CompTIA Security+ (SY0-701) Cryptography – Part Three

The current version of the CompTIA Security+ exam objectives, SY0-701, has shifted focus from the previous version, SY0-601. This change reflects advancements in Internet technology and current cybersecurity best practices. As a result, some deprecated cryptographic algorithms (DES and 3DES) and embedded technologies (such as cipher modes of operation and hash padding) from the SY0-601 exam objectives have been removed.


What hasn’t changed are exam objectives focused on three fundamental cryptographic technologies: symmetric key cryptography, asymmetric cryptography, and one-way hashing algorithms.

Symmetric Key Cryptography

Symmetric key encryption uses one key for encryption and decryption. Symmetric ciphers are used to process large amounts of data quickly.


There are two types of symmetric key algorithms: block ciphers and stream ciphers.

Symmetric block ciphers are single-key ciphers developed and optimized to encrypt/decrypt fixed-sized data blocks. This makes them particularly useful for processing many types of stored data, such as files and directories.


Symmetric stream ciphers do not work on a block basis but expect a stream of data and convert one bit (or one byte) of data at a time. They are used to encrypt and decrypt continuously produced data, such as audio and video.


The symmetric encryption standard algorithm covered in Security+ is the Advanced Encryption Standard (AES), selected by NIST in 2001. AES is a variant of the Rijndael block cipher developed by cryptographers Joan Daemen and Vincent Rijmen. The AES cipher was chosen through a competition organized by the National Institute of Standards and Technology (NIST). Fifteen candidate algorithms were evaluated, and the Rijndael cipher was selected based on security, efficiency, and flexibility.
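The block and stream behaviour described above, as an added example in Go (not from the original article), using the standard crypto/aes package. AES in counter mode stands in for a stream cipher, which is an assumption of this example because the article names none, and the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// BlockRoundTrip encrypts and decrypts one 16-byte block with the same key.
// A bare block call is shown only to expose the fixed block size; real data
// is encrypted through an authenticated mode such as GCM.
func BlockRoundTrip(key, block []byte) (ct, pt []byte, err error) {
	c, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, nil, err
	}
	if len(block) != c.BlockSize() {
		return nil, nil, fmt.Errorf("need exactly %d bytes, got %d", c.BlockSize(), len(block))
	}
	ct, pt = make([]byte, c.BlockSize()), make([]byte, c.BlockSize())
	c.Encrypt(ct, block)
	c.Decrypt(pt, ct)
	return ct, pt, nil
}

// StreamXOR runs AES in counter mode: a keystream is XORed byte by byte,
// so any input length works and the same call decrypts.
func StreamXOR(key, iv, data []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(c, iv).XORKeyStream(out, data)
	return out, nil
}

func main() {
	key := make([]byte, 32) // AES-256 key, random for this run
	iv := make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)
	ct, pt, _ := BlockRoundTrip(key, []byte("sixteen byte msg"))
	s, _ := StreamXOR(key, iv, []byte("hello"))
	fmt.Printf("block: %x -> %q\nstream: %d bytes in, %d bytes out\n", ct, pt, 5, len(s))
}
```

The block call rejects anything that is not exactly 16 bytes, while the stream call returns exactly as many bytes as it was given.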

Asymmetric Key Cryptography

Asymmetric encryption, also known as public-key cryptography, is a method of encryption that uses two mathematically related keys: a public key and a private key. The public key can be shared freely, while the private key must be kept secret. Data encrypted with one key can only be decrypted with the other.


Due to the complexity of the math underlying these algorithms, asymmetric encryption is slower than symmetric encryption and not ideal for encrypting large amounts of data. The two asymmetric algorithms that are discussed in the Security+ objectives are:

  • Rivest, Shamir, Adleman (RSA) cipher (2,048-bit or better)
  • Elliptic Curve Cryptography (ECC) cipher (256-bit or better)

The RSA algorithm is named after Ron Rivest, Adi Shamir, and Leonard Adleman, who published it in 1977. Its security relies on the practical difficulty of factoring the product of two large prime numbers. If a large enough key is used, no published methods can defeat the system.


Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security compared to other cryptosystems like RSA. Elliptic curve cryptography algorithms entered wide use from 2004 to 2005.


Two asymmetric algorithms are discussed to highlight the differences and importance of key length. Longer keys require more memory space to store the key value and may require more computing power to execute algorithms (more CPU cycles and, as a result, more power). The RSA (2,048-bit minimum key length) and ECC (256-bit minimum key length) ciphers have different recommended key lengths, which results in different deployment requirements.
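To make the key-length trade-off concrete, this added example (not from the original article) generates an RSA 2,048-bit key and an ECC P-256 key with Go's standard library and compares the encoded public key and signature sizes. The use of ECDSA signatures over a SHA-256 digest and the names KeyCost, measure and Compare are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// KeyCost records what one key pair costs to store and transmit, in bytes.
type KeyCost struct { Name string; PubBytes, SigBytes int }

// measure signs msg and reports the DER public-key size and signature size.
func measure(name string, key crypto.Signer, msg []byte) (KeyCost, error) {
	digest := sha256.Sum256(msg)
	sig, err := key.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return KeyCost{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(key.Public())
	return KeyCost{name, len(pub), len(sig)}, err
}

// Compare generates the two minimum-size keys named above and measures each.
func Compare(msg []byte) (rsaCost, ecCost KeyCost, err error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	if rsaCost, err = measure("RSA-2048", rsaKey, msg); err == nil {
		ecCost, err = measure("ECDSA P-256", ecKey, msg)
	}
	return
}

func main() {
	r, e, err := Compare([]byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n%+v\n", r, e)
}
```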

One-way Hashing Algorithms

While encryption standards have changed over time, the hashing algorithms that are vital to ensuring data integrity remain the same. These algorithms don’t change because hashing can serve either cryptographic (confidentiality) or non-cryptographic functions (integrity). Hashing algorithms take variably sized input, called an initialization vector, and the hash function produces a fixed-size hash digest or checksum. Hashing is described as one-way because there is no way to reproduce the input from the digest.


The two hashing algorithms covered in the Security+ exam objectives are MD5 and SHA (SHA256 using SHA3).


The Message-Digest Algorithm 5 (MD5), developed by Ronald Rivest in 1991, generates an output known as a digest that is always 128 bits in size. In 1993, researchers demonstrated the ability to create a “pseudo-collision” within the MD5 compression function, producing two distinct initialization vectors that yield the same digest. This finding rendered the algorithm unsuitable for cryptographic systems as it potentially compromised confidentiality. MD5 is widely recognized as the most used message digest for non-cryptographic purposes such as verifying file integrity.

The Secure Hash Algorithms (SHA) are a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). The first version of the 160-bit SHA hash function was published in 1993. The current algorithm, SHA-3, was chosen based on a competition in 2012. In most implementations, the SHA3 function is executed using the command SHA256 or SHA512, where 256 or 512 are output sizes measured in bits.
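An added example (not from the original article) of the hashing properties described in this section: the digest size is fixed by the algorithm regardless of input length, a one-bit change to the input alters roughly half of the digest bits, and recomputing a digest detects modification. It uses Go's crypto/md5, crypto/sha256 and crypto/sha512 packages; the function names and the sample input "abc" are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"math/bits"
)

// DigestBits hashes input with each algorithm and returns the digest size in
// bits, which is set by the algorithm and not by the input length.
func DigestBits(input []byte) map[string]int {
	hashes := map[string]hash.Hash{"MD5": md5.New(), "SHA256": sha256.New(), "SHA512": sha512.New()}
	out := map[string]int{}
	for name, h := range hashes {
		h.Write(input)
		out[name] = len(h.Sum(nil)) * 8
	}
	return out
}

// FlippedBits counts the SHA-256 digest bits that differ between two inputs.
func FlippedBits(a, b []byte) int {
	da, db := sha256.Sum256(a), sha256.Sum256(b)
	n := 0
	for i := range da {
		n += bits.OnesCount8(da[i] ^ db[i])
	}
	return n
}

// Verify recomputes the SHA-256 digest of data and compares it with the
// published hex digest; any modification of data makes this return false.
func Verify(data []byte, publishedHex string) bool {
	want, err := hex.DecodeString(publishedHex)
	got := sha256.Sum256(data)
	return err == nil && bytes.Equal(got[:], want)
}

func main() {
	// Constructed sample: "abc" and its well-known SHA-256 test vector.
	const abc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	fmt.Println(DigestBits(nil), DigestBits(make([]byte, 1<<20)))
	fmt.Println(FlippedBits([]byte("abc"), []byte("abb")), "of 256 bits differ")
	fmt.Println(Verify([]byte("abc"), abc), Verify([]byte("abd"), abc))
}
```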
