Security CompTIA + : Cryptography and PKI (7 of 7 Part Series) – ITU Online IT Training
+1 855.488.5327 customerservice@ituonline.com Mon – Fri: 9:00am – 5:00pm ET
Login To My Training Cart
PublishedSeptember 20, 2023
Last UpdatedMay 5, 2026
Cryptography and PKI

Security CompTIA + : Cryptography and PKI (7 of 7 Part Series)

Ready to start learning? Individual Plans →Team Plans →
In This Article
By ITU Online CompTIA Team
IT training provider since 2012, specializing in CompTIA, Cybersecurity, Project Management, Cisco, Microsoft, AWS, Azure, and Cloud certifications.
Published September 20, 2023 · Last updated May 5, 2026

Introduction

This is the final part of the 7-part CompTIA Security+ series, and it covers the domain that ties everything together: cryptography and PKI. If you understand how encryption, hashing, certificates, and key management work, you can answer a big chunk of the Security+ exam with confidence and make better decisions on the job.

Cryptography protects four core security goals: confidentiality, integrity, authentication, and non-repudiation. PKI, or public key infrastructure, gives organizations a way to trust identities in digital systems instead of relying on assumptions. That matters everywhere, from HTTPS websites and VPNs to secure email and signed software updates.

For readers searching for the best cryptography courses online free with certificate, this topic is also one of the most practical areas to study. You do not need a math degree to understand the exam objectives, but you do need to know which tool solves which problem. That includes when to use symmetric encryption, when to use public key cryptography, how hashes differ from encryption, and why certificate validation can fail.

Use this guide as both a study aid and a field reference. By the end, you should be able to explain the domain clearly, spot common exam traps, and apply the concepts in real security operations.

Cryptography does not make systems trustworthy by itself. It makes trust measurable, repeatable, and auditable.

Why Cryptography and PKI Matter in Security CompTIA+

Cryptography is the engine behind secure communication. When you log in to a bank portal, send a protected message, or connect to a VPN, cryptographic controls are working behind the scenes to keep data private and verify the other side is legitimate. That is why Security+ emphasizes the topic so heavily: it appears in network security, identity management, cloud security, and incident response.

PKI is what allows digital trust at scale. Instead of manually verifying every website, server, or user, PKI uses certificate authorities, trust chains, and digital certificates to prove identity. That is the foundation for browser padlocks, secure API connections, secure email, code signing, and many enterprise authentication workflows.

Here is why it shows up so often in operations:

  • HTTPS uses certificates to authenticate servers and encrypt traffic.
  • VPNs use cryptography to protect traffic between endpoints.
  • Secure email can rely on signatures and encryption for confidentiality and authenticity.
  • File protection often uses encryption for storage and hashing for integrity.

This domain also connects to compliance. HHS security guidance for HIPAA environments and GDPR expectations around data protection both push organizations toward encryption, access control, and strong identity verification. For exam purposes, the key point is simple: cryptography reduces risk, and PKI makes identity trustworthy.

Note

If a security control has to prove identity, protect data in transit, or support legal accountability, cryptography or PKI is usually part of the answer.

Cryptographic Fundamentals Every Security Professional Should Know

At the most basic level, cryptography turns plaintext into ciphertext. Plaintext is readable data. Ciphertext is scrambled data that should be useless without the proper key. Encryption is the process of transforming plaintext into ciphertext, and decryption reverses that process.

Example: if a file contains payroll data, encryption protects it on a laptop or in cloud storage. If someone steals the drive, the contents should remain unreadable without the key. That is data at rest. The same principle applies when the file is transmitted across a network, which is data in transit. Some newer security designs also protect data in use, such as confidential computing or enclave-based processing.

These are the core security properties to keep straight:

  • Confidentiality keeps data secret from unauthorized users.
  • Integrity ensures data has not been altered in transit or storage.
  • Authentication confirms identity.
  • Non-repudiation prevents a sender from credibly denying an action later.

One common misconception is that hashing and encryption are the same thing. They are not. Encryption is reversible with the proper key. Hashing is designed to be one-way. Another common exam term is cryptographic algorithm, which is simply another term for a cipher or algorithm that performs encryption or related operations. For exam preparation, remember that the algorithm is the method, and the key is the secret value that controls the result.

