SkarpSkarp

Chapter 5 of 27

Cryptographic Building Blocks: Encryption, Hashing, and PKI Basics

Unpack the cryptographic tools that quietly protect data every day, from simple encrypted files to complex certificate-based authentication in large enterprises.

27 min readen

Why Cryptography Matters in Modern Security

Cryptography in the Bigger Picture

Cryptography is the toolbox that enforces many zero trust and security policies. It keeps secrets secret, proves identity, and detects tampering across modern IT systems.

Three Core Goals

Cryptography mainly supports: confidentiality (only the right people can read data), integrity (data is unchanged), and authentication/non-repudiation (proving who sent or signed something).

Three Building Blocks

In this module, you will focus on: encryption for confidentiality, hashing for integrity, and PKI (certificates and keys) for identity, trust, and digital signatures.

Hybrid Environments

In a hybrid environment (mix of cloud, mobile, IoT, OT, on‑prem), cryptography underpins HTTPS, VPNs, device certificates, disk encryption, and secure backups.

Exam Mindset

As you study, keep asking: which cryptographic building blocks are in play here, and what security goal are they supporting in this scenario?

Encryption Basics: Data at Rest and Data in Transit

What Is Encryption?

Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using a key and an algorithm so that only someone with the correct key can recover the original.

Core Terms

Plaintext is original data; ciphertext is scrambled output. The key is the secret value, and the cipher (algorithm) is the math procedure like AES or RSA.

Data at Rest

Data at rest is stored data: disks, SSDs, backups, cloud storage. It is protected by full‑disk encryption, encrypted databases, or encrypted storage buckets.

Data in Transit

Data in transit moves over networks: web traffic, VPN tunnels, email. HTTPS/TLS, IPsec, and SSL/TLS VPNs encrypt this traffic to protect confidentiality.

Exam Angle

When a question stresses confidentiality of stored or transmitted data, think encryption first, then decide whether the scenario uses symmetric or asymmetric keys.

Symmetric vs Asymmetric Encryption

Symmetric Encryption

Symmetric encryption uses a single shared key for both encryption and decryption. It is fast and ideal for large data. Common example: AES used in disk encryption and VPNs.

Symmetric Challenge

The main problem with symmetric encryption is key distribution: how do you safely share the secret key with the other party without exposing it to attackers?

Asymmetric Encryption

Asymmetric encryption uses a key pair: a public key (shared) and a private key (secret). Algorithms include RSA and elliptic curve cryptography such as ECDSA and ECDH.

Asymmetric Use Cases

Asymmetric crypto is used for TLS handshakes, digital signatures, and securely exchanging symmetric keys. It is slower, so not used for large bulk data.

Hybrid Approach

Modern protocols combine both: asymmetric methods agree on a symmetric session key; then fast symmetric ciphers like AES encrypt the actual traffic.

Worked Scenarios: Choosing Symmetric or Asymmetric

Scenario: Disk Encryption

A stolen laptop needs its data protected. The best fit is symmetric encryption (AES) for full‑disk encryption because it is fast and handles large volumes of data.

Scenario: HTTPS

With HTTPS, the browser uses the server’s certificate and public key for asymmetric key exchange, then uses symmetric AES to encrypt the actual web traffic.

Scenario: Encrypted Email

To send a confidential email to Alice, you encrypt with Alice’s public key. Only her private key can decrypt. Under the hood, a symmetric key often encrypts the message body.

Mapping to Exam Cues

Large or fast bulk encryption → symmetric. Mentions of public key, private key, or certificate → asymmetric and PKI are involved in the solution.

Hashing and Integrity: Detecting Tampering

What Is Hashing?

Hashing uses a function that maps any input to a fixed‑size output called a hash or message digest. Cryptographic hashes like SHA‑256 support integrity, not confidentiality.

Hash Properties

Good hash functions are one‑way, deterministic, collision‑resistant, and show the avalanche effect where tiny input changes cause large, unpredictable hash changes.

Integrity Use Case

To check integrity, hash data when you send or store it, then hash again later. If the hashes match, the data is very likely unchanged.

Algorithms in 2026

SHA‑256/384/512 and SHA‑3 are current. SHA‑1 and MD5 are broken for collision resistance and should not be used for security‑critical integrity checks.

Exam Trap

Hashing alone does not provide confidentiality; it does not hide the original data. It only lets you detect whether the data has been modified.

Digital Signatures: Hashing + Asymmetric Crypto

What Is a Digital Signature?

A digital signature uses hashing plus asymmetric cryptography to provide integrity, authentication, and non‑repudiation for messages and files.

Signing Process

The sender hashes the message, then encrypts that hash with their private key. The result is sent as the digital signature alongside the original message.

Verification Process

The receiver decrypts the signature with the sender’s public key to get the original hash, hashes the received message, and compares the two hashes for a match.

Real-World Uses

Digital signatures are used in code signing, email signing (S/MIME, OpenPGP), and PDF document signing to prove origin and detect tampering.

