The two types of encryption — symmetric and asymmetric
Every encryption algorithm falls into one of two categories. Understanding the difference between them — and when each is used — is the foundation of everything else in cryptography.
Speed question: "Which encryption type is faster?" → Symmetric. Always.
Key exchange question: "Which solves the key distribution problem?" → Asymmetric.
In practice, most secure systems use both — asymmetric encryption to securely exchange a symmetric key, then symmetric encryption for the actual data. This is exactly how HTTPS/TLS works.
How HTTPS uses both types together
HTTPS is the clearest real-world example of asymmetric and symmetric encryption working together. Understanding this flow is directly tested on Security+:
From this point on, all traffic is encrypted with the fast symmetric session key. Asymmetric encryption was only used to safely exchange it.
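The hybrid pattern above, as an added example (not code from the original page) using only the Python standard library: Diffie-Hellman supplies the asymmetric key agreement, a SHA-256 KDF turns the shared secret into the session key, and the data is then encrypted symmetrically. Assumptions: the 1024-bit MODP group from RFC 2409 is used only to keep the block short (2048-bit or elliptic-curve groups are current practice), and the HMAC-SHA256 keystream cipher stands in for AES, which the standard library does not provide.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), generator 2. Chosen only to keep
# the example short; current practice is 2048-bit+ groups or elliptic-curve DH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    """Asymmetric half: a random private exponent and the public value g^priv mod p."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)

def dh_session_key(my_priv: int, peer_pub: int) -> bytes:
    """Derive the symmetric session key from the shared secret (peer_pub^priv mod p)."""
    if not 1 < peer_pub < P - 1:          # reject 0, 1 and p-1, which force a known secret
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric half. Keystream = HMAC-SHA256(key, nonce || counter), XORed with the data.
    A stand-in for AES-CTR (no AES in the standard library): same shape, not the standard."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_exchange(plaintext: bytes):
    """Client and server agree on a key asymmetrically, then encrypt data symmetrically."""
    c_priv, c_pub = dh_keypair()           # client's key pair
    s_priv, s_pub = dh_keypair()           # server's key pair
    c_key = dh_session_key(c_priv, s_pub)  # each side combines its private with the peer's public
    s_key = dh_session_key(s_priv, c_pub)
    nonce = secrets.token_bytes(12)        # the IV: fresh per message, sent in the clear
    ciphertext = stream_xor(c_key, nonce, plaintext)
    recovered = stream_xor(s_key, nonce, ciphertext)
    return c_key == s_key, ciphertext, recovered
```

Only the public values cross the wire; an eavesdropper who records them still lacks either private exponent and so cannot derive the session key.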
Common encryption algorithms — the ones the exam tests
| Algorithm | Type | Key size | What you need to know |
|---|---|---|---|
| AES | Symmetric | 128, 192, or 256-bit | Current standard for symmetric encryption. Fast, secure. Used in WPA2, TLS, disk encryption. |
| DES | Symmetric | 56-bit | Old and broken — 56-bit key is too short. Appears on exam as an example of weak/legacy encryption. |
| 3DES | Symmetric | 112 or 168-bit | Applies DES three times to improve security. Legacy — being phased out in favor of AES. |
| RSA | Asymmetric | 2048-bit minimum | Most widely used asymmetric algorithm. Used for key exchange and digital signatures. Slow but trusted. |
| ECC | Asymmetric | 256-bit ≈ RSA 3072-bit | More efficient than RSA — same security with smaller keys. Used in mobile and IoT environments. |
| Diffie-Hellman | Asymmetric | Varies | Key exchange protocol — allows two parties to establish a shared secret over an insecure channel. |
| RC4 | Symmetric | 40–2048-bit | Stream cipher. Used in old WEP and SSL. Now considered insecure — appears on exam as weak/deprecated. |
Hashing — proving integrity, not confidentiality
Hashing is fundamentally different from encryption. Encryption is a two-way process — you encrypt data, then decrypt it later. Hashing is one-way — you put data in, get a fixed-length output (called a hash or digest), and you cannot reverse it to get the original data back.
Hashing is used to verify integrity — that data hasn't been altered. Password storage, file verification, and digital signatures all rely on hashing.
"hello" → SHA-256 → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 "Hello" → SHA-256 → 185f8db32921bd46d35cc8b2a3e2c6e8e2e89f1e1f2c3d4e5f6a7b8c9d0e1f2a Change one character → completely different hash output The original input cannot be recovered from the hash
| Hash Algorithm | Type | Output size | Status |
|---|---|---|---|
| MD5 | Hash | 128-bit | Broken — collision vulnerabilities. Use only for non-security checksums. |
| SHA-1 | Hash | 160-bit | Deprecated — collision attacks demonstrated. Being phased out. |
| SHA-256 | Hash | 256-bit | Current standard. Used in TLS, code signing, password storage. |
| SHA-3 | Hash | 224–512-bit | Newest SHA standard. Different internal design from SHA-2 family. |
| HMAC | Hash + Key | Varies | Hash + secret key combined. Provides both integrity and authentication. |
A collision attack is when two different inputs produce the same hash output. This breaks the integrity guarantee — an attacker could substitute a malicious file that produces the same hash as a legitimate one. This is why MD5 and SHA-1 are no longer trusted for security purposes.
Exam shortcut: MD5 and SHA-1 = weak/broken. SHA-256 and above = current standard.
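An added example (not from the original page) that runs the hashing ideas above on the page's own inputs: the avalanche effect between "hello" and "Hello", HMAC for keyed integrity, and what "password storage" means in practice, namely a salted, stretched PBKDF2 hash rather than a bare SHA-256. The iteration count and the `$`-separated storage format are my own choices.

```python
import hashlib
import hmac
import secrets

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many of the 256 output bits changed between two digests (about half, ideally)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def hmac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: integrity and authentication, since only a key holder can produce the tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def hmac_verify(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest is constant-time, so a forger learns nothing from response timing.
    return hmac.compare_digest(hmac_tag(key, message), tag)

def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salt (random per user) + key stretching (many iterations): PBKDF2-HMAC-SHA256."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"  # constructed storage format

def check_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; never decrypt, only recompute."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    a, b = sha256_hex(b"hello"), sha256_hex(b"Hello")
    print(a, b, differing_bits(a, b), sep="\n")
    print(hash_password("correct horse"))
```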
Digital signatures — proving authenticity and non-repudiation
A digital signature uses asymmetric cryptography in reverse. Instead of the sender encrypting with the recipient's public key, the sender encrypts a hash of the message with their own private key. Anyone with the sender's public key can decrypt it and verify the hash matches — proving the message came from that sender and hasn't been altered.
```text
Signing (sender):
  Message → Hash → Digest → Encrypt with private key → Signature

Verifying (recipient):
  Signature → Decrypt with sender's public key → Digest
  Message → Hash → Digest
  If both digests match → message is authentic and unaltered
```
Digital signatures provide three security properties the exam tests directly: authentication (proves who sent it), integrity (proves it wasn't altered), and non-repudiation (the sender cannot deny sending it, because only their private key could have created the signature).
PKI — the trust system behind certificates
Public Key Infrastructure (PKI) is the framework of policies, roles, and technology that manages digital certificates and public keys. It answers the question that asymmetric encryption creates: "How do I know this public key actually belongs to who they say they are?"
```text
Root CA (Certificate Authority — the ultimate trust anchor)
   ↓ signs
Intermediate CA (issues certificates on behalf of root CA)
   ↓ signs
End-Entity Certificate (the certificate on a website, device, or user)
```
Your browser trusts a website's certificate because it was signed by an intermediate CA, which was signed by a trusted root CA that your OS or browser already trusts.
| PKI Term | What it means |
|---|---|
| CA (Certificate Authority) | Trusted entity that issues and signs digital certificates — e.g. DigiCert, Let's Encrypt |
| Root CA | The top-level CA whose certificate is self-signed and pre-trusted in browsers/OS |
| Intermediate CA | CA between root and end-entity — root CAs stay offline; intermediates do day-to-day signing |
| Digital Certificate | File containing a public key + identity info + CA signature, in X.509 format |
| CRL | Certificate Revocation List — list of certificates the CA has invalidated before expiry |
| OCSP | Online Certificate Status Protocol — real-time way to check if a certificate is revoked |
| CSR | Certificate Signing Request — sent to CA to request a certificate be issued |
Key cryptography terms — quick reference
| Term | What it means |
|---|---|
| Plaintext | The original readable data before encryption |
| Ciphertext | The encrypted, unreadable output |
| Key | The value used to encrypt or decrypt data |
| Salt | Random data added to a password before hashing to prevent rainbow table attacks |
| IV (Initialization Vector) | Random value added to encryption to ensure identical inputs produce different outputs |
| Key stretching | Running a weak key through many hash iterations to make brute force harder (PBKDF2, bcrypt) |
| Steganography | Hiding data inside other files (images, audio) — obscures existence, not content |
| Obfuscation | Making data harder to understand without fully encrypting it |
| Perfect Forward Secrecy | Generates unique session keys so past sessions can't be decrypted if keys are compromised |
Exam scenarios