AP Cybersecurity Unit 5: Securing Applications and Data

Unit 5: Securing Applications & Data

Cryptography, Encryption, Hashing, PKI & Application Security

Learning Objectives

By the end of this unit, you will be able to:

  • Identify common application and data vulnerabilities
  • Explain how symmetric encryption protects data confidentiality
  • Describe how hashing ensures data integrity
  • Explain asymmetric encryption and Public Key Infrastructure (PKI)
  • Describe strategies for protecting applications from attacks
  • Identify detection methods for application and data attacks

5.1 Application & Data Vulnerabilities

Applications and data are often the ultimate targets of cyberattacks. Understanding common vulnerabilities helps defenders prioritize protections and helps developers write more secure code.

Common Application Vulnerabilities

SQL Injection (SQLi)

Attackers insert malicious SQL code into input fields, which the application then executes against its database. This can allow attackers to:

  • View unauthorized data
  • Modify or delete database records
  • Execute administrative operations
  • Bypass authentication
// Vulnerable code (don't do this!):
query = "SELECT * FROM users WHERE name = '" + userInput + "'"

// If userInput = "'; DROP TABLE users; --"
// The query becomes:
SELECT * FROM users WHERE name = ''; DROP TABLE users; --'
// This deletes the entire users table!
// (The stacked second statement only runs where the database driver accepts more than one
// statement per call; a payload such as ' OR '1'='1' -- that rewrites the WHERE clause
// works against almost any driver.)

Cross-Site Scripting (XSS)

Attackers inject malicious scripts into web pages viewed by other users. The script runs in the victim's browser with access to their session.

  • Stored XSS: Malicious script is saved on the server (e.g. in a comment or profile field) and served to every user who views that page
  • Reflected XSS: Script arrives in the request (a URL parameter or form field) and is echoed back in the response, e.g. in an error message or search results; the victim is lured into following a crafted link
  • Impact: Session hijacking, credential theft, defacement

Broken Authentication

Weaknesses in authentication mechanisms that allow attackers to:

  • Guess weak passwords
  • Exploit session management flaws
  • Use stolen credentials
  • Bypass authentication entirely

Insecure Direct Object References

Application exposes internal implementation objects (file names, database keys) that attackers can manipulate to access unauthorized data.

// URL pattern revealing user IDs:
https://example.com/user/profile?id=12345

// Attacker changes ID to access other profiles:
https://example.com/user/profile?id=12346
// Unauthorized access to another user's data!
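The defense, as an added Python example (not code from the page): the server decides access from the identity bound to the session, never from the id in the URL, and optionally hands out random per-session handles instead of raw database keys. The profile store, the user names and the Forbidden error are constructed for the example.

```python
import secrets

# Constructed profile store standing in for the application's database (not from the page).
# The integer keys are the kind of internal identifier the URL above exposes.
PROFILES = {
    12345: {"owner": "alice", "email": "alice@example.com"},
    12346: {"owner": "bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised for both 'no such object' and 'not yours', so the response does not
    reveal which ids exist."""


def get_profile_checked(session_user: str, profile_id: int, is_admin: bool = False) -> dict:
    """Fix 1: object-level authorization on the server.

    The id in the request is untrusted input; the identity bound to the session
    decides whether that object may be returned.
    """
    profile = PROFILES.get(profile_id)
    if profile is None or (profile["owner"] != session_user and not is_admin):
        raise Forbidden("forbidden")
    return profile


class IndirectReferences:
    """Fix 2: keep the real key out of the URL.

    Each session hands out random, unguessable handles for the objects it may reach
    and maps them back to real ids internally. This stops enumeration (id+1), but it
    supplements Fix 1 rather than replacing it: every resolved id must still pass
    the authorization check.
    """

    def __init__(self) -> None:
        self._map: dict = {}                  # opaque handle -> real id

    def handle_for(self, real_id: int) -> str:
        handle = secrets.token_urlsafe(16)    # 128 bits of randomness
        self._map[handle] = real_id
        return handle

    def resolve(self, handle: str) -> int:
        if handle not in self._map:
            raise Forbidden("forbidden")
        return self._map[handle]


def demo() -> dict:
    """Walk through the page's scenario: alice reads her own profile, then tries id+1."""
    out = {}
    out["own_profile"] = get_profile_checked("alice", 12345)["email"]
    try:
        get_profile_checked("alice", 12346)           # the id-increment attack from the URL above
        out["neighbour_profile"] = "allowed"
    except Forbidden:
        out["neighbour_profile"] = "denied"
    out["admin_view"] = get_profile_checked("support", 12346, is_admin=True)["email"]

    refs = IndirectReferences()
    handle = refs.handle_for(12345)
    out["handle_resolves"] = refs.resolve(handle) == 12345
    try:
        refs.resolve("12346")                          # a raw id is not a valid handle
        out["raw_id_as_handle"] = "allowed"
    except Forbidden:
        out["raw_id_as_handle"] = "denied"
    return out
```

Returning the same error for "does not exist" and "not yours" matters: a different message or status code would let an attacker map out which ids are real even when access is denied.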

Data Vulnerabilities

Vulnerability | Description | Impact
Data at Rest Unencrypted | Stored data not encrypted | Data theft if storage is compromised
Data in Transit Unencrypted | Network traffic not encrypted | Eavesdropping, man-in-the-middle attacks
Excessive Data Collection | Collecting more data than needed | Larger breach impact, privacy violations
Improper Data Retention | Keeping data longer than necessary | Increased risk window, compliance issues
Inadequate Access Controls | Too many users with access to sensitive data | Insider threats, accidental disclosure
Data States

Data exists in three states, each requiring protection:

  • Data at Rest: Stored on disks, databases, backups → Protect with encryption
  • Data in Transit: Moving across networks → Protect with TLS/HTTPS
  • Data in Use: Being processed in memory → Protect with access controls

5.2 Symmetric Cryptography

Symmetric Encryption uses the same key for both encryption and decryption. Both the sender and receiver must possess the shared secret key.
Plaintext → [Secret Key + Encryption Algorithm] → Ciphertext

Ciphertext → [Same Secret Key + Decryption Algorithm] → Plaintext

How Symmetric Encryption Works

Term | Definition
Plaintext | The original, readable message or data
Ciphertext | The encrypted, unreadable output
Key | Secret value used by the algorithm to transform plaintext to ciphertext (and back)
Algorithm | Mathematical process that performs the encryption/decryption (e.g., AES)

Common Symmetric Algorithms

Algorithm | Key Size | Status
AES (Advanced Encryption Standard) | 128, 192, or 256 bits | ✔ Current standard; widely used; secure
3DES (Triple DES) | 168-bit key (about 112 bits of effective security) | Legacy; deprecated by NIST, being phased out
DES (Data Encryption Standard) | 56 bits | ✘ Deprecated; too weak (brute-forceable)
ChaCha20 | 256 bits | ✔ Modern; used in TLS (paired with Poly1305 for authentication)
✔ Exam Tip

AES-256 is the gold standard for symmetric encryption. Remember: "AES" = Advanced Encryption Standard. It's used for encrypting files, disk encryption (BitLocker, FileVault), and securing network traffic.

Advantages and Challenges

✔ Advantages

  • Fast: Much faster than asymmetric encryption
  • Efficient: Low computational overhead
  • Suited to bulk data: Encrypts large volumes cheaply
  • Simple: Easier to implement

✘ Challenges

  • Key Distribution: How do you securely share the key?
  • Key Management: Need unique key for each pair of users
  • Scalability Problem: n users need n(n-1)/2 keys
The Key Distribution Problem: If Alice wants to send an encrypted message to Bob, they both need the same secret key. But how does Alice securely send Bob the key in the first place? If she sends it unencrypted, an attacker could intercept it. This problem is solved by asymmetric cryptography (covered in 5.4).

Real-World Uses

  • Full Disk Encryption: BitLocker, FileVault encrypt entire drives with AES
  • File Encryption: Password-protected ZIP files, encrypted documents
  • Database Encryption: Encrypting sensitive columns or entire databases
  • VPN Tunnels: After key exchange, bulk data encrypted with symmetric keys

5.3 Hashing for Data Integrity

Hashing is a one-way mathematical function that converts input data of any size into a fixed-length output (the "hash" or "digest"). The same input always produces the same hash, but you cannot reverse the process to get the original input.
Input Data → [Hash Function] → Fixed-Length Hash Value

"Hello World" → SHA-256 → "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"

Properties of Cryptographic Hash Functions

Property | Description | Why It Matters
Deterministic | Same input always produces same output | Enables verification
One-Way | Cannot derive input from output | Protects original data (passwords)
Avalanche Effect | Tiny input change → completely different hash | Detects any modification
Collision Resistant | Extremely hard to find two inputs with same hash | An attacker cannot substitute a different file that has the same digest
Fixed Output | Output size is constant regardless of input size | Efficient storage and comparison

Common Hash Algorithms

Algorithm | Output Size | Status
SHA-256 | 256 bits (64 hex chars) | ✔ Secure; widely used
SHA-3 | Variable (224-512 bits) | ✔ Latest standard; secure
SHA-1 | 160 bits (40 hex chars) | Deprecated; practical collisions demonstrated (SHAttered, 2017)
MD5 | 128 bits (32 hex chars) | ✘ Broken; don't use for security

Hashing vs. Encryption

Critical Distinction
Aspect | Hashing | Encryption
Direction | One-way (irreversible) | Two-way (reversible)
Key Required | No | Yes
Output Size | Fixed | Varies with input
Purpose | Integrity verification | Confidentiality
Use Cases | Passwords, file verification | Protecting sensitive data

Uses of Hashing

Password Storage

Systems store hashes of passwords, not passwords themselves. When you log in, your entered password is hashed and compared to the stored hash. Even if the database is stolen, attackers don't have actual passwords. Because a plain SHA-256 is fast enough to try billions of guesses per second, password hashes should use a salted, deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2): the salt makes identical passwords hash differently, and the slowness makes offline guessing expensive.

File Integrity Verification

Software downloads often include a hash value. After downloading, you can hash the file yourself and compare. If hashes match, the file wasn't corrupted or tampered with. The check is only as trustworthy as the published hash: if it sits on the same server as the download, an attacker who swaps the file can swap the hash too, which is why projects sign their releases (see Digital Signatures below).

✔ Digital Signatures

Digital signatures hash a document, then encrypt the hash with a private key. Recipients can verify the signature to confirm the document hasn't been modified and came from the claimed sender.

The Avalanche Effect Demonstrated

Input: "Hello"
SHA-256: 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

Input: "hello" // Just changed H to h
SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

// Completely different hashes from a single character change!
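The three uses above (password storage, file verification, the avalanche effect), worked in Python as an added example using only the standard library; the sample password, the PBKDF2 iteration count and the "published" hash are assumptions, not values from the page. It goes one step beyond the text: passwords are hashed with salted PBKDF2 rather than plain SHA-256, and digests are compared in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash arbitrary bytes to a fixed 64-hex-character digest."""
    return hashlib.sha256(data).hexdigest()


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests: puts a number on the avalanche effect."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# --- Password storage ---------------------------------------------------------
# A plain SHA-256 of the password is the wrong tool: it is fast, so a stolen hash can be
# brute-forced at billions of guesses per second, and without a salt identical passwords
# share a hash. PBKDF2-HMAC-SHA256 with a random 16-byte salt and a high iteration count
# is the standard-library option; bcrypt, scrypt and Argon2 are equally acceptable.
PBKDF2_ITERATIONS = 600_000   # assumed for the example; tune so one hash takes ~100 ms


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); store both. The salt is not secret, just unique."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time (a plain == can leak,
    through timing, how many leading bytes matched)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


# --- File integrity verification ----------------------------------------------
def verify_download(file_bytes: bytes, published_sha256: str) -> bool:
    """Compare the digest of the downloaded bytes with the published one."""
    return hmac.compare_digest(sha256_hex(file_bytes), published_sha256.strip().lower())


def demo() -> dict:
    hello, hello_lower = sha256_hex(b"Hello"), sha256_hex(b"hello")
    salt, digest = hash_password("correct horse battery staple")   # constructed password
    published = "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"
    return {
        "avalanche_bits": bits_changed(hello, hello_lower),          # roughly half of 256
        "login_ok": verify_password("correct horse battery staple", salt, digest),
        "login_wrong_case": verify_password("Correct horse battery staple", salt, digest),
        "download_ok": verify_download(b"Hello World", published),
        "download_tampered": verify_download(b"Hello World!", published),
    }
```

The iteration count is the knob that turns a fast hash into a slow one; raise it as hardware gets faster, and store it alongside the salt so old records can be upgraded on the user's next login.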

5.4 Asymmetric Cryptography & PKI

Asymmetric Encryption uses a pair of mathematically related keys: a public key (shared freely) and a private key (kept secret). What one key encrypts, only the other can decrypt.
For Confidentiality:
Plaintext → [Recipient's Public Key] → Ciphertext
Ciphertext → [Recipient's Private Key] → Plaintext

For Digital Signatures:
Hash → [Sender's Private Key] → Signature
Signature → [Sender's Public Key] → Verified Hash

Symmetric vs. Asymmetric

Symmetric

  • Same key encrypts and decrypts
  • Fast performance
  • Key distribution problem
  • Example: AES
  • Use: Bulk data encryption

Asymmetric

  • Public/private key pair
  • Slower performance
  • Solves key distribution
  • Example: RSA, ECC
  • Use: Key exchange, signatures

Common Asymmetric Algorithms

Algorithm | Key Size | Use Cases
RSA | 2048-4096 bits | Key exchange, digital signatures, TLS
ECC (Elliptic Curve) | 256-521 bits | Mobile devices, IoT (smaller keys, same security)
Diffie-Hellman (DH, or ECDH over a curve) | 2048+ bits (256-bit curves for ECDH) | Key exchange (establish shared secret)

How HTTPS Uses Both Types

TLS Handshake (Simplified, RSA key transport)
  1. Browser connects to server; server sends its public key (in a certificate)
  2. Browser generates a random session key (symmetric)
  3. Browser encrypts session key with server's public key (asymmetric)
  4. Server decrypts with its private key to get session key
  5. Both parties now have same session key; all further communication encrypted with fast symmetric encryption

Result: Asymmetric solves key distribution; symmetric provides fast bulk encryption.

Caveat: this is the TLS 1.2-and-earlier RSA key exchange. TLS 1.3 removed it: the two sides agree on the session key with ephemeral (elliptic-curve) Diffie-Hellman, and the certificate's key is used only to sign the handshake. That gives forward secrecy, so a server private key stolen later cannot decrypt recorded traffic, which RSA key transport cannot offer.

Digital Signatures

Digital Signature: A mathematical scheme that proves the authenticity (who sent it) and integrity (hasn't been modified) of a digital message or document.

How Digital Signatures Work

  1. Sender creates a hash of the document
  2. Sender encrypts the hash with their private key → This is the signature
  3. Sender sends document + signature
  4. Recipient decrypts the signature with sender's public key → Gets hash
  5. Recipient hashes the document themselves
  6. If hashes match → Document is authentic and unmodified

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a framework of policies, procedures, and technologies that manage digital certificates and public keys. PKI enables trusted communication between parties who have never met.

Key PKI Components

Component | Function
Certificate Authority (CA) | Trusted entity that issues digital certificates, vouching for the identity of certificate holders
Digital Certificate | Electronic document binding a public key to an identity (like a digital passport)
Registration Authority (RA) | Verifies identity of certificate requesters before CA issues certificate
Certificate Revocation List (CRL) | List of certificates that have been revoked before expiration
The Trust Chain

When you visit an HTTPS website:

  1. Website presents its certificate (containing public key)
  2. Certificate is signed by a Certificate Authority
  3. Your browser has a list of trusted CAs built in
  4. Browser verifies the CA's signature on the certificate (following any intermediate CA certificates up to a trusted root)
  5. Browser also checks that the certificate is within its validity period, that its name matches the site you asked for, and that it has not been revoked
  6. If every check passes, browser trusts the website's public key

5.5 Protecting Applications

Secure Development Practices

Input Validation

Never trust user input. Validate all input on the server side:

  • Check data type, length, format, and range
  • Reject or sanitize invalid input
  • Use allowlists (what's permitted) over blocklists (what's forbidden)

Parameterized Queries

Prevent SQL injection by using parameterized queries (prepared statements):

// Vulnerable (string concatenation):
query = "SELECT * FROM users WHERE name = '" + userInput + "'"

// Safe (parameterized query):
query = "SELECT * FROM users WHERE name = ?"
execute(query, [userInput])
// User input is treated as data, never as code

Output Encoding

Prevent XSS by encoding output before displaying user-supplied data, using the encoding for the context the data lands in:

  • HTML encode: < becomes &lt;, > becomes &gt;, & becomes &amp;, " becomes &quot;
  • JavaScript encode for JS contexts
  • URL encode for URL parameters
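The three encoders as an added Python example (not from the page), each applied to the same attacker-controlled string; the input and the page template are constructed. The JavaScript encoder goes one step beyond plain JSON encoding by also escaping <, > and &, so that the value cannot close the surrounding script element even inside a string literal.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker-controlled input (not from the page).
USER_INPUT = '<script>alert("xss")</script>'


def encode_for_html(value: str) -> str:
    """HTML body or attribute context: & < > " ' become entities, so the browser
    renders text instead of parsing markup."""
    return html.escape(value, quote=True)


def encode_for_js(value: str) -> str:
    """JavaScript string-literal context: JSON-encode, then also escape the three
    characters that can end a <script> block or open a tag inside the literal."""
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def js_roundtrip(value: str) -> bool:
    """The JS encoding is lossless: a JSON parser recovers the original string."""
    return json.loads(encode_for_js(value)) == value


def encode_for_url(value: str) -> str:
    """URL query-parameter context: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def render_profile(display_name: str) -> str:
    """The same input is encoded differently for each of the three places it appears."""
    return (
        "<p>Hello, " + encode_for_html(display_name) + "</p>\n"
        '<a href="/search?q=' + encode_for_url(display_name) + '">search</a>\n'
        "<script>var name = " + encode_for_js(display_name) + ";</script>"
    )
```

Using the HTML encoder inside a script block, or the JS encoder inside an href, is the usual way these defenses fail: the encoding must match the parser that will read the value.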

Principle of Least Privilege

Applications and database accounts should have minimum permissions needed:

  • Web app database user only needs SELECT, INSERT, UPDATE, DELETE
  • Not DROP TABLE, CREATE USER, or admin privileges
  • Limits damage if application is compromised

Application Security Controls

Control | Protection Provided
Web Application Firewall (WAF) | Filters malicious HTTP requests; blocks SQL injection, XSS attempts
HTTPS/TLS | Encrypts data in transit; prevents eavesdropping
Session Management | Secure session tokens; timeouts; secure cookies
Rate Limiting | Prevents brute force attacks; limits request frequency
Content Security Policy (CSP) | Controls which scripts can execute; mitigates XSS

Data Protection Strategies

Data Classification

Categorize data by sensitivity to apply appropriate protections:

  • Public: Can be freely shared
  • Internal: For internal use only
  • Confidential: Limited access, business-sensitive
  • Restricted/Secret: Highest protection, need-to-know basis

Encryption Strategy

  • At Rest: Full disk encryption (AES-256); database encryption
  • In Transit: TLS 1.3 for all network communications
  • Key Management: Secure key storage; regular rotation; access controls

Access Controls

  • Role-Based Access Control (RBAC): Permissions based on job role
  • Need-to-Know: Access only what's required for job
  • Regular Reviews: Audit who has access; remove unnecessary permissions

5.6 Detecting Attacks on Data & Applications

Application-Level Detection

Detection Method | What It Detects
Web Application Firewall (WAF) Logs | Blocked attack attempts (SQLi, XSS, etc.)
Application Logs | Failed logins, errors, unusual requests
Database Activity Monitoring | Unusual queries, large data exports, privilege escalation
File Integrity Monitoring (FIM) | Unauthorized changes to application files or configurations
User Behavior Analytics (UBA) | Anomalous user activity patterns

Indicators of Application Attacks

Signs of SQL Injection Attempts

  • Requests containing SQL keywords: SELECT, UNION, DROP, etc.
  • Single quotes, double dashes (--), or semicolons in input
  • Database errors returned to users
  • Unusual database query patterns in logs

Any one of these on its own is a weak signal (a name like O'Brien contains a quote, and a comment can contain the word SELECT); treat them as attack indicators when they cluster, repeat across many requests, or coincide with database errors.

Signs of Data Exfiltration

  • Large data transfers during off-hours
  • Unusual access to sensitive databases
  • Bulk downloads of records
  • Access from unusual locations or devices

Scenario: Detecting a Data Breach

Scenario 5A: Database Attack Detection

Your SIEM alerts show:

  • 3:00 AM: Multiple failed login attempts to database admin account
  • 3:15 AM: Successful login to database admin account
  • 3:17 AM: Query executed: SELECT * FROM customers
  • 3:18 AM: 500MB data exported to external IP address
  • 3:20 AM: Admin account password changed
Analysis

Attack Timeline:

  1. Attacker attempted brute force against admin account
  2. Eventually succeeded (weak password or credentials obtained elsewhere)
  3. Immediately queried all customer data
  4. Exfiltrated data to external location
  5. Changed password to maintain access and lock out defenders

Response: Disable the compromised account and revoke its sessions immediately; block the external IP; preserve the logs and database audit trail as evidence; begin incident response; assess the scope of the data breach (what the customers table contained, and whether other accounts or systems were touched); notify affected parties per regulations.
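The correlation an analyst does by hand in Scenario 5A, as an added Python example (not the page's code) run over constructed log lines that mirror the timeline. The log format, the thresholds and the corporate address ranges are assumptions made for the example; 203.0.113.x and 198.51.100.x are documentation ranges standing in for attacker addresses.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed SIEM-style log lines mirroring Scenario 5A (not real log data).
LOG_LINES = """\
2024-05-01T03:00:05Z db auth user=dbadmin result=FAIL src=203.0.113.10
2024-05-01T03:02:41Z db auth user=dbadmin result=FAIL src=203.0.113.10
2024-05-01T03:05:12Z db auth user=dbadmin result=FAIL src=203.0.113.10
2024-05-01T03:09:30Z db auth user=dbadmin result=FAIL src=203.0.113.10
2024-05-01T03:12:07Z db auth user=dbadmin result=FAIL src=203.0.113.10
2024-05-01T03:15:00Z db auth user=dbadmin result=OK src=203.0.113.10
2024-05-01T03:17:22Z db query user=dbadmin sql="SELECT * FROM customers"
2024-05-01T03:18:40Z net transfer user=dbadmin dst=198.51.100.7 bytes=524288000
2024-05-01T03:20:03Z db admin user=dbadmin action=password_change
2024-05-01T09:00:00Z db auth user=alice result=OK src=10.0.0.5
2024-05-01T09:01:10Z net transfer user=alice dst=10.0.0.20 bytes=4096
""".splitlines()

# Tunables (assumed for the example): five failures inside 15 minutes followed by a success
# is treated as a brute-forced login; transfers over 100 MB to a non-corporate address as
# possible exfiltration; actions within 30 minutes of a suspicious login are tied to it.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=15)
EXPORT_THRESHOLD = 100 * 1024 * 1024
FOLLOW_UP_WINDOW = timedelta(minutes=30)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]   # assumed ranges

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """'<timestamp> <source> <event> k=v k="v with spaces"' -> dict."""
    ts, source, event, rest = line.split(" ", 3)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source,
            "event": event, **fields}


def is_external(ip: str) -> bool:
    """External means 'not one of our ranges'; do not rely on is_private/is_global here,
    since documentation and test ranges are classified as non-public by the stdlib."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(lines) -> list:
    """Correlate events per user across the auth, query, transfer and admin sources."""
    findings = []
    failures = {}       # user -> timestamps of failed logins not yet followed by a success
    compromised = {}    # user -> time of the login judged to be brute-forced
    for ev in (parse(l) for l in lines):
        user, ts = ev.get("user"), ev["ts"]
        when = ts.strftime("%H:%M")
        if ev["event"] == "auth":
            if ev["result"] == "FAIL":
                failures.setdefault(user, []).append(ts)
                continue
            recent = [t for t in failures.pop(user, []) if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                compromised[user] = ts
                findings.append((when, "brute-force login success", user))
        elif ev["event"] == "transfer":
            if int(ev["bytes"]) >= EXPORT_THRESHOLD and is_external(ev["dst"]):
                findings.append((when, "large export to external address", user))
        elif user in compromised and ts - compromised[user] <= FOLLOW_UP_WINDOW:
            # Actions by a freshly brute-forced account inside the follow-up window.
            if ev["event"] == "query" and re.fullmatch(r"SELECT \* FROM \w+", ev["sql"]):
                findings.append((when, "full-table read after suspicious login", user))
            elif ev["event"] == "admin" and ev.get("action") == "password_change":
                findings.append((when, "password change after suspicious login", user))
    return findings
```

The large export would fire on its own, but the other three findings exist only because the state from the authentication log (the brute-forced account and when it got in) is carried across to the database and admin logs; that cross-source state is what turns four separate log lines into one incident.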

✔ Exam Tip

The AP exam may present log data and ask you to identify the attack type, timeline, and appropriate response. Practice reading timestamps, identifying anomalies, and correlating events across multiple log sources.

Unit 5 Practice Questions

1 Multiple Choice

Which type of encryption uses the same key for both encryption and decryption?

  • A) Asymmetric encryption
  • B) Symmetric encryption
  • C) Hashing
  • D) Public key encryption

Answer: B

Explanation: Symmetric encryption uses the same secret key for both encryption and decryption. Both sender and receiver must have the shared key. AES is a common symmetric algorithm. Asymmetric (public key) encryption uses different keys for encryption and decryption.

2 Multiple Choice

What is the PRIMARY purpose of hashing?

  • A) To encrypt data for confidentiality
  • B) To verify data integrity
  • C) To compress data for storage
  • D) To authenticate users

Answer: B

Explanation: The primary purpose of hashing is to verify data integrity, ensuring data hasn't been modified. The same input always produces the same hash, so any change to the data results in a completely different hash. Hashing is one-way and cannot be reversed to reveal original data.

3 Multiple Choice

An attacker inserts ' OR '1'='1 into a login form's username field. What type of attack is this?

  • A) Cross-site scripting (XSS)
  • B) SQL injection
  • C) Buffer overflow
  • D) Man-in-the-middle

Answer: B

Explanation: This is a classic SQL injection attack. The input ' OR '1'='1 modifies the SQL query to always return true, potentially bypassing authentication. The single quote closes the username string, and the OR condition makes the WHERE clause always true.

4 Multiple Choice

In asymmetric encryption, if Alice wants to send a confidential message to Bob, which key should she use to encrypt it?

  • A) Alice's public key
  • B) Alice's private key
  • C) Bob's public key
  • D) Bob's private key

Answer: C

Explanation: To send a confidential message, Alice encrypts with Bob's public key. Only Bob's private key (which only he has) can decrypt it. This ensures only Bob can read the message. If Alice used her own keys, Bob couldn't decrypt it.

5 Multiple Choice

Which entity in PKI is responsible for verifying identities and issuing digital certificates?

  • A) Root server
  • B) Certificate Authority (CA)
  • C) Web browser
  • D) DNS server

Answer: B

Explanation: A Certificate Authority (CA) is the trusted entity that verifies identities and issues digital certificates. The CA vouches that a public key belongs to a specific entity, enabling trust between parties who have never met.

6 Multiple Choice

Which defense is MOST effective against SQL injection attacks?

  • A) Firewall rules
  • B) Antivirus software
  • C) Parameterized queries
  • D) Strong passwords

Answer: C

Explanation: Parameterized queries (prepared statements) separate SQL code from user data, treating input as data rather than executable code. This prevents attackers from injecting malicious SQL commands regardless of what input they provide.

7 Multiple Choice

Digital signatures provide which two security properties?

  • A) Confidentiality and availability
  • B) Authentication and integrity
  • C) Encryption and compression
  • D) Speed and efficiency

Answer: B

Explanation: Digital signatures provide authentication (proves who sent the message, since only the sender has the private key) and integrity (proves the message hasn't been modified, since any change would invalidate the signature).

8 Free Response

Explain the difference between symmetric and asymmetric encryption. For each type:

(a) Describe how keys are used

(b) Give one advantage

(c) Give one common use case

(d) Explain how they work together in HTTPS

Sample Response:

Symmetric Encryption:

(a) Uses the same secret key for both encryption and decryption. Both parties must possess and protect this shared key.

(b) Advantage: Very fast and efficient, making it suitable for encrypting large amounts of data.

(c) Use case: Full disk encryption (like BitLocker) uses AES symmetric encryption to protect all data on a drive.

Asymmetric Encryption:

(a) Uses a mathematically related pair of keys: a public key (shared freely) and a private key (kept secret). What one key encrypts, only the other can decrypt.

(b) Advantage: Solves the key distribution problem. You can share your public key openly; only you can decrypt messages encrypted with it.

(c) Use case: Digital signatures use asymmetric encryption to prove authenticity and integrity of documents.

(d) Working Together in HTTPS:

HTTPS uses asymmetric encryption to securely exchange a symmetric session key. The server sends its public key (in a certificate); the browser encrypts a random session key with this public key; the server decrypts it with its private key. Now both have the same session key, and all further communication uses fast symmetric encryption. This combines the security of asymmetric key exchange with the speed of symmetric data encryption.

9 Free Response

A web application is vulnerable to SQL injection. Explain:

(a) What SQL injection is and how it works

(b) What an attacker could accomplish with this vulnerability

(c) Two specific defenses the development team should implement

Sample Response:

(a) SQL Injection Explained:

SQL injection is an attack where malicious SQL code is inserted into input fields (like login forms or search boxes). If the application directly includes user input in database queries without proper sanitization, the attacker's SQL code becomes part of the query and executes on the database. For example, entering ' OR '1'='1' -- in a username field could modify a login query to bypass authentication by making the WHERE condition always true.

(b) Potential Attacker Actions:

  • Bypass authentication and log in as any user (including admin)
  • Read sensitive data from the database (customer records, passwords)
  • Modify or delete database records
  • Execute administrative operations on the database
  • In severe cases, gain access to the underlying server

(c) Two Defenses:

1. Parameterized Queries (Prepared Statements): Instead of concatenating user input into SQL strings, use parameterized queries that treat user input as data, not code. The database processes the query structure separately from the parameters, making it impossible for input to modify the query logic.

2. Input Validation: Validate all user input on the server side. Check data type, length, format, and range, and use allowlists to define what valid input looks like (for example, a username may contain only letters, digits and underscores) rather than trying to block known-bad strings such as SQL keywords, which attackers bypass with encoding and case changes. Validation is a second layer behind parameterized queries, not a substitute for them.

10 Free Response

Explain how digital signatures work to provide authentication and integrity. Include the role of hashing and asymmetric encryption in your answer.

Sample Response:

Creating a Digital Signature:

  1. The sender creates a hash of the document using a cryptographic hash function (like SHA-256). This creates a fixed-length "fingerprint" of the document.
  2. The sender encrypts this hash using their private key. This encrypted hash is the digital signature.
  3. The sender transmits both the original document and the signature.

Verifying a Digital Signature:

  1. The recipient decrypts the signature using the sender's public key (which is freely available). This reveals the original hash.
  2. The recipient independently hashes the received document using the same hash algorithm.
  3. The recipient compares the two hashes: the one from the decrypted signature and the one they calculated.

What This Proves:

Authentication: If the signature decrypts correctly with the sender's public key, it must have been encrypted with the corresponding private key. Since only the sender has that private key, this proves the sender created the signature.

Integrity: If the calculated hash matches the hash from the signature, the document has not been modified. Any change to the document, even a single character, would produce a completely different hash (avalanche effect), causing the comparison to fail.

Role of Each Technology:

Hashing: Creates a unique fingerprint of the document. The one-way nature ensures the fingerprint can be verified but not reverse-engineered. The avalanche effect ensures any modification is detected.

Asymmetric Encryption: The private/public key pair enables anyone to verify the signature (using the public key) while ensuring only the sender could have created it (using their private key).

AP Cybersecurity Study Guide | APCSExamPrep.com

AP® is a registered trademark of the College Board, which was not involved in the production of this guide.
