
Access Control and Cryptography Explained for CISSP

Two of the most heavily tested CISSP domains are Identity and Access Management and Security Architecture, and cryptography sits at the intersection of both. Getting authentication right determines who gets into your systems. Getting access control right determines what they can do once inside. Getting cryptography right determines whether the data they access is meaningfully protected. The CISSP tests these at a depth that goes well beyond recognizing that AES is symmetric: you need to understand trust models, federation protocols, key management, and why certain cryptographic choices fail.


Access control models and authentication

Access control models define the rules by which subjects (users, processes) access objects (files, systems). Mandatory Access Control (MAC) uses security labels assigned by a central authority. Users cannot grant access to others beyond their own clearance level. MAC is used in government and military environments. Discretionary Access Control (DAC) lets the owner of a resource decide who else can access it. File system permissions on most operating systems are DAC. Role-Based Access Control (RBAC) assigns permissions to roles rather than individuals, and users receive access by being assigned to roles. Attribute-Based Access Control (ABAC) makes decisions based on multiple attributes: user attributes, resource attributes, and environmental conditions like time of day or location.
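To make the four decision rules concrete, here is an added illustration (not the article's code) in which the same request, Bob reading a file Alice owns, is evaluated under each model; the labels, roles, department policy and business-hours window are all constructed for the example.

```go
package main

import "fmt"

// Added illustration, not the article's code; all subjects, labels, roles and policies are constructed.
// MAC: ordered labels. A read is allowed only if the clearance dominates the object's label (no read up).
var level = map[string]int{"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

func macAllows(clearance, label string) bool { return level[clearance] >= level[label] }

// DAC: the owner decides; acl holds the grants the owner has made (subject -> actions).
func dacAllows(owner string, acl map[string][]string, subject, action string) bool {
	if subject == owner {
		return true
	}
	for _, a := range acl[subject] {
		if a == action {
			return true
		}
	}
	return false
}

// RBAC: permissions attach to roles; a subject gets them only through role membership.
var rolePerms = map[string][]string{"analyst": {"read"}, "editor": {"read", "write"}}

func rbacAllows(roles []string, action string) bool {
	for _, r := range roles {
		for _, p := range rolePerms[r] {
			if p == action {
				return true
			}
		}
	}
	return false
}

// ABAC: one policy over subject, resource and environment attributes (same department, business hours).
func abacAllows(userDept, resDept string, hour int) bool {
	return userDept == resDept && hour >= 8 && hour < 18
}

func main() {
	// Alice owns a file labelled Secret and grants Bob, cleared only to Confidential, read access.
	acl := map[string][]string{"bob": {"read"}}
	fmt.Println("DAC honours the owner's grant:", dacAllows("alice", acl, "bob", "read"))  // true
	fmt.Println("MAC overrides it (no read up):", macAllows("Confidential", "Secret"))     // false
	fmt.Println("RBAC: may an analyst write?", rbacAllows([]string{"analyst"}, "write")) // false
	fmt.Println("ABAC: finance file at 03:00?", abacAllows("finance", "finance", 3))      // false
}
```

The contrast between the first two lines is the exam point: under DAC the owner's grant is the decision, under MAC the central labels decide and the owner's grant changes nothing.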

Authentication factors are categorized by what they use to prove identity: something you know (password, PIN), something you have (smart card, hardware token, smartphone), and something you are (fingerprint, iris scan, voice). Multi-factor authentication combines two or more different factor types. Combining a password with a PIN uses two things you know, which is not MFA. Combining a password with a phone-based OTP is MFA because it uses two different factor types.

Federation and Single Sign-On (SSO) extend authentication across organizational boundaries. SAML (Security Assertion Markup Language) is an XML-based standard used for web application SSO, particularly in enterprise environments. OAuth 2.0 is an authorization framework (not authentication) that allows third-party applications to access resources on behalf of a user without sharing credentials. OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0, enabling authentication. Kerberos is a ticket-based authentication protocol used in Windows Active Directory environments.

Cryptography: algorithms, key management, and PKI

Symmetric cryptography uses one key for both encryption and decryption. AES (Advanced Encryption Standard) is the current standard, used in 128, 192, and 256-bit key lengths. DES (56-bit) and 3DES are deprecated and should not be used in new systems. Stream ciphers encrypt one bit or byte at a time (RC4, now deprecated). Block ciphers encrypt fixed-size blocks (AES). Symmetric encryption is fast and suitable for bulk data encryption, but requires a secure mechanism to share the key with the other party.

Asymmetric cryptography uses a public key (shared freely) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the corresponding private key. Data signed with the private key can be verified by anyone with the public key. RSA and ECC (Elliptic Curve Cryptography) are the dominant asymmetric algorithms. ECC achieves the same security strength as RSA with much shorter key lengths, making it preferred for resource-constrained devices. Diffie-Hellman enables two parties to establish a shared secret over an untrusted channel without previously sharing a key.
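The two paragraphs above are usually combined in practice: the symmetric cipher does the bulk work and the asymmetric keys solve key distribution and identity. The following added example (not the article's code, using only Go's standard library) wraps a one-time AES-256-GCM key with the recipient's RSA public key and signs the ciphertext with the sender's RSA private key, so the encryption and signing directions the page describes are visible side by side; the key pairs are throwaway ones generated in the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Added example, not the article's code. A fresh AES-256-GCM key encrypts the bulk data, the RECIPIENT's
// RSA public key wraps that key (confidentiality), and the SENDER's RSA private key signs the ciphertext.
type envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

func seal(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (envelope, error) {
	kn := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce, both used exactly once
	if _, err := rand.Read(kn); err != nil {
		return envelope{}, err
	}
	block, _ := aes.NewCipher(kn[:32])
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, kn[32:], msg, nil) // fast symmetric bulk encryption
	// Key distribution: only the holder of the recipient's private key can unwrap the session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, kn[:32], nil)
	if err != nil {
		return envelope{}, err
	}
	// Origin and non-repudiation: sign with the sender's private key; any holder of the public key can verify.
	h := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, h[:], nil)
	return envelope{wrapped, kn[32:], ct, sig}, err
}

func open(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, e envelope) ([]byte, error) {
	h := sha256.Sum256(e.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], e.Signature, nil); err != nil {
		return nil, err // ciphertext altered, or not signed by the claimed sender
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong recipient key: the session key cannot be recovered
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}
// newKey makes a throwaway 2048-bit RSA key pair; in practice the keys come from your PKI.
func newKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}
```

A round trip is `seal(sender, &recipient.PublicKey, msg)` followed by `open(recipient, &sender.PublicKey, env)`; using the sender's own private key in `open` fails at the unwrap step, which is the confidentiality point the exam traps below turn on.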

Key management is where cryptography implementations most often fail in practice. A PKI (Public Key Infrastructure) provides the framework for issuing, managing, and revoking digital certificates. A Certificate Authority (CA) signs certificates to attest that a public key belongs to a specific entity. Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) enable checking whether a certificate has been revoked before it expires. Key escrow stores copies of encryption keys with a trusted third party, enabling recovery if the original key is lost.

How to choose the correct answer

MAC: central authority assigns labels, no discretion. DAC: owner controls access. RBAC: permissions via roles. ABAC: multiple attributes drive decisions.

MFA: two different factor types (know, have, are). Two passwords = not MFA. Password + OTP = MFA.

SAML: enterprise SSO using XML assertions. OAuth: authorization (not authentication). OIDC: authentication on top of OAuth.

Symmetric (AES): same key, fast, key distribution problem. Asymmetric (RSA, ECC): key pair, slower, solves key distribution.

Sign with private key (proves identity, non-repudiation). Encrypt with public key (only private key holder can decrypt).

PKI: CA issues certificates. CRL/OCSP: check revocation. Certificate = trusted binding of public key to identity.

ECC: same security as RSA with shorter keys. Preferred for mobile and IoT due to lower computation requirements.

Key exam facts — CISSP

  • MAC: labels and clearances, used in classified government environments. No user discretion.
  • DAC: owner grants access to others. Most OS file systems use DAC.
  • RBAC: access through roles, not individual user. Simplifies administration in large organizations.
  • ABAC: most flexible model, policies based on user, resource, and environment attributes.
  • MFA factors: know (password), have (token), are (biometric). Must use different types, not two of the same.
  • Symmetric (AES): encrypt/decrypt same key. Asymmetric (RSA/ECC): public for encrypt, private for decrypt.
  • PKI CA: signs certificates vouching for identity. OCSP: real-time certificate validity check.

Common exam traps

Combining two knowledge-based secrets (a password and a PIN) constitutes multi-factor authentication.

Multi-factor authentication requires using at least two different factor categories: something you know, something you have, or something you are. A password and a PIN are both 'something you know,' making them the same factor type. True MFA combines a password (know) with a physical token or phone OTP (have), or with a biometric (are).

Encrypting data with your private key provides confidentiality.

Encrypting with your private key creates a digital signature (proving you sent it, since only you have the private key), but it does not provide confidentiality. Anyone with your public key can decrypt it. To provide confidentiality, you encrypt with the recipient's public key so that only the recipient's private key can decrypt the message. Confusing encryption direction is a common CISSP trap.

A longer RSA key is always better than ECC for equivalent security.

ECC achieves equivalent security strength with much shorter keys than RSA. A 256-bit ECC key provides roughly the same security as a 3072-bit RSA key. ECC requires less computation, less power, and less bandwidth, making it significantly better for mobile devices, IoT, and TLS connections where handshake performance matters. Longer RSA keys provide more security but at the cost of performance.
