← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 04 · Cyberspace Tech Solutions Cybersecurity Curriculum

Cryptography

~60 minutes of structured prep covering symmetric/asymmetric encryption, hashing, digital signatures, and PKI.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Understand cryptographic principles and their applications
  • Apply encryption techniques to secure data
  • Manage digital certificates, keys, and PKI infrastructure

Topics Covered

#TopicTimeType
1Core Concepts (Symmetric, Asymmetric, Hashing, PKI)10 minReading
2Interview Q&A (20 questions)20 minQ&A
3MCQ Quiz (25 questions)15 minQuiz
4Encryption Type Matcher5 minSimulation
5Caesar Cipher Demo4 minSimulation
6Hash Properties Quiz3 minSimulation
7PKI Flow Builder3 minSimulation
💡 Cryptography is the backbone of every security protocol — TLS, HTTPS, SSH, VPNs, digital signatures. Expect heavy interview focus on these topics for any security role.
Core Concepts · ~10 min

Cryptography Fundamentals

Symmetric Encryption

Uses the same key for both encryption and decryption. Fast and efficient for large data volumes.

AlgorithmKey SizeStatusUse Case
AES128/192/256-bitSecure ✓File encryption, TLS bulk data, disk encryption
3DES112/168-bitLegacy ⚠Older banking systems
DES56-bitBroken ✗Deprecated — cracked in <1 day
ChaCha20256-bitSecure ✓Mobile TLS (Google, WhatsApp)
⚠️ Key distribution problem: How do you securely share the secret key over an insecure channel? This is solved by asymmetric encryption (Diffie-Hellman key exchange).

Asymmetric Encryption

Uses a key pair: a public key (shared freely) and a private key (kept secret). What one key encrypts, only the other can decrypt.

AlgorithmBasisKey SizeUse
RSAPrime factorisation2048–4096-bitKey exchange, digital signatures
ECCElliptic curves256-bit ≈ RSA 3072Mobile, TLS 1.3
Diffie-HellmanDiscrete logarithm2048+ bitKey exchange (no encryption)

Hash Functions

A hash function takes arbitrary-length input and produces a fixed-length digest. It is one-way — you cannot reverse it.

Deterministic
Same input → always same hash
One-Way
Cannot reverse hash → input
Avalanche Effect
1-bit change → entirely different hash
Collision Resistant
Two different inputs → different hash
Fixed Output
SHA-256 always = 256 bits
AlgorithmOutput SizeStatus
MD5128-bitBroken (collisions) — don't use for security
SHA-1160-bitBroken (SHAttered, 2017)
SHA-256256-bitSecure — standard choice
SHA-3256/384/512-bitSecure — different construction
bcrypt / scryptVariableSecure — use for passwords (slow by design)

Digital Signatures

Provide authenticity, integrity, and non-repudiation. Process:
1. Sender hashes the message → gets digest
2. Sender encrypts digest with their private key → signature
3. Receiver decrypts signature with sender's public key → gets digest
4. Receiver hashes the received message → compares digests. If equal → authentic & unaltered.

PKI (Public Key Infrastructure)

PKI is the framework of policies, procedures, hardware, and software that manages digital certificates and public keys.

ComponentRole
Root CATop-level trust anchor. Self-signed. Offline for security.
Intermediate CAIssues end-entity certificates on behalf of Root CA.
X.509 CertificateContains: public key, owner identity, issuing CA, validity period, serial number, signature.
CRLCertificate Revocation List — published list of revoked certs.
OCSPOnline Certificate Status Protocol — real-time revocation check.
HSMHardware Security Module — tamper-resistant device for key storage/operations.
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click to expand. Difficulty: Easy Medium Hard

1What is the difference between symmetric and asymmetric encryption?Easy
FeatureSymmetricAsymmetric
KeysOne shared keyPublic + Private key pair
SpeedFast (bulk data)Slow (key exchange/signing only)
Key sharingProblem — must share secretlyPublic key freely shareable
AlgorithmsAES, 3DES, ChaCha20RSA, ECC, DH
Use caseFile/disk/DB encryptionKey exchange, digital signatures, certificates
💡 TLS uses both: asymmetric for the handshake (key exchange) and symmetric (AES) for the bulk data transfer. This is called hybrid encryption.
2How does RSA encryption work at a high level?Hard
RSA (Rivest–Shamir–Adleman) is based on the mathematical difficulty of factoring the product of two large prime numbers.

