Six tickets. You are the on-call crypto engineer. Deprecated algorithms, code review catches, incident response, and architecture reviews — diagnose each correctly and prescribe the right fix.
6 Tickets~20 minApplied · Scored
Triage Rules
For each ticket: identify the failure (algorithm / mode / IV / key management), then pick the action that fixes the root cause.
Trap answers: "rotate the key more often" (doesn't fix architecture), "longer key" (rarely the answer), "switch cipher" (usually distractor), "compensating control" (avoid when the real fix is removing the bad option).
Score0 / 6
Question 1
Ticket #C-2001 — Priority: Urgent
Security scanner flagged your team's legacy inventory service: it's still negotiating SSL/TLS with 3DES-CBC and MD5. Your company's compliance framework requires modern ciphers. What's the correct remediation?
✎ Predict before reading options. Commit to your answer first.
Exam TipDeprecated algorithm in config = remove the option, not work around it.
Question 2
Ticket #C-2002 — Priority: High
Developer pushes new code: cipher = AES.new(key, AES.MODE_ECB); ct = cipher.encrypt(pad(data)). Code review comments — what's the issue, and how do you fix it?
✎ Predict before reading options. Commit to your answer first.
Exam TipECB in code review = block the merge. Require GCM (or XTS for disk, CBC+HMAC at minimum for legacy).
Question 3
Ticket #C-2003 — Priority: Medium
Penetration test finding: the company's encryption keys are stored as plaintext values in Terraform state files committed to a private Git repo. What's the triage?
✎ Predict before reading options. Commit to your answer first.
Exam TipSecrets in source control = treat as compromised. Rotate, move to KMS, scrub history, add scanning.
Question 4
Ticket #C-2004 — Priority: High
Incident response: an engineer's laptop was stolen from a conference. It contained a clone of the production database. The laptop has full-disk encryption (AES-256-XTS, BitLocker, TPM-backed key with user PIN). The laptop was powered off when stolen. Leadership asks: is this a disclosable breach?
✎ Predict before reading options. Commit to your answer first.
Exam TipEncrypted + keys separate + powered off = safe harbor. One of the AP exam's favorite scenarios.
Question 5
Ticket #C-2005 — Priority: Critical
Active incident: attacker captured HTTPS traffic between a customer and your payment app. Traffic was TLS 1.2 with AES-128-CBC-SHA1. Attacker claims to have decrypted it. Is this possible?
✎ Predict before reading options. Commit to your answer first.
Exam TipOld TLS + non-forward-secrecy = captured traffic can be decrypted if server key leaks. Always enable PFS (ECDHE).
Question 6
Ticket #C-2006 — Priority: Urgent
Database encryption review: a team lead proposes using 'the same AES-256 key for all customers, encrypted into the application JAR at build time.' What's wrong with this proposal, and what's the correct approach?
✎ Predict before reading options. Commit to your answer first.
Exam TipEnvelope encryption: per-record DEK, wrapped by master KEK in KMS, with separate KMS access audit trail.
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.