Pass the WGU Courses and Certificates Introduction-to-Cryptography Questions and answers with Dumpstech

HMAC (Hash-based Message Authentication Code) is a standard mechanism used to verify both integrity and authenticity of a message when two parties share a secret key. It combines a cryptographic hash function (such as SHA-256) with a secret key in a structured way that resists common attacks on naïve keyed-hash constructions. The sender computes an HMAC tag over the message and transmits the message plus tag. The receiver recomputes the HMAC using the same shared secret key and compares the result; if the tag matches, the receiver can be confident the message was not modified in transit and that it came from someone who knows the shared key. AES is an encryption algorithm primarily providing confidentiality; it can provide integrity only when used in authenticated modes (e.g., GCM) but “AES” alone is not the integrity component. An IV helps randomize encryption but does not validate integrity. TKIP is a legacy WLAN protocol component, not the general integrity verifier. Therefore, the correct component for verifying message integrity among the options is HMAC.

One-way client authentication is the method where the client (customer) proves its identity to the server (web service). In cryptographic terms, this is commonly implemented through client credentials such as client TLS certificates (mTLS from the server’s perspective) or through authentication protocols layered over TLS (for example, signed tokens), but the defining direction is that the client is the party being authenticated. In a strict TLS certificate-authentication framing, client authentication occurs when the server requests a client certificate during the handshake and the client demonstrates possession of the corresponding private key (via signature in handshake messages). The server then validates the client certificate chain and authorization policy. One-way server authentication, by contrast, authenticates only the server to the client and does not identify the customer. Mutual authentication authenticates both sides simultaneously; while it includes client authentication, it is broader than what the question asks. “End-to-end authentication” describes assurance between endpoints across intermediaries, but it is not the specific “customer authenticates to service” method in certificate-based terminology. Therefore, the best answer is one-way client authentication.

CBC mode introduces dependency between blocks to prevent the pattern leakage seen in ECB. It starts with a random (or unpredictable) IV for the first block. Before encrypting block 1, CBC XORs plaintext block 1 with the IV, then encrypts the result. For block 2 and onward, CBC XORs each plaintext block with the previous ciphertext block before encryption. This chaining means that changing one plaintext block affects that block’s ciphertext and also influences the next block’s computation. The IV ensures that encrypting the same message twice under the same key produces different ciphertexts (assuming a fresh IV). Option A (ECB) has no IV or chaining. OFB and CFB are feedback modes that effectively generate a keystream; they do use an IV, but the “uses the result to encrypt the next block” wording most directly matches CBC’s ciphertext-chaining description in standard teaching. CBC still requires integrity protection (e.g., HMAC or an AEAD mode) because it can be malleable without authentication. Therefore, the correct mode is Cipher Block Chaining (CBC).

With IPsec ESP in transport mode, the payload of the original IP packet (typically the transport-layer segment and higher) is encrypted and integrity-protected between the two endpoints—here, the corporate server and the remote client. Because encryption is applied by the sending endpoint and removed only by the receiving endpoint, intermediate routers, switches, and monitoring devices in either network cannot view the protected payload while it is in transit. They may see outer IP headers and certain metadata needed for routing, but not the encrypted content protected by ESP. As a result, the packet’s contents are inspectable only at the endpoints: before encryption on the sender (plaintext exists in memory/stack before IPsec processing) and after decryption on the receiver (plaintext is restored for the application). This is true whether the traffic traverses internal networks or the Internet; the cryptographic boundary is between the endpoints participating in the IPsec SA. Therefore, inspection of the actual content is possible only on the devices at headquarters and offsite, before sending and after receiving, not by in-transit networks.

Bitcoin’s proof of work (PoW) is designed so that finding a valid block is computationally difficult, but checking validity is computationally easy. Miners must repeatedly hash candidate block headers (double SHA-256) with different nonces until they find a hash value below a network-defined target. This trial-and-error search requires significant work and energy because the probability of success per attempt is extremely low at current difficulty levels. However, verification is straightforward: any node can hash the block header once (or a small number of times) and confirm the resulting hash meets the target threshold and that the block contents follow protocol rules. This “hard to produce, easy to verify” property is essential: it makes it expensive for attackers to rewrite history or outpace honest miners, while allowing all participants—even low-power devices—to validate blocks efficiently. Therefore, the primary characteristic of Bitcoin proof of work is that it is difficult to produce and easy to verify.

Bit-flipping exploits target encryption modes or protocols that do not provide strong integrity, allowing attackers to modify ciphertext so that predictable changes occur in plaintext after decryption. To defend against this, protocols add an integrity mechanism that detects tampering. In WPA (including enterprise deployments), TKIP introduced a Message Integrity Check (MIC) called “Michael.” The MIC is computed over the frame contents (with additional fields) and verified by the receiver; if an attacker flips bits in transit, the MIC verification fails, and the frame is rejected. While AES (used by WPA2’s CCMP) also provides integrity via authenticated encryption, the option presented that directly names the tamper-detection mechanism associated with guarding against bit-flipping is MIC. A pre-shared key is an authentication/keying method (and not enterprise-mode anyway), and a “global encryption key” would be the opposite of what you want—global/static keys worsen security. Therefore, the intended mechanism that mitigates bit-flipping by detecting unauthorized modifications is the Message Integrity Check.

IPsec’s initial key exchange is commonly performed using IKE (Internet Key Exchange), which negotiates Security Associations (SAs), authenticates peers, and establishes shared keys for ESP/AH protection. The traditional and default transport for IKEv1 and IKEv2 is UDP port 500. During negotiation, peers exchange proposals (crypto suites), perform Diffie–Hellman to derive key material, and authenticate using pre-shared keys, certificates, or EAP methods. If a firewall blocks UDP 500, the IKE negotiation cannot begin, preventing IPsec tunnels from forming. In many real deployments, NAT traversal is also used; in that case, traffic typically shifts to UDP 4500 (NAT-T) after detection of NAT, but UDP 500 is still required for the initial exchange and NAT detection in many configurations. TCP 500 is not standard for IKE. Port 443 is associated with HTTPS/TLS and some SSL VPNs, not IPsec IKE. Therefore, among the options provided, the firewall must allow UDP 500 for IPsec key exchange to succeed.

For Bitcoin, transactions are confirmed by inclusion in blocks, and the network targets an average block interval of about 10 minutes. That means transactions are “added” to the Bitcoin blockchain approximately every 10 minutes in the sense that a new block containing a batch of transactions is appended at that cadence. The 10-minute target is achieved by a difficulty adjustment mechanism that recalibrates mining difficulty roughly every 2016 blocks, aiming to keep the average interval stable despite changes in total network hash power. It is important to note that this is an average: blocks can be found faster or slower in the short term due to the probabilistic nature of proof-of-work mining. Other blockchains have different block times (seconds to minutes), but the question’s options and typical curriculum context align with Bitcoin’s 10-minute design. Therefore, the correct choice is approximately every 10 minutes.

A VPN (Virtual Private Network) is designed to create a secure, private communication channel over an otherwise untrusted or shared infrastructure. Historically and conceptually, VPNs were built to allow organizations and users to transmit sensitive traffic across the public Internet while maintaining confidentiality, integrity, and authenticity. The “virtual” aspect means the network behaves like a private link, but the underlying transport is typically a public network where attackers could potentially observe or tamper with traffic. VPN technologies such as IPsec and SSL/TLS-based VPNs encapsulate packets and apply encryption and authentication so that the payload and session metadata are protected even when traversing public routing domains. Options like “encrypted” and “protected” describe properties of the VPN tunnel itself rather than the underlying network it traverses; the VPN provides encryption/protection precisely because the medium is not inherently secure. “Private” would describe a dedicated internal network, which generally does not require a VPN to achieve basic confidentiality. Therefore, VPNs were originally designed to tunnel through public networks.

In the TLS handshake, the ClientHello message is the client’s opening negotiation message and includes the client’s supported cryptographic capabilities. A key part of ClientHello is the offered cipher suites list, which advertises combinations of key exchange, authentication, encryption, and integrity/AEAD algorithms the client is willing to use. The server responds with ServerHello, selecting one of the offered cipher suites (in TLS 1.2 and earlier) and confirming protocol parameters. Forward secrecy is a property achieved by using ephemeral key exchange (e.g., (EC)DHE), not a specific message that “sends a list.” “Integrity check” is a security goal/mechanism, not the negotiation step. While TLS 1.3 changes the structure of negotiation (cipher suite list still appears in ClientHello but only covers AEAD and hash; key exchange is negotiated via extensions), the fundamental idea remains: the client proposes supported cipher suites in ClientHello, and the server picks compatible parameters. Therefore, the process that sends the list of supported cipher suites is the ClientHello.