Pass the WGU Courses and Certificates Introduction-to-Cryptography Questions and answers with Dumpstech

AES by itself is a symmetric block cipher that provides confidentiality, but not guaranteed integrity unless used in an authenticated mode. To protect integrity of the plaintext (ensuring it has not been altered), a Message Authentication Code (MAC) can be applied. In the classic Encrypt-then-MAC pattern, the sender encrypts the plaintext with AES and then computes a MAC (often HMAC-SHA-256 or CMAC-AES) over the ciphertext (and relevant headers). The receiver verifies the MAC before attempting decryption, preventing tampering and many padding-oracle style vulnerabilities. Alternatively, AES can be used in an AEAD mode like AES-GCM, which produces an authentication tag serving a similar purpose, but among the listed options the general integrity mechanism is “MAC.” RC4 is an unrelated stream cipher and does not provide integrity. RSA is asymmetric and not the standard integrity add-on for AES-encrypted bulk data. Kerberos is an authentication protocol and key distribution system, not a message integrity primitive. Therefore, to protect plaintext integrity when using AES, the correct mechanism is a Message Authentication Code.

The value 51 mod 11 is the remainder after dividing 51 by 11. Modular arithmetic is widely used in cryptography to keep computations within a finite set of residues, such as in RSA where values are taken modulo n, or in Diffie–Hellman where exponents and group elements are reduced modulo a prime. To compute 51 mod 11, find the largest multiple of 11 less than or equal to 51. Multiples of 11 are 11, 22, 33, 44, 55. The closest without exceeding 51 is 44. Subtracting gives 51 − 44 = 7, so the remainder is 7. Therefore, 51 mod 11 = 7, matching option “07.” This remainder is always in the range 0 through 10 because the modulus is 11. Such residue computations underpin the “wraparound” behavior that makes modular exponentiation and inverse computations well-defined in cryptographic groups.

Lightweight cryptography is designed for constrained environments—devices with limited CPU, memory, storage, bandwidth, and power (battery). Examples include IoT sensors, smart locks, RFID tags, embedded controllers, and industrial devices. Administrators choose lightweight algorithms and protocols to maintain reasonable security while fitting strict resource budgets and real-time constraints. The goal is not “weaker security because data is unimportant,” but rather efficient security that can still meet threat models under constraints. Option B captures this: embedded systems often cannot afford the computational cost of heavy cryptographic primitives (large key sizes, complex modes, frequent handshakes) or may struggle with latency and energy consumption. Option A is irrelevant because physical security of a desktop doesn’t remove the need for cryptography in communications or storage. Option C is the opposite of lightweight design. Option D is a poor justification; security design should be based on risk, and lightweight cryptography is not merely for “minimal protection,” but for practical deployability under constraints. Therefore, the correct reason is limited resources on embedded systems.

The “Issued” stage in a certificate lifecycle indicates that the certificate has been generated and signed by the issuing CA and is now valid for use (subject to validity dates, policy constraints, and revocation status). At this point, the operational focus shifts from creating the certificate to making it available to the subject and relying parties. “Distribution” is the lifecycle activity most directly associated with an issued certificate: installing it on servers or endpoints, provisioning it into keystores, publishing it to directories if required, and ensuring the chain (intermediates) is accessible for validation. By contrast, “Creation” is earlier in the process (key generation, CSR creation, identity validation, issuance/signing). “Key recovery” and “key archiving” relate to private key management and escrow policies (often for encryption keys, not signing keys), and are governed by organizational policy and key management systems rather than the certificate’s issued state itself. A certificate can be distributed after issuance regardless of whether any key escrow features exist. Therefore, the operation that fits the certificate’s “Issued” stage best is distribution of the issued credential for operational use.

A rainbow table attack uses large, precomputed tables that link hash outputs back to likely original inputs (typically passwords). Instead of storing every password→hash pair directly (which would be huge), rainbow tables store chains created by alternating hash operations with reduction functions, allowing attackers to reconstruct candidate plaintexts that produce a given hash. This makes cracking fast,ifthe target hashes are unsalted and use a known, fast hash function. Salt defeats rainbow tables because the attacker would need separate tables for each salt value, which becomes infeasible when salts are unique and sufficiently large. A dictionary attack is related but typically computes hashes on the fly from a wordlist rather than using precomputed chain structures. A birthday attack targets collisions, not mapping to original data. Brute-force tries all candidates without precomputation. Because the question explicitly describes mapping hashed values back to original data via a precomputed approach, the correct choice is Rainbow table.

