All Introduction-to-Cryptography Test Inside WGU Questions

RC4 is unique among the RC family listed because it is a stream cipher. It generates a pseudorandom keystream and encrypts data by XORing that keystream with plaintext bytes (and decryption is the same XOR operation). This differs from RC5 and RC6, which are block ciphers: they encrypt fixed-size blocks of data through multiple rounds of operations (such as modular addition, XOR, and rotations) using a secret key. The stream-cipher design means RC4 historically fit protocols where data arrives continuously (e.g., early wireless and web encryption) and where simple, fast software implementation was desired. However, stream ciphers demand careful handling of nonces/IVs to avoid keystream reuse; reuse can catastrophically leak plaintext relationships. RC4 also has well-documented statistical biases in its keystream, leading to practical attacks in protocols like WEP and later concerns in TLS, which is why RC4 has been deprecated in modern security standards. Still, from a classification standpoint, “stream” is the distinguishing characteristic versus RC5/RC6 being block ciphers.

One-way client authentication is the method where the client (customer) proves its identity to the server (web service). In cryptographic terms, this is commonly implemented through client credentials such as client TLS certificates (mTLS from the server’s perspective) or through authentication protocols layered over TLS (for example, signed tokens), but the defining direction is that the client is the party being authenticated. In a strict TLS certificate-authentication framing, client authentication occurs when the server requests a client certificate during the handshake and the client demonstrates possession of the corresponding private key (via signature in handshake messages). The server then validates the client certificate chain and authorization policy. One-way server authentication, by contrast, authenticates only the server to the client and does not identify the customer. Mutual authentication authenticates both sides simultaneously; while it includes client authentication, it is broader than what the question asks. “End-to-end authentication” describes assurance between endpoints across intermediaries, but it is not the specific “customer authenticates to service” method in certificate-based terminology. Therefore, the best answer is one-way client authentication.

3DES (Triple DES) applies the DES block cipher three times to increase effective security, and its commonly cited valid key sizes correspond to how many independent DES keys are used. Two-key 3DES uses two 56-bit DES keys (K1 and K2) in an EDE sequence (Encrypt with K1, Decrypt with K2, Encrypt with K1), yielding 112 bits of keying material (ignoring parity bits). Three-key 3DES uses three independent 56-bit keys for a total of 168 bits of keying material, but that option is not listed here. A 56-bit key corresponds to single DES, not 3DES. 128-bit is associated with AES, not 3DES. 2,048-bit is typical for RSA keys, not symmetric ciphers. Therefore, among the choices provided, 112-bit is a valid 3DES key size. While 3DES is now deprecated for many uses due to its 64-bit block size and performance limitations, understanding its keying options remains important for legacy system assessment.

In a PKI environment, a digital certificate is the standard credential used to bind an identity (user, device, service) to a public key, with that binding vouched for by a Certificate Authority. For device authentication, the device typically proves possession of the private key corresponding to the certificate’s public key (for example, during a TLS handshake). As a second factor in a two-factor model, a certificate (often stored in a TPM, smart card, or secure enclave) represents “something you have”—a cryptographic credential anchored to hardware or a managed endpoint. The other listed options (symmetric encryption, asymmetric encryption, digital signature) are cryptographic operations or algorithm classes, not stand-alone authentication factors. A digital signature is a mechanism used within authentication flows, but it is not itself the credential that establishes an enrolled device identity within PKI. In practice, a certificate-based device factor is commonly paired with a knowledge factor (password/PIN) or a biometric factor to achieve true 2FA, but among these choices, the appropriate second form of authentication in PKI terms is the digital certificate.