CompTIA Security+ Cryptography Practice Questions 2026
Cryptography is one of the most technically challenging topics on the CompTIA Security+ exam, appearing across multiple domains and testing your understanding of encryption algorithms, hashing functions, public key infrastructure, and cryptographic protocols. Whether you're securing data at rest with AES encryption or validating website identity through PKI certificates, cryptographic concepts underpin nearly every security control you'll encounter on the exam and in professional practice.
What Is Cryptography on the Security+ Exam?
Cryptography is the science of securing information through mathematical algorithms that transform readable data (plaintext) into unreadable ciphertext, ensuring confidentiality, integrity, authentication, and non-repudiation. For the Security+ exam, you need to understand both the theoretical foundations and practical applications of cryptographic systems.
The exam tests three main cryptographic areas. First, encryption — both symmetric algorithms (AES, 3DES) that use a single shared key and asymmetric algorithms (RSA, ECC) that use public/private key pairs. Second, hashing — one-way functions (SHA-256, SHA-512) that create fixed-length fingerprints of data for integrity verification, password storage, and digital signatures. Third, PKI infrastructure — the certificate authorities, digital certificates, certificate revocation mechanisms, and trust models that enable secure communications across the internet.
Understanding cryptography at the Security+ level means knowing when to apply which algorithm, why certain algorithms are deprecated (MD5, SHA-1, DES), how key exchange works (Diffie-Hellman), and how TLS/SSL combines symmetric and asymmetric encryption to create secure web connections. You also need to understand cryptographic attacks — from brute force and dictionary attacks to more sophisticated rainbow table, birthday, and downgrade attacks.
Why Cryptography Matters for Security+
Cryptography questions appear across multiple Security+ domains because encryption is a fundamental security control. Data protection regulations (GDPR, HIPAA, PCI-DSS) require encryption for sensitive data. Network security relies on TLS/SSL and IPsec for secure communications. Identity management uses digital certificates and PKI for authentication. Even incident response involves analyzing encrypted traffic and understanding how attackers exploit cryptographic weaknesses.
The Security+ exam places particular emphasis on practical cryptographic decisions: choosing the right algorithm for a given use case, understanding why some algorithms are insecure, configuring PKI trust chains, and recognizing when cryptographic implementations are vulnerable. Questions are often scenario-based — you might be asked to recommend the best encryption standard for data at rest, select the appropriate certificate type for a web server, or identify why a cryptographic implementation is flawed.
Post-quantum cryptography is an emerging topic that CompTIA has started including in newer exam questions. As quantum computers threaten to break RSA and ECC algorithms, understanding quantum-resistant algorithms and the migration timeline is becoming increasingly relevant for security professionals.
Key Cryptography Concepts to Master
Symmetric Encryption
Uses one shared key for encryption and decryption. AES (128/192/256-bit) is the current standard. 3DES (168-bit effective) is legacy. DES (56-bit) is broken. Block ciphers (AES) process fixed-size blocks; stream ciphers (RC4, ChaCha20) encrypt byte-by-byte. Fast but key distribution is the challenge.
Asymmetric Encryption
Uses a public/private key pair. RSA (2048/4096-bit) for encryption and signatures. ECC (256-384-bit) provides equivalent security with smaller keys. Diffie-Hellman enables secure key exchange over insecure channels. Slower than symmetric but solves the key distribution problem.
Hashing Algorithms
One-way functions producing fixed-length output. MD5 (128-bit) and SHA-1 (160-bit) are broken — vulnerable to collision attacks. SHA-256 and SHA-512 are current standards. HMAC adds a secret key to hashing for message authentication. Salting prevents rainbow table attacks on password hashes.
Public Key Infrastructure
PKI manages digital certificates through Certificate Authorities (CA), Registration Authorities (RA), and Certificate Revocation Lists (CRL)/OCSP. Certificate types: DV (domain validation), OV (organization validation), EV (extended validation), wildcard (*.domain.com), SAN (multiple domains). Trust chains link leaf certificates to root CAs.
Digital Signatures
Combine hashing and asymmetric encryption to provide authentication, integrity, and non-repudiation. The signer hashes the message and encrypts the hash with their private key. The recipient decrypts with the public key and compares hashes. Used in code signing, email (S/MIME), and document signing.
Cryptographic Protocols
TLS 1.3 secures web traffic (replaces SSL and older TLS versions). IPsec secures network layer communications (tunnel and transport modes). SSH encrypts remote administration. S/MIME encrypts email. WPA3/SAE secures wireless. Know which protocol applies to which use case.
Encryption Algorithm Quick Reference
| Algorithm | Type | Key Size | Status | Use Case |
|---|---|---|---|---|
| AES | Symmetric (block) | 128/192/256-bit | Current standard | Data at rest, TLS, VPN |
| 3DES | Symmetric (block) | 168-bit (112 effective) | Legacy, deprecated | Legacy payment systems |
| RSA | Asymmetric | 2048/4096-bit | Current (quantum risk) | Key exchange, signatures |
| ECC | Asymmetric | 256/384-bit | Current, efficient | Mobile, IoT, TLS |
| SHA-256 | Hash | 256-bit output | Current standard | Integrity, passwords |
| SHA-512 | Hash | 512-bit output | Current, high security | Digital signatures |
| MD5 | Hash | 128-bit output | Broken | File checksums only |
| Diffie-Hellman | Key exchange | 2048+ bit | Current | TLS key negotiation |
Sample Cryptography Questions
Question 1: Algorithm Selection
A company needs to encrypt a large database of customer records at rest. Which encryption algorithm would provide the best balance of security and performance?