In AES, the number of rounds is explicitly tied to the key length. AES-128 uses 10 rounds, AES-192 uses 12 rounds, and AES-256 uses 14 rounds. The purpose of additional rounds is to increase diffusion and confusion, strengthening resistance against cryptanalysis as the key schedule and state transformations iterate more times. Although key length primarily affects brute-force resistance, AES’s designers and standardization parameters link longer keys with more rounds to maintain security margins across variants, especially considering differences in the key schedule structure. Thus, as key length increases from 128 to 192 to 256 bits, the number of rounds increases correspondingly from 10 to 12 to 14. This relationship is fixed by the AES specification and does not vary dynamically at runtime. Therefore, the correct correlation is that the number of rounds increases as the key length increases.

802.1X is a port-based network access control framework that enables centralized authentication using an authentication server (commonly RADIUS). EAP (Extensible Authentication Protocol) runs within 802.1X to support many credential types (password-based methods like PEAP, certificate-based methods like EAP-TLS, and others). WPA-Enterprise is the wireless security mode that explicitly uses 802.1X + EAP with an authentication server to perform per-user/per-device authentication and to derive dynamic session keys. By contrast, WPA-PSK uses a pre-shared key without an external authentication server; all users share the same PSK, which is weaker for enterprise identity management. WEP is an older mechanism using static keys and does not provide modern 802.1X/EAP enterprise authentication in the WPA-Enterprise sense. TKIP is an encryption/integrity protocol used under WPA, not the full authentication “standard” involving an authentication server. Therefore, the correct choice is WPA-Enterprise.

A brute-force attack exhaustively tries every possible key or password candidate until the correct one is found. Because it explores the full search space (or a very large portion of it), brute force is often the slowest method, especially when strong keys, long passwords, rate limits, and slow password hashing (bcrypt/Argon2) are used. By contrast, a dictionary attack reduces work by trying only common or likely passwords, often succeeding quickly against weak human-chosen secrets. Rainbow table attacks shift work into precomputation; once a table exists, lookup can be faster than brute-force—though salt and modern hashing defeat them. Birthday attacks are about finding collisions, not necessarily recovering a specific secret, and their expected work is about 2^(n/2) for an n-bit hash, which can be less than brute-force key search in many contexts. Therefore, among the listed options, brute-force generally takes the longest to succeed because it makes the fewest assumptions and does the most total work.

Cryptography must evolve because threats, computing capabilities, and attack techniques continuously change. Algorithms once considered safe can become vulnerable due to cryptanalysis, implementation attacks, protocol flaws, or sheer increases in available compute power. Examples include the deprecation of SHA-1 for signatures, weakening of RC4, and migration away from older TLS versions and weak cipher suites. Frameworks also need to adapt to new environments—cloud architectures, IoT deployments, mobile devices—and new adversary models, including the long-term risk posed by quantum computing to current public-key systems. Adaptation includes updating standards, increasing key sizes where needed, adopting modern primitives (AEAD modes, stronger KDFs), improving key management practices (rotation, hardware-backed storage), and refining operational guidance (certificate lifetimes, revocation strategies). A rigid structure that never changes would lock organizations into obsolete protections and accumulate risk. Standardizing obsolete techniques or complying with outdated standards is the opposite of sound security engineering. Therefore, cryptography frameworks must adapt over time to respond to emerging threats and vulnerabilities and to maintain effective protection as the landscape evolves.

The “Issued” stage in a certificate lifecycle indicates that the certificate has been generated and signed by the issuing CA and is now valid for use (subject to validity dates, policy constraints, and revocation status). At this point, the operational focus shifts from creating the certificate to making it available to the subject and relying parties. “Distribution” is the lifecycle activity most directly associated with an issued certificate: installing it on servers or endpoints, provisioning it into keystores, publishing it to directories if required, and ensuring the chain (intermediates) is accessible for validation. By contrast, “Creation” is earlier in the process (key generation, CSR creation, identity validation, issuance/signing). “Key recovery” and “key archiving” relate to private key management and escrow policies (often for encryption keys, not signing keys), and are governed by organizational policy and key management systems rather than the certificate’s issued state itself. A certificate can be distributed after issuance regardless of whether any key escrow features exist. Therefore, the operation that fits the certificate’s “Issued” stage best is distribution of the issued credential for operational use.