Security+ Cryptography Notes

Here are some things you need to know for the Security+ examination.


Formulas to determine the required number of keys to maintain secure communications:

Goals of Cryptography

Encryption Terminology

Encryption Algorithms:

Rijndael algorithm or Advanced Encryption Standard (AES)YesSymmetricAn encryption algorithm that Vincent Rijmen and Joan Daemen developed in January 2002 that is similar to the Data Encryption Standard, but uses 128-bit, 160-bit, 192-bit, 224-bit or 256-bit cipher blocks and is used in Wi-fi Protected Access version 2 (WPA2) communications
Data Encryption Standard (DES)NoSymmetricAn algorithm developed by IBM in 1977 that uses the Horst Feistel function for 16 rounds of encryption, using 64-bit cipher blocks with a 56-bit key. This was based on the Lucifer algorithm. This was considered a secure encryption standard until December 2001.
Tripple DES (3DES)Yes*SymmetricThis a modified version of DES encryption algorithm algorithm that Walter Tuchman and his associates at IBM developed in 1999 that uses 3 rounds of DES (i.e. 64-bit cipher blocks) to encrypt plain text, using 3 different keys, using one of the following 3 options:
  1. K1 ≠ K2 ≠ K3 ≠ K1 - Effectively 168-bit encryption (best option)
  2. K1 ≠ K2 & K1 = K3 ∴ K2 ≠ K3 - Effectively 112-bit encryption (subject to the meet-in-the-middle attackno more secure than regular DES)
  3. K1 = K2 = K3 - Effectively 56-bit encryption (just as insecure as regular DES)
Lucifer algorithmNoSymmetricThis was an encryption algorithm that Horst Feistel originally proposed on Tuesday, 01 May 1973, which used a 112-bit encryption key which became the basis for DES.
Blowfish (free)NoSymmetricThis was developed by Bruce Scheier in 1993 as an alternate to DES that has the following characteristics:
  • Uses a 64-bit block and variable key length from 32 bits to 448 bits
  • Is free (no license required)
  • Uses a Fiestel network
  • Optimized for performance on 32-bit processors
  • Combines substitution and transposition
Twofish (Free)YesSymmetricDeveloped by Bruce Scheier in 1998 as a replacement to DES which has the following characteristics:
  • Uses a 128-bit block size
  • Key sizes of 128 bits, 192 bits or 256 bits
  • Uses a Fiestel network
  • Combines substitution and transposition
This was 1 of 5 finalists for the Advanced Encryption Security competition, but lost to the Rijndael algorithm which became the selected algorithm.
Ron's Cipher version 4 (RC4)NoSymmetricThis is an encryption algorithm that Ron Rivest develped in 1987 as a trade secret, but was leaked to the public in 1994. This was one of the forerunners of RSA. This uses the XOR (⊕) function with a pseudorandom keystream on each character (byte) for encryption and decryption. The key length is variable from 40 bits to 2,048 bits. This was used with the following standards: While there are no known instances of anyone breaking RC4, some experts found vulnerabilities in RC4 in 2015 ∴ RC4 is considered insecure.
RSA (variable length)YesAsymmetricDeveloped by Ron Rivest, Adi Shamir and Leonard M. Adleman in the 1970s that creates key pairs (public & private), using very large prime numbers and uses variable length keys from 1,024 bits and 4,096 bits. Therefore, RSA requires more computing power
Quantum CryptographyYesSymmetric and AsymmetricThis employs quantum computing which is mostly theoretical that draws it strength from the weirdness or reality at small scales (≤ 100 μm) which results in Quantum Key Distribution (QKD) which uses a Quantum key that encodes and sends the information needed to decrypt a message in the fuzzy properties of particles, typically light particles. Therefore, it is not as susceptable as Elliptic Curve Cryptography (ECC) or RSA.
Elliptic Curve Cryptography (ECC)YesSymmetric and AsymmetricUses the mathematical properties of elliptic curves to produce public key cryptographic systems. The following formula is used to draw the curve:
y2 + axy + by = x3 + cx2 + dx + e   where a, b, c, d, and e, are real numbers.
Elliptic curve
Elliptic Curve Diffie-Hellman (ECDH)YesSymmetric and AsymmetricECDH works the same way as Diffie-Hellman (DH) as shown below, except that it adds the functionality of ECC for more secure communications. A group number of 14 (2,048-bit) or greater is considered secure. Higher number group numbers combines the ECC algorithm with the Diffie-Hellman algorithm to create a more secure algorithm. The higher the group number, the higher the security.
Diffie-Hellman (DH)YesSymmetric and AsymmetricDeveloped in 1976 by Ralph C. Merkle, Bailey Whitfield Diffie and Martin Hellman as the first practical way of sending private messages by using a shared secret over an unsecured communication channel. Asymmetric encryption is used as a technique in key exchange mechanism to share secret key, but does not use prime factorization (see below for concept). After the key is shared between sender and receiver, the communication will take place using symmetric encryption. The shared secret key will be used to encrypt the communication.
Diffie-Hellman Process
The shared secret is the symmetric key that is used to encrypt the message.
Pretty Good Privacy (PGP)+NoSymmetric and AsymmetricDeveloped by Phil Zimmerman in 1991 that goes through the following process to encrypt the message:
  1. Generates a random key
  2. Encrypts data, using a random key
  3. Encrypts the key, using a public key
  4. Produces the encrypted message with the encrypted data and encrypted public key.
Pretty Good Privacy encryption
and goes through the following process to decrypt the message:
  1. Uses the private key to decrypt the original key and produce the encrypted data
  2. Uses the original key to decrypt the data. This relies on other encryption algorithms (e.g. RSA) to encrypt and decrypt the symmetric key the original message.
Pretty Good Privacy decryption
There are commercial versions of PGP which are patented! There may be some versions that are secure, but for the most part, including the original version, are insecure.
GnuPG (GPG)+
also known as OpenGPG+
NoSymmetric and AsymmetricThis works the same way that PGP works and relies on other encryption algorithms (e.g. RSA) to encrypt and decrypt the symmetric key the original message, except that it is Open Source and Free (no patent).
* 3DES is considered secure through ≥ 2030, iff option 1 is used.
+ PGP and OpenGPG both depend on other encryption algorithms to encrypt and decrypt the symmetric keys

