Domain 5 : Cryptography

Confidentiality

Ensures data is only accessible to authorized parties; achieved through encryption and access control.

Integrity

Guarantees that data has not been altered; verified with hashing, HMACs, and digital signatures.

Authenticity

Confirms the identity of the sender or system; uses digital certificates and authentication protocols.

Non-repudiation

Ensures actions cannot be denied later; achieved through digital signatures, HMAC, and audit trails.

PII (Personally Identifiable Information)

Data that can identify a person, such as name, SSN, or email.

PHI (Protected Health Information)

Health-related personal information protected under HIPAA.

IP (Intellectual Property)

Proprietary data such as designs, source code, or trade secrets that require confidentiality.

Hashing

A one-way function that converts data into a fixed-length string for verifying data integrity.

Salting

Adding random data to passwords before hashing to defeat rainbow table attacks.

Symmetric Encryption

Uses the same key to encrypt and decrypt data; faster but harder to scale securely.

Asymmetric Encryption

Uses a public/private key pair; enables secure key exchange and digital signatures.

ECC (Elliptic Curve Cryptography)

A lightweight asymmetric algorithm that offers strong encryption with smaller key sizes.

AES (Advanced Encryption Standard)

A symmetric block cipher standard commonly used for data at rest; strong and efficient.

RSA (Rivest-Shamir-Adleman)

A widely used asymmetric algorithm used for encryption and digital signatures.

HMAC (Hash-based Message Authentication Code)

Combines a shared secret with a hash function to verify message integrity and authenticity.

Digital Signature

A cryptographic method for verifying identity and message integrity using private/public key pairs.

TLS (Transport Layer Security)

A protocol used to encrypt data in transit, especially in web browsers and email.

IPsec (Internet Protocol Security)

A protocol suite used to secure network communication at the IP layer.

ESP (Encapsulating Security Payload)

IPsec protocol providing confidentiality through encryption.

AH (Authentication Header)

IPsec protocol providing integrity and authentication without encryption.

PGP (Pretty Good Privacy)

A tool that uses public-key cryptography to secure email communication.

Rainbow Table Attack

A precomputed table of hashes used to reverse unsalted password hashes.

Salting vs Hashing

Hashing is one-way; salting adds uniqueness to each hash to prevent reverse lookup attacks.

Certificate Authority (CA)

A trusted third party that issues and verifies digital certificates in a PKI.

Public Key Infrastructure (PKI)

A system that manages digital certificates and public-key encryption.

Key Revocation

The process of invalidating a certificate before its expiration; managed via CRL or OCSP.

Web of Trust

A decentralized trust model used in PGP and GPG instead of a central authority.

Forward Secrecy

A feature of secure protocols where each session uses a unique ephemeral key, preventing compromise of past sessions.

Key Escrow

A process where a third party securely stores encryption keys for recovery or legal access.

SHA1

Secure hash algorithm producing a 160-bit digest; now considered weak for collision resistance.

MD5

A legacy hashing algorithm producing a 128-bit hash; vulnerable to collisions and not secure.

Key Management Lifecycle

Includes generation, storage, distribution, rotation, revocation, and destruction of keys.

Quantum Cryptography

A field using quantum mechanics for secure key distribution and ultra-strong entropy.

PCI-DSS

A compliance standard that requires strong encryption (TLS, AES) when transmitting or storing credit card data.

ISO 27001

An international security framework that outlines best practices for cryptographic controls and key management.

Entropy

In cryptography, the amount of randomness used to generate secure keys; high entropy means better security.

Quantum Key Distribution

A cryptographic method using quantum mechanics to securely exchange keys with guaranteed detection of eavesdropping.

Cryptanalysis

The process of attempting to break cryptographic algorithms through analysis of ciphertexts and key weaknesses.

Man-in-the-Middle (MITM) Attack

An attack where the adversary intercepts and possibly alters communication between two parties.

Brute Force Attack

An attack that tries all possible key combinations until the correct one is found.

Downgrade Attack

An attack that forces a system to use a weaker, outdated cryptographic protocol or cipher.

WPA2-Enterprise

Wi-Fi encryption standard that uses 802.1X and RADIUS server for authentication.

WPA3

A newer wireless standard offering stronger encryption and protection from dictionary attacks.

RADIUS (Remote Authentication Dial-In User Service)

A protocol used for centralized authentication, often in enterprise WPA2/WPA3 wireless networks.

SFTP (Secure File Transfer Protocol)

A secure version of FTP that runs over SSH to encrypt data in transit.

FTPS (FTP Secure)

A version of FTP that uses TLS for encryption; often used in secure file transfers.

TLS 1.0/1.1

Deprecated versions of TLS with known vulnerabilities; must be disabled in favor of TLS 1.2+.

Initialization Vector (IV)

Random value used to ensure the same plaintext encrypts differently each time; prevents pattern analysis.

Audit Trail

A secure, chronological log that supports non-repudiation and incident investigation.

OCSP (Online Certificate Status Protocol)

A real-time protocol for checking if a certificate has been revoked.

CRL (Certificate Revocation List)

A list published by a certificate authority containing revoked certificate serial numbers.

Block Cipher

Encrypts data in fixed-size blocks (e.g., AES-128); more secure with proper mode and padding.

Stream Cipher

Encrypts data one bit or byte at a time (e.g., RC4); useful for real-time applications but less common now.

RC4

A deprecated stream cipher with known vulnerabilities; should not be used.

Perfect Forward Secrecy

A property that ensures session keys cannot be recovered even if long-term keys are compromised.