Domain 1: General Security Concepts Module 6 of 61

Cryptographic Concepts and Methods

Security+ Domain 1 — General Security Concepts B — Zero Trust and Cryptography 14–18 minutes

What the Exam Is Really Testing

CompTIA does not expect you to perform cryptographic calculations. It expects you to make decisions.

Given a scenario, which cryptographic method should you use, and why?

You need to know when to use symmetric versus asymmetric encryption. You need to know the difference between hashing and encryption. You need to understand why digital signatures exist and how they work. And you need to recognize the common algorithms by name and know their purpose.

This is one of the densest topics on the exam. But the patterns are consistent and the decision framework is clear once you understand the fundamentals.

Symmetric Encryption

Symmetric encryption uses a single shared key for both encryption and decryption. The same key locks and unlocks the data.

Characteristics:

  • Fast and efficient — ideal for encrypting large volumes of data
  • The key must be shared securely between parties (the key distribution problem)
  • If the key is compromised, all data encrypted with that key is exposed
  • Used for bulk data encryption: disk encryption, database encryption, VPN tunnels

Common Symmetric Algorithms

  • AES (Advanced Encryption Standard): The standard for symmetric encryption. Available in 128, 192, and 256-bit key lengths. Used in nearly every modern encryption implementation
  • 3DES (Triple DES): Applies DES three times with different keys. Legacy algorithm being phased out in favor of AES
  • ChaCha20: Modern stream cipher, often paired with Poly1305 for authenticated encryption. Used in mobile and low-power environments

Block Ciphers vs. Stream Ciphers

Block ciphers encrypt data in fixed-size blocks (typically 128 bits). AES is a block cipher. Block ciphers can operate in different modes (CBC, GCM, CTR) that affect how blocks are chained together.

Stream ciphers encrypt data one bit or byte at a time, generating a continuous keystream. ChaCha20 is a stream cipher. Stream ciphers are faster for real-time data like voice or video.

For the exam: AES = block cipher. ChaCha20 = stream cipher. If the scenario involves encrypting large files at rest, think block cipher. If it involves real-time streaming data, think stream cipher.

Asymmetric Encryption

Asymmetric encryption uses a key pair: a public key and a private key. What one key encrypts, only the other can decrypt.

Characteristics:

  • Slower than symmetric encryption — not practical for bulk data
  • Solves the key distribution problem (public keys can be shared openly)
  • Enables digital signatures and key exchange
  • Used for: secure key exchange, digital signatures, certificate-based authentication

How the Key Pair Works

  • Encryption: Encrypt with the recipient's public key. Only the recipient's private key can decrypt. This provides confidentiality
  • Digital signatures: Sign with the sender's private key. Anyone with the sender's public key can verify. This provides authentication, integrity, and non-repudiation
Public key encrypts, private key decrypts = confidentiality. Private key signs, public key verifies = non-repudiation.

Common Asymmetric Algorithms

  • RSA (Rivest-Shamir-Adleman): The most widely used asymmetric algorithm. Supports both encryption and digital signatures. Key sizes typically 2048 or 4096 bits
  • ECC (Elliptic Curve Cryptography): Provides equivalent security to RSA with much smaller key sizes. A 256-bit ECC key provides comparable security to a 3072-bit RSA key. Preferred for mobile and IoT devices
  • Diffie-Hellman (DH): Used for key exchange, not encryption. Allows two parties to establish a shared secret over an insecure channel. The foundation of many VPN and TLS implementations

Hashing

Hashing is not encryption. This is one of the most important distinctions on the exam.

A hash function takes input of any size and produces a fixed-size output (the hash or digest). Hashing is a one-way function — you cannot reverse a hash to recover the original data.