Cipher Modes

- Describes how an algorithm encrypts and decrypts data

Cryptography Concepts

Trust Models

Hashing Functions (fixed length)

Hashing AlgorithmSecure?Description
Message Digest version 5 (MD5)NoThe 5th edition of the original Message Digest algorithm that Ron Rivest in 1991 which is 128-bit function.

Secure Hash Algorithm (SHA)Version 1
Version 2
Version 3
Is like a signature for a data set. For example,
  • SHA-256 for "I'm going to lunch!"
    "1da8a8c7d34de4f64789fce41532d701e7329c6f8a936d50c84f45a7b631b657" and
  • SHA-256 for "I am going to lunch!" is "fb9c0f97bb45abc85b0869ff84d88720d88d9063c7e62e525838eb5adc672f74"
Version 3 has the following properties:
  • Designed as a replacement for version 2
  • Uses a completely different hash generation approach than version 2
  • Produces hashes of user-selected fixed length
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)Yes*Developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel in 1992 to work well with 32-bit processors.Types of RIPEMD:
  • RIPEMD-128
  • RIPEMD-160
  • RIPEMD-256
  • RIPEMD-320
Hash-based Message Authentication Code (HMAC)Yesused with asymmetric encryption algorithms
* if using 160+ bit

Principles of Digital signatures

Digital Certificate Principles

Digital Certificate Validation Principles

Certificate Types

Verification Types

  1. Domain Validation (DV) - Verify Domain Ownership
  2. Organizational Validation (OV) - Verify Business Name
  3. Extended Validation (EV) - Highest level that is often idicated by the name of the certificate holder in green next to the lock icon on a web browser. - This level of validation requires extensive investigation.

Certificate Formats

 Meanwhile, below is a table that may help clear things up a bit, regarding certificate formats.
Certificate Formats table

Other Cryptography Principles

Type of Attacks:

  1. Brute-force - Known as ciphertext attacks which involves guessing the password or its hash value to gain unauthorized access. For example, dictionary attacks are a form of brute-force attacks.
  2. key space Attacks - Use the set of all possible encryption keys that are usable with an algorithm.
  3. Knowledge-Based - requires knowledge of something
  4. There is more information on or you can send an email to Mike Chapple if you still have any questions about this content.

    The navigation options for this page are: