CompTIA Security+ SY0-701 Objective 1.4: Explain the Importance of Using Appropriate Cryptographic Solutions


CompTIA Security+ Exam Focus: This objective covers the critical role of cryptography in information security. Understanding cryptographic solutions, their proper implementation, and when to use specific techniques is essential for protecting data confidentiality, integrity, and authenticity. Master these concepts for both exam success and real-world security implementation.

Introduction to Cryptographic Solutions

Cryptography is the practice and study of techniques for secure communication and data protection. It provides the foundation for modern information security by ensuring confidentiality, integrity, authentication, and non-repudiation. Understanding appropriate cryptographic solutions is crucial for implementing effective security controls.

Public Key Infrastructure (PKI)

PKI is a framework that manages digital certificates and public-private key pairs. It provides a secure method for exchanging information over insecure networks and establishing trust between parties.

Public Key

Public Key Characteristics:

  • Mathematically related to private key but computationally infeasible to derive
  • Can be freely distributed and shared
  • Used for encryption and signature verification
  • Part of asymmetric cryptography systems
  • Embedded in digital certificates

Private Key

Private Key Characteristics:

  • Must be kept secret and secure
  • Used for decryption and digital signing
  • Never shared or transmitted
  • Protected by strong access controls
  • Can be stored in hardware security modules

Key Escrow

Key Escrow Process:

  • Copies of encryption keys held by a trusted third party or an internal recovery agent
  • Enables key recovery for authorized parties (lost keys, departed employees, legal holds)
  • Has also been proposed as a mechanism for lawful government access, which is the main source of the controversy
  • Requires strong legal and technical controls (split knowledge, dual control, audited access to the escrowed keys)
  • Controversial due to privacy concerns and because the escrow itself becomes a high-value target

Encryption

Encryption is the process of converting plaintext into ciphertext to protect data confidentiality. Different encryption levels and methods are used based on security requirements and use cases.

Encryption Levels

Full-Disk Encryption

  • Encrypts entire storage device
  • Protects all data on the device
  • Examples: BitLocker, FileVault, LUKS
  • Transparent to applications
  • Protects against physical theft of a powered-off or locked device; offers no protection once the system is booted and unlocked

Partition Encryption

  • Encrypts specific disk partitions
  • More granular than full-disk encryption
  • Allows mixed encrypted/unencrypted partitions
  • Flexible deployment options

File Encryption

  • Encrypts individual files
  • Granular control over data protection
  • Examples: EFS (Windows), GPG
  • Allows selective encryption

Volume Encryption

  • Encrypts logical volumes
  • Can span multiple physical disks
  • Flexible storage management
  • Examples: LUKS on LVM volumes, VeraCrypt volumes, storage-array volume encryption

Database Encryption

  • Encrypts database files or tables
  • Protects structured data
  • Examples: TDE, column-level encryption
  • Maintains database functionality

Record Encryption

  • Encrypts individual database records
  • Most granular database encryption
  • Field-level protection
  • Application-level implementation

Transport/Communication Encryption

Common Protocols:

  • TLS: Secures web and other application traffic; its predecessor SSL, along with TLS 1.0 and 1.1, is deprecated
  • IPSec: Network layer encryption
  • SSH: Secure shell connections
  • VPN: Virtual private networks
  • WPA3: Wireless network encryption

Asymmetric Encryption

Characteristics:

  • Uses public-private key pairs
  • Slower than symmetric encryption
  • Used for key exchange and digital signatures
  • Examples: RSA, ECC, ElGamal
  • Enables secure communication without pre-shared keys

Symmetric Encryption

Characteristics:

  • Uses same key for encryption and decryption
  • Faster than asymmetric encryption
  • Used for bulk data encryption
  • Examples: AES, ChaCha20; 3DES is legacy (disallowed by NIST after 2023)
  • Requires secure key distribution

Key Exchange

Methods:

  • Diffie-Hellman (DH): Both parties derive the same shared secret from exchanged public values; the secret itself is never transmitted
  • ECDH: Elliptic curve version with much smaller keys; the ephemeral variants (DHE/ECDHE) generate a fresh key pair per session and so provide forward secrecy
  • RSA Key Exchange (key transport): The client encrypts a secret to the server's RSA public key; a later compromise of that key exposes all recorded sessions, which is why TLS 1.3 removed it
  • Pre-shared Keys: Manually distributed keys; secure distribution and rotation are the weak point
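The exchange described above, as an added worked example that is not part of the original page: finite-field Diffie-Hellman over the 2048-bit MODP group from RFC 3526 (group 14), using only the Python standard library. Both parties publish only g^x mod p, derive the same secret, and run it through a small HKDF-style derivation to obtain an AES-256 key; the raw shared secret is never used as a key directly. The prime is transcribed from the RFC and checked for primality at import time so a transcription error fails loudly; the salt and info strings in the key derivation are illustrative choices.

```python
# Added example (not from the original page): Diffie-Hellman key agreement
# over RFC 3526 group 14, then a symmetric key derived from the shared secret.
import hashlib
import hmac
import secrets

# 2048-bit MODP prime from RFC 3526 section 3, transcribed here; verified below.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2  # group 14 is a safe prime, so q is prime and g generates the order-q subgroup


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with fixed small bases; enough to catch a corrupted constant."""
    if n < 2:
        return False
    small = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


assert is_probable_prime(P) and is_probable_prime(Q), "DH group constant is corrupted"


class Party:
    """One side of the exchange: keeps its private exponent, publishes g^x mod p."""

    def __init__(self, name: str):
        self.name = name
        # 256-bit private exponent is ample for a 2048-bit group (~112-bit security).
        self._x = secrets.randbits(256) | (1 << 255)
        self.public = pow(G, self._x, P)

    def shared_key(self, peer_public: int) -> bytes:
        # Reject degenerate and small-subgroup values (0, 1, p-1, ...) before using them.
        if not 2 <= peer_public <= P - 2 or pow(peer_public, Q, P) != 1:
            raise ValueError("invalid peer public value")
        z = pow(peer_public, self._x, P)
        # HKDF-style extract-then-expand (single output block); salt/info are illustrative.
        prk = hmac.new(b"dh-demo-salt", z.to_bytes(256, "big"), hashlib.sha256).digest()
        return hmac.new(prk, b"aes-256-key" + b"\x01", hashlib.sha256).digest()


def run_exchange():
    """Returns (alice_key, bob_key, values_visible_on_the_wire)."""
    alice, bob = Party("alice"), Party("bob")
    on_the_wire = (alice.public, bob.public)  # all an eavesdropper ever sees
    return alice.shared_key(bob.public), bob.shared_key(alice.public), on_the_wire


if __name__ == "__main__":
    ka, kb, seen = run_exchange()
    print("keys match:", ka == kb, "| key:", ka.hex())
```

The eavesdropper holds only the two public values; recovering the key requires solving the discrete logarithm in a 2048-bit group. The subgroup check in shared_key is the part most often forgotten in hand-rolled DH: without it a peer can send a small-order element and force the shared secret into a handful of predictable values.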

Algorithms

Common Algorithms:

  • AES: Advanced Encryption Standard (symmetric block cipher)
  • RSA: Rivest-Shamir-Adleman (asymmetric; encryption, key transport and signatures)
  • ECC: Elliptic Curve Cryptography (asymmetric; ECDH for key agreement, ECDSA for signatures)
  • SHA: Secure Hash Algorithm family (a hash function, not a cipher; provides integrity, not confidentiality)
  • ChaCha20: Stream cipher, normally paired with Poly1305 for authenticated encryption

Key Length

Security Considerations:

  • Longer keys strengthen a given algorithm, but lengths are not comparable across algorithms (a 256-bit ECC key is roughly as strong as a 3072-bit RSA key)
  • Must balance security with performance
  • Minimum recommended lengths vary by algorithm and should be taken from current guidance (e.g., NIST SP 800-57)
  • AES-256, RSA-2048, ECC-256 (P-256) are common today
  • Quantum computing: Grover's algorithm halves effective symmetric strength (AES-256 remains adequate), while Shor's algorithm breaks RSA and ECC at any key length, so those need post-quantum replacements rather than longer keys

Tools

Trusted Platform Module (TPM)

TPM Functions:

  • Hardware-based security chip
  • Secure key storage and generation
  • Platform integrity measurement
  • Remote attestation capabilities
  • Used for BitLocker key sealing, measured boot and device identity

Hardware Security Module (HSM)

HSM Features:

  • Dedicated hardware for cryptographic operations
  • Tamper-resistant design
  • High-performance cryptographic processing
  • Used in enterprise and cloud environments
  • FIPS 140-2/140-3 validated options available (140-3 is the current standard)

Key Management System

KMS Functions:

  • Centralized key lifecycle management
  • Key generation, distribution, rotation
  • Key escrow and recovery
  • Integration with applications and services
  • Compliance and audit capabilities

Secure Enclave

Secure Enclave Features:

  • Isolated execution environment
  • Hardware-based protection
  • Used in mobile devices and processors
  • Protects sensitive operations
  • Examples: Intel SGX, ARM TrustZone

Obfuscation

Obfuscation techniques hide or disguise data to protect sensitive information while maintaining usability for authorized purposes.

Steganography

Steganography Methods:

  • Hides data within other files
  • Images, audio, video as carriers
  • Least significant bit (LSB) techniques
  • Can be used for malicious purposes
  • Detection requires specialized tools

Tokenization

Tokenization Process:

  • Replaces sensitive data with a substitute value (token)
  • Tokens are generated randomly and have no mathematical relationship to the original data; the mapping lives in a secured token vault
  • Used for payment card data to shrink PCI DSS scope
  • Usually format-preserving (same length and character set, often keeping the last four digits)
  • Reversible only through the vault (detokenization); a token alone reveals nothing, unlike ciphertext, which can be attacked offline

Data Masking

Data Masking Techniques:

  • Replaces sensitive data with realistic fake data
  • Used for testing and development
  • Maintains data relationships
  • Static and dynamic masking options
  • Preserves data format and structure

Hashing

Hash Functions:

  • One-way mathematical functions
  • Fixed-length output regardless of input size
  • Used for data integrity verification
  • Examples: SHA-256, SHA-3, BLAKE2
  • Must be collision-resistant; MD5 and SHA-1 have practical collision attacks and should not be used for signatures or integrity checks

Salting

Salt Benefits:

  • Random data added to each password before hashing
  • Defeats precomputed (rainbow) tables and ensures identical passwords produce different hashes
  • Each password gets its own unique salt
  • Stored alongside the hash; the salt is not secret
  • Increases security of password storage, but does not by itself slow down guessing (that is what key stretching is for)

Digital Signatures

Digital Signature Process:

  • Mathematical scheme for verifying authenticity
  • Uses private key to sign, public key to verify
  • Provides non-repudiation
  • Ensures data integrity
  • Used in PKI and blockchain

Key Stretching

Key Stretching Methods:

  • Increases the computational cost of each password guess
  • Examples: PBKDF2, bcrypt, scrypt, Argon2
  • Makes offline brute force far more expensive; it does not rescue a weak password
  • Configurable iteration counts (plus memory and parallelism parameters for scrypt and Argon2)
  • Memory-hard functions (scrypt, Argon2) resist GPU and ASIC cracking hardware
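The salting and key stretching sections above, combined in one added example that is not from the original page: password storage with PBKDF2-HMAC-SHA256 from the Python standard library. A fresh 16-byte salt is generated per password, the work factor is stored with the record so it can be raised later, and verification uses a constant-time comparison. The record layout and the 600,000-iteration default are illustrative choices (the count is in line with current OWASP guidance for PBKDF2-HMAC-SHA256). An unsalted SHA-256 function is included only to show the weakness salting removes.

```python
# Added example (not from the original page): salted, stretched password hashing.
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000      # work factor; raise over time and re-hash on next login
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Returns a self-describing record: algorithm$iterations$salt$hash (all base64)."""
    salt = secrets.token_bytes(SALT_BYTES)          # unique per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$".join([
        "pbkdf2-sha256",
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    ])


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time; no early exit on mismatch


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below current policy; re-hash after a successful login."""
    return int(record.split("$")[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """What NOT to do: identical passwords give identical digests and one cheap hash per guess."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("same password, different records:", rec_a != rec_b)
    print("verify:", verify_password("correct horse battery staple", rec_a))
```

Storing the iteration count in the record is what makes rotation practical: when policy rises, old records keep verifying, and needs_rehash flags them for an upgrade the next time the user presents the password.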

Blockchain

Blockchain Characteristics:

  • Distributed ledger technology
  • Immutable transaction records
  • Cryptographic hash chains
  • Consensus mechanisms
  • Decentralized verification

Open Public Ledger

Public Ledger Features:

  • Transparent transaction history
  • Anyone can verify transactions
  • No central authority required
  • Cryptographically secured
  • Examples: Bitcoin, Ethereum blockchains
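The hash chain behind the blockchain and public ledger sections, as an added example that is not from the original page and not any real ledger's code: each block commits to the previous block's SHA-256 hash, and a tiny proof-of-work (three leading hex zeros, far below any real network) makes a valid hash cost work. Editing one record breaks that block; re-mining it then breaks the link in every later block, which is what "immutable" means here. The transactions are constructed sample data.

```python
# Added example (not from the original page): a minimal hash chain with proof of work,
# showing why altering a past record invalidates every block after it.
import hashlib
import json

DIFFICULTY = "000"       # required hex prefix of a valid block hash (12 bits: toy work factor)
GENESIS_PREV = "0" * 64


def block_hash(index: int, prev_hash: str, data: dict, nonce: int) -> str:
    # Canonical serialization so the same content always hashes the same way.
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data, "nonce": nonce},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(index: int, prev_hash: str, data: dict):
    """Search for a nonce whose hash meets the difficulty target. Returns (nonce, hash)."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, data, nonce)
        if h.startswith(DIFFICULTY):
            return nonce, h
        nonce += 1


def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, rec in enumerate(records):
        nonce, h = mine(i, prev, rec)
        chain.append({"index": i, "prev": prev, "data": rec, "nonce": nonce, "hash": h})
        prev = h
    return chain


def first_invalid_block(chain):
    """Anyone holding the ledger can verify it. Returns the index of the first bad block, or None."""
    prev = GENESIS_PREV
    for blk in chain:
        recomputed = block_hash(blk["index"], blk["prev"], blk["data"], blk["nonce"])
        if blk["prev"] != prev or recomputed != blk["hash"] or not recomputed.startswith(DIFFICULTY):
            return blk["index"]
        prev = blk["hash"]
    return None


# Constructed sample transactions.
LEDGER = [
    {"from": "alice", "to": "bob", "amount": 5},
    {"from": "bob", "to": "carol", "amount": 2},
    {"from": "carol", "to": "alice", "amount": 1},
]

if __name__ == "__main__":
    chain = build_chain(LEDGER)
    print("valid chain:", first_invalid_block(chain))
    chain[1]["data"]["amount"] = 999                     # rewrite history
    print("after tamper, first bad block:", first_invalid_block(chain))
    chain[1]["nonce"], chain[1]["hash"] = mine(1, chain[1]["prev"], chain[1]["data"])
    print("after re-mining block 1, first bad block:", first_invalid_block(chain))
```

With real difficulty the attacker would have to redo the work for every subsequent block faster than the rest of the network extends the chain; the verification function needs no trust in who produced the blocks, which is the "anyone can verify" property of an open ledger.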

Certificates

Digital certificates bind public keys to identities and are essential components of PKI systems.

Certificate Authorities

CA Functions:

  • Issue and manage digital certificates
  • Verify identity of certificate applicants
  • Maintain certificate revocation lists
  • Establish trust in public key infrastructure
  • Examples: DigiCert, Sectigo, Let's Encrypt

Certificate Revocation Lists (CRLs)

CRL Features:

  • Signed list of revoked certificate serial numbers
  • Published periodically by CAs, so a client learns of a revocation only after the next refresh
  • Must be checked for certificate validity
  • Can become large and unwieldy
  • Supplemented or replaced by OCSP, OCSP stapling, and browser-aggregated revocation lists

Online Certificate Status Protocol (OCSP)

OCSP Benefits:

  • Per-certificate status query to the CA's OCSP responder
  • More efficient than downloading a full CRL
  • Reduces bandwidth usage
  • Faster revocation checking
  • Can be cached; with OCSP stapling the server attaches a recent signed response to the TLS handshake, removing the latency and the privacy leak of live client queries (and the weakness of clients that soft-fail when the responder is unreachable)

Self-Signed Certificates

Self-Signed Characteristics:

  • Signed by their own private key
  • No third-party verification
  • Used for testing and internal systems
  • Browsers show security warnings unless the certificate is explicitly trusted
  • Not suitable for public-facing applications

Third-Party Certificates

Third-Party Benefits:

  • Issued by trusted certificate authorities
  • Identity verification by CA
  • Trusted by browsers and applications
  • Required for public-facing websites
  • Provide warranty and support

Root of Trust

Root of Trust Components:

  • Foundation of PKI trust model
  • Root CA certificates
  • Embedded in operating systems and browsers
  • Highly protected and validated
  • Compromise affects entire trust chain

Certificate Signing Request (CSR) Generation

CSR Process:

  • Contains public key and identity information
  • Generated by certificate applicant
  • Sent to certificate authority
  • CA validates and issues certificate
  • Private key remains with applicant

Wildcard Certificates

Wildcard Features:

  • Cover multiple subdomains with a single certificate
  • Use an asterisk (*) as the leftmost label of the name
  • Cost-effective for many subdomains
  • Larger blast radius: one compromised private key affects every host that uses the certificate
  • Example: *.example.com covers www.example.com and api.example.com, but not example.com itself or a.b.example.com; the wildcard matches exactly one label

Cryptographic Best Practices

Implementation Guidelines:

  • Use strong, industry-standard algorithms
  • Implement proper key management
  • Regular key rotation and updates
  • Secure key storage and distribution
  • Monitor for cryptographic vulnerabilities
  • Plan for quantum computing threats

Exam Preparation Tips

Key Exam Points:

  • Understand PKI components and relationships
  • Know different encryption levels and when to use them
  • Understand symmetric vs asymmetric encryption
  • Know cryptographic tools and their purposes
  • Understand obfuscation techniques
  • Know certificate types and validation methods
  • Understand blockchain and public ledger concepts

Summary

Cryptographic solutions are fundamental to information security, providing confidentiality, integrity, authentication, and non-repudiation. Understanding PKI, encryption methods, cryptographic tools, and certificate management is essential for implementing effective security controls. Proper selection and implementation of cryptographic solutions based on specific requirements and threat models is crucial for protecting sensitive data and maintaining secure communications.