Properties of a good hash function:

  • Deterministic: Same input always produces the same hash
  • Fixed output size: Regardless of input length
  • One-way: Cannot reverse the hash to find the input
  • Collision resistant: Extremely difficult to find two different inputs that produce the same hash
  • Avalanche effect: A tiny change in input produces a completely different hash

Common Hash Algorithms

  • SHA-256: Part of the SHA-2 family. Produces a 256-bit hash. The current standard for integrity verification
  • SHA-3: The newest SHA standard. Uses a different internal structure (Keccak) than SHA-2. Not a replacement for SHA-2 but an alternative
  • MD5: Produces a 128-bit hash. Considered cryptographically broken due to collision vulnerabilities. Still seen in legacy systems for checksums but should not be used for security

HMAC (Hash-Based Message Authentication Code)

HMAC combines a hash function with a secret key. It provides both integrity verification and authentication — not just "has this data changed?" but "did the expected sender create this data?"

HMAC is used in protocols like TLS and IPsec to verify message integrity and authenticity.

Digital Signatures

A digital signature combines hashing and asymmetric encryption to provide three things:

  1. Authentication: Confirms the identity of the signer
  2. Integrity: Proves the data has not been altered since signing
  3. Non-repudiation: The signer cannot deny having signed

The process:

  1. The sender creates a hash of the message
  2. The sender encrypts the hash with their private key (this is the signature)
  3. The recipient decrypts the signature using the sender's public key
  4. The recipient independently hashes the received message
  5. If the two hashes match, the signature is valid
Digital signatures do not encrypt the message itself. They sign a hash of the message. The message can still be read by anyone — the signature just proves who sent it and that it was not altered.

Key Exchange and Key Stretching

Key Exchange

The key exchange problem: how do two parties agree on a shared symmetric key without an attacker intercepting it?

Solutions:

  • Diffie-Hellman: Mathematical key exchange over an insecure channel. Both parties contribute to generating a shared secret without ever transmitting it
  • RSA key exchange: One party encrypts the symmetric key with the other party's public key and sends it. Only the private key holder can decrypt it
  • ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): Uses ECC for key exchange with ephemeral (temporary) keys. Provides perfect forward secrecy — compromising one session key does not compromise past or future sessions

Key Stretching

Key stretching transforms a weak key (like a short password) into a stronger one by applying a hash function many times. This makes brute-force attacks significantly slower.

  • PBKDF2 (Password-Based Key Derivation Function 2): Applies a hash function thousands of times to a password plus a salt
  • bcrypt: Designed specifically for password hashing. Includes a configurable work factor that increases computation time
  • scrypt: Similar to bcrypt but also requires significant memory, making hardware-based attacks more expensive

Salting

A salt is a random value added to a password before hashing. Salting ensures that two users with the same password produce different hashes. This defeats precomputed hash attacks (rainbow tables).

Without salting, identical passwords produce identical hashes. An attacker with a rainbow table can reverse millions of common password hashes instantly. Salting eliminates this attack vector.

Blockchain and Open Public Ledger

A blockchain is a distributed, tamper-evident ledger that uses cryptographic hashing to chain blocks of data together. Each block contains a hash of the previous block, creating an unbroken chain.

  • Modifying any block would change its hash, breaking the chain
  • The ledger is distributed across many nodes, preventing single-point manipulation
  • Provides integrity and non-repudiation for transactions
  • Used in cryptocurrency, supply chain tracking, and digital identity

For the exam, understand that blockchain provides integrity through cryptographic hashing and distribution — not confidentiality. Public blockchains are transparent by design.

Steganography

Steganography is the practice of hiding data within other data — typically hiding a message within an image, audio file, or video file. Unlike encryption, which makes data unreadable, steganography makes data invisible.

  • Data is hidden in the least significant bits of image pixels
  • The file appears normal to casual inspection
  • Can be combined with encryption for both secrecy and concealment
  • Used by attackers to exfiltrate data and by organizations to watermark intellectual property
Encryption hides the meaning of the message. Steganography hides the existence of the message. They serve different purposes and can be combined.