Key generation:
  • Choose two large primes p and q
  • Compute n = p × q (public modulus)
  • Choose public exponent e (commonly 65537)
  • Compute private exponent d such that e×d ≡ 1 mod λ(n)
Encryption: C = M^e mod n (using public key)
Decryption: M = C^d mod n (using private key)
Security: Without knowing p and q, computing d from e and n is computationally infeasible for large keys (2048+ bits).
💡 RSA is being phased out in favour of ECC (Elliptic Curve Cryptography) which offers equivalent security with much smaller key sizes. RSA-2048 ≈ ECC-224 in security strength.
3What is a hash function and what properties must it have?Medium
A hash function takes arbitrary-length input and produces a fixed-length output (digest). Five essential properties:
  • Deterministic: Same input always produces the same hash.
  • One-way (Pre-image resistant): Cannot reverse a hash to find the input.
  • Collision resistant: Computationally infeasible to find two inputs with the same hash.
  • Avalanche effect: A tiny change in input produces a completely different hash.
  • Fixed output size: SHA-256 always produces 256 bits regardless of input size.
Uses: Password storage, file integrity verification, digital signatures, blockchain, MACs.
💡 Hashing ≠ encryption. You cannot "decrypt" a hash. That's why compromised hash databases require brute-force or rainbow table attacks.
4What is the difference between encryption and hashing?Easy
FeatureEncryptionHashing
Reversible?Yes (with key)No (one-way)
Key required?YesNo
Output sizeVariable (≈ input)Fixed
Use caseData confidentialityIntegrity, passwords, signing
ExamplesAES-256, RSASHA-256, bcrypt
💡 Never encrypt passwords — always hash them (with salt). Encryption is for data you need to read again. Hashing is for verification without disclosure.
5What is a digital signature and how does it work?Medium
A digital signature provides three guarantees: authenticity (proves who sent it), integrity (proves it wasn't changed), and non-repudiation (sender can't deny sending it).

How it works:
  1. Sender hashes the document (e.g., SHA-256)
  2. Sender encrypts the hash with their private key → this is the signature
  3. Receiver decrypts the signature with sender's public key → gets hash
  4. Receiver independently hashes the document → compares with decrypted hash
  5. If they match → authentic, unaltered, and from the claimed sender
💡 Remember: you encrypt with the private key when signing (not the public key). This is the reverse of normal encryption — anyone can verify with the public key.
6What is PKI (Public Key Infrastructure)?Hard
PKI is the complete framework — policies, procedures, hardware, software, and people — that creates, manages, distributes, uses, stores, and revokes digital certificates and manages public-key encryption.

Components:
  • CA (Certificate Authority): Trusted entity that issues and signs certificates
  • Root CA: Top of the trust chain; self-signed; kept offline
  • Intermediate CA: Issues end-entity certs; acts as buffer protecting Root CA
  • X.509 Certificate: Binds a public key to an identity
  • CRL / OCSP: Revocation mechanisms for compromised certificates
  • Registration Authority (RA): Verifies identity before CA issues certificate
💡 Your browser trusts websites because it has a built-in list of ~150 Root CAs. When a site presents a certificate, the browser validates the chain back to a trusted Root CA.
7What does a Certificate Authority (CA) do?Easy
A CA is a trusted third party that:
  • Verifies the identity of certificate applicants
  • Issues X.509 digital certificates binding identity to a public key
  • Digitally signs certificates with its own private key so others can verify them
  • Maintains revocation lists (CRL) and responds to OCSP queries
  • Manages certificate lifecycle (issue, renew, revoke)
Types of certificates: DV (Domain Validated), OV (Organization Validated), EV (Extended Validation — green bar). Well-known public CAs: DigiCert, Let's Encrypt, Comodo, GlobalSign.
8What is the difference between SHA-256 and MD5?Medium
FeatureMD5SHA-256
Output size128-bit (32 hex chars)256-bit (64 hex chars)
SpeedFastSlower
Collision resistanceBroken — collisions foundSecure — no known collisions
StatusDo NOT use for securityCurrent standard
Use todayNon-security checksums onlySignatures, TLS, integrity
💡 MD5 collision attacks were demonstrated as early as 2004. By 2012, the Flame malware forged an MD5-signed Microsoft certificate to spread as a Windows Update. Never use MD5 for security.
9What is a rainbow table attack and how is it mitigated?Medium
A rainbow table is a precomputed lookup table mapping common passwords to their hash values. Instead of brute-forcing in real-time, an attacker simply looks up the hash in the table to find the password instantly.

Example: MD5("password") = "5f4dcc3b..." is in every rainbow table.

