Cryptography and PKI for CompTIA Security+ SY0-701
Cryptography is the backbone of modern security, ensuring confidentiality, integrity, authentication, and non-repudiation. For the Security+ SY0-701 exam, you must understand symmetric vs. asymmetric algorithms, hashing, digital signatures, and the Public Key Infrastructure (PKI). This guide breaks down each concept with real-world examples and exam-focused tips.
Symmetric Encryption
Symmetric encryption uses a single shared key for both encryption and decryption. It is fast and efficient for bulk data encryption.
Common algorithms:
- AES (Advanced Encryption Standard): Block cipher, key sizes 128, 192, 256 bits. Used in WPA2, TLS, BitLocker.
- DES/3DES: DES is obsolete; 3DES uses three 56-bit keys but is deprecated due to slow performance and security concerns.
- RC4: Stream cipher, historically used in WEP and early TLS, now considered weak.
- Blowfish/Twofish: Blowfish is fast; Twofish is a stronger successor.
Real-world example: When you connect to a HTTPS website, TLS uses AES for encrypting the actual data after the handshake.
Exam tip: Know that AES is the standard. Remember key sizes: AES-128, AES-192, AES-256. 3DES is still exam-relevant but deprecated.
Asymmetric Encryption
Asymmetric encryption uses a key pair: a public key (shared) and a private key (secret). It solves the key distribution problem but is slower than symmetric.
Common algorithms:
- RSA: Based on factoring large primes. Key sizes 1024, 2048, 4096 bits. 2048+ is recommended.
- ECC (Elliptic Curve Cryptography): Smaller keys for equivalent security (e.g., 256-bit ECC ≈ 3072-bit RSA). Used in modern TLS, Bitcoin.
- Diffie-Hellman (DH): Key exchange protocol, not encryption. Used with RSA or ECC.
- ElGamal: Based on discrete logarithm, used in PGP.
Real-world example: When you send an encrypted email using PGP, your email client encrypts the symmetric key with the recipient's public key (RSA or ECC).
Exam tip: Understand that asymmetric encryption is used for key exchange, digital signatures, and non-repudiation. Know that ECC provides equivalent security with smaller keys.
Hashing
Hashing creates a fixed-length digest (hash) from input data. It is one-way: you cannot reverse the hash to get the original data.
Common algorithms:
- MD5: 128-bit hash, broken (collision attacks). Not used for security.
- SHA-1: 160-bit hash, deprecated due to collision attacks.
- SHA-2: Family including SHA-256, SHA-384, SHA-512. Current standard.
- SHA-3: Newest NIST standard, not yet widespread.
Real-world example: When you download a software ISO, the website provides a SHA-256 hash. You compute the hash of your download and compare; if they match, integrity is verified.
Exam tip: Know that hashing ensures integrity, not confidentiality. Passwords are stored as hashes (often with salt). SHA-256 is the most common exam answer.
Digital Signatures
A digital signature provides authentication, integrity, and non-repudiation. The sender signs a hash of the message with their private key; the receiver verifies with the sender's public key.
Process:
- Sender hashes the message.
- Sender encrypts the hash with their private key (signing).
- Receiver decrypts the signature with sender's public key to get the hash.
- Receiver hashes the message independently and compares.
Real-world example: Code signing certificates ensure that software comes from a trusted publisher and hasn't been tampered with. Windows uses Authenticode.
Exam tip: Digital signatures use asymmetric encryption but applied to the hash, not the whole message. They provide non-repudiation because only the sender's private key could have created the signature.
Public Key Infrastructure (PKI)
PKI manages digital certificates and public-key encryption. Components include Certificate Authority (CA), Registration Authority (RA), Certificate Revocation List (CRL), and Online Certificate Status Protocol (OCSP).
Certificate types:
- Wildcard: *.example.com covers all subdomains.
- Subject Alternative Name (SAN): Allows multiple domains in one certificate.
- Self-signed: Not trusted by browsers; used for internal testing.
Certificate lifecycle:
- Certificate Signing Request (CSR) generated.
- CA validates identity and issues certificate.
- Certificate is installed and used.
- Expiration or revocation (via CRL or OCSP).
Real-world example: When you visit https://google.com, your browser checks the server's certificate against trusted CAs (e.g., DigiCert). It verifies the signature, expiration, and revocation status via OCSP.
Exam tip: Know the difference between CRL (list of revoked certs) and OCSP (real-time check). OCSP uses port 80 (HTTP) or 443 (HTTPS). Understand that PKI enables trust through a chain of trust from root CA to intermediate CA to end-entity.
What to Watch for on the Exam
- Symmetric vs. Asymmetric: Symmetric = fast, shared key; Asymmetric = slow, key pair. Hybrid encryption uses asymmetric to exchange a symmetric key.
- Key exchange: Diffie-Hellman is for key agreement; RSA can also exchange keys. Perfect Forward Secrecy (PFS) uses ephemeral Diffie-Hellman (DHE or ECDHE).
- Hashing vs. Encryption: Hashing is one-way, no key; encryption is two-way with a key.
- Digital signature vs. HMAC: HMAC uses a shared secret, no non-repudiation; digital signatures use asymmetric keys, provide non-repudiation.
- PKI terms: CA, RA, CRL, OCSP, CSR. Know that CRL is a list, OCSP is a protocol.
- Ports: LDAP (389), LDAPS (636), OCSP (80/443), S/MIME email (usually port 25/587 with SMTP).
- Steganography vs. cryptography: Steganography hides data; cryptography scrambles it.
Conclusion
Mastering cryptography and PKI is essential for the Security+ exam. Focus on understanding the purpose of each algorithm, the differences between symmetric/asymmetric/hashing, and the PKI components. Practice identifying when each is used in scenarios.
Ready to test your knowledge? Try our free Security+ practice questions covering cryptography and PKI at [PracticeExamLink]. Consistent practice will solidify these concepts for exam day.