Over 10 years we help companies reach their financial and branding goals. Engitech is a values-driven technology agency dedicated.

Gallery

Contacts

411 University St, Seattle, USA

engitech@oceanthemes.net

+1 -800-456-478-23

Twitter Facebook-f Pinterest-p Instagram
1.4 Domain 1 · General Security Concepts

Cryptographic Solutions

Explain the importance of using appropriate cryptographic solutions

Concept
2
Textbook
3
Reference
4
Real Scenario
5
Hard Choice
6
Common Traps
7
Exam Signal
The Concept

Cryptography provides four security properties: confidentiality (encryption), integrity (hashing), authentication (digital signatures), and non-repudiation (digital signatures). Three core mechanisms power everything:

Symmetric encryption — one key, fast (AES, DES, 3DES). Asymmetric encryption — key pair, slow (RSA, ECC). Hashing — one-way, fixed output (SHA-256, MD5). Plus PKI (certificate infrastructure), obfuscation (steganography, tokenization, data masking), and key management tools (TPM, HSM, secure enclave).

PKI (Public Key Infrastructure):

  • Public/private key pairs — public key encrypts or verifies; private key decrypts or signs. Never share the private key.
  • Certificate Authority (CA) — trusted entity that issues digital certificates. Root CA → Intermediate CA → End-entity certificate (chain of trust).
  • Certificate types — self-signed (internal use, not trusted by browsers), third-party (trusted CA), wildcard (*.example.com covers all subdomains).
  • CSR (Certificate Signing Request) — generated by the server; sent to CA for signing.
  • CRL & OCSP — Certificate Revocation List (batch) and Online Certificate Status Protocol (real-time) for checking revoked certs.
  • Key escrow — trusted third party holds a copy of encryption keys for recovery purposes.

Encryption Levels:

  • Full-disk encryption — encrypts entire drive (BitLocker, FileVault). Protects against physical theft.
  • Partition / Volume — encrypts specific partitions, not the whole disk.
  • File-level — encrypts individual files (EFS on Windows).
  • Database / Record-level — encrypts specific columns or rows in a database (credit card numbers, SSNs).

Key Management Tools:

  • TPM (Trusted Platform Module) — hardware chip on the motherboard. Stores encryption keys, supports BitLocker, measures boot integrity. Found in endpoints (laptops, desktops).
  • HSM (Hardware Security Module) — dedicated enterprise appliance for key generation, storage, and management. Used in data centers, CAs, and payment processing.
  • Key management system — centralized software for creating, distributing, rotating, and revoking keys.
  • Secure enclave — isolated processor area for sensitive operations (Face ID, Touch ID on Apple devices).

Obfuscation:

  • Steganography — hiding data within other data (message hidden in an image file). Data is concealed, not encrypted.
  • Tokenization — replacing sensitive data with a non-sensitive token (credit card number → random token). The mapping is stored in a secure vault.
  • Data masking — obscuring data in place (SSN displayed as ***-**-1234). Used in non-production environments.

Hashing + Salting: Hashing is one-way — you can't reverse SHA-256 back to the original. Salting adds a unique random value to each password before hashing, preventing rainbow table attacks. Key stretching (PBKDF2, bcrypt) makes hashing intentionally slow to resist brute force.

Digital Signatures: Created by hashing a message and encrypting the hash with the sender's private key. Provides integrity (hash verifies data unchanged), authentication (only the signer's private key could create it), and non-repudiation (signer cannot deny signing). Does NOT provide confidentiality.

Blockchain / Open Public Ledger: Distributed, immutable record. Each block contains a hash of the previous block. Used for cryptocurrency, supply chain verification, and tamper-evident logging.

PropertySymmetricAsymmetric
Keys One shared key Key pair (public + private)
Speed Fast (bulk data) Slow (small data, key exchange)
Use Case Encrypting files, disk, database Key exchange, digital signatures, TLS handshake
Examples AES-256, DES, 3DES, ChaCha20 RSA, ECC, Diffie-Hellman, DSA
ToolWhat It IsWhen to Use
TPM Chip on motherboard Endpoint encryption (BitLocker), boot integrity
HSM Dedicated hardware appliance Enterprise key management, CA operations, payments
Key Mgmt System Centralized software Key lifecycle: create, distribute, rotate, revoke
Secure Enclave Isolated processor area Biometrics (Face ID), sensitive mobile operations
Certificate TypeIssued ByUse Case
Self-signed The organization itself Internal testing, lab environments, internal services
Third-party Trusted public CA Public-facing websites, email, code signing
Wildcard CA (covers *.domain.com) Multiple subdomains on one certificate
Root Root CA (self-signed) Top of trust chain; stored in trusted root store
Key Takeaway

Passwords should be HASHED (one-way), not ENCRYPTED (reversible). If the exam says "encrypt passwords" — that's wrong. Encryption can be reversed with the key. Hashing cannot be reversed. Always hash + salt + key stretch for password storage.

A code review reveals that the application stores user passwords as SHA-256 hashes. No salt is used. The security engineer flags this as a critical vulnerability.

