Domain 3: Security Architecture

How to Solve Cryptography PBQs on Security+

Cryptography PBQs test your ability to select appropriate encryption algorithms, configure key lengths, and implement cryptographic solutions for specific use cases. This guide teaches you how to match cryptographic tools to security requirements.


What Is a Cryptography PBQ?

Cryptography PBQs present you with a security scenario and ask you to select or configure the appropriate cryptographic solution. You'll need to choose between symmetric and asymmetric encryption, select algorithm types, specify key lengths, and match cryptographic tools to use cases.

These questions test whether you understand when to use different cryptographic approaches. You might be asked to:

  • Select the correct algorithm for encrypting data at rest versus data in transit
  • Choose appropriate key lengths based on security requirements
  • Match hash algorithms to their use cases (password storage, integrity checking, digital signatures)
  • Configure encryption settings for a specific compliance requirement
  • Identify deprecated or weak cryptographic configurations

Know When to Use What

Symmetric encryption (AES) is fast and used for bulk data. Asymmetric encryption (RSA, ECC) is slow but solves key exchange. Hashing (SHA-256) provides integrity but isn't reversible. The exam tests your ability to select the right tool for each scenario.

The 4-Step Method for Cryptography PBQs

When selecting cryptographic solutions, work through these decisions:

1. Identify what you're protecting. Is this data at rest (stored on disk), data in transit (moving across a network), or data in use (being processed)? Each has different requirements.
2. Determine the security goal. Confidentiality (hide content) requires encryption. Integrity (detect tampering) requires hashing or MACs. Authentication (prove identity) requires digital signatures. Non-repudiation (prevent denial) requires digital signatures with proper PKI.
3. Choose the algorithm type. Symmetric for speed with pre-shared keys. Asymmetric for key exchange or digital signatures. Hash for integrity verification or password storage.
4. Verify the key length. AES-256 for sensitive data, AES-128 minimum. RSA-2048 minimum, 4096 for high security. SHA-256 or SHA-384 for hashing. Anything shorter may be flagged as weak.

Cryptographic Algorithms by Use Case

Match these algorithms to their appropriate scenarios:

AES (Symmetric)

Fast bulk encryption. Use for files, databases, disk encryption, VPN tunnels.

Key sizes: 128, 192, or 256 bits. AES-256 for sensitive data.

RSA (Asymmetric)

Key exchange, digital signatures, encrypting small data. Slower than symmetric.

Key sizes: 2048 bits minimum, 4096 for high security.

ECC (Asymmetric)

Same uses as RSA but with smaller keys for equivalent security. Better for mobile/IoT.

P-256 curve ≈ RSA-3072. P-384 for higher security.

SHA-256/384/512 (Hash)

Integrity verification, digital signatures, password hashing (with salt/stretching).

SHA-256 is standard. SHA-1 is deprecated. MD5 is broken.

Walkthrough: Selecting Encryption for Different Scenarios

A company needs to protect data in three scenarios. Here's how to select the right cryptographic approach for each:

Cryptographic Solution Selection

Scenario 1 - Data at Rest: encrypt a customer database stored on servers

  • Encryption: AES-256 (256-bit key)
  • Key storage: HSM

Fast symmetric encryption for large data volumes with hardware-protected keys.

Scenario 2 - Data in Transit: secure file transfer between office locations

  • Protocol: TLS 1.3
  • Key exchange: ECDHE
  • Bulk cipher: AES-256-GCM (256-bit key)

Asymmetric for secure key exchange, symmetric for fast bulk encryption.

Scenario 3 - Software Integrity: verify downloaded software hasn't been modified

  • Integrity: SHA-256
  • Authenticity: RSA (2048-bit or longer) or ECDSA (P-256)

Hash detects tampering, signature proves publisher identity.

Analysis

Scenario 1 - Data at Rest: AES-256 is the standard for encrypting stored data. It's fast enough to encrypt entire databases without significant performance impact. The key must be stored securely, ideally in a Hardware Security Module (HSM).

Scenario 2 - Data in Transit: TLS combines multiple cryptographic primitives. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) exchanges keys securely without transmitting them. AES-GCM provides authenticated encryption for the actual data.

Scenario 3 - Integrity + Authenticity: A hash alone proves the file hasn't changed, but anyone can compute a hash. A digital signature proves the file came from the legitimate publisher and hasn't been modified. You need both.
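The two checks from Scenario 3 side by side, as an added example that is not part of the original guide: SHA-256 gives integrity, an ECDSA P-256 signature over that digest gives authenticity, and the second run in main shows why the hash alone is not enough. Go standard library only; the publisher key, the file bytes and the Release structure are constructed for this demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a publisher ships with a download: the file, its SHA-256
// digest, and an ECDSA P-256 signature over that digest (constructed layout).
type Release struct {
	File      []byte
	Digest    [32]byte
	Signature []byte
}

// Publish hashes the file and signs the digest with the publisher's private key.
func Publish(priv *ecdsa.PrivateKey, file []byte) (Release, error) {
	digest := sha256.Sum256(file)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Release{}, err
	}
	return Release{File: file, Digest: digest, Signature: sig}, nil
}

// VerifyDownload checks integrity (recomputed hash matches the published one)
// and authenticity (signature verifies under the publisher's public key).
// Only the second check depends on a key that nobody else holds.
func VerifyDownload(pub *ecdsa.PublicKey, r Release) (hashOK, sigOK bool) {
	digest := sha256.Sum256(r.File)
	return digest == r.Digest, ecdsa.VerifyASN1(pub, digest[:], r.Signature)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rel, _ := Publish(priv, []byte("installer-1.0 (constructed sample bytes)"))
	fmt.Println(VerifyDownload(&priv.PublicKey, rel)) // true true

	// A modified file shipped with a recomputed hash still matches its own
	// hash, because anyone can run SHA-256, but it cannot carry a valid
	// signature without the publisher's private key.
	mod := rel
	mod.File = []byte("installer-1.0 with extra code (constructed sample bytes)")
	mod.Digest = sha256.Sum256(mod.File)
	fmt.Println(VerifyDownload(&priv.PublicKey, mod)) // true false
}
```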


Symmetric vs. Asymmetric: When to Use Each

Understanding when to use symmetric versus asymmetric encryption is fundamental to these PBQs:

Symmetric Encryption (AES, ChaCha20):

  • Same key encrypts and decrypts
  • Very fast, suitable for large data volumes
  • Problem: how do you securely share the key?
  • Use for: file encryption, database encryption, VPN data channels

Asymmetric Encryption (RSA, ECC):

  • Public key encrypts, private key decrypts (or vice versa for signatures)
  • Much slower than symmetric
  • Solves the key exchange problem
  • Use for: key exchange, digital signatures, encrypting small data (like symmetric keys)

Hybrid Approach (TLS, PGP):

  • Use asymmetric to exchange a symmetric key
  • Use symmetric for bulk data encryption
  • Gets the best of both: secure key exchange + fast encryption

Deprecated Algorithms to Avoid

These are always wrong answers on the exam for new deployments:

  • MD5 — Broken. Collisions can be generated easily. Never use for security purposes.
  • SHA-1 — Deprecated. Collision attacks demonstrated. Use SHA-256 or higher.
  • DES — 56-bit key is trivially crackable. Replaced by AES decades ago.
  • 3DES (Triple DES) — Being phased out. Slower than AES with less security.
  • RC4 — Stream cipher with known weaknesses. Removed from TLS.
  • RSA-1024 — Too short. Minimum is RSA-2048, preferably 4096.
  • WEP/WPA with TKIP — Wireless encryption with known breaks. Use WPA2/WPA3 with AES.

Key Management Essentials

Encryption is only as secure as your key management:

Key Generation — Use cryptographically secure random number generators. Never use predictable sources.

Key Storage — Private keys and symmetric keys must be protected. HSMs provide hardware-based security. Key management services (KMS) handle this in cloud environments.

Key Rotation — Regularly change keys to limit the impact of potential compromise. Automated rotation reduces operational risk.

Key Escrow — Storing copies of keys with a trusted third party. Necessary for compliance but creates risk. Balance availability against security.

Key Destruction — When keys expire or systems are decommissioned, keys must be securely destroyed. Improper destruction leaves data vulnerable.

Frequently Asked Questions

What is a cryptography PBQ on the Security+ exam?

A cryptography PBQ asks you to select or configure cryptographic solutions for specific scenarios. You might choose between symmetric and asymmetric encryption, select appropriate algorithms and key lengths, or identify deprecated cryptographic configurations that need updating.

What is the difference between encryption and hashing?

Encryption is reversible—you can decrypt ciphertext back to plaintext with the correct key. Hashing is one-way—you cannot recover the original data from a hash. Use encryption when you need to retrieve the original data. Use hashing for integrity verification and password storage where you only need to compare, not retrieve.

When should I use AES vs RSA?

Use AES (symmetric) for encrypting large amounts of data—it's fast and efficient. Use RSA (asymmetric) for key exchange, digital signatures, and encrypting small data like symmetric keys. In practice, systems often use RSA to exchange an AES key, then AES for bulk encryption.

What key sizes should I use?

For AES: 256-bit for sensitive data, 128-bit minimum. For RSA: 2048-bit minimum, 4096-bit for high security or long-term protection. For ECC: P-256 curve minimum, P-384 for higher security. For hashing: SHA-256 or SHA-384. These provide adequate security through at least 2030.
