Domain 1 of 5 · Chapter 3 of 4

Cryptography and PKI

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Encryption and key strength: symmetric, asymmetric, key length
  • Hashing, salting, key stretching, signatures, obfuscation
  • PKI: CAs, trust chains, certificates, revocation
  • Exam-pattern recognition: pick the right primitive

Symmetric encryption vs. asymmetric encryption vs. hashing

AspectSymmetric encryptionAsymmetric encryptionHashing
Keys usedOne shared secret key for both encrypt and decryptPublic/private key pair (encrypt with one, decrypt with the other)No key (keyed variants are MACs/HMAC)
ReversibleYes: ciphertext decrypts back to plaintextYes: ciphertext decrypts back to plaintextNo: one-way, cannot recover input
Relative speedFast; suited to bulk dataSlow; suited to small payloads and key exchangeFast
Security goalConfidentialityConfidentiality, key exchange, digital signaturesIntegrity (and password storage with salt)
Typical useEncrypting data at rest and in transitExchanging/wrapping a symmetric key, signingFile/download verification, password storage
Example algorithmsAES, ChaCha20RSA, ECC, Diffie-Hellman (key exchange)SHA-256, SHA-3

Decision tree

Must the data be read back later? No (integrity) Yes (confidentiality) Storing passwords? one-way fingerprint either way Large / bulk data? speed vs. key distribution Yes No Yes No No prior shared secret? key exchange / signatures Yes No* Salted hash + key stretching bcrypt / PBKDF2 / Argon2 Hash (SHA-2) integrity / tamper detection Asymmetric (RSA / ECC) Diffie-Hellman key exchange Symmetric (AES) shared-key, fast Hybrid in practice: asymmetric wraps a per-session symmetric key, then AES encrypts the payload. *A symmetric key already shared between bulk and exchange paths funnels back to AES.

Cheat sheet

  • Symmetric uses one shared key; asymmetric uses a public/private pair
  • Symmetric is fast for bulk data; asymmetric is slow and wraps keys
  • AES has a fixed 128-bit block; the key length changes rounds, not block size
  • Encrypt at the smallest scope that meets the requirement
  • Diffie-Hellman agrees a shared key; it is not a cipher
  • Key length only compares strength within an algorithm family
  • ECC reaches RSA-equivalent strength with a much shorter key
  • Hybrid crypto: asymmetric exchanges the key, symmetric encrypts the data
  • Hashing is one-way and keyless; it proves integrity, not confidentiality
  • SHA-2 is the default; SHA-1 is broken and a wrong answer
  • Salting defeats rainbow tables; key stretching slows each guess
  • PBKDF2 iterates an HMAC-based PRF to slow each derivation
  • HMAC gives keyed integrity and origin auth, but no non-repudiation
  • Digital signatures give integrity, authentication, and non-repudiation
  • FIPS 186-5 approves RSA, ECDSA, EdDSA; plain DSA is withdrawn
  • A CA binds an identity to a public key by signing the certificate
  • Offline root signs intermediates; intermediates issue leaf certs
  • Self-signed certs work internally but public clients reject them
  • A CSR sends the public key; the private key never leaves the subject
  • Wildcard covers one level of subdomains; SAN lists distinct names
  • CRL is a bulk periodic list; OCSP checks one cert in real time
  • OCSP stapling has the server attach the signed OCSP response
  • Key escrow enables recovery but concentrates decryption risk
  • Obfuscation: steganography, tokenization, and masking differ
  • Blockchain is an append-only ledger chained by hashes
  • Ephemeral DHE/ECDHE give forward secrecy; TLS 1.3 mandates it

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. FIPS 197: Advanced Encryption Standard (AES)
  2. NIST SP 800-57 Part 1 Rev. 5: Recommendation for Key Management
  3. FIPS 180-4: Secure Hash Standard (SHS)
  4. NIST SP 800-132: Recommendation for Password-Based Key Derivation (PBKDF2)
  5. FIPS 186-5: Digital Signature Standard (DSS)
  6. CompTIA Security+ (SY0-701) Certification