Cryptography Fundamentals
Symmetric and asymmetric encryption, hashing, and the concepts behind data protection.
Cryptography is the toolkit Security+ (SY0-701) uses to enforce confidentiality, integrity, and authenticity. The exam rarely asks you to do math. Instead it tests whether you can pick the right tool for the goal: encryption to hide data, hashing to prove it was not changed, and signatures to prove who sent it. Learn which key does what and most questions become straightforward.
Core Idea
- Symmetric encryption uses one shared secret key for both encrypt and decrypt — it is fast and used for bulk data, but key distribution is the hard problem.
- Asymmetric encryption uses a mathematically linked public/private key pair — slower, but it solves key exchange and enables digital signatures.
- Hashing is not encryption: it is a one-way function that produces a fixed-length digest to verify integrity, and it can never be reversed back to the original.
Symmetric vs. Asymmetric Encryption
- Symmetric (secret-key): the same key encrypts and decrypts. It is fast and efficient for large volumes of data, so it protects the actual payload. The weakness is distributing the shared key securely. AES is the modern standard (128/192/256-bit); older/weaker examples are DES and 3DES.
- Asymmetric (public-key): a public key (shared freely) and a private key (kept secret) work as a pair. What one key locks, only the other can unlock. Anyone can encrypt to you with your public key, but only your private key decrypts. Examples: RSA and ECC (elliptic-curve, which gives equal strength with much smaller keys — ideal for mobile/IoT).
- Hybrid encryption combines both to get the best of each: use slow asymmetric encryption once to safely exchange a random symmetric (session) key, then use fast symmetric encryption for the bulk data. This is exactly how TLS works.
Hashing, Salting, and Integrity
- A hash is a one-way digest of fixed length (SHA-2, e.g., SHA-256, is the exam favorite; MD5 and SHA-1 are considered broken due to collisions). Change one bit of input and the whole digest changes.
- Hashing provides integrity, not confidentiality — you cannot "decrypt" a hash. You verify data by re-hashing it and comparing digests.
- A salt is a random value added to a password before hashing. It ensures identical passwords produce different hashes, defeating precomputed rainbow tables and making bulk cracking far harder.
- Key stretching (bcrypt, PBKDF2, scrypt, Argon2) deliberately slows down hashing by repeating it thousands of times, so brute-forcing stored passwords is impractical.
Digital Signatures and Key Exchange
- A digital signature is created by hashing a message and encrypting that hash with the sender's private key. Anyone with the sender's public key verifies it. Signatures provide integrity (data unchanged), authentication (proves the sender), and non-repudiation (the sender cannot deny it).
- Note the direction: you encrypt for confidentiality with the recipient's public key, but you sign with your own private key. Mixing these up is a classic trap.
- Diffie-Hellman (DH) is a key-exchange method that lets two parties agree on a shared symmetric key over an untrusted network without ever transmitting the key itself. ECDHE adds ephemeral (per-session) keys for perfect forward secrecy.
Encryption States and Supporting Concepts
- Data at rest (stored on disk/db): protect with full-disk or file/database encryption.
- Data in transit (moving over a network): protect with TLS, HTTPS, VPNs, IPsec.
- Data in use (in memory/being processed): the hardest state; protect with a secure enclave or homomorphic encryption.
- A nonce/IV (initialization vector) is a random value used once so encrypting the same plaintext twice yields different ciphertext.
- Hardware anchors: an HSM is a dedicated device for generating and storing keys; a TPM is a chip on the motherboard that stores keys for that specific machine (used for full-disk encryption); a secure enclave isolates crypto operations from the main CPU.
- Obfuscation hides meaning; steganography hides data inside other files (e.g., in an image); tokenization swaps sensitive data for a non-sensitive token mapped in a separate vault. Blockchain provides an immutable, distributed ledger using hashing.
High-Yield Exam Patterns
- If the question emphasizes speed or bulk data, the answer is symmetric/AES. If it emphasizes key exchange or two parties who never met, the answer is asymmetric.
- Non-repudiation is the giveaway word for digital signatures — hashing and symmetric encryption cannot provide it.
- Verify a signature with the sender's public key; decrypt confidential data with the recipient's private key.
- Salting defeats rainbow tables; key stretching slows brute-force attacks — know which mitigates which.
- TPM = tied to one machine; HSM = dedicated key-management appliance. ECC is chosen for low-power/mobile devices.
Common Traps to Avoid
- Do not say hashing "encrypts" data — it is one-way and provides integrity, not confidentiality.
- Do not confuse signing (private key) with encrypting-for-privacy (recipient's public key).
- Do not assume asymmetric encryption protects the whole payload — in practice it only exchanges the symmetric key (hybrid model).
- Do not confuse a salt (defeats rainbow tables) with a nonce/IV (ensures unique ciphertext per session).
- Do not treat tokenization and encryption as the same — tokenized data has no mathematical relationship to the original.
Flashcards
Card 1 of 14
Question
How many keys does symmetric encryption use, and what is its main weakness?
Click or press Space to reveal answer
Answer
One shared secret key for both encrypt and decrypt; its main weakness is securely distributing that key.
Keyboard: Space/Enter to flip • Arrow keys to navigate
Ready to Test Your Knowledge?
This quiz has 8 questions and each one has 4 options.
Quiz Details
8 Questions
Multiple choice with instant self-check
Final Review
See correct answers and explanations at the end
Build your own lesson in minutes.
Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.