Cryptography Essentials for Security Architects: What You Must Know Without Being a Mathematician

Hook / Why This Matters

CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.

Cryptography is the most math-heavy topic in the CISSP, and also the one where architects make the most consequential mistakes. You do not need to implement AES. You do need to know when to use it, when not to, and why key management matters more than algorithm choice.

Core Concept Explained Simply

Cryptography provides four core security services: confidentiality, integrity, authentication, and non-repudiation. Different cryptographic mechanisms provide different combinations of these services, and choosing the right mechanism for the right requirement is the architect's job.

Symmetric Encryption

Symmetric encryption uses one key for both encryption and decryption. It is fast and efficient, making it the standard for encrypting bulk data. The primary algorithms you need to know are:

• AES (Advanced Encryption Standard): The current standard. Block cipher with 128, 192, or 256-bit keys.
• 3DES (Triple DES): Legacy algorithm, being phased out. Applies DES three times.
• Block vs. stream ciphers: Block ciphers encrypt fixed-size blocks of data. Stream ciphers encrypt one bit or byte at a time.
• Modes of operation: CBC, GCM, and CTR are the most important. ECB mode encrypts each block independently and leaks patterns. GCM provides both confidentiality and integrity (authenticated encryption).

The fundamental limitation of symmetric encryption is key distribution. Both parties need the same key, and transmitting that key securely is a challenge that asymmetric cryptography solves.

Asymmetric Encryption

Asymmetric encryption uses a key pair: a public key and a private key. Data encrypted with one key can only be decrypted with the other. It is much slower than symmetric encryption but solves the key distribution problem.

• RSA: The most widely used asymmetric algorithm. Used for encryption, digital signatures, and key exchange.
• ECC (Elliptic Curve Cryptography): Provides equivalent security to RSA with shorter key lengths, making it more efficient.
• Diffie-Hellman: A key exchange protocol that allows two parties to establish a shared secret over an insecure channel.

Hashing

Hash functions produce a fixed-length output (digest) from any input. They are one-way functions, meaning you cannot reverse the hash to recover the original data.

• SHA-2 and SHA-3: Current standards. SHA-256 and SHA-512 are the most common variants.
• MD5 and SHA-1: Deprecated for security use due to known collision vulnerabilities.
• Key properties: Collision resistance (hard to find two inputs with the same hash), preimage resistance (hard to find an input that produces a given hash).

Hashing provides integrity verification but not confidentiality. It tells you whether data has been modified, but it does not hide the data.

Digital Signatures

Digital signatures combine hashing and asymmetric cryptography to provide authentication, integrity, and non-repudiation in one mechanism. The signer hashes the message and encrypts the hash with their private key. The recipient decrypts with the signer's public key and compares hashes.

This is the only standard mechanism that provides non-repudiation, because only the private key holder could have created the signature.

HMAC vs. Digital Signatures

HMAC (Hash-based Message Authentication Code) uses a shared secret key with a hash function to provide integrity and authentication. However, because both parties share the same key, HMAC does not provide non-repudiation. Either party could have generated the HMAC.

Hybrid Cryptosystems

In practice, systems use both symmetric and asymmetric cryptography together. Asymmetric cryptography exchanges or protects the symmetric key, and the symmetric key encrypts the actual data. TLS, PGP, and S/MIME all work this way.

CISSP Lens

The exam tests your ability to match cryptographic mechanisms to security requirements:

• Need confidentiality? Use encryption (symmetric for data, asymmetric for key exchange).
• Need integrity? Use hashing or HMAC.
• Need authentication? Use digital signatures or HMAC.
• Need non-repudiation? Use digital signatures. This is the only answer.

Know that symmetric encryption is faster but has a key distribution problem. Know that digital signatures provide non-repudiation while HMAC does not. Know that encryption alone does not provide integrity unless you use authenticated encryption (like AES-GCM).

Real-World Scenario

A development team encrypted sensitive API payloads using AES in ECB (Electronic Codebook) mode. ECB encrypts each block independently with the same key, which means identical plaintext blocks produce identical ciphertext blocks. When security researchers analyzed the encrypted traffic, they could see patterns in the data that revealed structural information about the payloads.

The team switched to AES-GCM (Galois/Counter Mode), which solved two problems at once. GCM is a stream-oriented mode that does not leak patterns, and it provides built-in authentication, verifying both confidentiality and integrity of the ciphertext. An architectural review process that included cryptographic design review would have caught the ECB choice before deployment.

Common Mistakes and Misconceptions

• Using encryption for integrity. Standard encryption provides confidentiality, not integrity. Without authenticated encryption (GCM) or a separate integrity check, encrypted data can be tampered with without detection.
• Choosing algorithms based on key length alone. A 256-bit key with a weak algorithm is not necessarily stronger than a 128-bit key with a strong one. Algorithm family matters.
• Storing encryption keys alongside encrypted data. This defeats the purpose of encryption entirely.
• Using MD5 or SHA-1 for security-critical functions in new systems. Both have known collision vulnerabilities.
• Confusing encoding with encryption. Base64 is encoding, not encryption. It provides no confidentiality.

Actionable Checklist

• Inventory all cryptographic algorithms in use across your environment
• Verify no deprecated algorithms (DES, MD5, SHA-1, RC4) remain in production
• Confirm encryption keys are stored separately from encrypted data
• Check that authenticated encryption modes (GCM) are used where integrity matters
• Document your cryptographic standards in an organizational crypto policy
• Plan for algorithm agility to support future transitions (including post-quantum)

Key Takeaways

• Symmetric for speed, asymmetric for key exchange and signatures, hashing for integrity
• Digital signatures provide non-repudiation; symmetric encryption and HMAC do not
• Algorithm choice matters less than key management in practice
• Authenticated encryption (AES-GCM) handles confidentiality and integrity together
• Know what each mechanism provides and what it does not

Exam-Style Reflection Question

An organization needs to ensure that a message was sent by a specific individual and has not been modified. Which cryptographic mechanism best meets both requirements?

Answer: A digital signature. It provides authentication (verifying the sender), integrity (detecting modification), and non-repudiation (the sender cannot deny sending it). Encryption alone does not provide integrity or non-repudiation. HMAC provides integrity and authentication but not non-repudiation.