
Security+ Cryptography: Symmetric, Asymmetric, Hashing, and PKI Explained

A clear guide to cryptographic algorithms, key exchange, digital signatures, certificates, and PKI for the CompTIA Security+ SY0-701 exam.

Courseiva Study Hub

Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva


Cryptography and PKI for CompTIA Security+ SY0-701

Cryptography is the backbone of modern security, ensuring confidentiality, integrity, authentication, and non-repudiation. For the Security+ SY0-701 exam, you must understand symmetric vs. asymmetric algorithms, hashing, digital signatures, and the Public Key Infrastructure (PKI). This guide breaks down each concept with real-world examples and exam-focused tips.

Symmetric Encryption

Symmetric encryption uses a single shared key for both encryption and decryption. It is fast and efficient for bulk data encryption.

Common algorithms:

  • AES (Advanced Encryption Standard): 128-bit block cipher with key sizes of 128, 192, or 256 bits. Used in WPA2, TLS, BitLocker.
  • DES/3DES: DES (56-bit key) is obsolete; 3DES chains DES three times with three 56-bit keys but keeps DES's 64-bit block, and is deprecated because of its slow performance and weakened security.
  • RC4: Stream cipher, historically used in WEP and early TLS; now broken and prohibited in TLS.
  • Blowfish/Twofish: Blowfish is fast but uses a 64-bit block; Twofish, its 128-bit-block successor, was an AES finalist.

Real-world example: When you connect to an HTTPS website, the asymmetric work is confined to the TLS handshake that establishes a shared session key; the application data that follows is protected with a symmetric cipher, typically AES-GCM or ChaCha20-Poly1305.

Exam tip: Know that AES is the standard. Remember key sizes: AES-128, AES-192, AES-256. 3DES is still exam-relevant but deprecated.

Asymmetric Encryption

Asymmetric encryption uses a key pair: a public key (shared) and a private key (secret). It solves the key distribution problem but is slower than symmetric.

Common algorithms:

  • RSA: Security rests on the difficulty of factoring the product of two large primes. Key sizes 1024 (deprecated), 2048, 3072, 4096 bits; 2048 or larger is recommended.
  • ECC (Elliptic Curve Cryptography): Smaller keys for equivalent security (e.g., 256-bit ECC ≈ 3072-bit RSA). Used in modern TLS (ECDHE, ECDSA) and Bitcoin.
  • Diffie-Hellman (DH): Key agreement protocol, not encryption. DH alone does not authenticate the parties, so in TLS it is combined with RSA or ECDSA signatures.
  • ElGamal: Based on the discrete logarithm problem; used for encryption in PGP.

Real-world example: When you send an encrypted email using PGP, your email client encrypts the symmetric key with the recipient's public key (RSA or ECC).

Exam tip: Understand that asymmetric encryption is used for key exchange, digital signatures, and non-repudiation. Know that ECC provides equivalent security with smaller keys.

Hashing

Hashing creates a fixed-length digest (hash) from input data. It is one-way: you cannot reverse the hash to get the original data. A secure hash is also collision-resistant: it should be infeasible to find two different inputs that produce the same digest, which is the property that MD5 and SHA-1 have lost.

Common algorithms:

  • MD5: 128-bit hash, broken (practical collision attacks). Not acceptable for security use.
  • SHA-1: 160-bit hash, deprecated; a practical collision was demonstrated in 2017.
  • SHA-2: Family including SHA-256, SHA-384, SHA-512. Current standard.
  • SHA-3: Newest NIST standard (FIPS 202, 2015); widely supported but deployed far less than SHA-2.

Real-world example: When you download a software ISO, the website provides a SHA-256 hash. You compute the hash of your download and compare; if they match, integrity is verified. The check is only as good as the channel the hash came from: an attacker who can replace the download on a mirror can usually replace the hash posted next to it, so the digest should come from the vendor's HTTPS site or be covered by a digital signature.

Exam tip: Know that hashing ensures integrity, not confidentiality. Passwords are stored as salted hashes, ideally produced by a deliberately slow password-hashing function (bcrypt, PBKDF2, Argon2; the exam calls this key stretching) rather than a single fast SHA-256. SHA-256 is the most common exam answer for general-purpose hashing.
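Both uses of hashing in this section, verifying a download and storing passwords, are shown in the following example, added here and not part of the original guide. It hashes a file in chunks (so a multi-gigabyte ISO never has to fit in memory), compares against the published digest in constant time, and stores a password with a per-user salt and PBKDF2 key stretching. The "ISO" and its published digest are constructed stand-ins; the iteration count follows OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import io
import os


def sha256_stream(fileobj, chunk_size: int = 1 << 20) -> str:
    """Hash a file object in chunks; works for files far larger than RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return sha256_stream(io.BytesIO(data))


def verify_download(fileobj, published_hex: str) -> bool:
    """Compare computed and published digests in constant time.
    compare_digest does not leak how many leading characters matched."""
    return hmac.compare_digest(sha256_stream(fileobj), published_hex.strip().lower())


# Password storage: a random salt per user plus a deliberately slow KDF (key stretching),
# never a bare SHA-256 of the password.
PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet (2023) for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Keep algorithm, cost and salt with the hash so the verifier can recompute it.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed stand-in for a downloaded ISO and the digest the vendor would publish.
FAKE_ISO = b"ISO 9660 image bytes stand-in " * 1000
PUBLISHED = hashlib.sha256(FAKE_ISO).hexdigest()


def demo():
    intact = verify_download(io.BytesIO(FAKE_ISO), PUBLISHED)
    tampered = bytearray(FAKE_ISO)
    tampered[100] ^= 0x01                     # a single flipped bit changes about half the digest
    corrupt = verify_download(io.BytesIO(bytes(tampered)), PUBLISHED)
    stored = hash_password("correct horse battery staple", iterations=10_000)  # low cost for the demo only
    return (intact, corrupt,
            verify_password("correct horse battery staple", stored),
            verify_password("Tr0ub4dor&3", stored))


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

Because the salt is random, hashing the same password twice yields two different stored strings, which is what stops an attacker from cracking a whole breached database with one precomputed table.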

Digital Signatures

A digital signature provides authentication, integrity, and non-repudiation. The sender signs a hash of the message with their private key; the receiver verifies with the sender's public key.

Process:

  1. Sender hashes the message.
  2. Sender signs the hash with their private key (for RSA this is often described as "encrypting the hash with the private key").
  3. Receiver verifies the signature with the sender's public key, recovering the hash the sender signed.
  4. Receiver hashes the message independently and compares; any mismatch means the message or signature was altered.

Real-world example: Code signing certificates ensure that software comes from a trusted publisher and hasn't been tampered with. Windows uses Authenticode.

Exam tip: Digital signatures apply the private-key operation to the hash, not the whole message. They provide non-repudiation because only the holder of the private key could have created the signature. The "encrypt the hash with the private key" picture is literally true for textbook RSA; schemes such as RSA-PSS and ECDSA are dedicated signature algorithms rather than encryption run backwards, but the exam reasons about them the same way.

Public Key Infrastructure (PKI)

PKI manages digital certificates and public-key encryption. Components include Certificate Authority (CA), Registration Authority (RA), Certificate Revocation List (CRL), and Online Certificate Status Protocol (OCSP).

Certificate types:

  • Wildcard: *.example.com covers hosts exactly one label below the domain (www.example.com, mail.example.com) but not example.com itself or a.b.example.com.
  • Subject Alternative Name (SAN): Lists multiple hostnames (or IP addresses) in one certificate; browsers match the requested hostname against the SAN entries, not the Common Name.
  • Self-signed: Signed with its own private key, so no CA vouches for it; browsers warn unless it is manually trusted. Used for labs and internal testing.
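The wildcard and SAN rules above are easy to get wrong, so the following example, added here and not part of the original guide, implements hostname matching the way browsers apply it (RFC 6125): case-insensitive comparison against each SAN entry, a wildcard only as the entire leftmost label, covering exactly one label, and no wildcard directly under a top-level domain such as *.com. The SAN list and hostnames are constructed.

```python
def hostname_matches(hostname: str, cert_names) -> bool:
    """Return True if hostname is covered by one of the certificate's SAN entries."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pattern = name.lower().rstrip(".").split(".")
        if pattern == host:
            return True                            # exact SAN entry
        if (pattern[0] == "*"                      # wildcard must be the whole leftmost label
                and len(pattern) >= 3              # refuse "*.com"-style patterns
                and len(pattern) == len(host)      # the wildcard covers exactly one label
                and pattern[1:] == host[1:]):      # every other label must match exactly
            return True
    return False


def check_cases():
    """Constructed SAN list and hostnames illustrating each rule; returns per-host pass/fail."""
    san = ["example.com", "*.example.com", "api.partner.net"]
    expected = {
        "example.com": True,             # exact entry
        "www.example.com": True,         # one label under the wildcard
        "WWW.Example.COM": True,         # matching is case-insensitive
        "a.b.example.com": False,        # two labels: wildcard covers only one
        "api.partner.net": True,         # second SAN entry
        "www.partner.net": False,        # no wildcard for partner.net
        "example.com.evil.org": False,   # suffix tricks do not match
        "www.example.com.": True,        # trailing dot (absolute name) is normalised away
    }
    return {h: hostname_matches(h, san) == want for h, want in expected.items()}


if __name__ == "__main__":
    for host, passed in check_cases().items():
        print(f"{host:25} {'ok' if passed else 'MISMATCH'}")
```

A certificate for *.example.com therefore does not protect the bare apex; sites that need both list example.com as a separate SAN entry, which is why that combination is so common in practice.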

Certificate lifecycle:

  1. Key pair generated by the subject; a Certificate Signing Request (CSR) containing the public key and identity details is created and sent to the CA (the private key never leaves the subject).
  2. CA validates identity (for TLS, control of the domain) and issues the certificate, signed with the CA's private key.
  3. Certificate is installed and used.
  4. Expiration, or revocation before expiry (published via CRL or OCSP).

Real-world example: When you visit https://google.com, your browser builds a chain from the server's certificate through any intermediates to a root CA in its trust store (e.g., DigiCert) and verifies the signatures along the chain. It also checks that the hostname matches a name in the certificate, that the certificate is within its validity period, and its revocation status, via OCSP, an OCSP response stapled by the server, or the browser vendor's own revocation list.

Exam tip: Know the difference between CRL (a signed list of revoked certs, downloaded periodically) and OCSP (a real-time status check for one certificate). OCSP uses port 80 (HTTP) or 443 (HTTPS); with OCSP stapling the server fetches the response itself and attaches it to the TLS handshake, so the client need not contact the CA. Understand that PKI enables trust through a chain of trust from root CA to intermediate CA to end-entity.

What to Watch for on the Exam

  • Symmetric vs. Asymmetric: Symmetric = fast, shared key; Asymmetric = slow, key pair. Hybrid encryption uses asymmetric to exchange a symmetric key.
  • Key exchange: Diffie-Hellman is for key agreement; RSA can also transport a key (the client encrypts a random session key with the server's public key, a method TLS 1.3 removed). Perfect Forward Secrecy (PFS) uses ephemeral Diffie-Hellman (DHE or ECDHE), so a later compromise of the server's long-term key does not expose recorded sessions.
  • Hashing vs. Encryption: Hashing is one-way, no key; encryption is two-way with a key.
  • Digital signature vs. HMAC: HMAC uses a shared secret, no non-repudiation; digital signatures use asymmetric keys, provide non-repudiation.
  • PKI terms: CA, RA, CRL, OCSP, CSR. Know that CRL is a list, OCSP is a protocol.
  • Ports: LDAP (389), LDAPS (636), OCSP (80/443). S/MIME protects the message itself rather than the connection, so it has no port of its own; the signed or encrypted mail travels over whatever SMTP (25/587) or IMAP connection carries it.
  • Steganography vs. cryptography: Steganography hides data; cryptography scrambles it.

Conclusion

Mastering cryptography and PKI is essential for the Security+ exam. Focus on understanding the purpose of each algorithm, the differences between symmetric/asymmetric/hashing, and the PKI components. Practice identifying when each is used in scenarios.

Ready to test your knowledge? Try our free Security+ practice questions covering cryptography and PKI at [PracticeExamLink]. Consistent practice will solidify these concepts for exam day.

Practise Security+ questions

Original exam-style practice questions with detailed, explained answers. Track your weak topics and review missed questions before exam day.

Courseiva provides free IT certification practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics. Explore related practice questions for Cisco, CompTIA, Microsoft Azure, AWS, and other certification exams.