5.3 Exercise 1: Hash Selection Triage

AP Cybersecurity · Unit 5 · Topic 5.3 · Exercise 1

Hash Selection Triage

Eight scenarios. For each one, pick the right hash algorithm or diagnose the failure. The exam rewards knowing which hash belongs where: SHA-256 for files, bcrypt/Argon2 for passwords, HMAC for API auth, digital signatures for non-repudiation.

8 Questions~15 minScored

How This Exercise Works

Predict first: For each scenario, identify the use case (file integrity / password storage / API auth / signature) before reading options.

Then classify: Is the algorithm modern (SHA-256/Argon2/bcrypt) or deprecated (MD5/SHA-1)? Is it right for the use case (password hashes must be SLOW)?

Score0 / 8
Question 1
A team is designing a new user authentication system. They need to pick an algorithm for storing passwords in the database. Which is the correct choice for a 2026 deployment?
✎ Predict before reading options. Commit to your answer first.
Exam TipPasswords in 2026 = Argon2id or bcrypt. Not SHA-family. Not encryption. Not MD5.
Question 2
A software distribution site publishes SHA-256 checksums for each downloadable ISO. A user downloads a Linux ISO and wants to verify its integrity. What does this use of SHA-256 actually protect against?
✎ Predict before reading options. Commit to your answer first.
Exam TipFile hash + trusted channel for the hash = integrity verification. Without trusted channel, integrity check is worthless.
Question 3
Consider the following statements about MD5. Which is TRUE?

I. MD5 is acceptable for file deduplication in a trusted environment where no one has incentive to craft collisions.
II. MD5 is acceptable for password hashing if combined with a strong salt.
III. MD5 is acceptable for digital signatures on short documents.
✎ Predict before reading options. Commit to your answer first.
Exam TipMD5 in non-security contexts = OK. MD5 anywhere security matters = broken.
Question 4
An API uses HMAC-SHA-256 to sign incoming requests. The API key is a shared secret between the client and the server. What security property does HMAC provide that plain SHA-256 does not?
✎ Predict before reading options. Commit to your answer first.
Exam TipPlain hash = integrity. HMAC = integrity + authenticity (requires shared key).
Question 5
A team needs to implement a download verification system. The downloads themselves are large (several GB each) and the verification step must be fast. Which architecture is best?
✎ Predict before reading options. Commit to your answer first.
Exam TipPublic download integrity = SHA-256 + trusted channel. Not password hash, not HMAC, not encryption.
Question 6
A team discovers their legacy JWT implementation uses HS256 (HMAC-SHA-256) with a 6-character ASCII shared secret. Which of the following represents the actual risk, and what is the correct fix?
✎ Predict before reading options. Commit to your answer first.
Exam TipHMAC secret must have ≥ 256 bits of entropy. Short ASCII secrets are brute-forceable.
Question 7
A 2017 Google attack (dubbed 'SHAttered') produced two different PDF files with the same SHA-1 hash. Which property of SHA-1 was definitively broken, and what is the practical consequence?
✎ Predict before reading options. Commit to your answer first.
Exam TipSHAttered (2017) = SHA-1 collision. Broke collision resistance, not pre-image. Migration to SHA-256 everywhere.
Question 8
Which statement most accurately characterizes the difference between integrity and authenticity?
✎ Predict before reading options. Commit to your answer first.
Exam TipIntegrity = not modified. Authenticity = came from expected sender. HMAC/AEAD/signatures provide both. Plain hash = integrity only.

Exercise Complete

— / 8

AP Cybersecurity · Unit 5 · Lesson 5.3 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]