Symmetric Encryption
Symmetric encryption uses the same key for both encryption and decryption. It is fast and efficient, so it is used for bulk data encryption.

Key distribution problem: both parties must securely exchange the key before communicating. If the key is intercepted, all data encrypted with it is compromised.

Common symmetric algorithms:
- AES (Advanced Encryption Standard): the most widely used. Variants AES-128, AES-192 and AES-256 (key lengths in bits). AES-256 is considered quantum-resistant for now. Used in BitLocker, WPA2/WPA3, and TLS (for bulk data).
- DES (Data Encryption Standard): 56-bit key, considered broken and replaced by AES.
- 3DES (Triple DES): applies DES three times; slower, still found in legacy systems.
- RC4: stream cipher used in older WEP and SSL, now deprecated.
- Blowfish/Twofish: alternatives to AES.

Symmetric encryption use cases: full-disk encryption (BitLocker uses AES), file encryption, VPN data encryption.
Asymmetric Encryption
Asymmetric encryption uses a key pair: a mathematically related public key and private key.
- Public key: shared openly with anyone; used to encrypt data or verify signatures.
- Private key: kept secret; used to decrypt data or create signatures.

Properties:
- Data encrypted with the public key can ONLY be decrypted with the corresponding private key.
- Data signed with the private key can be verified by anyone with the public key.
- Solves the key distribution problem: no secret key has to be shared in advance.
- Much slower than symmetric encryption, so it is not used for bulk data.

Common asymmetric algorithms:
- RSA: the most widely used, based on the difficulty of prime factorization. Key sizes: 2048-bit minimum (4096-bit recommended).
- ECC (Elliptic Curve Cryptography): smaller keys with equivalent security, and faster. Used in modern TLS and on mobile devices.
- Diffie-Hellman: key exchange algorithm; establishes a shared secret over an insecure channel without ever transmitting the secret itself.
- DSA/ECDSA: digital signature algorithms.
How TLS/HTTPS Works
TLS (Transport Layer Security) secures web traffic (HTTPS), email (SMTPS, IMAPS), VPNs, and more. TLS uses asymmetric encryption to establish a session key, then symmetric encryption for data transfer (a hybrid approach).

TLS handshake:
1. Client hello: the client sends its supported TLS versions, cipher suites, and a random number.
2. Server hello: the server selects a cipher suite and sends its certificate, which contains the server's public key.
3. Certificate verification: the client checks the certificate against its trusted Certificate Authorities.
4. Key exchange: client and server use asymmetric cryptography to establish a shared symmetric session key.
5. Data transfer: all subsequent traffic is encrypted with the symmetric session key.

SSL vs TLS: SSL (Secure Sockets Layer) is the predecessor to TLS. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated and insecure. TLS 1.2 and TLS 1.3 are the current standards.

Certificate: contains the server's public key and is signed by a Certificate Authority (CA) that browsers trust.
Digital Signatures and Certificates
Digital signature: proves that a document was created by the holder of the private key and has not been modified since.

Signing process: the sender hashes the document (producing a fixed-length digest), encrypts the hash with their private key (this is the signature), and attaches the signature to the document.

Verification process: the recipient decrypts the signature with the sender's public key, independently hashes the document, and compares the two values. If they match, the signature is valid; if the document was altered, the hashes differ and verification fails.

X.509 certificate: the standard format for public key certificates. Contains the public key, the owner's identity, the issuer (Certificate Authority), the validity period, and the CA's digital signature over all of these.

Certificate Authority (CA): a trusted third party that issues and signs certificates. Root CAs are pre-installed in browsers and operating systems.

PKI (Public Key Infrastructure): the system of CAs, certificates, and policies that makes asymmetric encryption practical at scale.

Certificate revocation: CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol); check whether a certificate has been revoked before trusting it.
Encryption in Practice
Full-disk encryption: BitLocker (Windows, AES-256), FileVault (macOS, AES-128/256), dm-crypt/LUKS (Linux).

File-level encryption: EFS (Windows NTFS), 7-Zip with AES-256.

Email encryption: S/MIME (certificate-based), PGP/GPG (web of trust).

VPN encryption: IPsec (AH + ESP), TLS-based (OpenVPN, SSTP), WireGuard (ChaCha20 cipher).

Wi-Fi encryption: WEP (broken), WPA/TKIP (deprecated), WPA2/AES-CCMP (current minimum), WPA3/SAE (current best).

Password hashing: bcrypt, scrypt, Argon2 are one-way functions, not encryption (they cannot be reversed). MD5 and SHA-1 are deprecated for security use because of collision vulnerabilities; SHA-256 and SHA-3 are the current hash standards.

HTTPS everywhere: HTTP uses port 80 (plaintext); HTTPS uses port 443 (TLS encrypted). Check for the padlock icon in the browser address bar; it indicates a valid TLS connection to the named site, not that the site itself is trustworthy.