InterviewStack.io LogoInterviewStack.io

Asymmetric Cryptography and Public Key Infrastructure (PKI) Questions

Solid grasp of public-key algorithms including RSA, elliptic curve cryptography (ECC), and Diffie-Hellman key exchange. Understand key generation processes, mathematical principles underlying their security, and why larger keys are needed compared to symmetric cryptography. Know digital signatures, signature verification, and their role in authentication. Understand PKI architecture including certificate authorities (CAs), trust models, certificate chains, revocation mechanisms, and certificate validation. Be able to discuss modern PKI standards and practices.

MediumTechnical
47 practiced
For a high-scale web service handling millions of TLS connections per day, evaluate revocation strategies including CRLs, OCSP, OCSP stapling, short-lived certificates, and certificate pinning. Recommend a practical combination to balance latency, privacy, scalability, and timely revocation and explain operational considerations for implementation and monitoring.
HardSystem Design
47 practiced
Design a scalable PKI to provision and manage identities for tens of millions of IoT devices. Devices are low-resource, may be manufactured offline, and require secure boot, OTA updates, and robust revocation. Cover provisioning models (per-device credentials, group credentials, hardware-rooted identities), CA hierarchy, HSM placement, certificate lifetimes, offline revocation handling, privacy, and cost-effective operational concerns.
MediumTechnical
50 practiced
Given a TLS 1.2 handshake where the client receives a server certificate, enumerate the precise steps the client must perform to validate that certificate. Include chain building with intermediates, signature verification on each certificate, extension checks (basicConstraints, keyUsage, EKU), hostname verification, revocation checks, and treatment of missing or expired intermediates.
HardTechnical
42 practiced
A major intermediate CA in your corporate PKI was compromised and used to issue fraudulent certificates. As the lead cryptographer, outline a comprehensive incident response plan covering detection, containment, revocation and blacklisting strategy, re-issuing keys and certificates, root or intermediate replacement, coordinating with browser/OS vendors, using CT/OCSP to propagate revocation, and legal/audit actions.
MediumTechnical
47 practiced
Write pseudocode for a constant-time modular exponentiation routine suitable for RSA exponentiation that reduces timing leakage. Explain how your method ensures a constant control flow and avoids branching on secret exponent bits, and discuss the performance trade-offs compared to a naive square-and-multiply implementation.

Unlock Full Question Bank

Get access to hundreds of Asymmetric Cryptography and Public Key Infrastructure (PKI) interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.