If you are studying for Security+ and cryptography feels like alphabet soup, start with scenarios instead of memorizing every acronym in a vacuum. The exam usually cares less about reciting textbook definitions and more about knowing which control fits the situation.
Quick answer: for Security+ cryptography questions, identify the job first. Need confidentiality? Think encryption. Need integrity? Think hashing. Need identity and trust? Think certificates and PKI. Need non-repudiation? Think digital signatures. Need safe web traffic? Think TLS with a valid certificate chain.
Use these practice questions to drill the common choices: symmetric vs asymmetric encryption, hashing, salting, digital signatures, certificates, certificate authorities, TLS, key storage, and basic PKI troubleshooting.
What to remember before the questions
| Scenario clue | Usually points to | Why |
|---|---|---|
| Protecting data at rest or in transit | Encryption | Keeps unauthorized people from reading it |
| Verifying a file did not change | Hashing | Produces a fingerprint of the data |
| Protecting stored passwords | Salted hashing | Makes password cracking harder |
| Proving who signed a message | Digital signature | Uses asymmetric crypto for identity and integrity |
| Browser says a site is not trusted | Certificate chain, hostname, expiration, or CA issue | TLS depends on valid certificate trust |
| Fast bulk data encryption | Symmetric encryption | One shared key is efficient |
| Exchanging keys over an untrusted network | Asymmetric encryption or key exchange | Avoids sending the secret directly |
Do not overthink every question. Read the symptom, name the security goal, then pick the tool that solves that goal.
Security+ cryptography and PKI practice questions
1. File integrity after download
A user downloads a firmware update from a vendor site. The vendor publishes a SHA-256 value next to the download. What is the main reason the vendor provides that value?
A. To encrypt the firmware file
B. To verify the file has not changed
C. To hide the file from antivirus tools
D. To prove the user is authorized to install it
Answer: B. To verify the file has not changed
A hash is a one-way fingerprint of data. If the downloaded file produces the same SHA-256 hash as the vendor published, the file is probably intact. This does not encrypt the file, authenticate the user, or bypass security tools. It is an integrity check.
2. Password storage
A developer says, "We encrypt user passwords in the database, so we can decrypt them if a customer forgets one." What should you recommend instead?
A. Store passwords with reversible encryption and rotate the database password weekly
B. Store passwords as salted hashes
C. Store passwords in plain text but restrict database access
D. Email users their password after identity verification
Answer: B. Store passwords as salted hashes
Passwords should not be recoverable. A good password storage design hashes each password with a unique salt and stores the result. When the user logs in, the system hashes the submitted password and compares it. If they forget it, they reset it. Nobody should be able to decrypt and read the original password.
3. Symmetric encryption use case
A backup system needs to encrypt several terabytes of data every night before sending it to cloud storage. Which option is usually best for the bulk encryption work?
A. Symmetric encryption
B. Digital signatures only
C. Hashing only
D. Certificate revocation lists
Answer: A. Symmetric encryption
Symmetric encryption is the normal choice for encrypting large amounts of data because it is fast and efficient. Asymmetric crypto is useful for key exchange, certificates, and signatures, but it is not the usual tool for bulk data encryption.
4. Digital signature purpose
A finance team receives a signed document from a vendor. The signature must prove the document came from the vendor and was not altered after signing. What cryptographic concept is being used?
A. Salting
B. Digital signature
C. Symmetric key escrow
D. Steganography
Answer: B. Digital signature
A digital signature provides integrity and authentication. It can also support non-repudiation because the signer cannot easily claim someone else signed it if their private key was protected. A hash alone checks integrity, but the signature ties that integrity check to an identity.
5. Expired certificate error
Users report that an internal web app suddenly shows a browser warning: "Your connection is not private." The app worked yesterday, and no DNS changes were made. What should you check first?
A. Whether the certificate expired
B. Whether the user has enough RAM
C. Whether the switch supports VLANs
D. Whether the application uses compression
Answer: A. Whether the certificate expired
A sudden TLS trust warning on a previously working site often means the certificate expired, the certificate chain changed, or the certificate no longer matches the host. Start with the certificate details in the browser or with a TLS checker. Do not burn an hour troubleshooting random network gear before looking at the obvious certificate clue.
6. Certificate name mismatch
A company buys a certificate for portal.example.com, but users browse to helpdesk.example.com and get a certificate warning. The certificate is not expired and was issued by a trusted CA. What is the most likely problem?
A. The certificate private key is too long
B. The certificate common name or SAN does not match the site name
C. The browser cannot perform hashing
D. The server is using symmetric encryption
Answer: B. The certificate common name or SAN does not match the site name
TLS certificates must match the hostname users visit. Modern certificates use the Subject Alternative Name field for this. A trusted, unexpired certificate can still fail if it is issued for the wrong name. This is common when teams reuse certificates between environments without checking the actual hostnames.
7. Public key vs private key
A new admin asks which part of an asymmetric key pair can be shared with other people. What should you tell them?
A. Share the private key only
B. Share the public key; protect the private key
C. Share both keys if the certificate is trusted
D. Never share either key under any condition
Answer: B. Share the public key; protect the private key
The public key is meant to be shared. The private key is the sensitive part and should be protected with strong access controls, secure storage, and rotation when needed. If the private key leaks, attackers may be able to impersonate the service or decrypt data depending on the design.
8. Root CA trust
A laptop does not trust an internal company site, but other managed laptops trust it. The certificate is valid and issued by the company's internal certificate authority. What is a likely cause?
A. The laptop does not trust the internal root CA
B. The site is using HTTPS instead of HTTP
C. The laptop has too many browser tabs open
D. The certificate uses a public key
Answer: A. The laptop does not trust the internal root CA
Internal PKI only works when devices trust the organization's root or intermediate CA certificates. If one laptop is missing the trusted root, it may reject otherwise valid internal certificates. In a managed environment, this often points to group policy, MDM, device enrollment, or certificate store problems.
9. Key escrow scenario
A company encrypts employee laptops. Security wants a way to recover business data if an employee leaves and the laptop is locked. Which concept best fits that requirement?
A. Key escrow or recovery key management
B. Hash collision
C. Steganography
D. Certificate pinning
Answer: A. Key escrow or recovery key management
Key escrow or recovery key management stores recovery material in a controlled place so authorized staff can regain access when needed. This has to be tightly governed. If everybody can access recovery keys, the encryption is mostly theater with a nicer logo.
10. TLS in plain English
A manager asks why the company should force HTTPS on an internal app that only employees use. What is the best answer?
A. HTTPS makes the app load faster in every situation
B. HTTPS protects credentials and session cookies from being read or modified in transit
C. HTTPS removes the need for authentication
D. HTTPS prevents all malware infections
Answer: B. HTTPS protects credentials and session cookies from being read or modified in transit
Internal does not mean safe. Office networks have guests, unmanaged devices, compromised endpoints, Wi-Fi, VPN users, and plenty of weird routing. HTTPS with TLS protects traffic between the browser and server from casual interception and tampering. It is not a replacement for authentication or endpoint security.
How to review missed questions
When you miss one, do not just memorize the answer. Put it into one of these buckets:
- Confidentiality: Was the question asking how to keep data secret?
- Integrity: Was it asking how to prove something did not change?
- Authentication: Was it asking how to prove identity?
- Non-repudiation: Was it asking how to prove someone signed or approved something?
- Trust chain: Was it asking why a certificate is trusted or not trusted?
- Operations: Was it really about lifecycle stuff like renewal, revocation, key recovery, or device trust?
That last bucket matters more than people expect. Real IT security work is not just knowing what AES or RSA stands for. It is knowing why half the office gets a certificate warning after someone forgot to renew a cert on a random Thursday.
Mini troubleshooting checklist for PKI questions
If a Security+ question describes a certificate warning, check these in order:
- Is the certificate expired or not valid yet?
- Does the certificate name match the hostname?
- Is the issuing CA trusted by the client?
- Is the full intermediate chain installed on the server?
- Has the certificate been revoked?
- Is the client clock wrong?
- Was the certificate installed on the wrong server or load balancer?
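The first three checklist items (validity period, hostname match, trusted issuer) walked in order against a certificate, as an added example that is not part of the original post. It also reproduces the failures in questions 5, 6 and 8. The certificate is a constructed sample in the dictionary shape Python's `ssl.getpeercert()` returns, and the trust store is just a set of issuer names for illustration; hostname matching follows the usual rule that a wildcard may only stand in for the whole leftmost label.

```python
import ssl

# Constructed sample certificate (not a real one), in the dict format that
# ssl.getpeercert() produces for an established TLS connection.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "portal.example.com"), ("DNS", "*.apps.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Compare a SAN DNS entry with a hostname, label by label, case-insensitively.
    A leading '*' matches exactly one label and nothing else."""
    p_labels, h_labels = pattern.lower().split("."), hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def diagnose(cert: dict, hostname: str, now: float, trusted_cas: set) -> list:
    """Run the checklist in order; an empty list means these checks passed."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        findings.append("expired")
    if now < not_before:
        findings.append("not yet valid (check the client clock)")
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in san_names):
        findings.append(f"name mismatch: {hostname} not covered by SAN {san_names}")
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn).get("commonName", "")
    if issuer not in trusted_cas:
        findings.append(f"issuer '{issuer}' not in the client trust store")
    return findings

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")
    trusted = {"Example Internal CA"}
    print(diagnose(SAMPLE_CERT, "portal.example.com", now, trusted))    # []
    print(diagnose(SAMPLE_CERT, "helpdesk.example.com", now, trusted))  # name mismatch
    print(diagnose(SAMPLE_CERT, "portal.example.com", now, set()))      # untrusted issuer
```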
That checklist also works in real help desk life. Certificate errors look mysterious until you treat them like any other ticket: scope it, read the exact error, inspect the object, then fix the broken link in the chain.
What to practice next
If this felt rough, review basic security terms and then drill more scenarios. If it felt easy, move into mixed questions where cryptography is only one part of the answer.
Good next steps on ITSG:
- Work through the Security+ access control practice questions for identity and authorization scenarios.
- Use the Security+ phishing practice questions to practice reading messy incident prompts.
- Review the Security+ risk management practice questions so governance terms do not sneak up on you.
- If you are still building your certification plan, compare options in Best IT Certifications 2026.
FAQ
Is cryptography heavily tested on Security+?
You should expect cryptography and PKI concepts to appear, but usually in applied scenarios. Know what the tools are for: encryption, hashing, signatures, certificates, key exchange, and lifecycle management.
Do I need to memorize every algorithm?
No. Know the common categories and use cases. For daily Security+ prep, it is more useful to know when to use hashing versus encryption than to obsess over every possible algorithm name.
What is the easiest way to remember hashing versus encryption?
Encryption is meant to be reversible with the right key. Hashing is meant to be one-way. If the question asks whether a file changed, think hash. If it asks how to hide readable data, think encryption.
Why do certificate questions show up so much?
Because certificates connect theory to real IT work. Web apps, VPNs, Wi-Fi authentication, device management, and internal tools all depend on trust chains. When PKI breaks, users notice fast.
Bottom line
Cryptography questions get easier when you stop treating them like vocabulary flashcards. Name the job: hide data, prove integrity, prove identity, establish trust, or recover keys. Once you know the job, the right answer usually stops hiding.
If you want more no-fluff cert prep like this, join the IT Support Group newsletter. We send practical study help, job-search advice, and IT career notes without pretending every subnet mask is a life-changing revelation.