Common Cryptographic Use Cases – SSCP Study Guide
Why Is This Important?
Cryptography is a foundational pillar of information security and a heavily tested domain on the SSCP (Systems Security Certified Practitioner) exam. Understanding common cryptographic use cases ensures you can identify which cryptographic technique to apply in a given scenario, why it is appropriate, and how it protects confidentiality, integrity, authentication, and non-repudiation. Real-world security decisions—from protecting data at rest to securing communications—depend on selecting the correct cryptographic mechanism.
What Are Common Cryptographic Use Cases?
Common cryptographic use cases refer to the practical, everyday applications of cryptographic algorithms and protocols in an enterprise environment. The major categories include:
1. Confidentiality (Encryption of Data at Rest and Data in Transit)
- Data at Rest: Full-disk encryption (e.g., BitLocker, LUKS), database encryption (TDE – Transparent Data Encryption), and file-level encryption protect stored data from unauthorized access.
- Data in Transit: TLS/SSL, IPsec VPNs, and SSH encrypt data as it moves across networks, preventing eavesdropping and man-in-the-middle attacks.
2. Integrity
- Hashing algorithms (SHA-256, SHA-3) generate a fixed-length digest of data. Any modification to the original data produces a different hash, allowing detection of tampering.
- HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function to verify both integrity and authenticity of a message.
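The difference between an unkeyed hash (integrity only) and an HMAC (integrity plus authenticity) in working code. This is an added example, not part of the study guide; the message, the tampered version and the shared key are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample traffic for the demo (not taken from any real system).
MESSAGE = b"transfer 100.00 to account 4411"
TAMPERED = b"transfer 900.00 to account 4411"
KEY = secrets.token_bytes(32)   # known only to the legitimate sender and receiver

def send_with_hash(msg: bytes):
    """Sender appends an unkeyed SHA-256 digest: detects accidental corruption only."""
    return msg, hashlib.sha256(msg).hexdigest()

def check_hash(packet) -> bool:
    msg, digest = packet
    return hmac.compare_digest(hashlib.sha256(msg).hexdigest(), digest)

def send_with_hmac(msg: bytes, key: bytes = KEY):
    """Sender appends an HMAC-SHA256 tag: only a key holder can produce a valid one."""
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()

def check_hmac(packet, key: bytes = KEY) -> bool:
    msg, tag = packet
    # compare_digest runs in constant time, so the check leaks no timing hint about the tag
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), tag)

def tamper(packet):
    """Threat model: an on-path party alters the message and recomputes an unkeyed
    SHA-256 over it. Without KEY, that is the only 'proof' it can attach."""
    return TAMPERED, hashlib.sha256(TAMPERED).hexdigest()

def demo() -> dict:
    """Shows why the guide maps plain hashing to integrity but HMAC to authenticity."""
    return {
        "hash_accepts_tampered": check_hash(tamper(send_with_hash(MESSAGE))),   # True
        "hmac_accepts_tampered": check_hmac(tamper(send_with_hmac(MESSAGE))),   # False
        "hmac_accepts_genuine": check_hmac(send_with_hmac(MESSAGE)),            # True
    }
```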
3. Authentication
- Digital certificates (X.509) and PKI (Public Key Infrastructure) verify the identity of users, servers, and devices.
- Challenge-response protocols use cryptographic operations to prove identity (e.g., Kerberos tickets, smart card authentication).
- Password hashing (bcrypt, scrypt, Argon2) stores credentials securely so that plaintext passwords are never retained.
4. Non-Repudiation
- Digital signatures (using RSA, DSA, or ECDSA) ensure that a sender cannot deny having sent a message. The sender signs with their private key, and recipients verify with the sender's public key.
- This is critical for legal documents, financial transactions, and audit trails.
5. Key Exchange
- Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) allow two parties to establish a shared secret over an insecure channel.
- This shared secret is then used to derive symmetric session keys for encrypted communication.
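The two steps above (agree on a shared secret, then derive symmetric session keys from it) carried through in code, as an added example that is not part of the study guide. It uses a toy modulus chosen for illustration, a standard-library implementation of HKDF (RFC 5869) for the derivation step, and an assumed context label for the key.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: p = 2**127 - 1 is prime (the Mersenne prime M127).
# Production systems use standardised groups of 2048 bits or more (RFC 3526 / RFC 7919)
# or ECDH; the flow below is identical.
P = 2 ** 127 - 1
G = 3

def dh_keypair():
    """Private exponent a in [1, p-2]; public value g^a mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared_secret(priv: int, peer_pub: int) -> int:
    """g^(ab) mod p. Reject degenerate public values (0, 1, p-1) that would force a
    predictable secret; real implementations perform this check as well."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF: extract a PRK with HMAC, then expand it into `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_key(shared: int, info: bytes) -> bytes:
    """Never use the raw DH output as a key: pass it through a KDF with a context label."""
    ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hkdf_sha256(ikm, salt=b"\x00" * 32, info=info)

def run_exchange():
    """Both parties reach the same session key having exchanged only public values."""
    a_priv, a_pub = dh_keypair()      # party A keeps a_priv, sends a_pub
    b_priv, b_pub = dh_keypair()      # party B keeps b_priv, sends b_pub
    key_a = derive_session_key(dh_shared_secret(a_priv, b_pub), b"client-to-server")
    key_b = derive_session_key(dh_shared_secret(b_priv, a_pub), b"client-to-server")
    return key_a, key_b
```

Different labels in `info` yield independent keys for each direction from the one shared secret, which is how protocols such as TLS separate their traffic keys.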
6. Secure Communications
- Email Security: S/MIME and PGP/GPG provide encryption and digital signing of emails.
- Web Security: HTTPS (HTTP over TLS) secures web traffic. Certificates issued by trusted CAs validate server identity.
- VPNs: IPsec (tunnel and transport modes) and SSL/TLS VPNs create encrypted tunnels for remote access and site-to-site connectivity.
7. Code Signing
- Software developers digitally sign executables, scripts, and updates so that end users and systems can verify that code has not been altered and originates from a trusted source.
8. Steganography (Supplementary Use Case)
- Hiding data within other media (images, audio, video). While not encryption per se, it is often combined with encryption to provide an additional layer of protection through obscurity.
How It Works – The Mechanics
Symmetric Encryption: A single shared key is used to both encrypt and decrypt data. Examples include AES-256 and 3DES. It is fast and efficient, making it ideal for bulk data encryption.
Asymmetric Encryption: A key pair (public and private) is used. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. RSA and ECC are common algorithms. Asymmetric encryption is computationally expensive, so it is typically used for key exchange, digital signatures, and encrypting small amounts of data.
Hybrid Approach: Most real-world systems (e.g., TLS) use asymmetric cryptography to securely exchange a symmetric session key, then use that symmetric key for the bulk of the communication. This combines the security of asymmetric cryptography with the speed of symmetric encryption.
Hashing: A one-way function that produces a fixed-size output. It is not reversible. Used for integrity checks, password storage, and digital signatures (the hash of a message is signed, not the entire message).
Mapping Use Cases to Security Goals
- Confidentiality → Symmetric encryption (AES), Asymmetric encryption (RSA, ECC)
- Integrity → Hashing (SHA-256), HMAC
- Authentication → Digital certificates, PKI, challenge-response
- Non-Repudiation → Digital signatures (private key signing)
- Key Management → Diffie-Hellman, ECDH, Key Escrow, Key Wrapping
Exam Tips: Answering Questions on Common Cryptographic Use Cases
Tip 1: Know Which Goal Each Mechanism Serves
The SSCP exam frequently presents scenarios asking you to choose the best cryptographic solution. Map each option to its primary security goal. For example, if the question asks about proving a sender's identity and ensuring they cannot deny sending a message, the answer involves digital signatures (non-repudiation), not just encryption.
Tip 2: Symmetric vs. Asymmetric – Know the Differences
If a question mentions speed, bulk data, or large volumes, think symmetric. If the question involves key distribution over an untrusted network, identity verification, or digital signatures, think asymmetric. If both are mentioned, consider the hybrid model.
Tip 3: Hashing Is Not Encryption
A common exam trap is confusing hashing with encryption. Hashing is a one-way function that cannot be reversed. It provides integrity, not confidentiality. If a question asks about protecting data from being read, hashing is the wrong answer.
Tip 4: Digital Signatures Use the Sender's Private Key
Remember: the sender signs with their private key, and the recipient verifies with the sender's public key. This is the opposite of encryption, where you encrypt with the recipient's public key and they decrypt with their private key. Exam questions often test whether you understand this distinction.
Tip 5: Understand PKI Components
Know the roles of Certificate Authorities (CAs), Registration Authorities (RAs), Certificate Revocation Lists (CRLs), and OCSP. Questions may ask you to identify the correct component responsible for issuing, revoking, or validating certificates.
Tip 6: Focus on Real-World Protocols
Expect scenario-based questions involving TLS, IPsec, S/MIME, PGP, SSH, and Kerberos. Understand what cryptographic operations each protocol performs and which algorithms they employ.
Tip 7: Key Management Is Critical
Many exam questions revolve around key lifecycle management—generation, distribution, storage, rotation, revocation, and destruction. Poor key management undermines even the strongest algorithm.
Tip 8: Watch for "Best" or "Most Appropriate" Language
The SSCP exam often asks for the best answer. Multiple options may seem partially correct. Choose the answer that most precisely addresses the specific security objective described in the scenario.
Tip 9: Remember Algorithm Deprecation
DES, MD5, SHA-1, and RC4 are considered deprecated or weak. If a question asks about a secure or recommended solution, choose modern algorithms such as AES-256, SHA-256/SHA-3, or RSA with adequate key length (2048-bit minimum).
Tip 10: Non-Repudiation Requires Asymmetric Cryptography
Symmetric encryption alone cannot provide non-repudiation because both parties share the same key. Only asymmetric mechanisms (digital signatures) can prove that a specific individual performed an action.