Welcome to today’s practice test!
Today’s practice test is based on subdomain 1.4 (Explain the importance of using appropriate cryptographic solutions) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A security administrator at a financial institution needs to ensure that all customer data stored on laptops is unreadable if the device is lost or stolen. Which solution provides the BEST protection in this scenario?
#2. An analyst is configuring secure email communication between two executives. Which cryptographic tool is primarily used to ensure that the sender cannot later deny having sent the message?
#3. A company needs a secure method to store encryption keys in hardware that resists tampering and unauthorized access. Which of the following is the MOST appropriate solution?
#4. An attacker has managed to view hashed passwords in a compromised database. What technique can strengthen the hashes against rainbow table attacks?
#5. Which cryptographic algorithm is MOST appropriate for creating digital signatures due to its use of asymmetric key pairs?
#6. An organization is deploying SSL/TLS for web applications. Which key exchange method is typically used to negotiate the session key in TLS?
#7. A developer is using steganography in an application. What is the PRIMARY purpose of this technique?
#8. Which certificate-related component ensures a certificate is still valid and has not been revoked?
#9. Which of the following best describes the function of a Key Management System (KMS)?
#10. You are securing sensitive data in a cloud-based database for a healthcare provider. You must ensure that records are individually encrypted, that keys are securely managed, and that the encryption meets HIPAA requirements. Task: choose the appropriate combination of encryption level and tools.
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers and explanations for today’s questions are given in the Answers section below.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | D | Full-disk encryption (FDE) encrypts the entire hard drive of the laptop, including the operating system, applications, and all user data. If the device is lost or stolen, the entire contents of the disk are unreadable without the proper decryption key or passphrase, providing the most comprehensive protection for data at rest. File-level encryption only encrypts specific files or folders. It might leave other sensitive data (e.g., temporary files, application data, OS files) unprotected. While volume encryption is effective for a specific volume, a laptop might have multiple volumes or partitions, and this doesn’t guarantee the entire drive is covered. Partition encryption encrypts only a specific partition. If the laptop has other partitions or unpartitioned space, data there would remain unprotected. |
| 2 | C | Digital signatures provide non-repudiation. Hashing ensures integrity, encryption ensures confidentiality, and obfuscation hides but doesn’t verify identity. |
| 3 | A | Trusted Platform Module (TPM) is a hardware-based storage solution for cryptographic keys. CSR and OCSP relate to certificate management, not key storage. Steganography is a technique for hiding data within other files (like images or audio), not for secure key storage. |
| 4 | B | Salting involves adding a unique, random string of data (the “salt”) to each password before it is hashed. This ensures that even if two users have the same password, their stored hashes will be different (because the salt is different). This directly defeats rainbow tables, which rely on pre-computed hashes of common passwords, as the rainbow table would not contain hashes for unique password-salt combinations. Symmetric encryption is used to encrypt data, not to strengthen one-way cryptographic hashes. Passwords are hashed, not typically symmetrically encrypted for storage directly. Tokenization replaces sensitive data with a non-sensitive token, primarily used for data protection in databases (e.g., credit card numbers). It’s not a method for strengthening password hashes. Key stretching (e.g., using bcrypt, PBKDF2) increases the computational cost required to compute a hash, making brute-force and dictionary attacks slower. While often used with salting for robust password hashing, salting is the specific technique that directly addresses the effectiveness of pre-computed rainbow tables by ensuring unique hashes for identical passwords. |
| 5 | B | RSA uses public-private key pairs suitable for digital signatures. AES is symmetric, SHA-256 is a hash function, and PBKDF2 is for key stretching. |
| 6 | D | Diffie-Hellman (DH) is a widely used key exchange method in TLS. It allows two parties to securely negotiate a shared secret (the session key) over an insecure channel, often with ephemeral variants (DHE, ECDHE) to provide perfect forward secrecy. While RSA can be used for key exchange in older TLS versions (encrypting the pre-master secret), its primary role in modern TLS is for server authentication via digital signatures. For session key negotiation, Diffie-Hellman variants are preferred for forward secrecy. AES (Advanced Encryption Standard) is a symmetric encryption algorithm used to encrypt the actual data during the TLS session once the session key has been negotiated. It is not a key exchange method. ECC (Elliptic Curve Cryptography) is a type of public-key cryptography that provides the underlying mathematical basis for efficient key exchange. When used for key exchange in TLS, it’s specifically as Elliptic Curve Diffie-Hellman (ECDH) or ECDHE. So, while related, “Diffie-Hellman” is the name of the key exchange method itself. |
| 7 | B | Steganography’s primary purpose is to hide the existence of data by embedding it within a seemingly innocuous cover medium (like an image, audio file, or video) in such a way that its presence is not readily apparent. Hashing creates a fixed-size string of characters from data for integrity verification. It doesn’t hide the data itself. Encryption scrambles data to make it unreadable without a key, but its presence is obvious. Steganography aims to hide the fact that there’s secret data at all. Digital signatures are used for authentication and integrity, proving the sender’s identity and that the data hasn’t been tampered with. They don’t hide data. |
| 8 | B | A Certificate Revocation List (CRL) provides a list of revoked certificates. HSM is for key storage, PKI is the overall infrastructure, TPM is a more limited, hardware-based solution typically built into endpoint devices. |
| 9 | C | A Key Management System (KMS) is a centralized system designed to manage the entire lifecycle of cryptographic keys. This includes generating, storing, distributing, backing up, revoking, and securely destroying encryption keys throughout their lifespan. Hashing operations (like SHA-256) are used for data integrity and password storage, and while a KMS might interact with systems that use hashing, it’s not its primary function. While KMS deals with keys, its primary function isn’t just storing public keys (which are often widely distributed). It manages both symmetric and asymmetric (public/private) keys, focusing on their secure lifecycle. Public keys are usually stored and distributed via Public Key Infrastructure (PKI) certificates. Creating and managing digital certificates for HTTPS traffic is primarily the function of a Certificate Authority (CA) as part of a Public Key Infrastructure (PKI), not a KMS. A KMS might store the CA’s private key, but it doesn’t issue certificates itself. |
| 10 | C | Record-level encryption + KMS directly addresses the need for individual record encryption and secure, centralized key management, which is vital for HIPAA compliance in a cloud environment. Volume-level encryption + TPM: Volume-level encryption encrypts an entire disk volume, not individual records. TPMs are typically hardware-based and tied to specific servers, not ideal for managing keys for granular, cloud-based database records. File-level encryption + Steganography: File-level encryption might be too coarse if multiple records reside in one file. Steganography is for hiding data’s existence, not for encrypting and managing keys for compliance. Partition encryption + HSM: Partition encryption is similar to volume encryption (too broad). HSMs are excellent for secure key storage, but a KMS provides the full lifecycle management and distribution capabilities needed for numerous record-level keys in a cloud database. HSMs are often used by KMSs, but KMS is the overarching solution for management. |
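The following Python block is an added illustration of the answer to question 4 and is not part of the original practice test. It uses a constructed three-entry “rainbow table” of unsalted SHA-256 digests to show why a lookup succeeds against an unsalted hash but fails against a salted one, and it contrasts salting with key stretching (PBKDF2) as the explanation does; the iteration count is an assumed value chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: a tiny precomputed table of unsalted SHA-256 digests
# for a few common passwords (a real rainbow table holds millions of entries).
COMMON_PASSWORDS = ["password", "123456", "letmein"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest,
    so a precomputed table can map the digest straight back to the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """SHA-256 over salt || password. A fresh 16-byte random salt is drawn when
    none is supplied; the salt is returned so it can be stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def lookup_in_rainbow_table(digest: str) -> Optional[str]:
    """Simulates an attacker's lookup: returns the password if the digest was precomputed."""
    return RAINBOW_TABLE.get(digest)


def stretched_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Key stretching with PBKDF2-HMAC-SHA256: the iteration count (assumed value here)
    makes each guess expensive; the salt is still what defeats precomputation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_stretched(password: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison of a recomputed PBKDF2 digest against the stored one."""
    return hmac.compare_digest(stretched_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    print("unsalted lookup:", lookup_in_rainbow_table(unsalted_hash("password")))  # found
    _, salted = salted_hash("password")
    print("salted lookup:  ", lookup_in_rainbow_table(salted))  # None: not precomputed
```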