Mitigation — Salting: Add a unique random value (salt) to each password before hashing: hash = SHA256(salt + password). The salt is stored alongside the hash. Since every user's salt is unique, precomputed rainbow tables are useless.
💡 bcrypt, Argon2, and scrypt automatically handle salting AND are intentionally slow (tunable work factor), making brute-force attacks computationally expensive.
10What is salting in cryptography?Easy
A salt is a random value added to a password (or data) before hashing. It is unique per user and stored in plaintext alongside the hash. Purpose:
  • Defeats rainbow table attacks (unique salt → unique hash even for identical passwords)
  • Prevents attackers from seeing that two users have the same password
  • Forces per-hash brute-force attempts even if the database is stolen
Example: User A and User B both use "password123".
Without salt: both have identical hashes → attacker cracks once, gets both.
With salt: A's hash = SHA256("xk92" + "password123"), B's hash = SHA256("m3p1" + "password123") → completely different hashes.
11How does TLS/HTTPS use cryptography?Hard
TLS (Transport Layer Security) is a hybrid cryptographic protocol:
  1. Handshake — Asymmetric phase: Client and server exchange certificates, agree on cipher suite, and use Diffie-Hellman (ECDHE) to derive a shared session key without transmitting it.
  2. Key derivation: Both sides independently compute the same symmetric session key from DH parameters.
  3. Data transfer — Symmetric phase: AES-GCM (or ChaCha20) encrypts all data using the session key. Much faster than asymmetric.
  4. MAC / AEAD: Each record is authenticated, preventing tampering.
TLS 1.3 (current standard) removed weak cipher suites (RC4, MD5, SHA-1, RSA key exchange), making it significantly more secure than TLS 1.2.
💡 ECDHE provides Perfect Forward Secrecy (PFS) — even if the server's private key is compromised in the future, past sessions cannot be decrypted.
12What is Diffie-Hellman key exchange?Hard
Diffie-Hellman (DH) allows two parties to establish a shared secret over an insecure channel without ever transmitting the secret. Analogy: mixing paint colours — each party adds a private colour to a shared public colour; the result is the same on both sides, but an eavesdropper can't determine the private colours from the mixture.

Math basis: Discrete logarithm problem. Given g^a mod p, it's computationally infeasible to find a.

ECDHE: Elliptic Curve DH with Ephemeral keys — provides Perfect Forward Secrecy (new key each session).
💡 DH doesn't encrypt or authenticate — it only establishes a shared key. Authentication (verifying who you're talking to) requires certificates (PKI).
13What is AES and why is it the standard?Medium
AES (Advanced Encryption Standard) was selected by NIST in 2001 after an international competition. It replaced DES. Key reasons it became the standard:
  • No known practical attacks against AES-128 or AES-256
  • Fast in both software and hardware
  • Hardware acceleration built into modern CPUs (AES-NI instructions)
  • Three key sizes: 128, 192, 256-bit — flexible security levels
  • Block cipher: operates on 128-bit blocks
  • Used everywhere: TLS, WPA2/3, BitLocker, 7-Zip, SSH, S/MIME
Modes of operation: ECB (insecure — identical plaintext blocks produce identical ciphertext), CBC, CTR, GCM (authenticated encryption — adds integrity check).
14What is an X.509 certificate and what does it contain?Medium
An X.509 digital certificate is a standardised document that binds a public key to an identity. Contents:
  • Version: Certificate format version (typically v3)
  • Serial Number: Unique identifier assigned by the CA
  • Subject: Identity the certificate is issued to (domain, organisation)
  • Subject Public Key: The public key itself
  • Issuer: The CA that signed this certificate
  • Validity period: Not Before / Not After dates
  • Signature algorithm: e.g., SHA256WithRSAEncryption
  • CA's digital signature: Proves the CA vouches for this certificate
  • Extensions: SANs, key usage, CDP (CRL Distribution Points)
15What is the difference between signing and encrypting a message?Medium
FeatureSigningEncrypting
Key usedSender's private keyRecipient's public key
Verified withSender's public key (by anyone)Recipient's private key (only recipient)
PurposeAuthenticity + integrity + non-repudiationConfidentiality
Readable?Yes (message is not hidden)No (message is hidden)
💡 You can do both — sign then encrypt — for a message that is both confidential AND authenticated. This is used in S/MIME email and PGP.
16What is a MitM attack against PKI and how is it prevented?Hard
An attacker intercepts a TLS connection and presents their own certificate to the client while impersonating the server. If the client trusts the attacker's CA (e.g., a rogue corporate CA installed on company devices), the attack succeeds — the client decrypts to the attacker, who re-encrypts to the real server.

Preventions:
  • Certificate Pinning: App hardcodes expected certificate or public key — rejects anything else
  • HSTS (HTTP Strict Transport Security): Browser remembers that site uses HTTPS only
  • CAA DNS records: Specify which CAs are authorised to issue certificates for your domain
  • Certificate Transparency (CT): All certificates logged publicly — abnormal certs are detectable
  • OCSP Stapling: Server proves its certificate is valid in real-time
17What is certificate pinning?Hard
Certificate pinning is a security technique where an application explicitly trusts only a specific certificate or public key, rather than any certificate signed by a trusted CA. This protects against rogue CA scenarios.