A) RSA-4096 B) AES-256 C) 3DES D) ECC-384
Answer: B) AES-256 — AES is the standard for encrypting data at rest because it's a symmetric algorithm (fast for bulk data), uses strong key sizes (256-bit), and is approved by NIST. RSA and ECC are asymmetric (too slow for bulk encryption). 3DES is deprecated and slower than AES.
Question 2: Hashing and Salting
A security audit reveals that a web application stores password hashes using MD5 without salt. Which attack would be MOST effective against these stored passwords?
A) Brute force B) Rainbow table attack C) Birthday attack D) Known plaintext attack
Answer: B) Rainbow table attack — Rainbow tables contain precomputed hash-to-plaintext mappings. Without salt, identical passwords produce identical MD5 hashes, making rainbow tables devastatingly effective. Salting adds random data before hashing, making precomputed tables useless. The fix: use bcrypt, scrypt, or Argon2 with unique salts.
Question 3: Digital Certificates
A web server's TLS certificate has expired. Users see a browser warning but can still access the site. Which security property is MOST at risk?
A) Confidentiality B) Integrity C) Authentication D) Availability
Answer: C) Authentication — An expired certificate means the CA can no longer vouch for the server's identity, undermining authentication. The encryption (confidentiality) and integrity still function technically, but without valid authentication, users cannot verify they're communicating with the legitimate server rather than an impersonator.
Common Mistakes to Avoid
- Confusing encryption with hashing — encryption is reversible (two-way) while hashing is one-way; you cannot "decrypt" a hash
- Thinking longer keys always mean better — key length matters within the same algorithm type, but comparing across types is invalid (256-bit AES ≠ 256-bit RSA in security)
- Forgetting that MD5 and SHA-1 are broken — never select these for security purposes; they're only acceptable for non-security checksums
- Mixing up public and private key usage — public key encrypts (anyone can send you encrypted data), private key decrypts (only you can read it); for signatures, private key signs, public key verifies
- Ignoring key management — the algorithm is only as strong as the key management; compromised keys, weak key generation, and poor key storage undermine any encryption scheme
Study Checklist for Cryptography
- ☑ Compare symmetric vs. asymmetric encryption with algorithm examples
- ☑ Explain AES block cipher modes (CBC, GCM, CTR) at a high level
- ☑ Describe RSA and ECC key generation and usage differences
- ☑ List all hashing algorithms with their status (current vs. deprecated)
- ☑ Diagram the TLS handshake showing asymmetric→symmetric key transition
- ☑ Explain PKI components: CA, RA, CRL, OCSP, certificate pinning
- ☑ Differentiate certificate types: DV, OV, EV, wildcard, SAN, self-signed
- ☑ Describe digital signature creation and verification process
- ☑ Know cryptographic attacks: brute force, rainbow table, birthday, downgrade
- ☑ Understand salting, key stretching (bcrypt, PBKDF2), and perfect forward secrecy
Frequently Asked Questions
How many cryptography questions are on the Security+ exam?
Cryptography concepts appear primarily under Domain 1 (General Security Concepts) and Domain 3 (Security Architecture), collectively covering about 25-30% of the exam. You can expect 10-15 questions directly testing encryption algorithms, hashing, PKI, certificate management, and cryptographic protocols like TLS.
What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses ONE key for both encryption and decryption (AES, DES, 3DES, Blowfish). It's fast but requires secure key exchange. Asymmetric encryption uses a KEY PAIR — public key encrypts, private key decrypts (RSA, ECC, Diffie-Hellman). It's slower but solves the key distribution problem. In practice, TLS uses asymmetric encryption to exchange a symmetric session key.
Which hashing algorithms should I know for Security+?
MD5 (128-bit, broken — do not use for security), SHA-1 (160-bit, deprecated), SHA-256 (256-bit, current standard), SHA-512 (512-bit, high security), and HMAC (keyed hashing for message authentication). Know that MD5 and SHA-1 are vulnerable to collision attacks and should not be used for digital signatures or certificate validation.
What is PKI and how does it work?
Public Key Infrastructure is a framework for managing digital certificates and encryption keys. Components include Certificate Authority (CA) that issues and signs certificates, Registration Authority (RA) that verifies identity, Certificate Revocation List (CRL) and OCSP for checking certificate validity, and the certificate store. PKI enables TLS/SSL, digital signatures, email encryption (S/MIME), and code signing.
What cryptographic attacks are tested on Security+?
Brute force (try all possible keys), dictionary attacks (common passwords), rainbow table attacks (precomputed hashes — defeated by salting), birthday attacks (finding hash collisions), downgrade attacks (forcing weaker protocols), and known plaintext attacks. Also know about side-channel attacks that exploit implementation weaknesses like timing or power consumption.
Do I need to memorize key sizes for the Security+ exam?
You should know the common key sizes: AES uses 128, 192, or 256 bits; RSA typically uses 2048 or 4096 bits; ECC provides equivalent security to RSA with much smaller keys (256-bit ECC ≈ 3072-bit RSA). Know that longer keys = stronger encryption but slower performance, and that symmetric keys are shorter than asymmetric keys for equivalent security.
Practice Cryptography Questions Now
Our Smart Practice practice tests generate unlimited cryptography questions tailored to the CompTIA Security+ exam objectives. Get instant feedback with detailed explanations for every answer.
Start Free Practice Test →