Algorithms & Exam Trap

RSA and ECDSA are common signature algorithms. Do not confuse cryptographic digital signatures with simple electronic signatures like typed names.

PKI Fundamentals: Certificates, CAs, CRLs, and OCSP

What Is PKI?

Public Key Infrastructure (PKI) is the system of technologies, policies, and roles used to manage public keys and digital certificates so entities can trust each other.

Digital Certificates

Certificates bind a public key to an identity like a domain or user. They contain subject, public key, issuer, validity dates, usage, and the issuer’s digital signature.

Certificate Authorities

CAs issue and sign certificates. Root CAs are highly trusted and self‑signed; intermediate CAs handle routine issuance. Trust stores contain trusted roots.

Revocation with CRLs

Certificate Revocation Lists (CRLs) are signed lists of revoked certificate serial numbers that clients can download from a CA to check certificate status.

Revocation with OCSP

Online Certificate Status Protocol (OCSP) lets a client query an OCSP responder in real time to learn if a specific certificate is good, revoked, or unknown.

TLS, VPNs, Email Security, and Code Signing: Mapping to Crypto

TLS / HTTPS Mapping

In TLS, PKI provides certificates, asymmetric crypto handles the handshake and key exchange, symmetric AES encrypts data, and hashing supports MACs and signatures.

VPNs Mapping

IPsec uses IKE with asymmetric methods to agree on keys, symmetric AES to encrypt ESP traffic, and hashing like SHA‑2 for integrity. SSL/TLS VPNs mirror HTTPS.

Email Security Mapping

S/MIME uses PKI and certificates for email encryption and signing. It relies on digital signatures and hybrid encryption with symmetric ciphers for the message body.

Code Signing Mapping

Code signing hashes the software and signs the hash with a private key. Clients verify with the corresponding public key in a certificate to trust the code.

Exam Strategy

For TLS, VPNs, email, and code signing, always map: which parts use symmetric encryption, which use asymmetric, how hashing is used, and what PKI elements appear.

Key Management Basics: Generating, Storing, and Rotating Keys

Why Key Management Matters

Even strong algorithms fail if keys are weak or exposed. Key management covers how keys are generated, stored, rotated, backed up, and eventually retired.

Key Generation

Keys should be generated using cryptographically secure randomness. Typical sizes: AES‑128/256, RSA‑2048+, and ECC with shorter but strong keys like 256‑bit curves.

Protecting Private Keys

Private keys are protected using TPMs, HSMs, OS key stores, and secure enclaves. They should be encrypted at rest and tightly access‑controlled.

Rotation and Expiration

Keys and certificates should be rotated regularly to limit damage from compromise and meet policy. Public TLS certificate lifetimes have been reduced over time.

Backup vs Non-Repudiation

Some encryption keys need escrow so data is not lost. Signature keys typically should not be escrowed to maintain strong non‑repudiation guarantees.

Thought Exercise: Map Scenarios to Crypto and PKI

Work through these scenarios in your head (or jot down answers). This will mirror how you reason through SY0-701 questions.

  1. Remote developer accessing a corporate Git server over the internet
  • Which cryptographic tools are in play? Identify:
  • Symmetric vs asymmetric roles.
  • PKI components.
  • Where hashing appears.
  • Hint: Think about HTTPS, SSH, and code integrity.
  1. Organization rolling out Wi-Fi with WPA3-Enterprise
  • What protects wireless data in transit?
  • How are users and devices authenticated?
  • Is there a role for certificates and a RADIUS server?
  1. Incident: A web server’s private key might be exposed
  • What immediate actions should the security team take regarding certificates and keys?
  • How do CRLs or OCSP fit in?
  • What else might need updating (think TLS sessions, key stores)?
  1. A compliance audit asks how you ensure backups have not been tampered with
  • Which cryptographic building block answers this?
  • Would you use encryption, hashing, or both? Why?

After you answer:

  • Compare your reasoning to these checkpoints:
  • Did you consistently separate confidentiality (encryption) from integrity (hashing) and authentication (PKI + signatures)?
  • Did you identify where symmetric vs asymmetric crypto is used in each flow?
  • Did you bring in PKI components (CAs, certificates, CRL/OCSP) where identity and trust were needed?

If some parts felt fuzzy, mark those; they will show up again in your spaced review and in the next mock exam to reinforce them.

Quick Check: Encryption and Hashing

Test your understanding of core distinctions.

A security engineer needs to verify that a large backup file stored in the cloud has not been modified, but the file does not need to be kept confidential. Which is the BEST primary control to meet this requirement?

  1. Encrypt the file using AES-256 with a strong key
  2. Compute and store a SHA-256 hash of the file and compare it during integrity checks
  3. Sign the file with the engineer’s private key using RSA
  4. Store the file on an encrypted volume managed by a hardware security module (HSM)
Show Answer

Answer: B) Compute and store a SHA-256 hash of the file and compare it during integrity checks

The requirement is strictly integrity, not confidentiality. Computing and comparing a SHA-256 hash directly addresses integrity. AES encryption and encrypted volumes protect confidentiality, not integrity by themselves. Digital signatures do provide integrity and non-repudiation but are more complex than necessary here; the question asks for the BEST primary control, which is a cryptographic hash.

