WGU WGU Introduction to Cryptography HNO1 Introduction-to-Cryptography Exam Dumps: Updated Questions & Answers (February 2026)

In a public key infrastructure, trust in a certificate ultimately depends on the relying party’s trust anchor set—typically the root CA certificates preinstalled in a customer’s browser/OS trust store. For customers to accept the company’s certificate as legitimate, the buyer (customer) must trust the root CA public key (or an intermediate chained to it) so they can validate the certificate chain and signatures. The seller (the company) also must trust and rely on the root CA public key to build and present a valid chain and to make operational decisions based on that CA’s issuance and revocation mechanisms; practically, the seller selects a CA whose root is widely trusted by customers. The cloud provider’s trust is not what makes the certificate valid to customers; the provider may terminate TLS or pass traffic through, but customer validation is based on the chain to a trusted root. Government agencies like the FTC are not part of the cryptographic trust path for TLS certificate validation. Therefore, among the given options, the correct pairing is the seller and the buyer, reflecting both the issuer selection/usage by the company and the relying-party validation by customers.

Digital signing of software typically works by hashing the application (or its manifest) and then using the publisher’s private key to create a digital signature over that digest. The private key is used because it is secret and uniquely controlled by the publisher; only the publisher should be able to produce a valid signature. Verifiers (customers) use the publisher’s public key to validate the signature and confirm that the digest matches the software they received. This yields two key properties: integrity (the software hasn’t been altered; any modification changes the digest and breaks verification) and authenticity (the signature proves it came from the private-key holder). Option A incorrectly describes symmetric stream encryption. Option C incorrectly generalizes private-key behavior as “block encryption.” Option D is wrong because verification uses the public key, not a private key; also, “encrypting with private key” in this context is better understood as signing, not confidentiality encryption. Therefore, the correct rationale is that the asymmetric private key is used to sign the file’s digest so the corresponding public key can verify integrity and authenticity.

A polyalphabetic substitution cipher uses multiple substitution alphabets rather than a single fixed mapping. The classic cipher that uses a keyword to select shifting alphabets across the message is the Vigenère cipher. In Vigenère, each plaintext letter is shifted by an amount determined by the corresponding key letter (repeating the keyword as needed). For example, a keyword like “YELLOW” is aligned under the plaintext; each key character defines a Caesar shift (A=0, B=1, …) applied to the plaintext character, producing ciphertext. This rotation of alphabets across positions makes Vigenère more resistant to simple frequency analysis than monoalphabetic substitution, because the same plaintext letter may encrypt to different ciphertext letters depending on its position relative to the key. The Pigpen cipher is a symbol substitution cipher, Caesar is monoalphabetic with a single shift, and Playfair is a digraph substitution cipher using a 5×5 key square, not the repeating-key polyalphabetic method described. Therefore, the correct cipher is Vigenère.

WEP (Wired Equivalent Privacy) uses the RC4 stream cipher and combines a per-packet Initialization Vector (IV) with a shared secret key to form the RC4 seed for that packet’s keystream. The IV in WEP is 24 bits long and is transmitted in the clear as part of the 802.11 frame so the receiver can reconstruct the same per-packet RC4 key stream. The short IV space (2²⁴ possible values) is a major design weakness: on a busy network, IVs repeat frequently, causing keystream reuse. Because RC4 is a stream cipher, keystream reuse enables attackers to derive relationships between plaintexts and recover keys with statistical attacks (notably the Fluhrer, Mantin, and Shamir (FMS) family of attacks and related improvements). WEP also uses a CRC-32 integrity check (ICV) that is not cryptographically strong and is vulnerable to modification attacks. The 24-bit IV length is therefore a key reason WEP is considered insecure and has been replaced by WPA/WPA2 mechanisms that use stronger key mixing, larger nonces/IVs, and robust integrity protection.

A true random number generator (TRNG) draws randomness from physical phenomena that are inherently unpredictable and not algorithmically reproducible. Because of this, it is nondeterministic: you cannot feed it the same “input” and expect the same output stream. TRNGs are often slower than PRNGs because they depend on collecting entropy from hardware sources and may require conditioning to remove bias. This aligns with option B: slow and nondeterministic, producing different results even under similar or repeated conditions. Option A describes a deterministic PRNG, where identical seeds yield identical sequences. Option C is unrelated; factorization is a hard math problem used in cryptography (e.g., RSA security assumptions), not a randomness generator definition. Option D describes a counter, which is deterministic and not random. In secure systems, TRNG output may seed a cryptographically secure PRNG to provide both unpredictability and high throughput; but the defining characteristic of a TRNG is nondeterminism from physical entropy. Therefore, option B is correct.

