Algorithm confusion

Crypto algorithms have specific use cases (encryption, signing, hashing, key exchange) and security properties (symmetric vs asymmetric, deprecated vs current). The trap offers an algorithm that's correct for a different use case than the one in the stem.

Most common in: Security+, CISSP, CEH, CCSP

The Trap in One Sentence

You picked the wrong crypto algorithm. AES vs DES, RSA vs ECC, SHA-256 vs MD5, symmetric vs asymmetric — each has a specific use case.

Pairs Candidates Confuse

  • AES vs RSA: symmetric bulk encryption vs asymmetric key exchange / signing
  • SHA-256 vs HMAC-SHA256: plain hash vs keyed authentication hash
  • RSA vs ECC: same purpose, different math; ECC for resource-constrained environments
  • MD5 vs SHA-256: deprecated vs current

How to Avoid It

  • Memorize the 'job to be done': bulk encrypt = symmetric (AES); key exchange / signature = asymmetric (RSA/ECC); integrity = hash (SHA family).
  • If the stem mentions deprecated standards (MD5, DES, WEP), the answer is a modern replacement.
  • Distinguish encryption-at-rest, in-transit, and signing — each picks different algorithms.

Frequently Asked Questions

How do I recognize an algorithm-confusion trap in an exam question?

When the choices are crypto algorithm names (AES, RSA, SHA-256, ECC, MD5, etc.), the question is testing whether you match the algorithm to the specific cryptographic job — bulk encryption, key exchange, hashing, or signing. Picking an algorithm that's valid but for the wrong job is the miss.

What's the tell-tale stem phrasing that signals this trap?

Words anchoring a specific crypto operation: "encrypt large volumes," "exchange a session key," "verify message integrity," "sign a certificate." Map the operation to the job class (symmetric / asymmetric / hash) before reading choices. Stems mentioning key size or performance constraints usually narrow to one algorithm family.

If two algorithms both seem valid, how do I decide?

First match the job class: symmetric for bulk data, asymmetric for key exchange or signatures, hash for integrity. Inside the class, narrow by deprecation: AES beats DES, SHA-256 beats MD5, RSA 2048+ beats RSA 1024. Performance-sensitive scenarios favor ECC over RSA.

What's a real example of an algorithm-confusion trap?

Stem: "A web application needs to authenticate the identity of a user submitting a signed JWT. Which algorithm BEST supports this?" Choices: (a) AES-256, (b) RSA-2048, (c) SHA-256, (d) HMAC-SHA256. Asymmetric signing is what JWTs need for cross-party verification, so (b) is correct. AES is symmetric (wrong job class); SHA-256 alone is just hashing without a key; HMAC-SHA256 works for shared-secret JWTs but not cross-party.
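To make the JWT case above concrete, here is an added Go example (not from the page or any exam vendor) contrasting RS256-style RSA signing, where the verifier holds only the public key, with HMAC-SHA256, where the verifier must hold the same secret the issuer used. The token body and the shared secret are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signingInput is a constructed base64url "header.payload" standing in for a real JWT body.
const signingInput = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9"

// hmacTag computes HMAC-SHA256 over the signing input (HS256); anyone holding key can produce it.
func hmacTag(key []byte, input string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// hmacVerify needs the very secret the issuer used, so a verifier could mint tokens too:
// the tag proves nothing to a third party (no non-repudiation, hence not cross-party).
func hmacVerify(key []byte, input string, tag []byte) bool {
	return hmac.Equal(hmacTag(key, input), tag)
}

// rsaSign signs SHA-256(input) with the private key (RS256 is PKCS#1 v1.5 over SHA-256).
func rsaSign(priv *rsa.PrivateKey, input string) ([]byte, error) {
	h := sha256.Sum256([]byte(input))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// rsaVerify needs only the public key: the verifying party holds nothing that lets it forge.
func rsaVerify(pub *rsa.PublicKey, input string, sig []byte) bool {
	h := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := rsaSign(priv, signingInput)
	fmt.Println("RSA: public-key verify:", rsaVerify(&priv.PublicKey, signingInput, sig))
	fmt.Println("RSA: tampered input:", rsaVerify(&priv.PublicKey, signingInput+"x", sig))
	secret := []byte("constructed-shared-secret") // issuer AND verifier must both hold this
	tag := hmacTag(secret, signingInput)
	fmt.Println("HMAC: shared-secret verify:", hmacVerify(secret, signingInput, tag))
	fmt.Println("HMAC: wrong secret:", hmacVerify([]byte("other"), signingInput, tag))
}
```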

How is algorithm-confusion different from protocol-confusion?

Algorithm-confusion is about cryptographic primitives (AES, RSA, SHA, ECC). Protocol-confusion is about higher-level protocols that USE those primitives (TLS, IPsec, SAML). A TLS question with cipher-suite choices is algorithm-confusion; a TLS-vs-IPsec question is protocol-confusion.

Why do item writers love this distractor mechanism?

Crypto is full of similar-sounding algorithm names and the difference between them matters for security guarantees. Item writers can construct distractors that are technically real algorithms but wrong for the use case, knowing candidates who only memorized names will miss the use-case fit.

Where does this trap show up most often?

Sec+ Domain 1 (General Security Concepts) and CISSP Domain 3 (Security Architecture and Engineering) feature it heavily. CEH and OSCP test it in offensive-vs-defensive crypto choices. CCSP and SC-100 emphasize KMS and HSM contexts where algorithm choice has cost and compliance implications.

How do I deliberately drill against this archetype?

Use the trap drill linked from the section above to focus reps on this pattern. Memorize the job-to-algorithm table: bulk encrypt = AES; key exchange = RSA or ECDH; signing = RSA or ECDSA; hashing = SHA-256 or SHA-3; password storage = bcrypt/argon2 (not SHA alone). Have the deprecated set (MD5, DES, SHA-1, RC4) tattooed in red.

Practice Against This Trap

28 cert-prep questions currently use this archetype as a distractor. Run a trap drill to face them in a row.
