Cryptography, Hashes, Signatures, PKI, and Certificate Decision Rules
Key Takeaways
- Encryption provides confidentiality; hashing provides integrity; digital signatures provide integrity, signer authentication, and non-repudiation support.
- Symmetric encryption is fast for bulk data, while asymmetric cryptography supports key exchange, signatures, and public key trust.
- PKI binds public keys to identities through certificates, certificate authorities, and trust chains.
- Certificate problems often involve expiration, name mismatch, untrusted issuer, revocation, or missing private key protection.
- Password hashing should use salts and slow password hashing algorithms rather than reversible encryption.
Cryptography, Hashes, Signatures, PKI, and Certificates
Start with the security goal. If the goal is secrecy, think encryption. If the goal is detecting modification, think hashing or signatures. If the goal is binding a public key to a name, think certificates and PKI.
| Mechanism | Primary purpose | Key exam phrase |
|---|---|---|
| Symmetric encryption | Confidentiality with one shared secret key | Fast bulk encryption |
| Asymmetric encryption | Public/private key operations | Key exchange, encrypt to public key |
| Hashing | Integrity check with one-way digest | Same input should produce same digest |
| Salted password hash | Password storage defense | Same passwords should not have same stored hash |
| Digital signature | Integrity plus signer authentication | Sign with private key, verify with public key |
| Certificate | Binds public key to identity | Issued by CA, subject name, validity period |
Decision Rules
| Requirement | Best answer direction |
|---|---|
| Encrypt a large database backup efficiently | Symmetric encryption |
| Safely establish a session key with a remote website | Asymmetric key exchange leading to symmetric session encryption |
| Verify a downloaded file did not change | Hash comparison |
| Prove a code package came from the developer and was not modified | Digital signature |
| Bind a web server public key to a domain name | Certificate |
| Store passwords securely | Salted, slow password hashing |
| Destroy recoverability of encrypted data quickly | Destroy the encryption key |
PKI Pieces
| Component | Role |
|---|---|
| Certificate authority | Issues and signs certificates |
| Registration authority | Validates identity before certificate issuance in some PKI designs |
| Certificate | Contains subject, public key, issuer, validity, and extensions |
| Private key | Must be protected; compromise breaks trust for that certificate |
| CRL or OCSP | Supports revocation checking |
| Root CA | Trust anchor that must be protected carefully |
| Intermediate CA | Issues certificates without exposing the root CA directly |
Certificate Failure Clues
| Browser or service clue | Likely issue |
|---|---|
| Certificate expired yesterday | Validity period problem |
| Certificate is for app.example.com but user visits payroll.example.com | Name mismatch |
| Issuer is not trusted | Missing or untrusted CA chain |
| Private key was exposed | Revoke and replace certificate |
| Certificate was revoked | Do not trust even if dates look valid |
| Self-signed certificate on public site | Trust warning unless explicitly trusted |
Trap Callout: Hashing Is Not Encryption
A hash is one-way. You do not decrypt a hash to recover the original file or password. Password systems compare a new hash of the submitted password with the stored salted hash. If the scenario requires recovery of original data, hashing is the wrong answer.
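The comparison described above, as an added example that is not part of the original guide: a fast unsalted digest is shown for contrast beside a salted, slow hash. PBKDF2-HMAC-SHA256, the iteration count, the `iterations$salt$hash` record format, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune it for your own hardware


def unsalted_digest(password: str) -> str:
    """Weak storage, shown only for contrast: fast, unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex' using a fresh random salt."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${derived.hex()}"


def verify_password(submitted: str, stored: str) -> bool:
    """Re-hash the submitted password with the stored salt, then compare."""
    try:
        iter_text, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, iterations)
    # Nothing is decrypted: two digests are compared in constant time.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    pw = "correct horse battery staple"
    print("unsalted digests equal:", unsalted_digest(pw) == unsalted_digest(pw))
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted records equal:", alice == bob)
    print("correct password verifies:", verify_password(pw, alice))
    print("wrong password verifies:", verify_password("guess", alice))
```

The stored record never allows the password to be recovered; verification only succeeds by recomputing the same digest from the submitted password and the stored salt.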
Scenario Walkthrough
A software team publishes an installer and wants customers to know the installer has not been altered and came from the team. A plain hash can detect accidental or malicious modification, but anyone could publish a new hash next to a tampered file. A digital signature is stronger because the team signs the package with its private key and customers verify with the corresponding public key through a trusted certificate.
Quick Drill
| Scenario | Best concept |
|---|---|
| Need fast encryption for a disk volume | Symmetric encryption |
| Need to verify who signed a document | Digital signature |
| Need to prove a web public key belongs to a domain | Certificate |
| Need to detect file tampering | Hash |
| Need to check whether a certificate should no longer be trusted | Revocation |
A team needs customers to verify that a software update came from the publisher and was not modified. Which control best meets both goals?
A browser warns that a certificate is valid for files.example.com, but the user visited pay.example.com. What is the most likely problem?
Which cryptographic mechanisms primarily support integrity? Choose two.