Security+ Lecture Notes – Encryption, PKI, Hashing, Authentication, Access Control, Networking

A comprehensive set of vocabulary flashcards covering encryption, PKI, hashing, authentication, access control, and networking concepts from the lecture notes.

Symmetric encryption

Encryption that uses a single shared private key on both ends; fast and suitable for bulk data.

Pre-Shared Key (PSK)

A secret key shared in advance used by symmetric encryption.

AES

Advanced Encryption Standard; symmetric cipher used for bulk data with 128/192/256-bit keys.

AES-256

AES variant with a 256-bit key length providing stronger security.

AES-512

Mentioned in notes as a larger-key option for AES; not a standard widely used variant.

RC4

A stream cipher; historically fast but now considered insecure for many uses.

DES

Data Encryption Standard; old symmetric cipher with a 56-bit key; now insecure.

3DES

Triple DES; applies DES three times for greater security; slower and being phased out.

Asymmetric encryption

Public-key cryptography using a key pair (public and private keys) for encryption and signatures.

Public Key Infrastructure (PKI)

Framework for managing digital certificates and public-key cryptography.

RSA

Widely used asymmetric algorithm; typically used with 2048–4096-bit keys for encryption and digital signatures.

RSA 2048-4096

RSA key size range commonly recommended for security; larger keys offer stronger protection.

Elliptic Curve Cryptography (ECC)

Public-key crypto based on elliptic curves; provides equivalent security with smaller key sizes (efficient for low-power devices).

Diffie-Hellman (DH)

Key exchange protocol that enables two parties to establish a shared secret; with ephemeral keys it provides forward secrecy.

Hashing

One-way function that produces a fixed-size digest; used to ensure data integrity.

MD5-128

128-bit hash; vulnerable to collisions and rainbow-table attacks; considered insecure.

SHA-1

Hash function in the SHA family; vulnerability to collisions; replaced by SHA-256/512 in secure systems.

SHA-256

256-bit hash function in the SHA-2 family; widely used for secure digests.

SHA-512

512-bit hash function in the SHA-2 family; provides very strong digests.

Key exchange

Process by which two parties establish a shared secret or session keys for encryption.

Private key

Secret key used in asymmetric cryptography; must be kept secure to maintain confidentiality and authenticity.

Public key

Publicly shared key used to encrypt data or verify signatures; paired with a private key.

MD5 weaknesses

MD5 is susceptible to collisions and birthday attacks, making it unsuitable for secure hashing.

Digital signatures

Cryptographic signatures that verify the sender's identity and data integrity using a private key.

Root CA

Root of trust in a PKI; typically offline and highly trusted; signs intermediate CAs or certificates.

Certification Authority (CA)

Entity that issues and signs digital certificates trusted by users.

Registration Authority (RA)

Entity that verifies identity information before a certificate is issued by a CA.

Certificate Signing Request (CSR)

Request sent to a CA to issue a certificate; includes identifiers like FQDN.

Fully Qualified Domain Name (FQDN)

Complete domain name for a device or service, including subdomain and top-level domain.

IPv4

Internet Protocol version 4 address format (e.g., 192.0.2.1).

IPv6

Internet Protocol version 6 address format; longer addresses and new features.

Digital Certificate

X.509 public key certificate binding a public key to an entity; signed by a CA.

X.509

Standard format for public key certificates used in PKI.

PKIX

PKI X.509 standard; defines certificate path validation and trust models.

PKCS

Public Key Cryptography Standards; a set of standards for PKI operations.

Self-Signed Certificate

Certificate signed by the entity itself rather than by a trusted CA; no external root of trust.

Certificate Revocation List (CRL)

List published by a CA of certificates that have been revoked before expiration.

Online Certificate Status Protocol (OCSP)

Protocol to check certificate revocation status in real time; stapling can optimize this.

OCSP stapling

Server provides OCSP response to clients, reducing certificate-status checks by clients.

Certificate pinning

Storing known-good certificates or public keys in a client to prevent MITM with forged certs.

Common Name (CN)

Primary domain name listed in a certificate's subject field.

Subject Alternative Name (SAN)

Additional hostnames or identities covered by a certificate.

Key Management Interoperability Protocol (KMIP)

Standard protocol for managing cryptographic keys across systems.

Trusted Platform Module (TPM)

Hardware-based root of trust embedded in a computer’s motherboard or chipset.

Hardware Security Module (HSM)

Removable or dedicated device that safeguards and manages cryptographic keys.

Key Escrow

Backup of cryptographic keys held by a trusted party for recovery purposes.