For a technical reference on encryption basics, NIST publishes widely used guidance on cryptographic concepts and secure implementation practices.

Symmetric Encryption and Its Practical Use Cases

Symmetric encryption uses one shared key for both encryption and decryption. That design is fast, efficient, and ideal for large data sets. In practice, this is why symmetric methods handle disk encryption, database protection, and bulk network traffic more efficiently than public key systems.

The most important symmetric algorithm for Security+ is AES, the Advanced Encryption Standard. AES is commonly used for full-disk encryption, secure file storage, and protecting data moving through enterprise systems. If you are encrypting gigabytes of data, AES is the kind of tool you want because it is far more efficient than RSA-style asymmetric operations.

Where Symmetric Encryption Fits Best

  • Full-disk encryption on laptops and servers.
  • Database encryption for sensitive records such as health or payment data.
  • Backup encryption for archives stored in the cloud or offline.
  • High-speed network protection where throughput matters.

The main weakness is key distribution. If both sides need the same key, you must get that key to the right people without exposing it. That is why many systems use asymmetric cryptography first, then switch to symmetric encryption for the session. In TLS, for example, public key methods help establish trust and exchange session material, while symmetric encryption handles the bulk data transfer.

For Security+ exam questions, watch for language like “large volumes of data,” “efficiency,” or “same key for both operations.” That almost always points to symmetric encryption. For official AES and cryptography implementation guidance, see NIST AES Project.

Asymmetric Encryption and Public Key Cryptography

Asymmetric encryption uses a key pair: one public key and one private key. The public key can be shared openly. The private key must remain protected. What one key encrypts, the other key decrypts, depending on the use case. This model solves the key distribution problem that symmetric encryption cannot solve alone.

RSA is the most commonly referenced asymmetric algorithm in Security+ content. It is often used for secure key exchange, authentication, and digital signatures. Asymmetric cryptography is slower than symmetric encryption, which is why it is not used to protect huge files directly. Instead, it is used to establish trust and exchange secrets.

Practical Uses of Asymmetric Cryptography

  • Certificate-based authentication for servers and sometimes users.
  • Secure email where the sender signs or encrypts messages.
  • Digital signatures for documents, software, and transactions.
  • Key exchange in TLS sessions and similar protocols.

Think of asymmetric encryption as a secure lockbox model. Anyone can lock the box with your public key, but only your private key can open it. That is why public key cryptography supports identity verification. If a system can decrypt or validate something using the corresponding public key, it proves the private key holder was involved.

For official background on public key cryptography and modern deployment patterns, IETF RFCs and vendor implementation guides such as Microsoft Learn are reliable references.

Hashing, Message Integrity, and Data Verification

Hashing is not encryption. A hash function takes input and produces a fixed-length output called a digest. The same input should always produce the same hash. Even a tiny change in the input should create a very different result. That makes hashing useful for integrity checks, password storage, and software verification.

Here is a simple example. If you download a Linux ISO or software patch, the vendor may publish a hash value. After download, you calculate the hash locally and compare it to the published one. If the values match, the file likely was not altered during transfer. If they do not match, the file may be corrupted or tampered with.

What Security Teams Use Hashing For

  • Password storage with salted hashes instead of plaintext passwords.
  • File integrity checks during incident response or software distribution.
  • Message verification in secure applications and APIs.
  • Digital forensics to prove evidence has not changed.

Two terms matter here. Collision resistance means it should be extremely hard to find two different inputs that produce the same hash. Salting adds unique random data to passwords before hashing, which protects against precomputed attacks such as rainbow tables. That is why password hashes should never be stored without a salt.

The password guidance from NIST SP 800-63 is a solid reference for understanding modern authentication and verifier practices. If you need the short exam answer: encryption protects secrecy, hashing protects integrity.

Hashes tell you whether data changed. They do not tell you who changed it. That is where signatures and certificates come in.

Digital Signatures and Non-Repudiation

Digital signatures use asymmetric cryptography to prove who created a message or file and to prove the content was not changed after signing. The sender signs data with a private key. Anyone with the corresponding public key can verify the signature. That creates both integrity and a strong form of authentication.

In business terms, digital signatures support non-repudiation. If a user signs a contract, approves a change, or signs a software package, the signature provides evidence that can be audited later. That matters in legal, financial, and regulated environments. It is also why signed updates are such a big deal: they help prevent malicious code from being accepted as legitimate.

Where You See Digital Signatures in the Real World

  • Signed PDF documents and electronic approvals.
  • Software signing for installers and updates.
  • Code signing in development pipelines.
  • Secure transactions in enterprise and government systems.

Do not confuse certificates with signatures. A certificate helps validate the signer’s identity. The digital signature is what proves the message or file has not changed and came from the associated private key holder. If a Security+ question asks what provides proof of origin and integrity, the best answer is often digital signature, not certificate.

For broader standards context, see ISO 27001 for information security management expectations and AICPA materials on trust and assurance concepts commonly referenced in audit-driven environments.

Public Key Infrastructure and the Certificate Lifecycle

Public key infrastructure is the system that manages certificates, public keys, and the trust relationships that make secure communication possible. PKI is not one tool. It is the framework that supports certificate issuance, validation, renewal, and revocation across an organization.

Three roles matter most. A certificate authority issues certificates. A registration authority verifies identity before issuance. A certificate subscriber is the person, server, or device that receives and uses the certificate. In many exam questions, these roles are mixed up on purpose, so keep them straight.

Certificate Lifecycle Steps

  1. Request a certificate with identity and key information.
  2. Validate the requester’s identity.
  3. Issue the certificate with the public key and identity fields.
  4. Use the certificate for authentication, encryption, or signing.
  5. Renew before expiration.
  6. Revoke if the key is compromised or no longer trusted.

Certificates typically contain the subject name, public key, issuer name, validity dates, and usage constraints. Trust comes from the chain of certification. A browser does not usually trust a server certificate directly. It trusts the root CA, which vouches for intermediate CAs, which vouch for the endpoint certificate.

Revocation matters. An expired or revoked certificate can break access immediately, and a misconfigured certificate can trigger browser warnings or failed API calls. For official certificate and PKI guidance, consult CISA and platform documentation from Microsoft or other vendor sources when implementing PKI in production.

Certificate Formats, Trust Models, and Common PKI Components

Administrators will run into multiple certificate formats, and each one exists for a reason. The Security+ exam does not expect you to memorize every file extension, but it does expect you to understand that certificates can be packaged differently for different platforms and applications. The important part is not the extension itself. It is what the certificate contains and how the trust chain is built.

PKI uses a hierarchical trust model most of the time. At the top is a root certificate, which is self-signed and highly protected. Below that are one or more intermediate certificates. At the edge are endpoint certificates used by servers, devices, or users. This structure limits exposure. If an intermediate certificate is compromised, the root can still remain protected offline.

Root Certificate Trusted anchor at the top of the chain; usually kept highly secured and rarely used directly.
Intermediate Certificate Issues certificates on behalf of the root and helps isolate trust and operational risk.
Endpoint Certificate Used by a server, application, or user to prove identity or support secure communication.

Trust anchors are the certificates a system already trusts, such as those in a browser or operating system trust store. If a certificate chain cannot be validated back to a trusted anchor, the connection should not be trusted. That is why certificate misconfiguration is such a common cause of production outages.

For technical standards and implementation guidance, IETF documents and vendor certificate stores are the most useful references. In operational environments, expired certificates are one of the easiest ways to create avoidable outages.

Key Management, Storage, and Cryptographic Best Practices

Strong cryptography fails quickly when key management is weak. If an attacker gets the key, the encryption is effectively broken for that attacker, even if the algorithm itself is sound. That is why key handling deserves as much attention as the algorithm choice.

Good key management includes secure generation, controlled distribution, storage, rotation, backup, and destruction. Private keys should be protected with strict access control and stored in systems designed for the job, such as hardware security modules or dedicated secure key stores. The exact technology may vary, but the principle does not: private keys must be harder to steal than the data they protect.

Best Practices for Managing Keys

  • Generate keys with strong randomness from trusted systems.
  • Restrict access to only the services and staff that truly need it.
  • Rotate keys on a schedule and after incidents.
  • Back up recovery material securely so certificates and encrypted data are not lost.
  • Destroy retired keys using documented and verifiable procedures.

Common mistakes include leaving private keys in plaintext files, sharing passwords for protected key stores, or failing to revoke compromised certificates. Another mistake is using the same key for too many purposes. Separation of duties matters here. A key used for code signing should not also be reused for unrelated encryption tasks.

NIST publishes detailed guidance on cryptographic practices, and OWASP is useful for understanding how poor key and secret handling shows up in application security failures.

Warning

If your key management is weak, your encryption controls are weaker than they look. The algorithm does not save you from exposed keys.

Common Cryptographic Protocols and Real-World Applications

Cryptography becomes real when it shows up in protocols. HTTPS is the clearest example. It combines TLS, certificates, asymmetric key exchange, symmetric session encryption, and integrity checks to secure browser sessions. If the certificate chain fails or the certificate expires, the secure connection breaks.

SSL/TLS is often used interchangeably in conversation, but Security+ expects you to understand the modern protocol family as TLS. TLS is what protects web logins, APIs, remote administration, and many messaging systems. VPNs use related cryptographic ideas to protect traffic between users and private networks.

Common Protocol Use Cases

  • HTTPS for web applications and portals.
  • VPNs for remote work and site-to-site connectivity.
  • Secure email for encrypted and signed communications.
  • Mobile device protection for app traffic and stored data.
  • Cloud security for encryption at rest, in transit, and sometimes in use.

These controls are not just technical preferences. They support risk reduction and compliance. Encrypted data lowers exposure in breach scenarios, and signed artifacts reduce the chance of tampered software reaching production. In regulated industries, the difference between “we had encryption” and “we had no usable key management” can become an audit finding.

For practical standards and defensive guidance, see CIS Controls and NIST. Both are useful when connecting Security+ knowledge to workplace controls.

Common Security CompTIA+ Exam Traps and How to Avoid Them

Most cryptography questions on Security+ are not about advanced math. They are about selecting the right control for the right problem. That means the exam often gives you two or three answers that sound close, then asks you to identify the best one. The trick is to know what each cryptographic tool actually does.

High-Frequency Confusions

  • Symmetric vs. asymmetric: symmetric uses one shared key; asymmetric uses a public/private key pair.
  • Hashing vs. encryption: hashing is one-way and for integrity; encryption is reversible and for confidentiality.
  • Digital signature vs. certificate: a signature proves origin and integrity; a certificate binds identity to a public key.
  • Confidentiality vs. integrity: confidentiality hides data; integrity proves it has not been changed.
  • Key exchange vs. data encryption: key exchange helps establish a session; symmetric encryption often protects the actual data.

Memorization helps, but recognition helps more. If a question says “large volumes of data that must be transferred efficiently,” think symmetric encryption. If it says “verify identity,” think certificates or digital signatures. If it says “detect changes to a file,” think hashing. If it says “prove the sender cannot deny the action,” think non-repudiation.

A useful shortcut is this: encrypt to hide, hash to verify, sign to prove, certificate to trust. That one line covers many exam scenarios and is easy to apply under time pressure. For workforce context, the NICE Framework maps these skills to real cybersecurity job tasks.

How to Study Cryptography and PKI for the Security CompTIA+ Exam

The best way to study this domain is to build relationships, not just definitions. You need to know which technology solves which problem, and you need to practice applying that knowledge to scenarios. If you can explain why a browser warns about an expired certificate or why a password hash needs a salt, you are in good shape.

A Practical Study Plan

  1. Create a comparison chart for AES, RSA, hashing, PKI, and digital signatures.
  2. Use flashcards for core terms like plaintext, ciphertext, certificate authority, and salting.
  3. Inspect certificates in a browser to see issuer, subject, and expiration fields.
  4. Review TLS behavior by checking how websites handle certificate warnings.
  5. Practice scenario questions that ask you to choose the best control for confidentiality, integrity, or authentication.

If you want free, authoritative study material, use official vendor and standards sources rather than random summaries. Microsoft Learn, AWS, and Cisco documentation are good for implementation examples, while NIST gives you the underlying security model.

If your goal is the best cryptography courses online free with practical value, focus on resources that let you inspect certificates, compare algorithms, and validate hashes yourself. That hands-on repetition is what makes the Security+ domain stick.

Key Takeaway

Study cryptography by matching the control to the problem: encryption for confidentiality, hashing for integrity, signatures for proof, and PKI for trust.

Conclusion

Cryptography and PKI are the backbone of secure digital systems. They protect data, verify identity, support non-repudiation, and make browser sessions, remote access, and signed software trustworthy. For Security+, this domain is not optional memorization. It is core material that shows up across the exam and in daily security work.

If you understand the difference between symmetric and asymmetric encryption, know when hashing is the right answer, and can explain how certificates build trust, you are already ahead of many candidates. More importantly, you are building the kind of judgment that security teams need when systems break, certificates expire, or traffic needs to be protected at scale.

Review the full 7-part series, revisit the scenarios you missed, and practice explaining these concepts out loud without notes. That is the fastest way to make them usable under exam pressure and in production environments. ITU Online IT Training recommends treating this topic as a working skill, not just a test objective.

Next step: go back through your Security+ notes and build one comparison sheet for encryption, hashing, signatures, and PKI. If you can explain each one in plain English, you are ready.

CompTIA® and Security+™ are trademarks of CompTIA, Inc.

,
[ FAQ ]

Frequently Asked Questions.

What is the main purpose of cryptography in cybersecurity?

Cryptography primarily aims to protect the confidentiality, integrity, authentication, and non-repudiation of data. It ensures that sensitive information remains private and unaltered during transmission or storage.

By applying techniques such as encryption, hashing, and digital signatures, cryptography helps organizations secure communications against unauthorized access and tampering. This foundation is essential for maintaining trust and compliance in digital environments.

How does Public Key Infrastructure (PKI) support secure communications?

PKI provides a framework for managing digital certificates and public-key encryption, enabling secure and trusted exchanges of information. It uses a combination of asymmetric key pairs—public and private keys—to facilitate encryption and digital signatures.

Through the issuance, management, and revocation of certificates by Certificate Authorities (CAs), PKI ensures that entities involved in communication are authentic. This infrastructure helps prevent impersonation, man-in-the-middle attacks, and unauthorized access.

What are some common cryptographic algorithms used in security applications?

Common cryptographic algorithms include symmetric encryption algorithms like AES (Advanced Encryption Standard), which are used for fast data encryption. Asymmetric algorithms such as RSA and ECC (Elliptic Curve Cryptography) are used for key exchange and digital signatures.

Hash functions like SHA-256 are employed to verify data integrity, while digital signature algorithms combine hashing with asymmetric encryption to authenticate the origin of data. Choosing the right algorithm depends on the specific security requirement and performance considerations.

What is the difference between symmetric and asymmetric encryption?

Symmetric encryption uses a single secret key for both encryption and decryption, making it fast and suitable for encrypting large amounts of data. Examples include AES and DES.

Asymmetric encryption, on the other hand, employs a key pair: a public key for encryption or verification and a private key for decryption or signing. It is commonly used for secure key exchange and digital signatures, with RSA being a popular example.

Why is key management critical in cryptography and PKI?

Effective key management ensures that cryptographic keys are generated, stored, distributed, and revoked securely. Poor key management can lead to unauthorized access, key compromise, or data breaches.

In PKI, key management involves managing certificates and private keys to maintain trust within the organization. Proper practices include regular key rotation, secure storage, and timely revocation of compromised keys, which are essential for maintaining the integrity of cryptographic systems.

Related Articles

Ready to start learning? Individual Plans →Team Plans →
Discover More, Learn More
Security CompTIA : Architecture and Design (4 of 7 Part Series) Learn essential security architecture and design principles to strengthen your understanding of… CompTIA Security Plus : Risk Management (6 of 7 Part Series) Learn essential risk management concepts to identify, assess, and respond to security… CompTIA Security+ Certification: Your Ultimate Guide (1 of 7 Part Series) Discover essential insights to help you understand, prepare for, and advance your… CompTIA Security+ Objectives : Threats, Attacks and Vulnerabilities (2 of 7 Part Series) Learn about threats, attacks, and vulnerabilities to strengthen your cybersecurity knowledge and… CompTIA Security +: Identity and Access Management (5 of 7 Part Series) Learn the essentials of Identity and Access Management and understand its critical… CompTIA Security Plus Study Guide: 5 Mistakes to Avoid Discover key strategies to avoid common study mistakes and enhance your Security+…
FREE COURSE OFFERS