CISSP Flashcards: Cryptography, Encryption Types, Hashing, Digital Signatures, PKI

Learn about cryptography, including different encryption types, hashing methods, digital signatures, and public key infrastructure (PKI). This section is vital for understanding data protection mechanisms.

Nortren

What is the difference between symmetric and asymmetric encryption?

Symmetric encryption uses the same key for both encryption and decryption, making it fast and efficient for large data volumes. Examples include AES, DES, 3DES, and Blowfish. The challenge is key distribution, since both parties must securely share the secret key. Asymmetric encryption uses a mathematically related key pair: a public key for encryption and a private key for decryption. Examples include RSA, Elliptic Curve Cryptography, and Diffie-Hellman. Asymmetric encryption is slower but solves the key distribution problem.

What is AES and why is it the current encryption standard?

The Advanced Encryption Standard, or AES, is a symmetric block cipher that replaced the Data Encryption Standard in 2001 after a public competition. AES supports key lengths of 128, 192, and 256 bits, operates on 128-bit blocks, and uses substitution-permutation network rounds. AES-256 is considered secure against all known attacks including quantum computing threats for the foreseeable future. It is the mandatory encryption standard for US government classified information and is widely used in TLS, VPNs, disk encryption, and wireless security.

What is hashing and how does it differ from encryption?

Hashing is a one-way mathematical function that converts input of any size into a fixed-length output called a digest or hash value. Unlike encryption, hashing is irreversible: you cannot recover the original data from the hash. Hashing verifies integrity: if the data changes, the hash changes. Common algorithms include SHA-256, which produces a 256-bit digest, and SHA-3. MD5 and SHA-1 are deprecated due to collision vulnerabilities. Hashing is used for password storage, digital signatures, file integrity verification, and blockchain.

How do digital signatures work and what do they provide?

A digital signature is created by hashing a message and then encrypting the hash with the sender's private key. The recipient decrypts the signature using the sender's public key and compares the resulting hash to a fresh hash of the received message. If they match, the signature is valid. Digital signatures provide three security services: integrity because any modification changes the hash, authentication because only the sender's private key could have created the signature, and non-repudiation because the sender cannot deny signing since only they possess the private key.

What is a Public Key Infrastructure and what are its components?

A Public Key Infrastructure, or PKI, is the framework of policies, procedures, and technologies that manages digital certificates and public-private key pairs. Core components include the Certificate Authority, or CA, which issues and signs digital certificates; the Registration Authority, or RA, which verifies identity before certificate issuance; the Certificate Revocation List, or CRL, which lists revoked certificates; and the Online Certificate Status Protocol, or OCSP, which provides real-time certificate validity checking.

What is the Diffie-Hellman key exchange and what problem does it solve?

Diffie-Hellman is an asymmetric key agreement protocol that allows two parties to establish a shared secret key over an insecure channel without ever transmitting the key itself. Each party generates a private value, computes a public value using modular arithmetic, and exchanges public values. Each party then combines the other's public value with their own private value to independently derive the same shared secret. This shared secret is then used as a symmetric encryption key.

What is the difference between a stream cipher and a block cipher?

A block cipher encrypts data in fixed-size blocks, typically 128 bits for AES. If the data is not an exact multiple of the block size, padding is added. Block ciphers process blocks either independently or chained together, depending on the mode of operation, such as CBC or GCM. A stream cipher encrypts data one bit or byte at a time, generating a continuous keystream that is combined with the plaintext using XOR. Stream ciphers like ChaCha20 are faster and suitable for real-time communications. Block ciphers are generally considered more secure and versatile.

What is a rainbow table attack and how do you defend against it?

A rainbow table is a precomputed lookup table of hash values for common passwords and their plaintext equivalents. An attacker who obtains a database of hashed passwords can look up each hash in the table to find the matching password almost instantly, bypassing the need to crack each hash individually. The defense is salting: adding a unique random value to each password before hashing so that identical passwords produce different hashes. With a salt, rainbow tables become useless because the attacker would need a separate table for every possible salt value.