SC-900 | Chapter 44 of 103 | Objective 1.1

Encryption Fundamentals for SC-900

This chapter covers the fundamental concepts of encryption, hashing, and digital signatures as they relate to Microsoft security and compliance. Understanding these building blocks is essential for the SC-900 exam, as encryption underpins many Microsoft 365 security features like BitLocker, Azure Information Protection, and Microsoft Purview Message Encryption. Approximately 10-15% of SC-900 exam questions touch on encryption fundamentals, either directly or as part of broader security scenarios. By the end of this chapter, you will be able to differentiate between symmetric and asymmetric encryption, explain hashing and digital signatures, and identify when each is used in Microsoft's security solutions.

25 min read
Intermediate
Updated May 31, 2026

Encryption as a Sealed, Locked Letter

Imagine you need to send a confidential letter through an untrusted courier service. Encryption is like placing your message inside an envelope, then sealing it with a lock that only the intended recipient can open. The original text is the plaintext; the locked envelope is the ciphertext. The lock's key is the encryption key. If you use symmetric encryption, both you and the recipient share an identical key, like having two copies of the same lock key. If you use asymmetric encryption, you lock the envelope with the recipient's public key (a lock that anyone can use to seal, but only the recipient's private key can open). Hashing is like a tamper-evident seal: it cannot be undone to reveal the contents, but any change to the envelope changes the seal, so it is a one-way function. Digital signatures combine hashing and asymmetric cryptography: you compute a hash of your message and then sign that hash with your private key (with RSA this amounts to encrypting the hash), creating a signature that anyone can verify using your public key. This proves the message originated from you and has not been altered.

How It Actually Works

What Is Encryption and Why Does It Exist?

Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and a key. The primary goal is to ensure confidentiality — only authorized parties with the correct key can reverse the process (decryption). Encryption exists to protect data at rest (stored on disks, databases), in transit (network communications), and in use (memory processing). Without encryption, any data intercepted or stolen would be immediately readable.

Symmetric Encryption: The Shared Secret

Symmetric encryption uses a single key for both encryption and decryption. Both sender and recipient must share this key securely before communication. Common symmetric algorithms include AES (Advanced Encryption Standard) with key sizes of 128, 192, or 256 bits, and 3DES (Triple Data Encryption Standard), which is a legacy algorithm being retired. AES is the algorithm behind Microsoft's at-rest encryption: Azure Storage encryption uses AES-256, and BitLocker supports AES-128 and AES-256 (XTS-AES 128-bit is the Windows default; 256-bit keys are selected through policy).

How it works:
- The sender encrypts plaintext with the shared key to produce ciphertext.
- The ciphertext is transmitted over an insecure channel.
- The recipient decrypts the ciphertext using the same shared key to recover plaintext.

Key characteristics:
- Speed: Symmetric encryption is fast and suitable for bulk data encryption.
- Key distribution problem: The shared key must be exchanged securely, which is a challenge over untrusted networks.
- Scalability: Each pair of communicating parties needs a unique key; for n parties, n(n-1)/2 keys are needed (10 parties already need 45 keys).

Microsoft implementation: BitLocker Drive Encryption uses AES-128 or AES-256 (in XTS mode on current Windows versions) to encrypt entire volumes. Azure Storage Service Encryption (SSE) uses AES-256 to encrypt data at rest.

Asymmetric Encryption: Public and Private Keys

Asymmetric encryption uses a pair of mathematically related keys: a public key and a private key. The public key can be freely distributed; the private key is kept secret. Data encrypted with the public key can only be decrypted with the corresponding private key. The reverse direction, applying the private key so that anyone holding the public key can undo the operation, is what RSA signatures build on; it is a property of RSA, not of every asymmetric algorithm. Common algorithms include RSA (Rivest-Shamir-Adleman) with key sizes of 2048 or 4096 bits, and Elliptic Curve Cryptography (ECC) with curves like P-256 or P-384, which is used for key agreement (ECDH) and signatures (ECDSA) rather than for encrypting data directly.

How it works (encryption for confidentiality):
- Bob generates a key pair: public key (PubBob) and private key (PrivBob).
- Alice obtains Bob's public key (PubBob) from a trusted source (e.g., a certificate).
- Alice encrypts her message with PubBob to produce ciphertext.
- Only Bob can decrypt the ciphertext using his private key (PrivBob).

Digital signatures (authentication and integrity):
- Bob computes a hash of his message, then signs that hash with his private key (PrivBob) to create a digital signature (with RSA, this is in effect encrypting the hash).
- Bob sends the message and signature to Alice.
- Alice applies Bob's public key (PubBob) to the signature to recover the hash.
- Alice computes the hash of the received message independently.
- If the two hashes match, the message is authentic and unaltered.

Key characteristics:
- Slower: Asymmetric encryption is computationally expensive, so it is rarely used for bulk data. Instead, it is used for key exchange and digital signatures.
- Key distribution is easier, not gone: Public keys can be shared openly and only private keys must be kept secret, but Alice still needs assurance that the public key she holds really belongs to Bob. Certificates issued by a Certificate Authority provide that binding, which is why an attacker who can substitute a public key defeats the scheme.
- Scalability: Each user needs only one key pair; n users require n key pairs.

Microsoft implementation: Azure Information Protection (AIP) uses asymmetric encryption for key management via Azure Key Vault. Microsoft Purview Message Encryption uses asymmetric keys for protecting email messages.

Hashing: The One-Way Street

Hashing is a cryptographic function that takes an input of any size and produces a fixed-size output called a hash or digest. The output is deterministic and, for a secure algorithm, practically unique to its input: finding two different inputs with the same hash (a collision) is computationally infeasible, and even a one-bit change in the input produces a completely different hash (avalanche effect). Hashing is a one-way function; it is computationally infeasible to reverse the hash to recover the original input. Hashing uses no key. Common hash algorithms include SHA-256 (Secure Hash Algorithm 256-bit), SHA-384, and SHA-512 (part of the SHA-2 family). SHA-1 is deprecated because practical collision attacks against it have been demonstrated.

How it works:
- Input data is processed through the hash algorithm.
- The output is a fixed-length string (e.g., 64 hex characters for SHA-256).
- The hash is stored or transmitted as a fingerprint of the data.

Uses:
- Data integrity: Compare a computed hash with a known good hash to detect tampering. The known good hash must itself come from a trusted source, or be signed; otherwise an attacker who can replace the file can replace the published hash too.
- Password storage: Store a salted hash of the password instead of the plaintext, using a deliberately slow, iterated construction such as PBKDF2 rather than a single SHA-256 pass, so that offline guessing is expensive.
- Digital signatures: The hash is signed instead of the entire message.

Microsoft implementation: PowerShell's Get-FileHash cmdlet defaults to SHA-256, and Authenticode code signatures use SHA-256 file digests. Azure AD Connect password hash synchronization does not send the on-premises password hash as-is: it adds a per-user salt and re-hashes it with PBKDF2-HMAC-SHA256 before the result is sent to Azure AD.

Digital Signatures: Combining Hashing and Asymmetric Encryption

A digital signature provides authentication (proves the signer's identity), non-repudiation (signer cannot deny signing), and integrity (data has not been altered). The process:
1. Signer computes a hash of the message.
2. Signer signs the hash with their private key to create the signature. With RSA this is commonly described as encrypting the hash; ECDSA has no encryption step, but the verification logic below is the same.
3. Signer sends the message and signature to the recipient.
4. Recipient verifies the signature with the signer's public key, which (for RSA) recovers the hash.
5. Recipient computes the hash of the received message.
6. If the two hashes match, the signature is valid.

Key components:
- Private key: Used to sign; must be kept secret.
- Public key: Used to verify; distributed via certificates.
- Certificate: Binds a public key to an identity (e.g., a person or organization), signed by a Certificate Authority (CA).

Microsoft implementation: Microsoft 365 uses digital signatures for email (S/MIME) and code signing (Authenticode). Azure AD signs the SAML assertions and the OAuth 2.0/OpenID Connect JWT tokens it issues (RS256, that is RSA with SHA-256), so that applications can verify the tokens are genuine and unaltered.

Encryption in Transit vs. Encryption at Rest

Encryption in transit: Protects data as it moves across networks. Examples: TLS (Transport Layer Security) for web traffic, IPsec for VPNs. TLS uses asymmetric cryptography to authenticate the server and agree on a session key, then symmetric encryption (such as AES-GCM) for the bulk data. Microsoft 365 uses TLS 1.2+ for all connections.

Encryption at rest: Protects data stored on disk or in databases. Examples: BitLocker (full disk encryption), Azure Storage Service Encryption (SSE), Transparent Data Encryption (TDE) for SQL Server. Microsoft uses AES-256 as the default encryption algorithm.

Key Management in Microsoft 365

Microsoft provides several options for managing encryption keys:
- Microsoft-managed keys: Microsoft generates, rotates, and manages keys. Used by default for Azure SSE, BitLocker, and Microsoft 365 service encryption.
- Customer-managed keys (CMK): Customers create and manage their own keys in Azure Key Vault. Used for services like Azure Information Protection, Microsoft Purview Message Encryption, and Azure Storage.
- Customer-provided keys (CPK): Customers supply their own key on each request, such as when encrypting blobs in Azure Storage; the service uses the key for that operation only and does not retain it.
- Hold Your Own Key (HYOK): For Azure Information Protection, customers keep the key on-premises (in Active Directory Rights Management Services), so Microsoft never holds the key and cannot access the decrypted content.

Encryption in Microsoft 365 by Service

Exchange Online: TLS for email in transit; BitLocker for mailbox databases at rest; S/MIME for end-to-end encryption.

SharePoint Online: TLS for data in transit; BitLocker for content databases; per-file encryption using a unique AES-256 key.

Teams: TLS for signaling and media; BitLocker for stored chat and files.

OneDrive for Business: TLS; BitLocker; per-file encryption.

Azure AD: TLS; passwords are never stored in plaintext, and password hash synchronization stores a salted PBKDF2-HMAC-SHA256 of the on-premises password hash.

Common Exam Traps

Trap: Confusing hashing with encryption. Hashing is one-way; encryption is two-way. If the question says "reverse the process" or "decrypt," it cannot be hashing.

Trap: Thinking symmetric encryption is always weaker than asymmetric. Symmetric encryption (e.g., AES-256) is actually stronger per bit than asymmetric (e.g., RSA-2048). The weakness is key distribution, not the algorithm.

Trap: Assuming encryption alone provides integrity. Encryption provides confidentiality but not integrity unless combined with a MAC or digital signature.

Trap: Believing that public key encryption is used for bulk data. In practice, asymmetric encryption is only used for key exchange or signatures; bulk data uses symmetric encryption.

Summary of Key Terms

Plaintext: Original readable data.

Ciphertext: Encrypted unreadable data.

Key: Secret value used for encryption/decryption.

Symmetric encryption: Same key for both operations.

Asymmetric encryption: Public/private key pair.

Hash: Fixed-size output of a one-way function.

Digital signature: Hash of the message signed with the private key (for RSA, in effect encrypted with it).

Certificate: Binds public key to identity.

TLS: Protocol for encrypting data in transit.

BitLocker: Full disk encryption in Windows.

Azure Key Vault: Cloud service for key management.

Walk-Through

1. Symmetric Encryption: Encrypt and Decrypt

Alice and Bob agree on a shared secret key (e.g., a 256-bit AES key). Alice uses this key and an encryption algorithm to convert her plaintext message into ciphertext; AES-256-CBC is the classic choice, but AES-256-GCM is preferred today because it also authenticates the ciphertext, whereas plain CBC detects no tampering at all. She sends the ciphertext to Bob over an insecure channel. Bob receives the ciphertext and uses the same shared key to decrypt it back to plaintext. The security relies entirely on keeping the shared key secret. If an attacker obtains the key during exchange, they can decrypt all communications that use it. This is why symmetric encryption is combined with asymmetric cryptography for secure key exchange (e.g., in TLS).
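As an added example (not code from the original chapter or from Microsoft), here is the round trip described in step 1 and in the symmetric encryption section above, written in Go with only the standard library. It uses AES-256-GCM rather than CBC because GCM also authenticates the ciphertext, which lets the example show the trap listed later in the chapter: encryption by itself does not give integrity, and with an authenticated mode a one-bit change to the ciphertext, to the associated data or to the key makes decryption fail. The message, the "msg-id" associated data and the in-memory key generation are constructed for illustration; in a deployment the key would come from a key-management service such as Azure Key Vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const gcmNonceSize = 12 // standard GCM nonce length in bytes

// newAESKey returns a random 256-bit key. In a real deployment the key comes
// from a key-management service (for example Azure Key Vault), not from code.
func newAESKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptGCM seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (additional authenticated data) is bound to the ciphertext but sent in
// clear; a header or message ID belongs there.
func encryptGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcmNonceSize) // must never repeat under the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptGCM opens a blob produced by encryptGCM. Any change to the nonce, the
// ciphertext, the tag or the aad makes Open fail, so the caller gets integrity
// as well as confidentiality.
func decryptGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcmNonceSize+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcmNonceSize], blob[gcmNonceSize:], aad)
}

// tamperedDecryptFails flips one bit of the first ciphertext byte (just past
// the nonce) and reports whether decryption was rejected, which it must be.
func tamperedDecryptFails(key, blob, aad []byte) bool {
	evil := append([]byte(nil), blob...)
	evil[gcmNonceSize] ^= 0x01
	_, err := decryptGCM(key, evil, aad)
	return err != nil
}

func main() {
	key, err := newAESKey()
	if err != nil {
		panic(err)
	}
	plaintext := []byte("Q3 forecast: revenue up 12%") // constructed sample message
	aad := []byte("msg-id:42")                         // constructed associated data
	blob, err := encryptGCM(key, plaintext, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("key:        ", hex.EncodeToString(key))
	fmt.Println("ciphertext: ", hex.EncodeToString(blob))
	recovered, err := decryptGCM(key, blob, aad)
	fmt.Printf("decrypted:   %q (err=%v)\n", recovered, err)
	fmt.Println("tamper detected:", tamperedDecryptFails(key, blob, aad))
}
```

The nonce is sent alongside the ciphertext because it is not secret; what must never happen is reusing a nonce under the same key, which is why it is drawn fresh from the CSPRNG per message.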

2. Asymmetric Encryption: Generate Key Pair

Bob generates a key pair using an algorithm like RSA with a key size of 2048 bits. The private key is stored securely (e.g., in a hardware security module or Azure Key Vault). The public key is published in a digital certificate signed by a trusted Certificate Authority (CA). Alice retrieves Bob's certificate and extracts his public key. She uses this public key to encrypt a symmetric session key (e.g., random 256-bit AES key). Only Bob's private key can decrypt this session key. This step solves the key distribution problem: Alice can securely send a symmetric key to Bob without pre-sharing a secret.
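The key-transport flow of step 2 and of the asymmetric encryption section above, as an added Go example that is not part of the chapter or of any Microsoft component. Bob generates an RSA-2048 key pair, the public half is rendered in the PEM encoding a certificate would carry, and Alice wraps a fresh 256-bit AES session key to that public key with RSA-OAEP. Only Bob's private key unwraps it; any other key, or a modified ciphertext, fails. The key pairs are generated in memory here for illustration; in practice Bob's private key would live in an HSM or Azure Key Vault.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"io"
)

// generateBobKeyPair is Bob's one-time setup: an RSA-2048 key pair. The private
// half stays with Bob (an HSM or Azure Key Vault in practice); the public half
// is what a CA would bind to Bob's identity in a certificate.
func generateBobKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// publicKeyPEM encodes the public key as SubjectPublicKeyInfo in PEM, the same
// encoding that appears inside an X.509 certificate.
func publicKeyPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// wrapSessionKey is Alice's side: generate a fresh 256-bit AES session key and
// encrypt it to Bob's public key with RSA-OAEP (SHA-256). OAEP is randomized,
// so wrapping the same key twice yields different ciphertexts.
func wrapSessionKey(bobPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// unwrapSessionKey is Bob's side. Only the matching private key recovers the
// session key; any other key, or a modified ciphertext, returns an error.
func unwrapSessionKey(bobPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, wrapped, nil)
}

func main() {
	bob, err := generateBobKeyPair()
	if err != nil {
		panic(err)
	}
	pemText, err := publicKeyPEM(&bob.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Print(pemText) // what Alice would extract from Bob's certificate
	sessionKey, wrapped, err := wrapSessionKey(&bob.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("session key:     ", hex.EncodeToString(sessionKey))
	fmt.Println("wrapped (256 B): ", hex.EncodeToString(wrapped)[:32], "...")
	recovered, err := unwrapSessionKey(bob, wrapped)
	fmt.Println("Bob recovers it: ", err == nil && hex.EncodeToString(recovered) == hex.EncodeToString(sessionKey))
	mallory, err := generateBobKeyPair() // any other key pair, e.g. an eavesdropper's
	if err != nil {
		panic(err)
	}
	_, err = unwrapSessionKey(mallory, wrapped)
	fmt.Println("other key fails: ", err != nil)
}
```

The wrapped blob is exactly the modulus size (256 bytes for RSA-2048) regardless of the 32-byte payload, which is one reason asymmetric encryption is used for keys rather than for the data itself.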

3. Hashing: Compute and Verify Hash

Alice has a file whose integrity she wants to protect. She runs the file through the SHA-256 algorithm, which produces a 256-bit (32-byte) hash, and records it. Later, Bob downloads the file and computes the SHA-256 hash himself. If the hash matches Alice's recorded hash, the file has not been altered. If even one bit of the file changed, the hash will be completely different (avalanche effect). Hashing does not use a key; it is a deterministic function. That is also its limit: a hash only proves the file matches the published hash, not who published it, so if an attacker can replace both the file and the hash the check still passes. Hashes are therefore signed, or delivered over an authenticated channel. Common attack: collision attack (finding two inputs with the same hash). SHA-256 is currently collision-resistant; SHA-1 is not.
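An added Go example (standard library only, not code from the chapter) covering step 3 and the hashing section above: it computes the 64-hex-character SHA-256 digest of a constructed file, verifies a downloaded copy against the published digest with a constant-time comparison, counts how many of the 256 digest bits change when one character of the file changes (the avalanche effect), and shows what the "salted hash" in the password-storage use case actually is by implementing PBKDF2 with HMAC-SHA256 (RFC 8018) for derived keys up to 32 bytes. The file contents, the salt and the password are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// sha256Hex returns the digest as the 64 hex characters the chapter mentions.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// verifyFile is Bob's check: recompute the digest and compare it with the one
// Alice published. hmac.Equal is a constant-time comparison.
func verifyFile(data []byte, publishedHex string) bool {
	return hmac.Equal([]byte(sha256Hex(data)), []byte(publishedHex))
}

// hammingDistance counts how many of the 256 digest bits differ between the
// hashes of a and b; for any change at all, about half of them flip.
func hammingDistance(a, b []byte) int {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	d := 0
	for i := range ha {
		d += bits.OnesCount8(ha[i] ^ hb[i])
	}
	return d
}

// pbkdf2HmacSha256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 for derived
// keys up to one hash output (32 bytes): enough to show what "salted and
// iterated" means for stored passwords. A bare SHA-256 of a password is not a
// password hash; the salt defeats precomputed tables and the iteration count
// makes each guess expensive.
func pbkdf2HmacSha256(password, salt []byte, iterations, keyLen int) []byte {
	if iterations < 1 || keyLen < 1 || keyLen > sha256.Size {
		panic("pbkdf2HmacSha256: unsupported parameters")
	}
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	u := prf.Sum(nil)            // U1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u) // U_i = PRF(P, U_{i-1})
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j] // T1 = U1 xor U2 xor ... xor Uc
		}
	}
	return t[:keyLen]
}

func main() {
	original := []byte("Contract v1: pay 1,000 EUR on 2026-07-01\n") // constructed file content
	altered := []byte("Contract v1: pay 9,000 EUR on 2026-07-01\n")  // one character changed
	published := sha256Hex(original)                                 // what Alice records
	fmt.Println("published digest:  ", published)
	fmt.Println("original verifies: ", verifyFile(original, published))
	fmt.Println("altered verifies:  ", verifyFile(altered, published))
	fmt.Printf("bits changed by a one-character edit: %d of 256\n", hammingDistance(original, altered))

	salt := []byte("per-user-random-salt") // constructed; use 16+ random bytes per user in practice
	verifier := pbkdf2HmacSha256([]byte("correct horse battery staple"), salt, 600_000, 32)
	fmt.Println("stored password verifier:", hex.EncodeToString(verifier))
}
```

The 600,000 iterations in main are there to make the cost visible when the program runs; a login check recomputes the same PBKDF2 from the stored salt and compares the result, so the plaintext password is never stored.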

4. Digital Signature: Sign and Verify

Bob wants to sign a contract. He computes a SHA-256 hash of the contract. Then he encrypts that hash with his private key (RSA-2048) to create the digital signature. Bob sends the contract and signature to Alice. Alice decrypts the signature using Bob's public key to recover the hash. She independently computes the SHA-256 hash of the received contract. If the two hashes match, Alice knows the contract came from Bob (authentication) and has not been altered (integrity). Non-repudiation: Bob cannot deny signing because only he has his private key.
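Step 4 and the digital signature section above, as an added Go example (standard library only; not the chapter's or Microsoft's code). Bob signs the SHA-256 digest of a constructed contract with RSASSA-PKCS1-v1_5, the scheme that matches the chapter's "encrypt the hash with the private key" description and is also the RS256 algorithm used for signed JWTs. Alice verifies with the public key, a tampered contract or a corrupted signature fails, and recoverDigest makes the textbook description literal: it performs the raw public-key operation sig^e mod n and shows the SHA-256 digest sitting at the end of the padded result. The key pair is generated in memory for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// newSigningKey is Bob's RSA-2048 key pair (generated in memory here only for
// illustration; a signing key belongs in an HSM or Azure Key Vault).
func newSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signContract is Bob's step: hash the contract with SHA-256 and sign the
// digest with his private key using RSASSA-PKCS1-v1_5 (RS256).
func signContract(bobPriv *rsa.PrivateKey, contract []byte) ([]byte, error) {
	digest := sha256.Sum256(contract)
	return rsa.SignPKCS1v15(rand.Reader, bobPriv, crypto.SHA256, digest[:])
}

// verifyContract is Alice's step: recompute the digest of what she received
// and check the signature with Bob's public key.
func verifyContract(bobPub *rsa.PublicKey, contract, sig []byte) bool {
	digest := sha256.Sum256(contract)
	return rsa.VerifyPKCS1v15(bobPub, crypto.SHA256, digest[:], sig) == nil
}

// recoverDigest does the raw public-key operation sig^e mod n. For a PKCS#1
// v1.5 signature the result is 00 01 FF..FF 00 || DigestInfo, and DigestInfo
// ends with the SHA-256 digest itself. Seeing the hash come back out is the
// concrete meaning of "the signature is the hash encrypted with the private key".
func recoverDigest(pub *rsa.PublicKey, sig []byte) []byte {
	s := new(big.Int).SetBytes(sig)
	m := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N)
	em := m.FillBytes(make([]byte, pub.Size())) // left-pad to the modulus length
	return em[len(em)-sha256.Size:]
}

// digestRecovered reports whether the digest embedded in the signature equals
// the digest of the contract, using only the public key and integer arithmetic.
func digestRecovered(pub *rsa.PublicKey, contract, sig []byte) bool {
	digest := sha256.Sum256(contract)
	return bytes.Equal(recoverDigest(pub, sig), digest[:])
}

func main() {
	bob, err := newSigningKey()
	if err != nil {
		panic(err)
	}
	contract := []byte("Bob agrees to deliver 100 units by 2026-09-30.") // constructed
	sig, err := signContract(bob, contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature:", hex.EncodeToString(sig)[:32], "...")
	fmt.Println("valid on original:        ", verifyContract(&bob.PublicKey, contract, sig))
	tampered := bytes.Replace(contract, []byte("100"), []byte("10"), 1)
	fmt.Println("valid on tampered copy:   ", verifyContract(&bob.PublicKey, tampered, sig))
	fmt.Println("digest recovered from sig:", digestRecovered(&bob.PublicKey, contract, sig))
}
```

Verification with the library call, not the raw recovery, is what real code should use: rsa.VerifyPKCS1v15 also checks the padding and the DigestInfo prefix, and skipping those checks is exactly how historical signature-forgery bugs arose.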

5. TLS Handshake: Establish Secure Channel

The client connects to the server. In TLS 1.3 the client's first message already carries an ephemeral (elliptic-curve) Diffie-Hellman key share; the server replies with its own share, its certificate (containing its public key) and a signature over the handshake so far, made with the certificate's private key. The client verifies the certificate against a trusted CA and checks that signature, which is what authenticates the server. Both sides combine their ephemeral keys into the same shared secret, derive the session keys from it, and encrypt all subsequent data symmetrically (e.g., AES-256-GCM). Because the certificate key only signs and the session secret is never transported, a server key stolen later cannot decrypt recorded sessions (forward secrecy). The older TLS 1.2 RSA key exchange worked differently: the client generated a pre-master secret, encrypted it with the server's public key, and the server decrypted it with its private key; TLS 1.3 removed that mode. Both variants are hybrid: asymmetric cryptography to establish and authenticate the key, symmetric encryption for speed. Microsoft 365 enforces TLS 1.2+ for all connections.
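An added Go example (standard library only; not the chapter's code and not a TLS implementation) of the TLS 1.3 shape of the handshake in step 5: both sides generate ephemeral P-256 ECDH keys, the server signs the transcript with its long-term certificate key (ECDSA), the client verifies that signature, and both derive the same traffic keys from the shared secret with an HKDF-style HMAC-SHA256 construction bound to the transcript. The mitm flag substitutes an attacker's key share on the way to the client, which the client detects because the server's signature covers the transcript the server actually sent. The salt string and the "c ap traffic" / "s ap traffic" labels are constructed stand-ins for the real TLS 1.3 key schedule, and the certificate key is generated in memory rather than taken from a CA-issued certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newServerCertKey is the server's long-term key, the one a CA would certify.
// In TLS 1.3 it only signs the handshake; it never transports the session secret.
func newServerCertKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newEphemeral makes a P-256 ECDH key for one handshake. Both sides generate
// one and discard it afterwards; that is what gives TLS 1.3 forward secrecy.
func newEphemeral() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// sharedSecret combines my ephemeral private key with the peer's public share.
// Both sides get the same 32 bytes; the secret itself never crosses the wire.
func sharedSecret(mine *ecdh.PrivateKey, peerShare []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerShare)
	if err != nil {
		return nil, err
	}
	return mine.ECDH(peer)
}

// deriveTrafficKeys is a simplified, HKDF-style expansion over HMAC-SHA256 keyed
// by the shared secret and bound to the transcript, so the keys depend on every
// handshake message. The real TLS 1.3 key schedule has more stages, same shape.
func deriveTrafficKeys(shared, transcript []byte) (clientKey, serverKey []byte) {
	expand := func(label string) []byte {
		m := hmac.New(sha256.New, shared)
		m.Write(transcript)
		m.Write([]byte(label)) // constructed labels standing in for the TLS 1.3 ones
		return m.Sum(nil)
	}
	return expand("c ap traffic"), expand("s ap traffic")
}

// runHandshake runs client and server in one process. With mitm set, an attacker
// swaps its own key share into the ServerHello on the way to the client; the
// attacker cannot re-sign the transcript, so the client's signature check fails.
func runHandshake(serverCert *ecdsa.PrivateKey, mitm bool) (keysAgree, serverAuthenticated bool, err error) {
	clientEph, err := newEphemeral()
	if err != nil {
		return false, false, err
	}
	serverEph, err := newEphemeral()
	if err != nil {
		return false, false, err
	}
	clientShare := clientEph.PublicKey().Bytes() // sent in ClientHello
	serverShare := serverEph.PublicKey().Bytes() // sent in ServerHello
	// Server: compute the secret and sign its view of the transcript (CertificateVerify).
	serverTranscript := append(append([]byte{}, clientShare...), serverShare...)
	serverShared, err := sharedSecret(serverEph, clientShare)
	if err != nil {
		return false, false, err
	}
	th := sha256.Sum256(serverTranscript)
	sig, err := ecdsa.SignASN1(rand.Reader, serverCert, th[:])
	if err != nil {
		return false, false, err
	}
	if mitm {
		attacker, aerr := newEphemeral()
		if aerr != nil {
			return false, false, aerr
		}
		serverShare = attacker.PublicKey().Bytes()
	}
	// Client: verify the signature over the transcript it observed, then derive keys.
	clientTranscript := append(append([]byte{}, clientShare...), serverShare...)
	ch := sha256.Sum256(clientTranscript)
	serverAuthenticated = ecdsa.VerifyASN1(&serverCert.PublicKey, ch[:], sig)
	clientShared, err := sharedSecret(clientEph, serverShare)
	if err != nil {
		return false, false, err
	}
	c1, s1 := deriveTrafficKeys(clientShared, clientTranscript)
	c2, s2 := deriveTrafficKeys(serverShared, serverTranscript)
	keysAgree = bytes.Equal(c1, c2) && bytes.Equal(s1, s2)
	return keysAgree, serverAuthenticated, nil
}

func main() {
	cert, err := newServerCertKey()
	if err != nil {
		panic(err)
	}
	fmt.Println(runHandshake(cert, false)) // true true <nil>
	fmt.Println(runHandshake(cert, true))  // false false <nil>
}
```

In the substituted case the client also ends up with different traffic keys from the server, so even an attacker who forwards everything unchanged afterwards cannot read the session; in real TLS the client would abort at the failed CertificateVerify before sending any application data.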

6. BitLocker: Encrypt Entire Volume

When BitLocker is enabled on a Windows volume, it creates a full volume encryption key (FVEK) that encrypts each sector with AES-128 or AES-256 (XTS mode on current Windows). The FVEK is itself encrypted by a volume master key (VMK), and the VMK is protected by one or more key protectors: the TPM (Trusted Platform Module), TPM plus PIN, a startup key on USB, or the recovery password. At boot the TPM releases (unseals) the VMK only if the measured boot components match the values recorded when protection was turned on; the VMK decrypts the FVEK, and the OS can then read the volume. Without a valid protector the volume stays encrypted and inaccessible. The two-level design matters operationally: adding or rotating a protector only re-wraps the VMK, so the data never has to be re-encrypted. Microsoft also uses BitLocker on the servers that hold Microsoft 365 data.

What This Looks Like on the Job

Enterprise Scenario 1: Microsoft 365 Data Protection

A multinational corporation uses Exchange Online and SharePoint Online. All data in transit is protected by TLS 1.2 or later. For data at rest, Microsoft uses BitLocker to encrypt physical disks at the datacenter level. Additionally, the organization enables Microsoft Purview Message Encryption to send sensitive emails externally. When a user sends an encrypted email, the message body and attachments are encrypted with a symmetric content key, and that content key is protected by the organization's tenant key in Azure Rights Management (the asymmetric part of the scheme). The recipient proves their identity (a Microsoft 365 or federated sign-in, or a one-time passcode sent by email) and the service issues a use license that lets their mail client or the web portal decrypt the message. This hybrid approach ensures confidentiality even if the email is intercepted, because an interceptor holds neither the content key nor a way to obtain a use license. The organization also uses Azure Information Protection with a customer-managed tenant key stored in Azure Key Vault. This allows them to classify and encrypt documents with the key under their control. A common mistake is misconfiguring the key vault's access policy so that the Azure Rights Management service cannot use the key, which leaves users unable to open protected documents. Best practice is to use a dedicated key vault per environment and enable soft-delete and purge protection, since deleting or purging the tenant key makes every document protected with it unrecoverable.

Enterprise Scenario 2: Secure Remote Access with VPN

A company with 5,000 remote employees uses Azure VPN Gateway to connect to on-premises resources. The VPN uses IPsec with IKEv2, which uses asymmetric cryptography (RSA or ECDSA certificates) or a pre-shared key for authentication and a Diffie-Hellman key exchange to negotiate symmetric session keys (AES-256). The gateway can be configured with custom IPsec/IKE policies to enforce specific algorithms. Performance considerations: AES-256 handles high throughput, but the asymmetric handshake and DH exchange add latency at connection setup and on each rekey. Scaling: for large numbers of concurrent connections, the gateway SKU must be chosen appropriately, since throughput and connection limits rise with the SKU (the 10 Gbps aggregate figure belongs to the top VpnGw5 SKU, not VpnGw3; check the current SKU table rather than assuming). A frequent misconfiguration is using weak DH groups (DH Group 1 at 768 bits, or DH Group 2 at 1024 bits); Microsoft recommends DH Group 14 (2048 bits) or the ECP256/ECP384 elliptic-curve groups. Another issue is certificate expiry: if the gateway's certificate expires, all certificate-authenticated VPN connections fail. Monitoring with Azure Monitor alerts on certificate expiration is critical.

Enterprise Scenario 3: Code Signing for Application Deployment

A software vendor signs their executables with a code signing certificate issued by a trusted CA (e.g., DigiCert). The signing process: the build tooling computes a SHA-256 hash of the executable and signs it with the vendor's private key (RSA-4096), and the signature together with the certificate chain is embedded in the file (Authenticode). When a user downloads the executable, Windows recomputes the hash, checks the signature using the public key in the certificate, and validates the chain up to a trusted root. If the signature is valid and the chain is trusted, Windows allows the installation. If the executable is modified after signing, the hash no longer matches, verification fails, and Windows warns the user. Common pitfalls: storing the private key on a build server as a plain file instead of in a hardware security module or a key vault. If the private key is compromised, attackers can sign malicious code that Windows will trust until the certificate is revoked. Microsoft recommends keeping code signing keys in Azure Key Vault (HSM-backed) and using a build pipeline that sends only the hash to the vault for signing, so the private key is never exported. Signatures should also be timestamped by a trusted timestamp authority so they remain valid after the signing certificate expires.

How SC-900 Actually Tests This

What SC-900 Tests on Encryption Fundamentals

SC-900 objective 1.1 (Describe the concepts of security, compliance, and identity) includes understanding encryption, hashing, and digital signatures. The exam expects you to:

Differentiate between symmetric and asymmetric encryption.

Identify the purpose of hashing (integrity) vs. encryption (confidentiality).

Understand that digital signatures provide authentication, integrity, and non-repudiation.

Know that TLS is used for encryption in transit and that BitLocker is used for encryption at rest.

Recognize that Microsoft-managed keys are default, but customers can use their own keys (CMK, HYOK).

Common Wrong Answers and Why Candidates Choose Them

1. Confusing hashing with encryption: Many candidates see the word "secure" and choose hashing when the question asks about confidentiality. Hashing does not provide confidentiality; it is one-way. The exam will have questions like: "Which cryptographic technique ensures data has not been tampered with?" The correct answer is hashing (or digital signature), but candidates often choose encryption.

2. Selecting symmetric encryption for secure key exchange: Candidates know symmetric is fast, so they think it's used to exchange keys. In reality, asymmetric encryption is used for key exchange because it solves the key distribution problem. The exam may ask: "Which type of encryption is used to securely exchange a session key?" Answer: asymmetric.

3. Believing that encryption at rest uses TLS: TLS is for data in transit, not at rest. Candidates who memorize "TLS" as the encryption method may incorrectly apply it to storage. The exam will ask: "Which Microsoft technology encrypts data at rest on a Windows device?" Answer: BitLocker.

4. Assuming public keys are secret: Candidates may think both keys in asymmetric encryption are secret. Only the private key is secret; the public key is shared openly.

Specific Numbers and Terms That Appear on the Exam

AES-256: Standard symmetric algorithm for Microsoft 365.

SHA-256: Common hash algorithm used in Microsoft products.

RSA-2048: Typical key size for asymmetric encryption.

TLS 1.2/1.3: Protocols for encryption in transit.

BitLocker: Full disk encryption in Windows.

Azure Key Vault: Cloud service for key management.

Customer-managed keys (CMK): Customers manage their own keys.

Hold Your Own Key (HYOK): For AIP, keys stored on-premises.

Edge Cases and Exceptions

Encryption of data in use: Azure Confidential Computing (Intel SGX enclaves, and confidential VMs based on AMD SEV-SNP or Intel TDX) keeps data encrypted in memory while it is being processed, and hardware attestation lets a workload prove it is running inside such an environment. This is an Azure capability rather than a Microsoft 365 feature. It is less common on the exam but may appear as a scenario.

Key rotation: Microsoft rotates Microsoft-managed keys automatically, on a schedule the customer neither sees nor controls. Customer-managed keys are the customer's responsibility: rotate them manually or configure an automatic rotation policy in Azure Key Vault. Rotating a key does not re-encrypt data already protected under the old version, so older key versions are archived rather than deleted.

Double encryption: Some Azure services (e.g., Azure Storage) offer double encryption at rest (two layers of encryption) for extra security.

How to Eliminate Wrong Answers

If the question asks about "confidentiality," eliminate any option that mentions hashing or digital signatures (those provide integrity/authentication).

If the question asks about "integrity," eliminate encryption-only options.

If the question mentions "secure key exchange," the answer is asymmetric encryption.

If the question mentions "bulk data encryption," the answer is symmetric encryption.

If the question mentions "data in transit," look for TLS or IPsec.

If the question mentions "data at rest," look for BitLocker, SSE, or TDE.

If the question asks about "non-repudiation," the answer is digital signatures.

Key Takeaways

Encryption provides confidentiality; hashing provides integrity; digital signatures provide authentication, integrity, and non-repudiation.

Symmetric encryption (AES-256) is used for bulk data; asymmetric encryption (RSA-2048) is used for key exchange and digital signatures.

TLS encrypts data in transit; BitLocker and Azure SSE encrypt data at rest.

Microsoft-managed keys are default; customers can use CMK or HYOK for additional control.

SHA-256 is the standard hash algorithm in Microsoft 365; SHA-1 is deprecated.

Digital signatures work by encrypting a hash of the message with the signer's private key.

Azure Key Vault is the central service for managing encryption keys in Azure.

The exam tests differentiation between confidentiality, integrity, and authentication scenarios.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Symmetric Encryption

Uses one key for both encryption and decryption.

Fast and suitable for bulk data encryption.

Key distribution is a challenge.

Algorithms: AES, 3DES, ChaCha20.

Key sizes: 128, 192, 256 bits (AES).

Asymmetric Encryption

Uses a public-private key pair.

Slow and used for key exchange or signatures.

No key distribution problem; public keys can be shared.

Algorithms: RSA, ECC, DSA.

Key sizes: 2048, 4096 bits (RSA); 256, 384 bits (ECC).

Watch Out for These

Mistake

Encryption and hashing are the same thing.

Correct

Encryption is a two-way function (you can decrypt with the key), while hashing is one-way (you cannot reverse the hash to get the original input). Encryption provides confidentiality; hashing provides integrity.

Mistake

Symmetric encryption is less secure than asymmetric encryption.

Correct

AES-256 (symmetric) is considered more secure per bit than RSA-2048 (asymmetric). The security of symmetric encryption depends on key secrecy, not algorithm weakness. Asymmetric encryption is slower and used primarily for key exchange.

Mistake

Public keys must be kept secret.

Correct

Public keys are designed to be shared openly. Only private keys must be kept secret. Public keys are distributed via certificates and can be freely exchanged.

Mistake

TLS encrypts data at rest.

Correct

TLS (Transport Layer Security) encrypts data only while it is in transit over a network. For data at rest, technologies like BitLocker or Azure Storage Service Encryption are used.

Mistake

Digital signatures use encryption of the entire message.

Correct

Digital signatures encrypt only the hash of the message (using the private key), not the message itself. The message may be sent in plaintext alongside the signature. Encryption of the message is separate (confidentiality).


Frequently Asked Questions

What is the difference between encryption and hashing?

Encryption is a reversible process that transforms plaintext into ciphertext using a key; it provides confidentiality. Hashing is a one-way function that produces a fixed-size digest from any input; it provides integrity. You can decrypt encrypted data with the correct key, but you cannot reverse a hash to recover the original input. On the SC-900 exam, if the question involves reversing the process or keeping data secret, choose encryption. If it involves detecting tampering or verifying integrity, choose hashing.

Which encryption method does Microsoft 365 use for data at rest?

Microsoft 365 uses BitLocker Drive Encryption (AES-256) for physical disks in datacenters, and per-file encryption using a unique AES-256 key for each file in SharePoint Online and OneDrive for Business. For Azure services, Azure Storage Service Encryption (SSE) uses AES-256. These are all symmetric encryption. The exam may ask: 'Which technology encrypts data at rest in Microsoft 365?' The correct answer is BitLocker for disks or SSE for storage.

What is the purpose of a digital signature?

A digital signature provides authentication (proves the signer's identity), integrity (ensures the message hasn't been altered), and non-repudiation (the signer cannot deny signing). It is created by encrypting a hash of the message with the signer's private key. On the exam, if a question asks for a method to prove who sent a message and that it hasn't been changed, choose digital signature.

What is the difference between Microsoft-managed keys and customer-managed keys?

Microsoft-managed keys are generated, stored, and rotated by Microsoft automatically. They are used by default for most services. Customer-managed keys (CMK) allow customers to create and manage their own keys in Azure Key Vault, giving them control over key lifecycle and access. CMK is used for services like Azure Information Protection and Microsoft Purview Message Encryption. The exam may ask: 'Which key management option gives the customer full control over encryption keys?' Answer: customer-managed keys.

What is TLS and where is it used?

TLS (Transport Layer Security) is a cryptographic protocol that provides encryption in transit. It is used for securing web traffic (HTTPS), email (SMTP over TLS), and other network communications. Microsoft 365 uses TLS 1.2+ for all data moving between clients and servers. The exam may ask: 'Which protocol encrypts data in transit?' Answer: TLS.

What is Azure Key Vault used for?

Azure Key Vault is a cloud service for securely storing and managing cryptographic keys, secrets, and certificates. It is used to protect encryption keys for services like Azure Information Protection (the BYOK tenant key), Azure Disk Encryption (BitLocker keys for Windows VMs), and SQL Server/Azure SQL TDE with customer-managed keys. Key Vault supports hardware security modules (HSMs) for FIPS 140-2 Level 2 or Level 3 compliance. On the exam, if a question asks where to store encryption keys in Azure, the answer is Azure Key Vault.

What is the difference between symmetric and asymmetric encryption?

Symmetric encryption uses a single shared key for both encryption and decryption. It is fast and suitable for bulk data. Asymmetric encryption uses a public-private key pair; data encrypted with the public key can only be decrypted with the private key. It is slower and used for key exchange and digital signatures. The exam may ask: 'Which type of encryption is used to securely exchange a session key?' Answer: asymmetric encryption.
