5.2 Exercise 1: Symmetric Cipher Triage

AP Cybersecurity · Unit 5 · Topic 5.2 · Exercise 1

Symmetric Cipher Triage

Eight scored scenarios. For each one, classify the failure: algorithm, mode, IV, or key management. Predict before looking at options — the exam rewards students who commit to a category first.

8 Questions~15 minScored

How This Exercise Works

1. Each scenario describes a real or realistic symmetric crypto failure.

2. Before reading options, decide: is the failure algorithm (DES/3DES/RC4), mode (ECB/reused IV), or key management (hardcoded/co-located/environment variable)?

3. Click your answer to get immediate feedback. Aim for 7/8 or better.

Score0 / 8
Question 1
A developer encrypts 10,000 user profile photos with AES-256 in ECB mode and uploads them to cloud storage. A researcher downloads two ciphertexts and can see the subject's silhouette in each image. AES-256 is widely considered unbreakable. What is the actual failure?
✎ Predict before reading options. Commit to your answer first.
Exam Tip'Identical plaintexts produce identical ciphertexts' = ECB failure. Pattern leakage. Textbook.
Question 2
A company encrypts their customer database with AES-256-GCM. The encryption key is stored in a file named crypto.conf on the same server as the database. Attackers compromise the server and immediately decrypt the entire database. What is the root cause?
✎ Predict before reading options. Commit to your answer first.
Exam TipKey next to data = useless encryption. Separate the key into a KMS/HSM/external trust boundary.
Question 3
Which of the following statements about AES are TRUE?

I. AES always uses a 128-bit block size regardless of key length.
II. AES-256 is more secure than AES-128 in all circumstances.
III. AES in GCM mode provides both confidentiality and integrity.
✎ Predict before reading options. Commit to your answer first.
Exam TipAES fixed block = 128 bits. Key varies. Mode matters. AES-128 already infeasible to brute force.
Question 4
A mobile banking app encrypts sensitive data stored locally using AES-256-GCM. A security researcher reverse-engineers the APK and finds the encryption key as a constant in the compiled binary. Within seconds they can decrypt every user's stored data. Which category applies?
✎ Predict before reading options. Commit to your answer first.
Exam TipHardcoded key in an app binary = key is public = no encryption. This is a key management category.
Question 5
A team migrating from TLS 1.0 discovers their load balancer still supports 3DES and RC4 cipher suites. The team lead says, 'these are encrypted so they should be fine.' Which is the correct response and why?
✎ Predict before reading options. Commit to your answer first.
Exam TipDES, 3DES, RC4, MD5, SHA-1 in modern contexts = deprecated. Flag them every time.
Question 6
A laptop containing patient records is stolen from a hospital employee's car. The laptop's drive is encrypted with BitLocker (AES-256-XTS) and was powered off at the time. The TPM-stored key is not recoverable without the user's PIN. Is the hospital required to report this as a HIPAA breach?
✎ Predict before reading options. Commit to your answer first.
Exam TipEncrypted data at rest + key stored separately = safe harbor under HIPAA and most state laws. Exam favorite.
Question 7
A web developer wants to encrypt user data in transit and asks which of these is the MODERN default choice for TLS 1.3:
✎ Predict before reading options. Commit to your answer first.
Exam TipTLS 1.3 = AEAD only. AES-GCM or ChaCha20-Poly1305. Anything else is old TLS.
Question 8
A junior developer proposes the following design: 'We'll generate a random AES-256 key when the application starts and use it to encrypt all sensitive database fields. We'll store the key in an environment variable.' Identify the most critical flaw.
✎ Predict before reading options. Commit to your answer first.
Exam TipEnvironment variables = near-ciphertext exposure. KMS-or-HSM is the right answer for production keys.

Exercise Complete

— / 8

AP Cybersecurity · Unit 5 · Lesson 5.2 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]