Exercises: Cryptography Fundamentals

These exercises move from definitions to judgment to design. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

A reminder that governs this whole set: you are learning to use cryptography correctly and to spot misuse, not to break ciphers. Where an exercise asks for a number (entropy, key size), show your reasoning. Where it asks for a judgment, the reasoning matters more than the verdict. Run nothing against systems you do not own.


Part A — Core vocabulary and guarantees ⭐

1.† In one sentence each, define plaintext, ciphertext, symmetric encryption, and asymmetric encryption, then write a single sentence that correctly uses all four in the context of sending an encrypted file to a colleague.

2. For each scenario, name the single cryptographic guarantee most needed — confidentiality, integrity, authenticity, or non-repudiation: (a) hiding card numbers in a stolen database; (b) proving a firmware image was not altered in transit; (c) proving a wire-transfer instruction came from a specific manager and that they cannot deny it; (d) letting two services confirm a message came from the other and was not tampered with, where either may later be trusted to deny nothing.

3. Explain why "we encrypted it" does not by itself guarantee that the data cannot be tampered with. What must be added, and what modern mechanism provides both at once?

4.† State Kerckhoffs's principle in your own words and explain why "proprietary encryption with a secret algorithm" is a red flag rather than a selling point.

5. Match each primitive to the guarantee(s) it provides: (a) AES-GCM; (b) SHA-256; (c) HMAC-SHA256; (d) an RSA digital signature; (e) bare AES-CBC with no integrity check.


Part B — Symmetric, asymmetric, and key sizes ⭐⭐

6.† Explain the key-distribution problem of symmetric encryption and exactly how asymmetric encryption solves it. Then explain why real systems still use symmetric encryption for the bulk of the work (hybrid encryption).

7. A team proposes encrypting a 2 GB nightly database backup directly with the recipient's RSA-3072 public key. Identify two things wrong with this plan and describe the correct (hybrid) approach step by step.

8.† Rank these key choices from weakest to strongest and label any that should be prohibited in a modern standard: AES-128, AES-256, RSA-1024, RSA-3072, ECC P-256, DES. For the comparable ones, state the rough equivalence between ECC and RSA key sizes.

9. Why is ECC preferred over RSA for mobile and IoT devices? Give the key-size comparison and one trade-off that makes ECC more sensitive to implementation mistakes.

10. ⭐ Calculation. Using the relationship $c = m^e \bmod n$ for textbook RSA with the tiny (insecure, illustrative) public key $e = 3$, $n = 33$, encrypt the message $m = 4$. Show the modular arithmetic. (This is a toy example to see the mechanism — real RSA uses 3072-bit numbers and padding.)


Part C — Hashing, salting, and password storage ⭐⭐

11.† List the three defining properties of a cryptographic hash function and, for each, name a security consequence if it failed.

12. Explain precisely why MD5 and SHA-1 must not be used where collision-resistance matters, but why MD5 may still be acceptable as a non-security checksum against accidental corruption.

13.† A web app stores passwords as SHA256(password) with no salt. (a) Name the two attacks this is vulnerable to. (b) Explain how a salt defeats one of them even though the salt is stored in plaintext. (c) Explain why switching to Argon2 (with a work factor) defeats the other.

14. Two users both choose the password Summer2026!. Under unsalted SHA-256, what does an attacker who steals the database immediately learn? Under per-user-salted Argon2, what do they learn? Explain the difference in one paragraph.

15. ⭐⭐ Severity triage. A breach exposes a password table. For each storage method, state how bad the incident is and your first containment action: (a) plaintext; (b) unsalted MD5; (c) salted bcrypt at a high work factor.


Part D — Analyze this (find the crypto mistake) ⭐⭐

16.† Code review. Find every cryptographic mistake in this (illustrative) Python-ish pseudocode and state the fix for each:

import random
def make_session_key():
    return str(random.random())            # (A)
def encrypt(data, key):
    cipher = AES.new(key, AES.MODE_ECB)    # (B)
    return cipher.encrypt(pad(data))
SECRET_KEY = "hunter2-prod-key"            # (C)  hard-coded
def store_password(pw):
    return hashlib.md5(pw).hexdigest()     # (D)

17. Code review. An engineer encrypts every message under one AES-GCM key and, "to keep it deterministic for caching," uses the constant nonce b"000000000000" for all of them. Which crypto rule is violated, and what can an attacker do as a result?

18.† Spot the protocol smell. A vendor advertises: "All data secured with our proprietary military-grade 4096-bit hashing algorithm — even we can't decrypt it!" Identify at least three things wrong or confused in that one sentence.

19. Analyze the cert error. A user reports their browser warns that meridianbank.example's certificate "is not trusted." List four distinct causes that could produce this warning, and for each say whether it is more likely an attack or an operational mistake.

20. ⭐⭐ A log shows a software update was installed because its digital signature verified correctly, yet the update was malicious. The signature really was valid. Explain how both statements can be true, and what it tells you about the limits of signature verification.


Part E — Write it / design it ⭐⭐–⭐⭐⭐

21.† Write the standard. Draft a one-paragraph encryption standard snippet for a small company covering: symmetric algorithm + key size, hashing algorithm, password storage, asymmetric key sizes, randomness source, and one key-management rule. Make it specific enough that an engineer could not drift into a weak choice.

22. Design it. You must let customers upload sensitive documents that are encrypted at rest and readable only by an authorized reviewer. Sketch the cryptographic design: what is encrypted with what, where the keys live, and how you would not store the key next to the data. Identify the residual risk.

23. Write the policy line. Write a single, testable policy sentence that would have prevented the expired-certificate outage from the chapter's War Story. (Hint: it should be about inventory, automation, and alerting, not about cryptography.)

24. ⭐⭐⭐ Design it. Design password storage for a new service expecting credential-stuffing attacks. Specify the algorithm, salting, work factor philosophy (how you would choose and revisit it), and one defense that lives outside the hash (forward-reference Chapter 16 ideas if you like). Defend each choice.

25. Crosswalk. In two or three sentences, connect this chapter's encryption standard to a specific PCI-DSS requirement area (protection of stored cardholder data; protection of data in transit) without inventing exact sub-requirement numbers. Why does an auditor want this document to exist?


Part F — CTF-style challenge ⭐⭐⭐

26.† The identical ciphertexts. During an investigation you obtain a database of "encrypted" records. You notice that many records share byte-for-byte identical ciphertext blocks, and that records you know contain the same field value (e.g., the same ZIP code) always produce the same encrypted block. (a) What mode of operation was almost certainly used? (b) What can you infer about the plaintext without possessing the key? (c) Is the cipher "broken," and what is the actual defect? (d) What single configuration change fixes it?
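The observation that exercise 26 starts from can be measured rather than eyeballed. The sketch below is an added example, not part of the original exercise set: it counts repeated 16-byte blocks across records and leaves parts (a) to (d) for you to answer. The record ids, the sample ciphertexts, the `blk` helper and the 16-byte block size are constructed assumptions.

```python
import hashlib
from collections import defaultdict

BLOCK = 16  # bytes; assumed block size of the cipher behind the records


def blk(tag: int) -> bytes:
    """Constructed stand-in for one opaque 16-byte ciphertext block."""
    return hashlib.sha256(bytes([tag])).digest()[:BLOCK]


# Constructed sample data (record id -> ciphertext), not from any real system.
RECORDS = {
    "rec-001": blk(1) + blk(2) + blk(3),
    "rec-002": blk(4) + blk(2) + blk(5),
    "rec-003": blk(6) + blk(2) + blk(3),
    "rec-004": blk(7) + blk(8) + blk(9),
}


def split_blocks(ct: bytes) -> list[bytes]:
    """Cut a ciphertext into whole blocks; reject truncated records."""
    if len(ct) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    return [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]


def repeated_blocks(records: dict) -> dict:
    """Map each block seen more than once to its (record id, block index) hits."""
    seen = defaultdict(list)
    for rec_id, ct in records.items():
        for idx, block in enumerate(split_blocks(ct)):
            seen[block].append((rec_id, idx))
    return {b.hex(): locs for b, locs in seen.items() if len(locs) > 1}


def repeat_ratio(records: dict) -> float:
    """Fraction of all blocks that duplicate an earlier block (0.0 = none)."""
    blocks = [b for ct in records.values() for b in split_blocks(ct)]
    return 1 - len(set(blocks)) / len(blocks)


if __name__ == "__main__":
    for block_hex, locs in repeated_blocks(RECORDS).items():
        print(block_hex, locs)
    print(f"repeat ratio: {repeat_ratio(RECORDS):.2f}")
```

For ciphertext that is indistinguishable from random, a repeated 16-byte block across a few thousand records is vanishingly unlikely, so any nonzero ratio on real data deserves an explanation.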


Part G — Interleaved & forward-looking ⭐⭐

27. (Interleaved with Ch.1, 3.) Map each cryptographic control to the leg(s) of the CIA triad it serves and classify it by function (preventive/detective/corrective): (a) AES-256 encryption of backups; (b) a SHA-256 file-integrity check that alerts on change; (c) salted Argon2 password storage.

28. (Interleaved with Ch.2.) A threat actor steals a code-signing private key. Using the kill-chain mindset from Chapter 2, explain why this is so valuable to the attacker and which later defensive ideas (key protection, pipeline integrity) reduce the damage.

29. (Forward-looking.) This chapter mentioned "harvest now, decrypt later" only by implication: an adversary records today's encrypted traffic hoping to decrypt it once computing advances. Write two sentences predicting why this makes long-lived secrets riskier than short-lived ones, and why "crypto-agility" might matter (you will meet post-quantum cryptography later in the book).

30. ⭐⭐⭐ Open reflection. The chapter claims "essentially every real-world crypto failure is a failure of implementation, configuration, or operation, not broken math." Pick a real public crypto failure you have heard of (a breach, a weak-password dump, a certificate outage) and classify it against the §4.7 catalog. Did the math break, or did people?


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor. Do not run cryptographic attacks against any system you do not own or are not explicitly authorized to test.