OBJECTIVE 1.4 Explain

Explain the importance of using appropriate cryptographic solutions

Cryptography is the backbone of confidentiality, integrity, authentication, and non-repudiation. The exam expects you to know when to use each type, not how to implement the math.

Symmetric Encryption

One key encrypts and decrypts. Both parties must share the same secret key.

Algorithms:

  • AES (Advanced Encryption Standard) — The standard. 128, 192, or 256-bit keys. AES-256 is the gold standard for data at rest.
  • 3DES (Triple DES) — Legacy. Applies DES three times. Being phased out — slower and weaker than AES.
  • ChaCha20 — Stream cipher alternative to AES. Used in TLS 1.3 and WireGuard. Performs well on devices without AES hardware acceleration.

Strengths: Fast, efficient for bulk data encryption.

Weakness: Key distribution problem — how do you securely share the key? This is what asymmetric crypto solves.

Use cases: Disk encryption (BitLocker, LUKS), database encryption, VPN tunnels, TLS session encryption (after key exchange).

Asymmetric Encryption

Two mathematically related keys: public key (shared openly) and private key (kept secret).

  • Encrypt with public key → only private key can decrypt (confidentiality)
  • Sign with private key → anyone with public key can verify (authentication, non-repudiation)

Algorithms:

  • RSA — Most widely deployed. Key sizes: 2048-bit minimum, 4096-bit recommended. Used for key exchange and digital signatures.
  • ECC (Elliptic Curve Cryptography) — Shorter keys for equivalent strength (256-bit ECC ≈ 3072-bit RSA). Preferred for mobile/IoT where compute is limited.
  • Diffie-Hellman (DH) — Key exchange protocol, not encryption. Allows two parties to establish a shared secret over an insecure channel. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is the modern variant used in TLS.

Strengths: Solves the key distribution problem. Enables digital signatures.

Weakness: Slow — never used for bulk data. Used to exchange symmetric keys, which then do the heavy lifting.

Hashing

One-way function that produces a fixed-length digest from any input. Cannot be reversed.

Algorithms:

  • SHA-256 (SHA-2 family) — Current standard. 256-bit digest. Used in certificates, integrity verification, blockchain.
  • SHA-3 — Alternative to SHA-2, different internal design. Not a replacement — a backup if SHA-2 is ever broken.
  • MD5 — Broken. Collision attacks are trivial. Never use for security — only for non-security checksums.
  • SHA-1 — Deprecated. Collision demonstrated in 2017. Legacy systems still use it but it’s not acceptable for new deployments.

Use cases:

  • File integrity verification (compare hash before and after transfer)
  • Password storage (hash + salt, never plaintext)
  • Digital signatures (sign the hash, not the full document)

Key Concepts

  • Collision: Two different inputs producing the same hash. Fatal for a hash algorithm’s security.
  • Salt: Random value added to input before hashing. Prevents rainbow table attacks on password hashes. Each password gets a unique salt.
  • Key stretching: Deliberately slow hashing (PBKDF2, bcrypt, Argon2) to make brute-force attacks expensive.

Digital Signatures

Combine hashing and asymmetric encryption to prove integrity and authenticity:

  1. Sender hashes the message
  2. Sender encrypts the hash with their private key (this is the signature)
  3. Recipient decrypts the signature with sender’s public key
  4. Recipient independently hashes the message and compares

If hashes match: message is authentic (came from the signer) and has integrity (wasn’t modified).

PKI (Public Key Infrastructure)

The trust system that makes asymmetric crypto work at scale.

Certificate Authority (CA) — Trusted entity that issues digital certificates. Vouches for the binding between a public key and an identity.

Certificate chain:

  • Root CA (self-signed, offline, highly protected)
  • Intermediate CA (signs end-entity certs, protects root)
  • End-entity cert (your server’s cert)

Certificate types:

  • DV (Domain Validation) — CA verified domain ownership. Quick, cheap.
  • OV (Organization Validation) — CA verified the organization exists. More trust.
  • EV (Extended Validation) — Thorough vetting. Used for high-trust sites.
  • Wildcard — Covers *.domain.com. Convenient but single point of failure if compromised.
  • SAN (Subject Alternative Name) — Single cert for multiple specific domains.
  • Self-signed — Not issued by a CA. Used internally (lab environments, testing). Browsers don’t trust them.

Certificate lifecycle:

  • Issuance → Usage → Renewal → Revocation
  • CRL (Certificate Revocation List) — Published list of revoked certs. Can be stale.
  • OCSP (Online Certificate Status Protocol) — Real-time revocation checking. Faster than CRL.
  • OCSP Stapling — Server fetches its own OCSP response and presents it during TLS handshake. Reduces latency, improves privacy.

Key Management

The hardest part of crypto isn’t the algorithm — it’s managing the keys.

  • Key generation: Use cryptographically secure random number generators. Never reuse keys across systems.
  • Key storage: HSMs (Hardware Security Modules), TPMs, key vaults. Never in plaintext config files.
  • Key rotation: Regular replacement of keys. Limits the window of exposure if a key is compromised.
  • Key escrow: Third party holds a copy of the key. Controversial — creates a trust dependency.
  • Key destruction: Crypto-shredding destroys the key, which makes the encrypted data unrecoverable. Used for secure data disposal.

Cryptographic Use Cases

Need: Solution

  • Data at rest: AES-256 (symmetric)
  • Data in transit: TLS 1.3 (ECDHE for key exchange, AES/ChaCha20 for encryption)
  • Email signing: S/MIME or PGP (asymmetric + hashing)
  • File integrity: SHA-256 hash comparison
  • Password storage: bcrypt/Argon2 (salted + stretched hash)
  • VPN: IPSec (IKE for key exchange, ESP for encryption) or WireGuard (ChaCha20)
  • Code signing: RSA/ECC digital signature on hash of binary
  • Disk encryption: AES-256 via BitLocker (Windows), LUKS (Linux), FileVault (macOS)

Blockchain and Steganography

Blockchain — Distributed, immutable ledger using chained hashes. Each block contains the hash of the previous block. Relevant to security for immutable audit logs and certificate transparency.
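
The chained-hash idea applied to an audit log, as an added example that is not part of the original study guide: each entry stores the hash of the previous one, so editing any entry breaks every link after it. The entry layout, the function names and the sample events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry


def entry_hash(index: int, event: str, prev_hash: str) -> str:
    """SHA-256 over a canonical JSON encoding of the entry's fields."""
    body = json.dumps({"index": index, "event": event, "prev": prev_hash},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append(log: list, event: str) -> dict:
    """Add an entry that commits to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"index": len(log), "event": event, "prev": prev_hash}
    entry["hash"] = entry_hash(entry["index"], event, prev_hash)
    log.append(entry)
    return entry


def first_broken_index(log: list):
    """Index of the first entry that fails verification, or None if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if (entry["index"] != i or entry["prev"] != prev_hash
                or entry["hash"] != entry_hash(i, entry["event"], prev_hash)):
            return i
        prev_hash = entry["hash"]
    return None


def verify(log: list, trusted_head: str) -> bool:
    """The chain must be consistent AND end at a head hash stored elsewhere."""
    return (bool(log) and first_broken_index(log) is None
            and log[-1]["hash"] == trusted_head)


def build_sample_log() -> list:
    """Constructed sample events."""
    log = []
    for event in ("user=alice action=login", "user=alice action=sudo",
                  "user=alice action=logout"):
        append(log, event)
    return log
```

The chain alone only catches partial edits; someone who can rewrite the whole log can recompute every hash, which is why `verify` also checks the head against a copy kept outside the log.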

Steganography — Hiding data within other data (images, audio, video). Not encryption — the data is hidden, not scrambled. Exam questions will test whether you can distinguish steganography from encryption.

Offensive Context

Crypto fails at the implementation, not the math. Attackers don’t break AES-256 — they steal the key from a misconfigured environment variable, exploit a padding oracle, force a protocol downgrade to a weaker cipher suite, or intercept the key exchange. Understanding these attack paths is what makes your crypto deployment decisions meaningful. When the exam asks you to choose the “most secure” option, it’s testing whether you know where the real weaknesses are.