Why cryptography matters in IT security
Every time you log into a website, send an email, or connect to a VPN, cryptography is working in the background to protect your data. Without it, anyone on the network could read your passwords, intercept your messages, or tamper with files in transit.
Cryptography provides three core security properties that you will see repeatedly on the Security+ exam:
Confidentiality → Only the intended recipient can read the data (encryption)
Integrity → Data has not been altered in transit (hashing)
Authentication → The sender is who they claim to be (digital signatures)
The two types of encryption
All encryption algorithms fall into one of two categories: symmetric (both parties share one secret key) or asymmetric (each party holds a linked public/private key pair). Knowing the difference — and when each is used — is the most important cryptography concept on the Security+ exam.
Speed question: "Which type of encryption is faster?" — Always symmetric.
Key exchange question: "Which solves the key distribution problem?" — Always asymmetric.
Real-world systems use both together: asymmetric encryption to securely exchange a symmetric key, then symmetric encryption for the actual data. This is exactly how TLS/HTTPS works.
Common encryption algorithms
| Algorithm | Type | Key Size | What to know for the exam |
|---|---|---|---|
| AES | Symmetric | 128, 192, 256-bit | Current gold standard for symmetric encryption. AES-256 is used in government and enterprise. |
| DES | Symmetric | 56-bit | Outdated and broken — 56-bit key is too short. Replaced by 3DES, then AES. |
| 3DES | Symmetric | 112 or 168-bit | Applies DES three times. Deprecated — slower than AES and considered weak. |
| RSA | Asymmetric | 2048-bit minimum | Most common asymmetric algorithm. Used in TLS certificates and digital signatures. |
| ECC | Asymmetric | 256-bit typical | Same security as RSA with much smaller key sizes. Preferred for mobile and IoT. |
| Diffie-Hellman | Asymmetric | Varies | Used for key exchange only — not encryption. Allows two parties to establish a shared secret over an unsecured channel. |
Hashing — integrity, not encryption
Hashing is often confused with encryption but they are fundamentally different. Encryption is reversible — you can decrypt ciphertext back to plaintext with the right key. Hashing is a one-way function — it produces a fixed-length output called a digest, and you cannot reverse it to get the original input.
Input (any size) → Hash function → Fixed-length digest
"password123" → SHA-256 → ef92b778... (64 hex characters)
"password124" → SHA-256 → 9f7b3c2a... (completely different)
Even a 1-character change produces a completely different hash (avalanche effect)
Hashing is used to verify integrity — that data has not been changed. Common uses include verifying file downloads, storing passwords securely, and detecting tampering.
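The three properties just described (fixed output length, one-way avalanche behaviour, and integrity checking of a download) are easy to see with Python's standard library. This is an added example written for this page, not code from the original article; the "download" bytes and the published digest are constructed here, and the MD5/SHA-1/SHA-256 output lengths it prints match the table below.

```python
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hash `data` with the named algorithm and return the hex digest.
    The output length depends only on the algorithm, never on the input size."""
    return hashlib.new(algorithm, data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ.
    The avalanche effect means roughly half of the bits change for a
    one-character change in the input."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_download(data: bytes, published_sha256: str) -> bool:
    """Integrity check as done for file downloads: recompute SHA-256 over the
    received bytes and compare it to the digest the publisher listed.
    hmac.compare_digest runs in constant time, so the comparison itself does
    not leak how many leading characters matched."""
    return hmac.compare_digest(digest_hex(data), published_sha256.lower())


# Constructed sample "download": the bytes a publisher released, and a copy
# in which a single byte was altered in transit.
ORIGINAL_FILE = b"release-1.0.tar.gz sample contents (constructed)\n"
TAMPERED_FILE = ORIGINAL_FILE.replace(b"1.0", b"1.1")
PUBLISHED_DIGEST = digest_hex(ORIGINAL_FILE)   # what the vendor would publish


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:6} -> {len(digest_hex(b'password123', algo))} hex characters")
    a = digest_hex(b"password123")
    b = digest_hex(b"password124")
    print("password123 ->", a)
    print("password124 ->", b)
    print("bits that changed:", bit_difference(a, b), "of 256")
    print("original verifies:", verify_download(ORIGINAL_FILE, PUBLISHED_DIGEST))
    print("tampered verifies:", verify_download(TAMPERED_FILE, PUBLISHED_DIGEST))
```

Running the script prints the same `ef92b778...` digest for `password123` that the diagram above shows, and a tampered file fails verification even though only one byte differs.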
| Hash Algorithm | Output Size | Status |
|---|---|---|
| MD5 | 128-bit (32 hex) | Broken — collision vulnerabilities. Do not use for security purposes. |
| SHA-1 | 160-bit (40 hex) | Deprecated — collision attacks demonstrated. Being phased out. |
| SHA-256 | 256-bit (64 hex) | Current standard. Part of SHA-2 family. Widely used in TLS and certificates. |
| SHA-3 | Variable | Newer standard with different internal design. Not yet as widely deployed. |
| bcrypt | 60 characters | Designed specifically for password hashing. Slow by design to resist brute force. |
Public and private keys — how the key pair works
Asymmetric encryption uses a mathematically linked key pair. What one key encrypts, only the other can decrypt. Understanding which key does what is a frequent exam question.
Encrypting data to send someone: Encrypt with their PUBLIC key → only their private key can decrypt
Creating a digital signature: Sign with your PRIVATE key → anyone with your public key can verify
Public key: share freely — it is meant to be public
Private key: never share — keep it secret at all times
Encrypting to someone: use their public key. Only their private key can decrypt it.
Digital signature: sign with your private key. Anyone with your public key can verify the signature.
These rules are tested constantly on Security+. Memorize them.
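To make the two key-direction rules concrete, and to show the hybrid pattern from "The two types of encryption" (asymmetric to exchange a symmetric key, symmetric for the data), here is an added example using textbook RSA in plain Python. It is not code from the original article: the primes are small constructed Mersenne primes so the numbers stay readable, there is no OAEP/PSS padding, and the signature is the raw SHA-256 digest reduced mod n. A real deployment uses 2048-bit keys with padded encryption and signatures, as the algorithm table notes; this code exists only to let you see that the public key encrypts and verifies while the private key decrypts and signs.

```python
import hashlib
import secrets

# Constructed toy key material: two Mersenne primes, giving an n of about 92 bits.
# Real RSA keys use two random ~1024-bit primes (a 2048-bit n, per the table
# above); these small values exist only so the arithmetic is visible.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key.
    The two keys are linked through phi(n): d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Encrypting TO someone: use THEIR public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the matching private key undoes encrypt()."""
    n, d = private_key
    return pow(c, d, n)


def _hash_to_int(message: bytes, n: int) -> int:
    """SHA-256 the message and reduce it into the RSA modulus (toy, unpadded)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signing: apply YOUR private exponent d to the message hash."""
    n, d = private_key
    return pow(_hash_to_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key recovers the hash from the signature
    and compares it with the hash of the message they received."""
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(message, n)


def hybrid_key_exchange(recipient_public, recipient_private):
    """Hybrid pattern: the sender picks a random symmetric session key and
    wraps it with the recipient's public key; the recipient unwraps it with
    the private key. Returns (key the sender chose, key the recipient got);
    in a real protocol that session key would then drive AES for the data."""
    session_key = secrets.randbits(64)
    wrapped = encrypt(recipient_public, session_key)
    return session_key, decrypt(recipient_private, wrapped)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"transfer 100 to account 42"          # constructed sample message
    sig = sign(priv, msg)
    print("signature verifies with public key:", verify(pub, msg, sig))
    print("altered message still verifies:", verify(pub, msg + b"0", sig))
    sent, received = hybrid_key_exchange(pub, priv)
    print("session key survived the round trip:", sent == received)
```

The test of a signature is that changing even one byte of the message, or checking it against a different public key, makes `verify` return False; the test of encryption is that a second, unrelated private key cannot recover the plaintext.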
Salting — protecting hashed passwords
When passwords are stored, they should never be stored in plaintext — they are hashed first. But identical passwords produce identical hashes, which makes them vulnerable to rainbow table attacks (pre-computed lists of hash values).
A salt is a random value added to the password before hashing. This ensures that even two users with the same password end up with completely different stored hashes, defeating rainbow table attacks.
Without salt: "password123" → SHA-256 → ef92b778... (same for every user)
With salt: "password123" + "xK9p2m" → SHA-256 → a3f9c12e...
"password123" + "q7rT4n" → SHA-256 → 7b2d8f1c... (different every time)
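The following added example (written for this page, not taken from the original article) stores passwords both ways described above and shows why the salted form defeats a precomputed lookup. The four-entry "rainbow table" is a constructed stand-in for the large precomputed lists the text mentions; the salts are generated with `secrets`, and the stored format `salt$digest` is an assumption of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def hash_password_unsalted(password: str) -> str:
    """The weak pattern: SHA-256 of the password alone, so every user with
    the same password stores exactly the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Salted pattern: a fresh random salt per user is prepended to the
    password before hashing and stored beside the digest as 'salt$digest'.
    The salt is not secret; it only has to be unique per stored password."""
    if salt is None:
        salt = secrets.token_hex(16)          # 128 random bits, hex-encoded
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Login check: read the salt back out of the stored value, recompute the
    digest with the candidate password, and compare in constant time."""
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed miniature "rainbow table": precomputed unsalted digests of a few
# common passwords, keyed by digest.
RAINBOW_TABLE = {hash_password_unsalted(p): p
                 for p in ("123456", "password", "password123", "qwerty")}


def rainbow_lookup(stored: str) -> Optional[str]:
    """Look a leaked stored value up in the precomputed table. An unsalted
    digest of a common password is found instantly; a salted digest never
    matches, because the table was built without that user's salt."""
    digest = stored.split("$")[-1]
    return RAINBOW_TABLE.get(digest)


if __name__ == "__main__":
    alice = hash_password("password123")
    bob = hash_password("password123")
    print("alice:", alice)
    print("bob:  ", bob)
    print("same password, same stored value?", alice == bob)
    print("alice logs in:", verify_password("password123", alice))
    print("unsalted lookup:", rainbow_lookup(hash_password_unsalted("password123")))
    print("salted lookup:  ", rainbow_lookup(alice))
```

Salting alone does not make SHA-256 slow; the table above lists bcrypt as the algorithm designed to be slow for this purpose, and the standard library offers `hashlib.pbkdf2_hmac` and `hashlib.scrypt` with the same intent if a third-party bcrypt package is not available.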
Exam scenarios