WGU Introduction-to-Cryptography - WGU Introduction to Cryptography HNO1

Asymmetric encryption (also called public key cryptography) uses a pair of mathematically related keys: a public key and a private key. One key is used to encrypt, and the other is used to decrypt, which is the defining “different keys” property asked in the question. In the common confidentiality use case, a sender encrypts a message using the recipient’s public key, and only the recipient can decrypt it using their private key. This solves the key distribution problem inherent in symmetric encryption, where both parties must securely share the same secret key in advance. Asymmetric systems also enable digital signatures: the private key signs (creates a signature) and the public key verifies it, providing authenticity and integrity. Symmetric encryption, by contrast, uses the same shared key for both encryption and decryption (even though internal round keys may exist, it is still one shared secret). “Private key” alone is not a full encryption type, and “secure” is a generic description rather than a cryptographic category. Therefore, the correct answer is D. Asymmetric.

Lightweight cryptography refers to cryptographic primitives and profiles engineered for environments where computational resources are constrained—limited CPU, memory, power, bandwidth, and code size—while still requiring robust security. Typical targets include IoT sensors, embedded controllers, smart cards, RFID, wearables, and many mobile or edge deployments. The design goals emphasize efficiency (low energy consumption, small silicon area for hardware, small firmware footprint) and practical performance under constraints, often while providing modern security properties like authenticated encryption (confidentiality + integrity) and secure hashing. Lightweight cryptography is not simply “stronger encryption”; it balances security with implementability in constrained systems. It is also not restricted to military settings and is not inherently outdated—many lightweight designs are modern and motivated by the rapid growth of IoT and pervasive computing. Because constrained devices are common entry points for attackers, having secure primitives that fit those devices is a critical part of contemporary security architecture. Therefore, the best description is cryptographic algorithms designed for resource-constrained environments.

WPA with TKIP was designed as an interim improvement over WEP while still using the RC4 stream cipher for compatibility with legacy hardware. TKIP addresses WEP’s major weaknesses by introducing per-packet key mixing, a message integrity mechanism (“Michael”), and replay protection. In TKIP, the encryption key used with RC4 is 128 bits. Practically, TKIP derives a per-packet RC4 key from a 128-bit temporal key (TK), the transmitter’s MAC address, and a sequence counter (TKIP Sequence Counter, TSC) to avoid the simple IV reuse patterns that made WEP easy to break. Even with these improvements, TKIP has known weaknesses and is deprecated in favor of WPA2/WPA3 using AES-based CCMP/GCMP. But strictly for the question asked, TKIP’s RC4 keying material is based on a 128-bit key size, not 40/56-bit legacy sizes and not 256-bit.

One-way server authentication is the standard model used by most TLS-enabled web services to prove the server’s identity to a client. In this model, the server presents an X.509 certificate during the TLS handshake. The client validates the certificate chain to a trusted root CA, checks hostname binding (CN/SAN), validates validity dates, and may check revocation status. If validation succeeds, the client gains cryptographic assurance that it is communicating with the holder of the private key corresponding to the server certificate’s public key, and that the certificate is issued to the expected domain/identity. This proves the server’s identity to the customer without requiring the customer to present a certificate. Mutual authentication would require both client and server to authenticate each other using certificates (commonly in certain enterprise APIs), but the question asks specifically about the web service proving its identity to the customer, which is satisfied by server-only authentication. One-way client authentication is the opposite direction (client proves identity to server). “End-to-end authentication” is a broader concept and not the specific TLS identity proof mechanism described here. Thus, one-way server authentication is the correct choice.

One-way client authentication is the method where the client (customer) proves its identity to the server (web service). In cryptographic terms, this is commonly implemented through client credentials such as client TLS certificates (mTLS from the server’s perspective) or through authentication protocols layered over TLS (for example, signed tokens), but the defining direction is that the client is the party being authenticated. In a strict TLS certificate-authentication framing, client authentication occurs when the server requests a client certificate during the handshake and the client demonstrates possession of the corresponding private key (via signature in handshake messages). The server then validates the client certificate chain and authorization policy. One-way server authentication, by contrast, authenticates only the server to the client and does not identify the customer. Mutual authentication authenticates both sides simultaneously; while it includes client authentication, it is broader than what the question asks. “End-to-end authentication” describes assurance between endpoints across intermediaries, but it is not the specific “customer authenticates to service” method in certificate-based terminology. Therefore, the best answer is one-way client authentication.

For Bitcoin, transactions are confirmed by inclusion in blocks, and the network targets an average block interval of about 10 minutes. That means transactions are “added” to the Bitcoin blockchain approximately every 10 minutes in the sense that a new block containing a batch of transactions is appended at that cadence. The 10-minute target is achieved by a difficulty adjustment mechanism that recalibrates mining difficulty roughly every 2016 blocks, aiming to keep the average interval stable despite changes in total network hash power. It is important to note that this is an average: blocks can be found faster or slower in the short term due to the probabilistic nature of proof-of-work mining. Other blockchains have different block times (seconds to minutes), but the question’s options and typical curriculum context align with Bitcoin’s 10-minute design. Therefore, the correct choice is approximately every 10 minutes.

OCSP is the primary online alternative to CRLs for checking whether a certificate has been revoked. With a CRL, a relying party periodically downloads a list of revoked certificate serial numbers published by the issuing CA (or CRL distribution point). That approach can be bandwidth-heavy, introduces latency between revocation and client awareness, and can result in clients using stale revocation data if updates are infrequent. OCSP improves this by allowing a client (or a server on the client’s behalf) to query an OCSP responder in near real time about the status of a specific certificate (good, revoked, or unknown). In practice, many TLS deployments use OCSP stapling, where the server periodically fetches a signed OCSP response from the CA’s responder and “staples” it to the TLS handshake, reducing client-side network calls and improving privacy (the CA doesn’t learn which site the client is visiting). Thus, OCSP provides a more timely, certificate-specific revocation status mechanism than CRLs while preserving the CA’s signed assurance.