Secure Enclave

Dedicated secure environment (e.g., password management) within a device.

Bulk Encryption

Encrypting large amounts of data efficiently, typically with AES.

Private asymmetric key inefficiency

Asymmetric keys are computationally heavy; bulk data should be encrypted with a symmetric key.

Perfect Forward Secrecy (PFS)

Property ensuring session keys are ephemeral and not derived from server private keys.

Salting

Adding random data to passwords before hashing to defend against precomputed attacks.

Key stretching

Applying multiple rounds of hashing or derivation to slow offline attacks.

Steganography

Concealing information within ordinary media or cover text to hide its presence.

Data Masking

Redacting or obscuring sensitive data to protect privacy.

Tokenization

Replacing sensitive data with non-sensitive tokens; often reversible in controlled environments.

De-identification

Removing or masking personal identifiers from data sets.

TLS (Transport Layer Security)

Protocol that provides encryption for data in transit; successor to SSL.

Key Enclave

Memory-resident secure area for secrets like passwords within a device.

Wildcard certificate

Certificate that covers multiple subdomains using a wildcard in the CN (e.g., *.example.com).

Hard Authentication Tokens

Strong factors used for authentication, often cryptographic or token-based.

Certificate-based authentication

Authentication using digital certificates issued within PKI.

One-Time Password (OTP)

A password valid for only one login session or transaction.

FIDO

Fast Identity Online; standard for strong, phishing-resistant authentication.

U2F (Universal 2nd Factor)

Open authentication standard using hardware security keys for second factors.

Soft Authentication Tokens

Non-cryptographic or easily delivered tokens like SMS, email, or push notifications.

SMS

Short Message Service used as a soft authentication token.

Email

Email-based one-time codes or links used for authentication.

Phone call

Voice call delivering authentication codes or prompts.

Notification (push)

Push-based authentication prompt sent to a device.

Authenticator App

App-based codes (e.g., TOTP) used for multi-factor authentication.

Vulnerabilities: interception

Risk that tokens or codes can be intercepted during transmission.

Passwordless authentication

Authentication method that does not require a password (e.g., tokens, biometrics).

FRR (False Rejection Rate)

Probability of incorrectly rejecting a legitimate user.”

FAR (False Acceptance Rate)

Probability of incorrectly accepting an imposter; typically more problematic than FRR.

Discretionary Access Control (DAC)

Access rights are assigned by the resource owner; user-driven.

Mandatory Access Control (MAC)

System-enforced access control based on policy labels and classifications.

RBAC (Role-Based Access Control)

Access rights are granted based on user roles.

RUBAC (Rule-Based Access Control)

Access decisions driven by rules, often used with firewalls and policies.

ABAC (Attribute-Based Access Control)

Access determined by attributes (user, environment, resource).

Principle of least privilege

Give users the minimum permissions necessary to perform tasks.

Provisioning

Process of creating and issuing identities and credentials.

Deprovisioning

Removing access when an employee or contractor leaves or changes roles.

User Account Provisioning

Managing user identities, credentials, and access rights.

Privileged Access Management (PAM)

Policies and controls to prevent abuse of privileged accounts.

LDAP (Lightweight Directory Access Protocol)

Directory service protocol using distinguished names and attribute-value pairs.

SAML (Security Assertion Markup Language)

Open standard for exchanging authentication/authorization data between parties.

OAuth

Authorization framework for granting access to resources via tokens.

Single Sign-On (SSO)

Authentication allows access to multiple systems with one credential; Kerberos is common in enterprise SSO.

Kerberos

Network authentication protocol using tickets; enables SSO within a domain.

NGFW (Next-Generation Firewall)

Firewall with advanced features like application awareness and DPI.

Deep Packet Inspection (DPI)

Examines data packets beyond headers to enforce security rules.

Stateful firewall

Tracks connection state and context to make decisions.

Stateless firewall

Makes decisions without keeping track of past connections.

Web Application Firewall (WAF)

Firewall focused on protecting web applications from SQLi, XSS, CSRF, and similar attacks.

Unified Threat Management (UTM)

Single firewall appliance offering multiple security features (firewall, VPN, IDS/IPS, etc.).

DNS (Domain Name System)

Resolves domain names to IP addresses.

Secure Admin Workstation (SAW)

Dedicated, hardened workstation for administrative tasks.

Jump Server

Hardened intermediary server in a DMZ that administrators use to reach internal systems.

Network Access Control (NAC)

Controls access to network resources, often using 802.1X and posture checks.

802.1X

Port-based network access control protocol for authenticating devices on a LAN.