Cryptography
The mathematics that keeps secrets secret.
Overview
Cryptography questions on Security+ go beyond "AES is symmetric." You need to understand when and why to use different approaches, how PKI works end to end, and the difference between encryption and hashing. Answer the five questions below with enough depth to show understanding, not just memorisation.
Read before you answer
Cryptography is the practice of securing information by transforming it into a form that only authorised parties can read or verify. Security+ focuses on the practical application of cryptographic concepts rather than the mathematics underneath them. The two fundamental categories are: symmetric encryption, where the same key is used to encrypt and decrypt (fast, suitable for bulk data β examples: AES, 3DES, ChaCha20); and asymmetric encryption, which uses a mathematically linked key pair β a public key to encrypt (or verify) and a private key to decrypt (or sign). Asymmetric encryption is slower but solves the key distribution problem: you can freely share your public key without compromising your private key. RSA and ECC (Elliptic Curve Cryptography) are the primary asymmetric algorithms in use.
Hashing is a one-way function that produces a fixed-length output (digest) from any input. Unlike encryption, hashing cannot be reversed β the same input always produces the same hash, and any change to the input produces a completely different hash. Hashing is used to verify integrity (file checksums, password storage) and in digital signatures. Common algorithms include SHA-256 and SHA-3; MD5 and SHA-1 are cryptographically broken and should not be used for security purposes. Digital signatures combine hashing and asymmetric cryptography: a sender hashes a message and encrypts the hash with their private key. The recipient decrypts the hash with the sender's public key and verifies it matches the message β proving both integrity and authentication.
PKI (Public Key Infrastructure) is the framework of policies, processes, and technology used to create, manage, distribute, and revoke digital certificates. A digital certificate binds a public key to an identity, and is signed by a Certificate Authority (CA) that vouches for that binding. TLS (Transport Layer Security) β the protocol underlying HTTPS β uses PKI to establish encrypted connections and authenticate servers. Certificate revocation (via CRL or OCSP) handles the case where a certificate is compromised before its expiry. Key concepts for Security+ include: certificate chains, root CAs, intermediate CAs, the difference between DV/OV/EV certificates, and common TLS attack vectors including downgrade attacks and certificate pinning bypass.