Quick Check: PKI and Certificates

Check your PKI fundamentals.

A company discovers that the private key for its public-facing web server certificate may have been exposed. Which action should the security team take FIRST to protect users?

  1. Increase the RSA key length for future certificates
  2. Immediately add the current certificate’s serial number to the CA’s CRL and issue a replacement certificate
  3. Extend the certificate’s expiration date to give more time for investigation
  4. Disable hashing algorithms weaker than SHA-256 on the web server
Show Answer

Answer: B) Immediately add the current certificate’s serial number to the CA’s CRL and issue a replacement certificate

If a private key is suspected to be compromised, the existing certificate must be revoked and replaced. Adding the certificate’s serial number to the CA’s CRL (and ensuring OCSP reflects the revocation) prevents clients from trusting it. Increasing key length or disabling weak hashes are good hardening steps but do not directly mitigate the immediate risk from a compromised key. Extending expiration would worsen the risk.

Core Crypto and PKI Terms Review

Flip these cards to reinforce key terminology before moving on.

Encryption
The process of transforming readable data (plaintext) into unreadable data (ciphertext) using a key and an algorithm so that only someone with the correct key can recover the original plaintext.
Symmetric encryption
A type of encryption that uses the same shared key for both encryption and decryption; it is fast and suitable for encrypting large amounts of data (e.g., AES).
Asymmetric encryption
A type of encryption that uses a key pair consisting of a public key and a private key; it is used for key exchange, digital signatures, and scenarios involving public keys and certificates (e.g., RSA, ECC).
Hash function
A one-way, deterministic function that maps input data of any size to a fixed-size output (hash or message digest) and is designed to be collision-resistant and to support integrity checking.
Digital signature
A cryptographic mechanism that combines hashing with asymmetric encryption by signing a hash with a private key to provide integrity, authentication, and non-repudiation.
Public Key Infrastructure (PKI)
The system of technologies, policies, roles, and procedures used to create, manage, distribute, use, store, and revoke digital certificates and public-private key pairs.
Digital certificate (X.509)
An electronic document that binds a public key to an identity (such as a person, device, or domain) and is digitally signed by a Certificate Authority to establish trust.
Certificate Authority (CA)
A trusted entity that issues and digitally signs digital certificates, vouching for the binding between public keys and identities.
Certificate Revocation List (CRL)
A digitally signed list published by a Certificate Authority that contains the serial numbers of certificates that have been revoked before their scheduled expiration.
Online Certificate Status Protocol (OCSP)
A protocol that allows clients to query an OCSP responder in real time to determine whether a specific digital certificate is valid, revoked, or unknown.

Key Terms

AES
Advanced Encryption Standard, a widely used symmetric block cipher commonly used with 128- or 256-bit keys for encrypting data at rest and in transit.
CRL
Acronym for Certificate Revocation List.
ECC
Elliptic Curve Cryptography, a family of asymmetric algorithms that provides strong security with shorter key lengths compared to RSA.
RSA
A widely used asymmetric cryptographic algorithm based on the difficulty of factoring large integers; used for encryption, key exchange, and digital signatures.
OCSP
Acronym for Online Certificate Status Protocol.
encryption
The process of transforming readable data (plaintext) into unreadable data (ciphertext) using a key and an algorithm so that only someone with the correct key can recover the original plaintext.
hash function
A one-way, deterministic function that maps input data of any size to a fixed-size output (hash or message digest) and is designed to be collision-resistant and to support integrity checking.
digital signature
A cryptographic mechanism that combines hashing with asymmetric encryption by signing a hash with a private key to provide integrity, authentication, and non-repudiation.
digital certificate
An electronic document that binds a public key to an identity (such as a person, device, or domain) and is digitally signed by a Certificate Authority to establish trust.
symmetric encryption
A type of encryption that uses the same shared key for both encryption and decryption; it is fast and suitable for encrypting large amounts of data (e.g., AES).
asymmetric encryption
A type of encryption that uses a key pair consisting of a public key and a private key; it is used for key exchange, digital signatures, and scenarios involving public keys and certificates (e.g., RSA, ECC).
Certificate Authority (CA)
A trusted entity that issues and digitally signs digital certificates, vouching for the binding between public keys and identities.
Public Key Infrastructure (PKI)
The system of technologies, policies, roles, and procedures used to create, manage, distribute, use, store, and revoke digital certificates and public-private key pairs.
Certificate Revocation List (CRL)
A digitally signed list published by a Certificate Authority that contains the serial numbers of certificates that have been revoked before their scheduled expiration.
Online Certificate Status Protocol (OCSP)
A protocol that allows clients to query an OCSP responder in real time to determine whether a specific digital certificate is valid, revoked, or unknown.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself