A complete topic-by-topic study guide for the WGU HNO1 Cryptography OA — PKI, encryption algorithms, cipher modes, wireless security, hashing and more.

WGU HNO1 Cryptography OA: Complete Study Guide & Key Topics (2026)

The HNO1 Cryptography objective assessment at WGU covers a broad slice of applied cryptography — from public key infrastructure to wireless security to blockchain. This guide walks through every major topic area the OA draws on, so you can study the concepts rather than memorise answers. Work through each section, make sure you can explain it in your own words, and you will be well prepared.

Public Key Infrastructure and Digital Certificates

PKI is the framework that binds public keys to identities through trusted certificate authorities. Make sure you understand the certificate lifecycle — creation, issuance, distribution, and revocation — and which operations belong to each stage.

  • Revocation: A Certificate Revocation List (CRL) publishes revoked certificates; the Online Certificate Status Protocol (OCSP) provides the same information in real time, on demand.
  • Trust: For a certificate to be meaningful, both parties — buyer and seller — must trust the root CA's public key.
  • Certificate formats: DER is binary-encoded; PEM is base64 text. Know the difference.
  • Authentication direction: One-way server authentication proves the server's identity to a client; one-way client authentication proves the client to the server; mutual authentication does both.

Symmetric vs Asymmetric Cryptography

This distinction underpins much of the exam. Symmetric encryption uses a single shared key — it is fast and well suited to bulk data. Asymmetric encryption uses a public/private key pair — slower, but it solves key distribution and enables digital signatures.

  • Confidentiality: To send someone a private message, encrypt with their public key; only their private key can decrypt it.
  • Digital signatures: Sign with your private key; anyone can verify with your public key. This proves integrity and authenticity.
  • Key exchange: To share a symmetric key securely, encrypt it with the recipient's public key.
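
The three roles above (confidentiality, signatures, key exchange) in one place, as an added example that is not part of the original guide. It assumes textbook RSA without padding over a constructed toy key pair built from two Mersenne primes; the function names are illustrative, and real systems use much larger keys with OAEP or PSS padding.

```python
import hashlib
import secrets

# Constructed toy key pair (assumption): two known Mersenne primes, no padding.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)
PUBLIC, PRIVATE = (N, E), (N, D)

def encrypt(public, m: int) -> int:
    """Confidentiality: anyone can encrypt with the recipient's public key."""
    n, e = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(private, c: int) -> int:
    """Only the holder of the private key can reverse the encryption."""
    n, d = private
    return pow(c, d, n)

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message: bytes) -> int:
    """Digital signature: the signer applies the private key to the hash."""
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(public, message: bytes, signature: int) -> bool:
    """Anyone can check the signature with the signer's public key."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

def wrap_session_key(public):
    """Key exchange: a fresh 128-bit symmetric key, encrypted to the recipient."""
    key = secrets.token_bytes(16)
    return key, encrypt(public, int.from_bytes(key, "big"))

def unwrap_session_key(private, wrapped: int) -> bytes:
    return decrypt(private, wrapped).to_bytes(16, "big")

if __name__ == "__main__":
    key, wrapped = wrap_session_key(PUBLIC)
    print("session key recovered:", unwrap_session_key(PRIVATE, wrapped) == key)
    sig = sign(PRIVATE, b"constructed message")
    print("signature valid:", verify(PUBLIC, b"constructed message", sig))
```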

Encryption Algorithms

Know the headline algorithms and their key and block sizes — this is heavily tested.

  • AES: 128-bit block size; key sizes of 128, 192, or 256 bits. More rounds are used as the key length increases.
  • 3DES: 64-bit block, effective key size around 112 bits; encrypts, decrypts with a second key, then encrypts again.
  • RC4: A stream cipher — it encrypts one bit at a time — which sets it apart from block ciphers like RC5 and RC6.
  • Skipjack: An 80-bit key operating on 64-bit blocks.
  • Lightweight cryptography is chosen when an embedded system has limited processing resources.

Cipher Modes of Operation

Block ciphers can be run in several modes, and the OA expects you to recognise how each behaves.

  • ECB: Each block is encrypted independently with the same key — simple but reveals patterns.
  • CBC: An initialization vector is used to encrypt the first block, and each ciphertext block feeds into the encryption of the next.
  • CTR: Turns a block cipher into a stream cipher using a counter value and a nonce.
  • CFB and OFB: Feedback modes that also produce a stream-like output.
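
The pattern leak in ECB, compared with CBC and CTR, as an added example that is not part of the original guide. It assumes a toy Feistel block cipher built from SHA-256 in place of AES (not secure, chosen so the code runs with the standard library only); the key, IV, nonce and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 16  # bytes, the same block size as AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for AES (assumption)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB and CBC below omit padding, so their input must be block-aligned.
def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Every block is encrypted on its own: equal input blocks give equal output.
    return b"".join(toy_encrypt_block(key, b) for b in split(plaintext))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (IV first).
    out, prev = [], iv
    for b in split(plaintext):
        prev = toy_encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypt nonce||counter to make keystream, then XOR; the same call decrypts.
    return b"".join(
        xor(b, toy_encrypt_block(key, nonce + i.to_bytes(8, "big")))
        for i, b in enumerate(split(data)))

def repeated_blocks(ciphertext: bytes) -> int:
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample values: four identical 16-byte plaintext blocks.
KEY, IV, NONCE = b"constructed key!", bytes(range(16)), b"nonce-01"
PLAINTEXT = b"PAY ALICE 100USD" * 4

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(KEY, IV, PLAINTEXT)))
    print("CTR repeats:", repeated_blocks(ctr_crypt(KEY, NONCE, PLAINTEXT)))
```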

Wireless Security

  • WEP: Weak — uses a 24-bit initialization vector and a 40-bit RC4 key.
  • WPA with TKIP: Uses a 128-bit RC4 key and a message integrity check to guard against bit-flipping attacks.
  • WPA-Enterprise: Uses an authentication server with 802.1X and EAP, rather than a pre-shared key.

Hashing, Integrity and Salting

  • Hash functions verify integrity — a SHA hash produces a 160-bit output.
  • HMAC combines a hash with a secret key to verify both integrity and authenticity of a message.
  • Salting adds random data before hashing, so two users with the same password get different hashes. Bcrypt is a common salted password-hashing algorithm.
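
Salting and HMAC side by side, as an added example that is not part of the original guide. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and the function names, iteration count and sample inputs are constructed for illustration.

```python
import hashlib
import hmac
import os

def unsalted_hash(password: str) -> str:
    # The same password always gives the same digest, so precomputed tables work.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes = None):
    # A fresh random salt per user makes equal passwords hash differently.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # Re-derive with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

def plain_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)

def tamper_outcomes(key: bytes, original: bytes, altered: bytes) -> dict:
    """What a receiver accepts when a message is altered by someone without the key."""
    replaced_digest = plain_digest(altered)   # a bare hash needs no secret to redo
    genuine_tag = mac(key, original)          # the tag cannot be redone without key
    return {
        "plain_hash_accepts_altered": plain_digest(altered) == replaced_digest,
        "hmac_accepts_altered": verify_mac(key, altered, genuine_tag),
        "hmac_accepts_original": verify_mac(key, original, genuine_tag),
    }

if __name__ == "__main__":
    s1, d1 = hash_password("correct horse")
    s2, d2 = hash_password("correct horse")
    print("salted digests differ:", d1 != d2)
    print(tamper_outcomes(b"constructed-key", b"amount=10", b"amount=99"))
```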

Cryptographic Attacks

  • Birthday attack: Finds two different inputs that produce the same hash (a collision).
  • Rainbow table: Maps precomputed hashes back to original values — salting defeats it.
  • Brute force: Tries every possibility; the most time-consuming attack.
  • Frequency analysis: Exploits how often characters appear to break substitution ciphers.

Classical Ciphers, IPsec and Blockchain

  • Classical ciphers: The Caesar cipher shifts letters; the Vigenère cipher uses a keyword for polyalphabetic substitution.
  • IPsec: The key-exchange handshake uses UDP port 500. With ESP in transport mode, packet content can be inspected at the endpoints — before sending and after receiving.
  • Blockchain: Bitcoin adds transactions roughly every 10 minutes; mining rewards decrease over time to cap supply; proof of work is designed to be hard to produce but easy to verify.

How to Approach the OA

Focus your revision on understanding why each mechanism works, not just what it is called. Be able to explain the difference between symmetric and asymmetric use cases, walk through the certificate lifecycle, and compare cipher modes. If you can teach each topic above to someone else, you are ready for the assessment.