1.4 Cryptographic solutions
📘CompTIA Security+ SY0-701
1. Hashing
What it is:
- Hashing is a way to take any data (like a password, file, or message) and convert it into a fixed-length string of characters.
- The result is called a hash or digest.
- Hashes are one-way: you cannot get the original data back from the hash.
Why it’s important:
- Verifies integrity: if a file changes, its hash changes, showing tampering.
- Stores passwords securely: instead of storing passwords directly, systems store their hash.
Common algorithms:
- MD5 (fast, but broken: collisions are practical, so it is unsuitable for security use)
- SHA-1 (deprecated: collisions have been demonstrated and it is no longer accepted for signatures)
- SHA-256 (part of the SHA-2 family; secure and the common choice today)
Example in IT:
- When users log in, the system hashes the password they enter and compares it with the stored hash. If they match, access is granted.
2. Salting
What it is:
- Salting adds a random value to data (like a password) before hashing.
- This ensures that even if two users have the same password, their hashes will be different.
Why it’s important:
- Defeats precomputed attacks such as rainbow tables (ready-made lists of hashes for common passwords): because every stored hash also depends on a per-user random salt, a single precomputed table no longer matches.
Example in IT:
- Password: mypassword
- Salt: Xy9!
- Hash(mypassword + Xy9!) → stored hash; the salt is stored alongside the hash so the same computation can be repeated at login.
3. Digital Signatures
What it is:
- A digital signature proves authenticity and integrity of a message or file.
- Uses public-key cryptography (asymmetric encryption): private key signs, public key verifies.
Why it’s important:
- Ensures the message came from the claimed sender and wasn’t altered.
Example in IT:
- A software developer signs an update file with their private key. Your system verifies the signature with the developer's public key before installing, confirming the file came from that developer and was not altered in transit.
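The sign-then-verify flow above, as an added example that is not from these notes: Go's standard-library Ed25519 plays the developer (private key signs) and the installing system (public key verifies). The update contents, the key names and the "impostor" signer are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is the software developer's side: the private key never leaves it.
type Signer struct {
	Public  ed25519.PublicKey // published with the software, e.g. in the installer or on the website
	private ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// SignUpdate produces the signature that ships alongside the update file.
func (s *Signer) SignUpdate(update []byte) []byte {
	return ed25519.Sign(s.private, update)
}

// VerifyUpdate is what the installing system runs: only the developer's public key is needed.
// It returns false for any change to the file and for a signature made with another key.
func VerifyUpdate(developer ed25519.PublicKey, update, signature []byte) bool {
	return ed25519.Verify(developer, update, signature)
}

func main() {
	dev, _ := NewSigner()
	update := []byte("constructed sample: contents of update-1.2.bin")
	sig := dev.SignUpdate(update)
	fmt.Println("genuine update verifies:", VerifyUpdate(dev.Public, update, sig)) // true
	tampered := append([]byte(nil), update...)
	tampered[0] ^= 0x01 // flip a single bit anywhere in the file
	fmt.Println("tampered update verifies:", VerifyUpdate(dev.Public, tampered, sig)) // false
	impostor, _ := NewSigner()
	fmt.Println("impostor's signature verifies:", VerifyUpdate(dev.Public, update, impostor.SignUpdate(update))) // false
}
```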
4. Key Stretching
What it is:
- Key stretching strengthens weak keys or passwords by making every guess more expensive to test.
- It runs the password (with its salt) through a hash function many thousands of times, so a brute-force attack has to repeat all of that work for each candidate password.
Common techniques:
- PBKDF2
- bcrypt
- scrypt
Example in IT:
- A system uses bcrypt to hash passwords. Even if an attacker steals the hashes, guessing the original password takes much longer.
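Hashing (section 1), salting (section 2) and key stretching (this section) combined in one added example that is not from these notes: a salted PBKDF2-HMAC-SHA256 password store written in Go with only the standard library. PBKDF2 is implemented here by hand so the repeated hashing is visible; the 16-byte salt and the iteration count are constructed choices for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// pbkdf2SHA256 derives a 32-byte key with PBKDF2-HMAC-SHA256 (RFC 8018, one output block).
// Each iteration is one more HMAC over the previous result: that repeated hashing is the key
// stretching. A legitimate login pays the cost once; an attacker pays it for every guess.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j] // PBKDF2 XORs all rounds together
		}
	}
	return out
}

// StoredPassword is the database record: salt and iteration count sit in the clear next to the hash.
type StoredPassword struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// HashPassword draws a fresh random salt per user, so equal passwords get different hashes.
func HashPassword(password string, iterations int) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{salt, iterations, pbkdf2SHA256([]byte(password), salt, iterations)}, nil
}

// VerifyPassword is the login check: rehash the attempt with the stored salt, compare in constant time.
func VerifyPassword(stored StoredPassword, attempt string) bool {
	got := pbkdf2SHA256([]byte(attempt), stored.Salt, stored.Iterations)
	return subtle.ConstantTimeCompare(got, stored.Hash) == 1
}
```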
5. Blockchain
What it is:
- A blockchain is a decentralized, tamper-evident ledger.
- Data is stored in blocks; each block has a hash of the previous block.
Why it’s important:
- Changing one block changes its hash, which then no longer matches the previous-block hash stored in the next block, so every later block would also have to be rewritten; this is what makes the ledger tamper-evident.
Example in IT:
- Cryptocurrency transactions: each transaction is recorded in a block linked to the previous one.
- Can also be used to verify software distribution, digital certificates, or audit logs.
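The hash chain described above, as an added example that is not from these notes: a minimal Go ledger (standard library only, no mining or consensus) where each block's hash covers the previous block's hash, and a validator that reports the first broken block. The transactions are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Block is one ledger entry; PrevHash is the link that chains it to the block before it.
type Block struct {
	Index    int
	PrevHash string
	Data     string
	Hash     string
}

// blockHash commits to the block's own fields and to the previous block's hash.
func blockHash(index int, prevHash, data string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d\n%s\n%s", index, prevHash, data)))
	return hex.EncodeToString(sum[:])
}
func NewChain(genesis string) []Block {
	return []Block{{Index: 0, PrevHash: "", Data: genesis, Hash: blockHash(0, "", genesis)}}
}

func Append(chain []Block, data string) []Block {
	prev := chain[len(chain)-1]
	b := Block{Index: prev.Index + 1, PrevHash: prev.Hash, Data: data}
	b.Hash = blockHash(b.Index, b.PrevHash, b.Data)
	return append(chain, b)
}

// Validate returns the index of the first block whose hash or PrevHash link is wrong, or -1 if intact.
func Validate(chain []Block) int {
	for i, b := range chain {
		if b.Hash != blockHash(b.Index, b.PrevHash, b.Data) || (i > 0 && b.PrevHash != chain[i-1].Hash) {
			return i
		}
	}
	return -1
}

func main() {
	c := Append(Append(NewChain("genesis"), "alice pays bob 5"), "bob pays carol 2") // constructed sample ledger
	fmt.Println(Validate(c)) // -1: intact
	c[1].Data = "alice pays bob 500"
	fmt.Println(Validate(c)) // 1: block 1 no longer matches its own hash
	c[1].Hash = blockHash(1, c[1].PrevHash, c[1].Data)
	fmt.Println(Validate(c)) // 2: rehashing block 1 only moves the break to block 2's PrevHash
}
```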
6. Certificates
Certificates are digitally signed files that bind a public key to an identity (a domain name, organization or person); they are used to verify that identity and to set up encrypted communication such as HTTPS.
Types and concepts:
- CA (Certificate Authority):
  - Trusted organization that issues digital certificates by signing them with its own private key.
  - Examples: DigiCert, Let’s Encrypt
- CRL (Certificate Revocation List):
  - Signed list, published by the CA, of certificates that were revoked before their expiry date.
- OCSP (Online Certificate Status Protocol):
  - Lets a client ask the CA in real time whether one specific certificate has been revoked.
- Self-signed certificate:
  - Generated and signed by the organization itself, with no CA vouching for it.
  - Not trusted by browsers by default, but used internally.
- Third-party certificate:
  - Issued by a trusted CA.
  - Automatically trusted by systems and browsers that have that CA in their trust store.
- CSR (Certificate Signing Request):
  - A request file sent to a CA to get a certificate issued.
  - Contains the public key and organization information, signed with the matching private key to prove the requester holds it.
- Wildcard certificate:
  - Covers multiple subdomains in a domain.
  - Example: *.example.com covers mail.example.com, vpn.example.com, etc. (one label only: it does not cover example.com itself or a.b.example.com).
Example in IT:
- HTTPS websites use certificates to encrypt traffic.
- Mail servers use certificates for secure email.
- Internal applications can use self-signed certificates for encryption between servers.
Quick Summary Table for Exam
| Topic | Purpose / Function | Key Example in IT |
|---|---|---|
| Hashing | Ensure integrity, store passwords securely | SHA-256 password hashes |
| Salting | Make hashes unique, prevent rainbow table attacks | Password + random salt |
| Digital Signature | Verify authenticity and integrity | Signing software updates |
| Key Stretching | Make passwords harder to crack | bcrypt, PBKDF2 |
| Blockchain | Tamper-proof ledger | Cryptocurrency transactions |
| CA Certificate | Trust identity | HTTPS certificate from DigiCert |
| CRL | List of revoked certificates | CA publishes revoked certs |
| OCSP | Check certificate validity in real-time | Browser checks if HTTPS cert is valid |
| Self-signed certificate | Internal encryption | Internal server-to-server encryption |
| Third-party certificate | Trusted communication | Public website HTTPS |
| CSR | Request certificate from CA | Submit public key + org info |
| Wildcard certificate | Cover multiple subdomains | *.example.com |
✅ Exam Tips:
- Remember hashing ≠ encryption. Hashing is one-way; encryption is reversible.
- Salting always adds randomness to hashes.
- Digital signatures always involve private key to sign and public key to verify.
- Key stretching slows down attacks, especially against weak passwords.
- Blockchain ensures integrity and transparency.
- Know the differences between self-signed vs CA-signed certificates.
- Know CRL vs OCSP: one is a list, the other is real-time.
