 are outdated and susceptible to attacks, while MD5 is a hashing algorithm, not suitable for encrypting data.

Correct Answer: B

Explanation: Signing an email with your private key ensures that recipients can verify the authenticity and integrity of the email using your public key. Encrypting with the recipient's public key ensures confidentiality, not authenticity. Encrypting with your private key or signing with the recipient's public key is incorrect.

Correct Answer: A

Explanation: Option A is correct because a common reason for certificate revocation is the compromise of the private key associated with the certificate. Option B is incorrect because expiration is not a reason for revocation; the certificate simply becomes invalid. Option C could cause trust issues but not revocation. Option D is not a standard reason for revocation.