Pattern Recognition

Security+ questions on cryptography follow these patterns:

  • Algorithm selection: "Which algorithm should be used to encrypt data at rest?" AES (symmetric, fast, bulk encryption)
  • Symmetric vs. asymmetric: "Two parties need to exchange a key securely." Diffie-Hellman or RSA key exchange (asymmetric solves the key distribution problem)
  • Hashing vs. encryption: "Verify that a file has not been tampered with." Hashing (integrity verification, not confidentiality)
  • Digital signature purpose: "Prove who sent a document." Digital signature (authentication + integrity + non-repudiation)
  • Key stretching triggers: "Protect weak passwords against brute force." bcrypt, PBKDF2, or scrypt

Trap Patterns

Common wrong answers and why they are wrong:

  • Confusing hashing with encryption: Hashing is one-way and verifies integrity. Encryption is two-way and provides confidentiality. You cannot "decrypt" a hash
  • Thinking asymmetric is always better: Asymmetric is slower and used for key exchange and signatures. Symmetric is used for actual data encryption. They work together
  • Confusing MD5 with SHA-256: MD5 is broken and should not be used for security purposes. SHA-256 is the current standard. If MD5 appears as the correct answer, the question is about legacy or checksum contexts
  • Mixing up public and private key roles: Encrypt with public key for confidentiality. Sign with private key for non-repudiation. Reversing these is a common trap

Scenario Practice

Question 1

A company needs to encrypt a large database of customer records at rest. Performance is a critical concern because the database handles thousands of transactions per second during peak hours.

Which cryptographic approach is MOST appropriate?

A. RSA encryption with 4096-bit keys for maximum security strength
B. AES-256 symmetric encryption for efficient bulk data protection
C. SHA-256 hashing to verify the integrity of all database records
D. Diffie-Hellman key exchange to establish encryption for each transaction

Answer & reasoning

Correct: B

Bulk data encryption requires symmetric encryption for performance. AES-256 is the industry standard for encrypting data at rest. RSA is too slow for bulk encryption. SHA-256 is hashing, not encryption. Diffie-Hellman is for key exchange, not data encryption.

Question 2

A software company distributes updates to its customers over the internet. The company needs to ensure that customers can verify the update came from the company and was not modified during download.

Which cryptographic method should be applied to the software updates?

A. Encrypt each update using AES-256 before distributing to all customers
B. Apply a digital signature using the company's private key to each update
C. Hash each update with MD5 and publish the hash on the company website
D. Use symmetric key encryption with a shared key sent to all customers

Answer & reasoning

Correct: B

A digital signature provides authentication (proves the update came from the company), integrity (proves the update was not modified), and non-repudiation. Customers verify the signature using the company's public key.

Encryption protects confidentiality but does not prove origin. MD5 is cryptographically broken. Sharing a symmetric key with all customers defeats the purpose.

Question 3

A security team discovers that an attacker has been exfiltrating sensitive data from the network. Network monitoring shows no unusual traffic patterns, and DLP tools have not triggered any alerts. A forensic analyst finds hidden data embedded within image files that were uploaded to a public image-sharing service.

Which technique did the attacker use to evade detection during data exfiltration?

A. Symmetric encryption to make the data unreadable during transmission
B. Steganography to conceal the data within seemingly normal image files
C. Hashing to disguise the data as integrity verification checksums
D. Asymmetric encryption to protect the data with public key cryptography

Answer & reasoning

Correct: B

The key detail is that the data was hidden within image files and evaded detection. Steganography hides data within other files (images, audio, video) so that the carrier file appears normal. DLP tools did not trigger because the traffic looked like normal image uploads.

Encryption would make data unreadable but would not hide it within images. Hashing does not conceal data.

Key Takeaway

Cryptography on the Security+ exam is about choosing the right tool for the job. Symmetric encryption (AES) handles bulk data efficiently. Asymmetric encryption (RSA, ECC) solves key distribution and enables digital signatures. Hashing (SHA-256) verifies integrity. Digital signatures provide authentication, integrity, and non-repudiation. Key stretching protects weak passwords. Salting defeats rainbow tables. Know which tool serves which purpose, and you will navigate cryptography questions with confidence.

Next Module Module 7: Public Key Infrastructure (PKI)