Scenario
Password Storage Review
E-commerce app · 50,000 users · SHA-256 hashes · No salt
Developer"I used SHA-256 to hash all passwords. SHA-256 is strong — it's used everywhere. What's the problem?"
Security Engineer"The problem is you didn't salt them. Without a salt, every user with the password 'Password123' has the exact same hash. An attacker with a rainbow table — a precomputed database of hash-to-password mappings — can crack thousands of accounts in seconds."
Developer"So I just add a salt? Like a fixed string at the beginning?"
Security Engineer"A unique salt per user. If everyone shares the same salt, you've just created a slightly harder rainbow table problem. And switch from raw SHA-256 to bcrypt or PBKDF2 — they include built-in salting and key stretching, which makes each hash computation intentionally slow. That's your defense against brute force."
Compensating Control

Defense layers for password storage: Hash (one-way) + unique salt per user (defeats rainbow tables) + key stretching via bcrypt/PBKDF2 (defeats brute force). All three together. Missing any one layer creates a vulnerability.

Real Talk — Career Context

This mistake is extremely common in production code. Many developers use raw SHA-256 or even MD5 for passwords because they learned "hashing is one-way." That's true but insufficient. The Security+ exam and real-world security both require understanding why salting and key stretching matter.

On the exam: If a question describes password hashing without salting, the vulnerability is always "rainbow table attack." The fix is always "add a unique salt per user." If they ask about brute force resistance, the answer is "key stretching."

Your database stores 50,000 user passwords in plaintext. The CTO demands immediate remediation. Two developers propose different approaches:

Option A
Encrypt with AES-256

Use symmetric encryption (AES-256) to encrypt all passwords. Fast, strong algorithm. If the database is stolen, passwords are protected. But the encryption key must be stored somewhere — if the key is compromised, all passwords are exposed.

Option B
Hash with Salt (bcrypt)

Use bcrypt to hash each password with a unique salt. One-way transformation — cannot be reversed. Even if the database is stolen, the passwords cannot be recovered. Key stretching makes brute force impractical.

Option B is correct — passwords must NEVER be encrypted, only hashed

Option B: Encryption is reversible — anyone with the key can decrypt all passwords. That key becomes a single point of failure. Hashing is one-way — even with full database access, attackers cannot reverse the hash back to the password. With bcrypt's built-in salting and key stretching, rainbow tables and brute force are both mitigated.

Option A's kernel of truth: AES-256 is an excellent algorithm — for encrypting data that needs to be read back (files, database fields, communications). But passwords are verified by comparing hashes, not by decrypting. You never need to see the original password, so reversibility is a liability, not a feature.

On the exam: "encrypt passwords" is always the wrong answer. "Hash with salt" is always correct. This is one of the most testable distinctions in cryptography.

TPM vs. HSM
TPM is a chip on the motherboard — found in laptops and desktops, supports BitLocker and boot integrity. HSM is a dedicated hardware appliance — used in data centers for enterprise key management, CA operations, and payment processing. The exam will describe a scenario and expect you to pick the right tool. Endpoint encryption? TPM. Enterprise-wide key management for a CA? HSM.
Why it's tempting: Both are "hardware that stores keys." But TPM is endpoint-level; HSM is enterprise-level.
Obfuscation vs. Encryption
Steganography and data masking HIDE data — the data is concealed but not mathematically transformed. Encryption TRANSFORMS data mathematically so it's unreadable without the key. Steganography can be defeated by analyzing the carrier file. Encryption requires the key to break. The exam tests whether you understand that obfuscation is NOT the same as encryption.
Why it's tempting: Both make data "unreadable" to casual observers. But encryption provides mathematical security; obfuscation provides obscurity.
Digital Signatures Provide Confidentiality
WRONG. Digital signatures provide integrity (data wasn't modified), authentication (verifies who signed it), and non-repudiation (signer cannot deny it). They do NOT provide confidentiality — the message is not encrypted by signing. To get confidentiality, you must encrypt the message separately. If the exam asks "which property does a digital signature NOT provide?" — the answer is always confidentiality.
Why it's tempting: "Signing" sounds protective, so people assume it covers everything. It covers three of four properties — not confidentiality.
Exam Signal

Salting is one of the most frequently tested crypto concepts. The exam will describe a scenario where passwords are hashed but vulnerable to rainbow tables, then ask what's missing. The answer is salting. If they ask how to make brute force attacks slower, the answer is key stretching (PBKDF2, bcrypt). Know the difference: salting defeats precomputed attacks; key stretching defeats brute force.

Quick Check — End of 1.4
Which of the following adds extra random data before applying a one-way transformation algorithm?
  • A Key stretching
  • B Data masking
  • C Steganography
  • D Salting

Correct: D. Salting adds unique random data to each input before hashing (a one-way transformation). This ensures identical inputs produce different hashes, defeating rainbow table attacks. Key stretching (A) makes hashing slower, not random. Data masking (B) obscures data for display. Steganography (C) hides data within other data. Only salting adds random data before a one-way transformation.

Related Topics
→ 1.2 Fundamental Security Concepts (CIA) → 1.3 Change Management
← 1.3 Change Management ← Domain 1 Hub Next →
Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on published exam objectives. Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.