ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security engineer encrypts 500-MB log archives before uploading them to Amazon S3. The current workflow uses RSA with 2048-bit keys to encrypt each file directly, resulting in multi-minute processing times and high CPU utilization. Management now demands equal or stronger confidentiality while reducing both encryption/decryption time and storage overhead. Which approach best satisfies these requirements?
Adopt AES-128 in ECB mode to benefit from faster symmetric encryption while maintaining adequate strength.
Use AES-256 in GCM mode to encrypt each file with a random 256-bit data key and protect that key using AWS KMS.
Increase the RSA key size to 4096 bits and continue encrypting each file directly with the larger key.
Switch to 3DES in CBC mode with a 168-bit key because the shorter key reduces CPU cycles.
Encrypting large files directly with RSA is inefficient because asymmetric operations on large integers are slow and each small plaintext block expands to the full modulus size. Switching to a symmetric algorithm such as AES eliminates the heavy public-key computations and keeps ciphertext almost the same size as the plaintext (plus a small tag).
Using AES-256-GCM meets every requirement: it provides 256-bit symmetric strength-well above the ≈112-bit strength of RSA-2048-while GCM adds authenticated-encryption integrity. AWS KMS can generate a random 256-bit data key, perform envelope encryption, and securely store the wrapped key.
Increasing the RSA key to 4096 bits would further slow processing and double ciphertext size. Triple DES is slower than AES, offers only about 112-bit effective strength, and uses 64-bit blocks that are less efficient. AES-128 in ECB would be fast and at 128-bit strength still exceeds RSA-2048's security, but ECB leaks plaintext patterns and lacks integrity protection, violating confidentiality goals. Therefore, AES-256-GCM with a KMS-wrapped data key is the best option.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AES-256 in GCM mode?
Open an interactive chat with Bash
What is AWS KMS and how does it assist with encryption?
Open an interactive chat with Bash
Why is RSA less efficient for encrypting large files?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .