Why is crypto the hardest Security+ domain?

Because the textbook treats it as a math topic when the exam treats it as a use-case decision. You don't need to compute RSA by hand — you need to know that RSA is asymmetric, used for key exchange and digital signatures, with 2048-bit minimum, and that ECC is the modern alternative. The decoder below is the framing that flips your study from 'memorize algorithms' to 'pick the right tool for the job.'

What's the simplest way to remember symmetric vs asymmetric?

Symmetric uses ONE key shared between sender and receiver — fast but the key-distribution problem is hard. Asymmetric uses TWO keys (public + private) — solves key distribution but is 100–1000× slower. Real-world: use asymmetric to exchange a symmetric key, then switch to symmetric for the bulk data. That's how TLS works.

Is AES-256 always better than AES-128?

Not in any practical way. AES-128 is computationally infeasible to brute-force with current technology (would take billions of years). AES-256 adds margin for quantum-computing futures, but for exam purposes both are 'strong symmetric.' The exam tests AES-128 vs AES-256 less than you'd think; it tests AES vs 3DES (3DES is deprecated) much more.

What's the difference between hashing and encryption?

Encryption is reversible — with the key, you get the plaintext back. Hashing is one-way — you cannot recover the input from the hash. Hashing proves integrity (did this file change?). Encryption provides confidentiality (can someone read this if they intercept it?). Mixing them up is the single most common exam mistake.

Where can I drill these as flashcards?

Free Sec+ crypto flashcards aligned to this exact decoder are at https://secplus.it-learn.io — free with a quick signup. Practice picking 'symmetric / asymmetric / hashing / digital signature' for a hundred scenarios and the exam questions become reflex.

Security+ Crypto Decoder — Symmetric vs Asymmetric vs Hashing on One Page

The crypto domain is where most Security+ candidates lose points. Not because the math is hard — the math isn’t even on the exam — but because the textbook teaches it as algorithm memorization when the exam tests use-case decisions.

Came from the IG reel? Scroll straight to the decoder. The whole crypto domain fits on one page.

The decoder — three columns, one decision

	Symmetric	Asymmetric	Hashing
Keys	1 shared key	2 keys (public + private)	No key
Reversible?	Yes (with key)	Yes (with private key)	No — one-way
Speed	Fast ⚡	Slow (100–1000×)	Fast ⚡
Used for	Bulk data encryption	Key exchange + digital signatures	Integrity + password storage
Common algos	AES, ChaCha20, 3DES (deprecated)	RSA, ECC, Diffie-Hellman, ECDH	SHA-256, SHA-3, bcrypt, Argon2
Key/output size	128 / 192 / 256 bit	2048 / 3072 / 4096 bit (RSA); 256+ (ECC)	256 / 384 / 512 bit

The single rule: use asymmetric to exchange a symmetric key, then switch to symmetric for the bulk data. That’s TLS in one sentence. That’s HTTPS in one sentence. That’s how every secure messaging app works.

When to use each — the exam-style decision tree

Do I need to recover the original data?
├─ YES → encryption
│   ├─ Many messages, same parties → symmetric (AES-256)
│   ├─ First contact / no shared secret → asymmetric (RSA / ECC)
│   └─ Both → hybrid (asymmetric for key, symmetric for data) ← TLS
│
└─ NO, just verify integrity / identity → hashing
    ├─ "Did this file change?" → SHA-256 or SHA-3
    ├─ "Is this password right?" → bcrypt / Argon2 (slow on purpose)
    └─ "Who signed this?" → digital signature (hash + asymmetric)

The algorithms worth memorizing

You don’t need to know every algorithm. You need to know which class each belongs to:

Symmetric (use for bulk data)

AES — current standard. AES-128 or AES-256. Block cipher. Fast in hardware.
ChaCha20 — modern stream cipher. Fast on mobile / no AES hardware acceleration.
3DES — deprecated. If you see it on the exam, it’s the wrong answer.
DES — broken. Same.
RC4 — broken. Same.

Asymmetric (use for key exchange + signatures)

RSA — the workhorse. 2048-bit minimum, 3072+ for new deployments.
ECC — Elliptic Curve. Smaller keys (256-bit ECC ≈ 3072-bit RSA in strength), faster.
Diffie-Hellman / ECDH — key exchange specifically (not encryption itself).
DSA / ECDSA — digital signatures specifically.

Hashing (use for integrity + passwords)

SHA-256, SHA-384, SHA-512 — current standards. SHA-2 family.
SHA-3 — newer alternative, different internal design. Same security goals.
MD5 — broken. Collision attacks. Wrong answer on the exam.
SHA-1 — broken. Same.
bcrypt, scrypt, Argon2 — slow on purpose. Use ONLY for password storage. Don’t use for general-purpose hashing — they’re tuned to be expensive.

The three exam traps

Trap 1 — “Encryption vs Hashing”

A password file should be hashed (not encrypted). If it’s encrypted, an attacker with the key gets all passwords. If it’s hashed (with salt), the attacker needs to crack each one.

Trap 2 — “Same algorithm, wrong purpose”

SHA-256 is a hashing algorithm. You cannot encrypt with it. You cannot decrypt with it. Questions like “encrypt this file with SHA-256” have no correct answer — the trick is to recognize the category error.

Trap 3 — “Diffie-Hellman ≠ encryption”

DH is a key exchange algorithm. It produces a shared secret over an untrusted channel. The shared secret is then used with AES (or similar) to actually encrypt data. Questions that ask “how is the data encrypted” should never answer “Diffie-Hellman.”

Digital signatures — the combo move

A digital signature is hash + asymmetric private key:

Hash the document → digest
Encrypt the digest with the sender’s private key → signature
Send the document + signature

The receiver:

Decrypts the signature with the sender’s public key → original digest
Hashes the document themselves → new digest
Compares. Match → document is authentic AND unchanged.

This is what makes digital signatures provide both authentication (who signed) and integrity (was it changed) in one operation. Most exam questions on digital signatures test whether you can identify all three properties at once.

The 5-minute drill

Print this cheat sheet. Cover the right side. For each algorithm, say out loud:

AES → symmetric → bulk data
RSA → asymmetric → key exchange + signatures
SHA-256 → hashing → integrity
bcrypt → hashing → passwords specifically
ECDH → asymmetric → key exchange specifically
ChaCha20 → symmetric → modern bulk data

Do this for 5 minutes a day for a week. The crypto domain becomes reflex.

Practice with free flashcards

🛡️ Studying for CompTIA Security+?

Practice with free flashcards, crypto-decoder drills, and exam-style scenarios at secplus.it-learn.io — aligned to the current SY0-701 objectives. Free with a quick signup.

The Sec+ crypto flashcard deck on secplus.it-learn.io is keyed off this exact decoder. Each card is a scenario (“you need to encrypt a 1 GB file across the internet between two parties who’ve never met”), and you pick the right tool. Practice 50 of those scenarios and the SY0-701 crypto questions are easy points.

🎯 Studying for any IT cert?

All the free cert-study tools — Network+, Security+, CCIE Security, CHFI, ECIH — live at study.it-learn.io. Flashcards, quizzes, calculators, mnemonics. Free with a quick signup.