Welcome to today’s practice test!
Today’s practice test is based on subdomain 1.4 (Explain the importance of using appropriate cryptographic solutions) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A security administrator at a healthcare organization is configuring data encryption on a server storing sensitive medical records. To ensure data remains encrypted even if the server is stolen, what encryption level should be implemented?
#2. An organization uses a system where users encrypt data with the recipient’s public key, and only the recipient can decrypt it using their private key. What cryptographic method is being utilized?
#3. An enterprise wants to ensure email messages cannot be repudiated by the sender. What cryptographic method should be used?
#4. A secure enclave is most closely associated with:
#5. Which of the following is used to verify the status of a certificate in real-time?
#6. An attacker is attempting to reverse engineer hashed passwords. Which cryptographic control best mitigates this risk?
#7. A systems engineer is implementing a centralized appliance to manage and protect encryption keys for the organization. What tool should be used?
#8. Which encryption method is most appropriate for securing individual records in a database without encrypting the entire database?
#9. What is the primary purpose of a certificate authority (CA)?
#10. Which cryptographic mechanism ensures data integrity without confidentiality?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | C | Full-disk encryption (FDE) is the best choice to ensure data remains encrypted even if the server is physically stolen. FDE encrypts the entire storage drive, meaning that without the correct decryption key (usually entered at boot-up or unlocked by a hardware module), all data on the disk remains unreadable if the drive is removed from the server. Record-level encryption encrypts individual records within a database. While good for specific data elements, it doesn’t protect the entire server’s data if the whole disk is stolen, as other unencrypted files might still be accessible. File-level encryption encrypts individual files. While better than nothing, it still requires proper management of access to the encrypted files. If the server is stolen, and the OS can boot, an attacker might circumvent user permissions to access the underlying unencrypted parts of the system or even some files if the decryption keys are accessible on the live system. FDE protects the data at rest regardless of OS state. Transport encryption (like TLS/SSL) protects data in transit over a network. It does nothing to protect data at rest on a stolen server. |
| 2 | D | This scenario perfectly describes asymmetric encryption, also known as public-key cryptography. In this method, a pair of mathematically linked keys is used: a public key (used by anyone to encrypt data for the recipient) and a private key (kept secret by the recipient to decrypt data). Symmetric encryption uses the same key for both encryption and decryption. This doesn’t fit the “public key/private key” scenario. Hashing is a one-way function that produces a fixed-size string of characters (a hash value) from input data. It’s used for data integrity verification, not for encrypting and decrypting data. Steganography is the art of concealing a message or file within another message or file. It hides the existence of a message rather than encrypting it with keys. |
| 3 | C | Digital signatures are specifically designed to provide non-repudiation, along with authenticity and integrity. When a sender digitally signs an email, it creates a unique, encrypted hash of the message using the sender’s private key. The recipient can then verify this signature using the sender’s public key, proving that the sender indeed sent the message and that it hasn’t been tampered with. Tokenization replaces sensitive data with non-sensitive substitutes (tokens) to protect the original data. It’s for data security, not non-repudiation of messages. Symmetric encryption uses the same key for encryption and decryption. While it provides confidentiality, it does not inherently provide non-repudiation because both sender and receiver share the same key. Data masking replaces sensitive data with realistic, but fake, data (e.g., for testing environments). It’s for data privacy and security, not for non-repudiation of communications. |
| 4 | C | A secure enclave is a dedicated, isolated processing environment within a CPU or system-on-chip (SoC) that provides secure hardware execution. It’s designed to protect sensitive data and code from the rest of the system, including the operating system and other applications, even if the main system is compromised. Remote attestation is a process where a trusted computing base verifies its integrity to a remote challenger. While a secure enclave might play a role in providing attestation capabilities, it’s a component or feature that enables attestation, not what it’s most closely associated with as its primary function. Network segmentation divides networks into smaller, isolated segments. A secure enclave is a hardware-level isolation mechanism, not a network-level one. Certificate management involves the handling of digital certificates. While secure enclaves can securely store cryptographic keys used in certificates, their primary function is secure execution, not the management of certificates themselves. |
| 5 | A | Online Certificate Status Protocol (OCSP) is a real-time protocol used to determine the revocation status of an X.509 digital certificate. It allows a client to query an OCSP responder for the current status of a specific certificate, providing an immediate “good,” “revoked,” or “unknown” response. Public Key Infrastructure (PKI) is the entire framework that supports digital certificates, including CAs, policies, and management systems. It’s the broader system, not a specific real-time verification protocol. Certificate Signing Request (CSR) is a request sent to a Certificate Authority to obtain a new certificate. It’s part of the certificate issuance process, not status verification. Certificate Revocation List (CRL) is a list of revoked certificates issued by a CA. While it provides revocation information, it is a periodic download and check, not a real-time, on-demand query for an individual certificate’s status. |
| 6 | A | Salting is the practice of adding a unique, random string of data (the “salt”) to each password before it is hashed. This dramatically mitigates the risk of reverse engineering hashed passwords, especially against attacks like rainbow tables, by ensuring that identical passwords will produce unique hashes and requiring attackers to crack each hash individually. Key escrow is a system where cryptographic keys are held in trust by a third party. It’s for key management and recovery, not for protecting hashed passwords from reverse engineering. Wildcard certificates are SSL/TLS certificates that can secure multiple subdomains within a single domain. They are for web security and do not relate to password hashing. Steganography is the art of concealing a message or file within another message or file. It’s for hiding the existence of data, not for securing hashed passwords. |
| 7 | A | HSM (Hardware Security Module) is a dedicated, centralized hardware appliance designed specifically to securely generate, store, and manage cryptographic keys, as well as perform cryptographic operations in a highly protected environment. This is the ideal tool for an organization needing to manage and protect encryption keys. A TPM (Trusted Platform Module) is a hardware security chip typically embedded on a single device’s motherboard, not a centralized appliance for an entire organization. A secure enclave is an isolated processing environment within a CPU, designed for a single device’s secure execution, not a centralized organizational tool for key management. Blockchain is a distributed ledger technology primarily for secure record-keeping and transactions; it’s not a tool for centralized management and protection of encryption keys. |
| 8 | D | Record-level encryption is specifically designed to encrypt individual rows or specific fields (records) within a database table. This allows for highly granular protection of sensitive data elements without needing to encrypt the entire database file or the underlying storage volume. Volume encryption secures an entire storage partition or disk, protecting all data on it, which is much broader than securing individual records within a database. Transport layer encryption (e.g., TLS) protects data as it moves across a network, not data stored at rest within the database. File-level encryption secures entire files. While a database might reside in a file, this method encrypts the whole file, not specific records within that file, when the database is in operation. |
| 9 | B | The primary purpose of a Certificate Authority (CA) is to act as a trusted third party that issues, signs, and manages digital certificates. By signing a certificate, the CA vouches for the identity of the entity (person, organization, server) associated with the public key contained within the certificate. Key stretching is a technique used in password hashing to make brute-force attacks more difficult. It’s unrelated to the primary function of a CA. While CAs do issue and maintain Certificate Revocation Lists (CRLs), this is a function they perform as part of managing certificates, not their primary purpose itself. Their primary purpose is the issuance and signing that establishes trust. Managing password policies is typically a function of identity and access management systems or operating systems, not a CA. |
| 10 | B | Hashing is a one-way cryptographic function that takes an input (data) and produces a fixed-size string of characters, called a hash value or digest. If even a single bit of the original data is changed, the resulting hash value will be completely different. This allows for verification of data integrity (ensuring it hasn’t been tampered with) without encrypting the data itself, thus providing no confidentiality. Asymmetric encryption uses a public/private key pair to provide both confidentiality (through encryption) and authentication/non-repudiation (through digital signatures), but it doesn’t primarily focus on integrity without confidentiality. Obfuscation attempts to make data or code difficult to understand but does not use cryptographic principles to ensure data integrity. It’s more about obscurity than provable integrity. Key management refers to the processes and practices for handling cryptographic keys throughout their lifecycle. It’s a foundational aspect of using cryptography but is not a cryptographic mechanism itself that ensures integrity without confidentiality. |
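The explanations for questions 6 (salting) and 10 (hashing for integrity) describe two properties that are easy to see in working code: two users with the same password end up with different stored hashes once a random per-user salt is added, and flipping a single bit of a record produces a completely different digest. The following Python example is added here to illustrate both; it is not part of the original practice test. It uses only the standard library, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations, the 16-byte salt length, and the sample patient record are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not taken from the practice test):
# PBKDF2-HMAC-SHA256 as the password hashing function, with a work factor
# high enough that each guess costs the attacker noticeable CPU time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied.

    The salt is stored alongside the digest; it is not secret. Its job is to
    make every stored hash unique so a precomputed (rainbow) table built for
    one salt is useless against any other record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def same_password_distinct_hashes(password: str) -> bool:
    """Two accounts with an identical password get different stored hashes."""
    salt_a, hash_a = hash_password(password)
    salt_b, hash_b = hash_password(password)
    return salt_a != salt_b and hash_a != hash_b


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 digest, used here as an integrity check (no confidentiality)."""
    return hashlib.sha256(data).hexdigest()


def integrity_check(data: bytes, expected_hex: str) -> bool:
    """True if the data still hashes to the digest recorded earlier."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def bit_flip_changes_digest(data: bytes) -> Tuple[bool, int]:
    """Flip the lowest bit of the first byte and report how much the digest changes.

    Returns (digest_changed, number_of_differing_hex_characters out of 64).
    """
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    before, after = sha256_hex(data), sha256_hex(flipped)
    differing = sum(1 for x, y in zip(before, after) if x != y)
    return before != after, differing


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    record = b"patient_id=1001;diagnosis=sample;updated=2024-01-01"
    stored_digest = sha256_hex(record)
    print("integrity of unchanged record:", integrity_check(record, stored_digest))
    changed, n_diff = bit_flip_changes_digest(record)
    print(f"one-bit change altered digest: {changed} ({n_diff}/64 hex chars differ)")
    print("same password, distinct hashes:", same_password_distinct_hashes("correct horse"))
    salt, digest = hash_password("hunter2")
    print("verify correct password:", verify_password("hunter2", salt, digest))
    print("verify wrong password:", verify_password("hunter3", salt, digest))
```

Note that the integrity check alone proves nothing about who produced the digest: anyone who can modify the record can also recompute its SHA-256. Binding the digest to an identity is the job of a digital signature (question 3) or a keyed MAC, which is why hashing on its own answers "integrity without confidentiality" and not non-repudiation.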