Types:
  • Certificate pinning: Pin the exact certificate (must update app on renewal)
  • Public key pinning: Pin the public key hash (survives certificate renewals)
  • HPKP: HTTP Public Key Pinning header (deprecated — too risky if misconfigured)
Downside: If the pinned certificate/key changes and the app isn't updated, it will break — this has caused major production outages.
18What is a Hardware Security Module (HSM)?Hard
An HSM is a dedicated, tamper-resistant hardware device that safeguards and manages cryptographic keys and performs cryptographic operations (signing, encryption, decryption) without exposing the private key to the host system.

Key properties:
  • Physical tamper detection and response (zeroizes keys if tampered)
  • Keys never leave the HSM in plaintext
  • FIPS 140-2 / 140-3 certified (Level 2 or 3)
  • High-performance crypto operations (10,000+ RSA ops/sec)
Use cases: Root CA key storage, payment card processing (PCI-HSM), code signing, TLS offloading, blockchain key management.
💡 Cloud HSMs: AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM — allow organisations to have exclusive control of keys in the cloud.
19What is end-to-end encryption (E2EE)?Medium
E2EE ensures that only the communicating parties (sender and recipient) can read the messages. Even the service provider cannot decrypt the data in transit or at rest on their servers.

How it works: Each user has a key pair. Messages are encrypted with the recipient's public key. Only the recipient's private key (stored on their device) can decrypt it.

Examples: WhatsApp/Signal (Signal Protocol), iMessage, ProtonMail, PGP email.

Limitations: Does not protect against endpoint compromise (if the device is hacked, messages are readable). Does not protect metadata (who communicates with whom).
20What is homomorphic encryption?Hard
Homomorphic encryption (HE) allows computations to be performed on encrypted data without decrypting it. The result, when decrypted, matches what you would have gotten by operating on the plaintext.

Example: A hospital encrypts patient data, sends to a cloud analytics provider. Provider runs analysis on the ciphertext. Hospital decrypts the result — and gets the correct statistics — without the cloud provider ever seeing the data.

Types: Partially HE (supports one operation: add OR multiply), Somewhat HE (limited operations), Fully HE (any operations — still very slow).

Status: FHE is currently 1,000–10,000× slower than plaintext computation. Active research area — Microsoft SEAL, IBM HElib, Google's open-source libraries.
💡 This is often asked at senior/research-level positions. Knowing it exists and its tradeoffs is sufficient for most interview contexts.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Select an answer then click Check. Explanations shown after each submission.

Progress:
0 / 25
Simulation 1 · ~5 min

Encryption Type Matcher

Drag each scenario chip into the correct cryptography category.

Used to verify a file has not been tampered with
WhatsApp uses this so only sender/receiver can read messages
AES-256 encrypts a 10GB database backup
A server presents its certificate to prove its identity
A developer signs a software release to prove it's from them
Browser and server negotiate a shared session key via DH

🔑 Symmetric

🔐 Asymmetric

#️⃣ Hashing

✍️ Digital Signature

🏛️ PKI

Simulation 2 · ~4 min

Caesar Cipher Demo

Type plaintext and adjust the shift to see encryption in real-time. Use the decrypt button to reverse.

Khoor FbehuVhfxulwb
💡 Why Caesar cipher is weak: Only 25 possible shifts — brute force takes seconds. Modern ciphers (AES) use keys of 2^128 or 2^256 possible values — effectively unbreakable by brute force.
Simulation 3 · ~3 min

Hash Properties Quiz

Match each scenario to the hash property it demonstrates.

"The same input always produces the same hash — SHA256('hello') is always the same."
"Changing 'Hello' to 'hello' produces a completely different hash despite a single character change."
"Given a SHA-256 hash, you cannot work backwards to find what was hashed."
"It is computationally infeasible to find two different inputs that produce the same SHA-256 hash."
"SHA-256 always outputs exactly 256 bits whether the input is 1 byte or 1 terabyte."
Simulation 4 · ~3 min

PKI Flow Builder

Click the steps in the correct order of how TLS/HTTPS establishes a secure connection. Click a step to select it, then click another to swap.

Browser and server perform TLS handshake to derive session key
User's browser sends HTTPS request to the web server
Encrypted HTTPS session is established — data flows securely
Browser verifies certificate chain up to a trusted Root CA
Server sends its X.509 certificate containing its public key
✅ Correct order: Browser request → Server sends certificate → Browser verifies → TLS handshake → Encrypted session
🎉

Module 04 Complete!

You've completed all Cryptography content. Review any section via the sidebar.