What cryptography is on the Security+ exam?

SY0-701 expects symmetric and asymmetric algorithms (AES, RSA, ECC), hashing (SHA-2, HMAC), password protection (salting, bcrypt, PBKDF2), and concepts such as digital signatures, PKI, and key exchange.

Is AES symmetric or asymmetric?

AES is symmetric: the same key encrypts and decrypts. RSA and ECC are the common asymmetric algorithms, used for key exchange and digital signatures.

What is the difference between hashing and encryption?

Encryption is reversible with a key and protects confidentiality. Hashing is one-way and proves integrity. Passwords are hashed with a salt, never encrypted.

Why are MD5 and SHA-1 not recommended?

Both are broken; practical collisions have been demonstrated, so they should not be used for security. Use SHA-2 or SHA-3 instead.

Offline·Progress will sync once you are back on the network.

Free cheat sheet

Security+ Cryptography Cheat Sheet (SY0-701)

The cryptography you need for the CompTIA Security+ SY0-701 exam in one place: symmetric versus asymmetric, the common algorithms, hashing, and the core concepts. Free, no account. Download the PDF or study it here.

Last updated June 2026

Free PDF: Security+ cryptography cheat sheetAlgorithms, hashing, and key concepts on one page. Print it, pin it.

The three families at a glance

Symmetric, asymmetric, and hashing compared
Aspect	Symmetric	Asymmetric	Hashing
Keys	One shared secret key	Public and private key pair	No key (one-way)
Reversible?	Yes, with the key	Yes, with the private key	No
Speed	Fast	Slow	Fast
Main use	Bulk data encryption	Key exchange and signatures	Integrity and passwords
Examples	AES, ChaCha20	RSA, ECC, Diffie-Hellman	SHA-256, SHA-3

Go deeper on symmetric vs asymmetric encryption and hashing vs encryption.

Symmetric (secret key) algorithms

One shared key encrypts and decrypts. Fast, so it does the bulk work of encrypting data.

AESAdvanced Encryption Standard. Block cipher with 128-bit blocks and 128, 192, or 256-bit keys. The modern standard for data at rest and in transit.
ChaCha20Fast modern stream cipher, common on mobile and in TLS. Usually paired with Poly1305 for authentication.
3DESTriple DES applies DES three times. Legacy and being retired because it is slow and weaker than AES.
DESData Encryption Standard. A 56-bit key that is broken by brute force. Do not use.
RC4Legacy stream cipher with known weaknesses. Prohibited in TLS.
Blowfish / TwofishOlder block ciphers. Twofish was a finalist in the AES competition.

Asymmetric (public key) algorithms

A public and private key pair. Slower, so it is used for key exchange and digital signatures, not bulk data.

RSAEncryption and digital signatures. Its strength comes from the difficulty of factoring large numbers. Common key sizes are 2048, 3072, and 4096 bits.
ECCElliptic Curve Cryptography. Matches RSA strength with much smaller keys, so it is efficient for mobile and IoT.
Diffie-Hellman (DH)Key exchange: two parties agree on a shared secret over an open channel. ECDH is the elliptic-curve version.
DSA / ECDSADigital Signature Algorithm and its elliptic-curve form. Used for signatures only, not encryption.

Hashing algorithms

One-way functions that produce a fixed-length digest. They verify integrity and cannot be reversed.

SHA-2Secure Hash Algorithm 2, including SHA-256, SHA-384, and SHA-512. The current standard for integrity.
SHA-3The newest SHA family, built on a different internal design (Keccak) than SHA-2.
SHA-1A 160-bit hash that is deprecated; practical collisions have been demonstrated. Do not use for security.
MD5A 128-bit hash that is broken; collisions are trivial. Use only for non-security checksums.
HMACHash-based Message Authentication Code. Combines a hash with a secret key to prove both integrity and authenticity.

Password protection

Passwords are hashed, never encrypted. These techniques make cracking slow and rainbow tables useless.

SaltA unique random value added to each password before hashing, so identical passwords produce different hashes and precomputed (rainbow table) attacks fail.
bcrypt / scrypt / Argon2Slow, salted password hashing functions built to resist brute force. Argon2 is the modern recommendation.
PBKDF2Password-Based Key Derivation Function 2. Repeats a hash many times (key stretching) to slow down guessing.
Key stretchingDeliberately repeating a hash to make each guess expensive, raising the cost of brute force.

Core concepts

The ideas that tie the algorithms together, and the ones the exam tests most.

Digital signatureSign with your private key; anyone verifies with your public key. Provides integrity, authentication, and non-repudiation.
Hybrid encryptionAsymmetric crypto exchanges a symmetric session key, then symmetric crypto encrypts the data. This is how TLS works.
PKIPublic Key Infrastructure. A certificate authority (CA) issues and signs certificates, a CSR requests one, and revocation is checked with a CRL or OCSP.
Perfect forward secrecyEphemeral keys (DHE or ECDHE) ensure that compromising a long-term key cannot decrypt past sessions.
IV / nonceA unique value used once per encryption so identical plaintext does not produce identical ciphertext.
Block vs stream cipherBlock ciphers (AES) encrypt fixed-size blocks; stream ciphers (ChaCha20) encrypt a continuous stream a bit or byte at a time.

Cryptography is a third of Domain 1

Memorizing the list is step one. SecPlus Mastery teaches when to use each algorithm and drills it with over 1,000 practice questions, mock exams, and spaced review across all five SY0-701 domains.

Create a free account See plans

Security+ cryptography FAQ

What cryptography is on the Security+ exam?
SY0-701 expects symmetric and asymmetric algorithms (AES, RSA, ECC), hashing (SHA-2, HMAC), password protection (salting, bcrypt, PBKDF2), and concepts such as digital signatures, PKI, and key exchange.
Is AES symmetric or asymmetric?
AES is symmetric: the same key encrypts and decrypts. RSA and ECC are the common asymmetric algorithms, used for key exchange and digital signatures.
What is the difference between hashing and encryption?
Encryption is reversible with a key and protects confidentiality. Hashing is one-way and proves integrity. Passwords are hashed with a salt, never encrypted.
Why are MD5 and SHA-1 not recommended?
Both are broken; practical collisions have been demonstrated, so they should not be used for security. Use SHA-2 or SHA-3 instead.

Keep studying: full practice test, ports cheat sheet, and the acronyms glossary.

Aligned to the CompTIA Security+ SY0-701 objectives. CompTIA and Security+ are trademarks of CompTIA, used here for identification only.