In digital forensics, investigators must preserve evidence integrity and demonstrate an unbroken chain of custody. Creating a cryptographic hash (such as SHA-256) of the original drive and then hashing the forensic bitstream image provides a strong mathematical assurance that the copy is an exact, bit-for-bit replica. Because secure hash functions are designed so that any tiny change in data produces a dramatically different digest, matching hashes indicate the image contains identical data to the source at the time of acquisition. This is critical in legal and investigative contexts: analysis is performed on the copy, not the original, to avoid altering evidence. If the hashes match, the investigator can testify that the evidence examined is identical to what was collected, supporting admissibility and credibility. Hashing does not prove who created files, nor does it directly show whether someone “opened the drive”; it specifically validates the integrity and equivalence of the captured image. Therefore, hashing both artifacts is done to verify that the original and the bitstream copy are identical.

3DES (Triple DES) commonly uses an Encrypt–Decrypt–Encrypt (EDE) sequence. In the two-key form, it encrypts with key K1, decrypts with key K2, then encrypts again with K1. In the three-key form, it encrypts with K1, decrypts with K2, then encrypts with K3. The EDE construction was chosen partly for backward compatibility: if K1=K2=K3, the scheme reduces to single DES, allowing older systems to interoperate in constrained ways. AES and IDEA do not use an EDE triple-stage process as their defining structure; they are single-pass block ciphers with internal rounds. DES is a single-pass algorithm (one key) rather than a triple application with multiple keys. Therefore, the algorithm described—encrypt with one key, decrypt with another, encrypt with the first—is 3DES. Although now considered legacy, it remains a classic example of increasing effective security by applying a block cipher multiple times with independent keys.

ECB is the simplest block cipher mode: each plaintext block is encrypted independently using the same key and the block cipher primitive. There is no IV and no chaining, so identical plaintext blocks produce identical ciphertext blocks. This property leaks patterns and structure in the plaintext, which is why ECB is generally considered insecure for most real-world data beyond tiny, random-looking inputs. For example, images encrypted with ECB often reveal outlines because repeated pixel blocks map to repeated ciphertext blocks. Option A describes CTR mode, option C describes CBC mode, and option B resembles feedback-based modes. ECB’s independence also means it can be parallelized, but the pattern leakage is a severe weakness. Modern practice prefers authenticated encryption modes (like GCM) or, at minimum, modes with IVs and chaining (like CBC with proper padding and MAC). Therefore, the correct statement is that ECB encrypts each block with the same key and each block is independent of the others.

A salt is a unique, random value stored alongside a password hash and combined with the password during hashing. Its main security benefit is that it ensures identical passwords do not produce identical hashes across different accounts or systems. If two users choose the same password, their stored hashes will differ because their salts differ, which directly prevents attackers from spotting shared passwords by comparing hashes. Salts also defeat precomputation attacks such as rainbow tables, because an attacker would need to regenerate tables for each possible salt value—a task that becomes infeasible when salts are large and unique per password. Salt does not enforce password complexity rules (that’s a policy/validation function), does not guarantee users choose different passwords, and does not prevent password reuse across sites. The correct statement is that salt makes the resulting hash different even for the same password, improving resistance to offline cracking at scale and eliminating the “same hash = same password” shortcut attackers rely on.

RC4 is unique among the RC family listed because it is a stream cipher. It generates a pseudorandom keystream and encrypts data by XORing that keystream with plaintext bytes (and decryption is the same XOR operation). This differs from RC5 and RC6, which are block ciphers: they encrypt fixed-size blocks of data through multiple rounds of operations (such as modular addition, XOR, and rotations) using a secret key. The stream-cipher design means RC4 historically fit protocols where data arrives continuously (e.g., early wireless and web encryption) and where simple, fast software implementation was desired. However, stream ciphers demand careful handling of nonces/IVs to avoid keystream reuse; reuse can catastrophically leak plaintext relationships. RC4 also has well-documented statistical biases in its keystream, leading to practical attacks in protocols like WEP and later concerns in TLS, which is why RC4 has been deprecated in modern security standards. Still, from a classification standpoint, “stream” is the distinguishing characteristic versus RC5/RC6 being block ciphers.