Cryptography is one of those topics that can feel abstract until you understand how it protects real systems — and then it clicks. For the ISC2 SSCP exam, cryptography makes up 9% of the content, which means you can expect roughly 9 scored questions drawn from this domain. That might sound small, but these questions test implementation-level knowledge: not just what AES or RSA are, but how and why you’d use them, and what breaks when you don’t. Let’s break this down so you walk into the exam — and your IT career — with a clear mental model of how cryptography works.
Why Cryptography Matters on the SSCP Exam
The SSCP is designed for practitioners, people who implement and manage security controls rather than just talk about them, and the Cryptography domain (Domain 5) reflects that. You are expected to understand symmetric and asymmetric algorithms such as AES and RSA, hash functions such as SHA-256 (and the deprecated MD5), how Public Key Infrastructure (PKI) ties it all together, and how TLS (the successor to SSL) secures communications in transit. You also need key management principles, because even the strongest algorithm is worthless if its keys are generated, stored, or distributed carelessly.
The exam has 125 multiple-choice questions (100 scored, 25 unscored pretest items), a 180-minute time limit, and a passing score of 700 out of 1000. Questions in the cryptography domain usually appear as scenarios: you are asked which control solves a specific security problem, not just to define a term.
Symmetric vs. Asymmetric Encryption: Know the Trade-offs
This distinction is foundational and the exam will test it from multiple angles.
Symmetric Encryption
Symmetric encryption uses a single shared key for both encryption and decryption. The most important algorithm to know is AES (Advanced Encryption Standard), which operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits. AES is fast, efficient, and used both for data at rest (encrypted disks, database fields, file storage) and, as the bulk cipher inside TLS, for data in transit. One practitioner caveat: AES is a block cipher and is always used in a mode of operation such as CBC or GCM, and many real-world AES failures come from the mode (ECB leaking patterns, a reused IV or nonce, unauthenticated CBC) rather than from the key size.
The core challenge with symmetric encryption is key distribution: how do two parties securely share that secret key without an attacker intercepting it? This is where asymmetric encryption steps in.
Asymmetric Encryption
Asymmetric encryption uses a mathematically linked key pair: a public key that anyone can see, and a private key that only the owner holds. RSA is the classic algorithm here. If you encrypt data with someone’s public key, only their private key can decrypt it — ensuring confidentiality. If you encrypt (or sign) data with your private key, anyone with your public key can verify it came from you — enabling authentication.
Asymmetric operations are computationally expensive, so in practice TLS uses them only during the handshake, to authenticate the server and establish a symmetric session key, and then protects the bulk of the traffic with AES (or ChaCha20). The exact mechanism has changed over time: older TLS versions could encrypt the session key directly with the server's RSA public key, whereas TLS 1.3 always derives it from an ephemeral Diffie-Hellman exchange and uses the server's RSA or ECDSA key only to sign the handshake, which gives forward secrecy. Understanding this hybrid approach is exactly the kind of implementation detail the SSCP exam probes.
Hashing: Integrity Without Encryption
Hashing is not encryption, and that distinction matters. A hash function takes input of any size and produces a fixed-length output (a hash or digest); it is a one-way transformation that cannot feasibly be reversed, designed to verify integrity rather than protect confidentiality. There is no key involved, so there is nothing to "decrypt" with.
The SSCP exam focuses on SHA-256 (part of the SHA-2 family, producing a 256-bit digest) as the current standard, and MD5 as a deprecated algorithm you should recognize as cryptographically broken: still seen in legacy systems, but no longer trusted for security purposes. (SHA-1 belongs in the same category; practical collisions have been demonstrated against it too.) When you see MD5 on the exam, think: insecure, collision-vulnerable, not appropriate for security controls.
Salting and Password Hashing
One critical application of hashing is password storage. Storing plaintext passwords is never acceptable. Instead, systems store a hash of each password and compare hashes at login. The problem? With a plain hash, the same password always produces the same hash, so an attacker who obtains the database can see at a glance which users share a password and can crack all of them at once with a precomputed lookup table (a rainbow table) built once for that hash function.
Salting solves this by combining a unique random value (the salt) with each password before hashing, so even identical passwords produce completely different hash outputs. The salt is stored in the clear alongside the hash; it does not need to be secret, only unique, and its presence forces an attacker to attack each password separately instead of reusing a precomputed table. Salting alone does not slow down guessing a single weak password, which is why dedicated password hashing functions such as bcrypt, scrypt, Argon2 (and PBKDF2) build both the salt and a tunable work factor into the algorithm, making brute-force attacks far more expensive.
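The scheme described above in working code, as an added example that is not part of the original page: PBKDF2-HMAC-SHA256 from Python's standard library with a random per-password salt and a work factor, next to the unsalted hashing that Question 1 below describes. bcrypt or Argon2 would be the better choice for a new system, but they are third-party packages; PBKDF2 is built in and shows the same two ideas. The usernames, passwords, and record format are constructed for the demo.

```python
"""Added example (not from the original page): salted, iterated password
hashing with PBKDF2-HMAC-SHA256 from the standard library, next to the
unsalted scheme it replaces. Users, passwords and the record format are
constructed for this demo."""
import hashlib
import hmac
import secrets

# Work factor. 600,000 is the OWASP Password Storage Cheat Sheet figure for
# PBKDF2-HMAC-SHA256 at the time of writing; raise it as hardware gets faster.
ITERATIONS = 600_000


def naive_hash(password: str) -> str:
    """The broken scheme: unsalted SHA-256. Identical passwords give identical entries."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is stored in the clear next to the hash. It does not need to be
    secret, only unique per password, so a table precomputed for one user is
    useless against every other user."""
    if salt is None:
        salt = secrets.token_bytes(16)  # 128-bit random salt from the OS CSPRNG
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # unknown scheme: refuse rather than guess
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """Records made with an older, lower work factor should be upgraded at next login."""
    return int(record.split("$")[1]) < minimum_iterations


def build_user_db(users: dict, iterations: int = ITERATIONS) -> dict:
    """Simulate a user table: {username: stored record}."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in users.items()}


if __name__ == "__main__":
    # Constructed users; two of them chose the same weak password.
    users = {"alice": "Password123", "bob": "Password123", "carol": "correct horse battery staple"}

    print("Unsalted (the problem):")
    for user, pw in users.items():
        print(f"  {user:6} {naive_hash(pw)}")  # alice and bob are identical

    db = build_user_db(users)
    print("Salted PBKDF2 (the fix):")
    for user, rec in db.items():
        print(f"  {user:6} {rec[:60]}...")  # alice and bob now differ

    assert verify_password("Password123", db["alice"])
    assert not verify_password("password123", db["alice"])
```

Storing the algorithm name and iteration count inside the record is what lets you raise the work factor later without a forced password reset: `needs_rehash` flags old records, and the application re-hashes the password with the new parameters the next time the user logs in successfully.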
Digital Signatures and PKI: Trust at Scale
Digital signatures combine hashing and asymmetric cryptography to deliver three critical security services at once: integrity (the message has not been altered), authentication (the message came from a verified sender), and non-repudiation (the sender cannot deny having sent it).
Here is the workflow as the exam models it: the sender runs the message through a hash function, then applies their private key to that hash; the result is the digital signature. The recipient applies the sender's public key to the signature to recover the hash, computes their own hash of the received message, and compares the two. A match confirms integrity and authenticity; any change to the message, or a signature made with a different key, produces a mismatch. Two caveats worth carrying into practice: first, "encrypting the hash with the private key" is a teaching model for RSA, and real signature schemes (RSA-PSS, ECDSA, Ed25519) are distinct operations with their own padding and parameters, so never hand-roll this with raw RSA; second, digital signatures do not provide confidentiality on their own, because the message content is not encrypted at all.
PKI and the Role of Certificate Authorities
Public Key Infrastructure (PKI) is the framework that makes digital signatures trustworthy at scale. The core component is the Certificate Authority (CA) — a trusted entity that verifies identities and issues digital certificates that bind a public key to a verified identity. Think of a CA-issued certificate as a cryptographically signed ID card.
When your browser connects to a website over HTTPS, it verifies that the server's certificate was signed by a trusted CA (directly, or through an intermediate CA whose own certificate chains back to a trusted root), that the name in the certificate matches the host you asked for, that it is within its validity period, and that it has not been revoked. If the certificate is expired, self-signed, issued by an untrusted CA, or presented for the wrong name, you get a warning, because the chain of trust is broken. The SSCP exam expects you to understand this certificate lifecycle: issuance, renewal, revocation (via CRL or OCSP), and the hierarchical structure of root CAs, intermediate CAs, and end-entity certificates.
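Both the signature workflow from the previous section and the chain-of-trust check described here, in one added example that is not part of the original page. It is textbook RSA over a SHA-256 digest with no padding, written in pure Python so every step (hash, apply private key, apply public key, compare) is visible, and then reused to sign toy certificates for a root CA, an intermediate CA, and a server. Everything here is constructed for the demo: the party names, the dict-based "certificates" (real ones are X.509), the trust store, and above all the keys, which are built from well-known Mersenne primes so the example runs offline with no prime generation and would be worthless as real keys. Real systems use RSA-PSS, ECDSA, or Ed25519 from a vetted library with randomly generated primes.

```python
"""Added example (not from the original page): the hash -> sign -> verify
workflow and a minimal chain of trust, in pure Python. This is textbook RSA
over a SHA-256 digest with NO padding, written out so each step is visible.
Illustration only: real systems use RSA-PSS, ECDSA or Ed25519 from a vetted
library with randomly generated primes, and real certificates are X.509.
"""
import hashlib
import json

E = 65537  # the usual public exponent

# Constructed demo keys built from well-known Mersenne primes (2**k - 1) so the
# example runs offline with no prime generation. Anyone can recompute these, so
# they are worthless as real keys; they only need to be distinct per party and
# large enough to hold a 256-bit digest.
DEMO_PRIMES = {"root": (2203, 2281), "intermediate": (1279, 3217), "server": (521, 607)}


def keygen(party):
    """Return ((n, e), (n, d)) for one of the demo parties."""
    p, q = ((1 << k) - 1 for k in DEMO_PRIMES[party])
    phi = (p - 1) * (q - 1)
    assert phi % E, "e must be coprime to phi(n)"  # holds for these primes
    return (p * q, E), (p * q, pow(E, -1, phi))


def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Sender: hash the message, then apply the private key to the hash."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message, signature, public_key):
    """Recipient: apply the public key to the signature, rehash the message, compare.
    A tampered message or a signature made with another key fails here."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def to_be_signed(subject, public_key, issuer):
    """Canonical bytes a CA signs for a toy certificate (X.509 uses DER for this)."""
    fields = {"subject": subject, "public_key": list(public_key), "issuer": issuer}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject, subject_public_key, issuer, issuer_private_key):
    """A CA binds (subject, public key) by signing that binding with its own private key."""
    return {"subject": subject, "public_key": list(subject_public_key), "issuer": issuer,
            "signature": sign(to_be_signed(subject, subject_public_key, issuer), issuer_private_key)}


def verify_chain(chain, trust_store):
    """chain = [leaf, intermediate, ...]. Each certificate must be signed by the key in
    the next one, and the last one by a root public key present in trust_store."""
    if not chain:
        return False
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False  # issuer name does not match the next certificate
            issuer_key = chain[i + 1]["public_key"]
        else:
            issuer_key = trust_store.get(cert["issuer"])
            if issuer_key is None:
                return False  # root not trusted, or the leaf is self-signed: browser warning
        tbs = to_be_signed(cert["subject"], cert["public_key"], cert["issuer"])
        if not verify(tbs, cert["signature"], tuple(issuer_key)):
            return False  # forged or tampered certificate
    return True


def demo():
    """Root -> intermediate -> server chain, plus the checks a verifier must make."""
    root_pub, root_priv = keygen("root")
    ica_pub, ica_priv = keygen("intermediate")
    srv_pub, srv_priv = keygen("server")
    ica_cert = issue_certificate("Demo Intermediate CA", ica_pub, "Demo Root CA", root_priv)
    srv_cert = issue_certificate("www.example.test", srv_pub, "Demo Intermediate CA", ica_priv)
    self_signed = issue_certificate("www.example.test", srv_pub, "www.example.test", srv_priv)
    trust_store = {"Demo Root CA": list(root_pub)}  # what a browser ships as trusted roots
    msg = b"contract v1: deliver 100 units"
    sig = sign(msg, srv_priv)  # note the message itself stays in the clear
    return {
        "valid_chain": verify_chain([srv_cert, ica_cert], trust_store),
        "self_signed_rejected": not verify_chain([self_signed], trust_store),
        "signature_ok": verify(msg, sig, srv_pub),
        "tamper_detected": not verify(msg.replace(b"100", b"900"), sig, srv_pub),
        "wrong_key_detected": not verify(msg, sig, ica_pub),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22} {'PASS' if ok else 'FAIL'}")
```

Note what `verify_chain` does not check: validity dates, revocation status (CRL or OCSP), and whether the name in the leaf matches the host the client connected to. A real TLS client checks all of those, and the exam questions on certificate lifecycle are about exactly those extra checks.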
Test Your Knowledge
Let’s check your understanding with two reworded practice questions modeled after what you’ll see on the SSCP exam.
Question 1: You are reviewing your organization’s authentication system and discover that all users who chose the password “Password123” have identical entries in the password database. Which security control would have prevented this?
- A) Encrypting the password database with AES-256
- B) Requiring passwords to be at least 12 characters
- C) Adding a unique random value to each password before hashing
- D) Using MD5 instead of SHA-256 for hashing
Answer: C. Adding a unique random salt to each password before hashing ensures that even identical passwords produce different hash outputs. This defeats precomputed lookup tables and rainbow table attacks. Option A protects the file at rest, but the application must decrypt it to check logins, and the duplicate entries are still there once it does. Option B improves password strength but does nothing about identical hashes. Option D would actually make things worse: MD5 is a broken algorithm and should never be used for password hashing.
Question 2: A legal team needs to prove that a specific employee sent a contract electronically and cannot claim otherwise. Which cryptographic mechanism directly supports this requirement?
- A) Symmetric encryption of the document
- B) A digital signature applied with the employee’s private key
- C) Storing the document hash in a database
- D) Encrypting the document with the recipient’s public key
Answer: B. Digital signatures provide non-repudiation — because only the employee holds their private key, a valid signature proves they sent the document and they cannot credibly deny it. Option D provides confidentiality but not non-repudiation. Option C provides integrity but not authentication or non-repudiation.
Want more practice? Certcy has 110+ questions like these — download free and start studying today.
Key Study Tips for the SSCP Cryptography Domain
- Know the purpose, not just the name. For every algorithm, ask: does it provide confidentiality, integrity, authentication, or non-repudiation? The exam will give you a scenario and ask which tool fits.
- Memorize the algorithm pairings. AES = symmetric encryption. RSA = asymmetric encryption. SHA-256 = modern hashing. MD5 = broken, avoid. TLS = combines all of the above.
- Understand the digital signature workflow step by step. Draw it out: hash the message → encrypt the hash with private key → recipient decrypts with public key → compare hashes. Know which key does what.
- Don’t confuse encryption with hashing. Encryption is reversible with the right key. Hashing is one-way. This is a favorite exam trick.
- Study PKI as a system. Know what CAs do, what certificates contain, how revocation works (CRL vs. OCSP), and why the chain of trust matters.
Frequently Asked Questions
How many cryptography questions will I see on the SSCP exam?
The Cryptography domain accounts for 9% of the SSCP exam. With 100 scored questions, you can expect approximately 9 questions from this domain. However, cryptographic concepts also appear in other domains — for example, TLS and VPNs show up in Network Security, and encryption of data at rest appears in Systems Security. A strong understanding of cryptography pays dividends across the entire exam.
What’s the difference between a digital signature and a digital certificate?
A digital signature is a cryptographic mechanism applied to a specific piece of data to prove its origin and integrity; in the exam's model it is created by encrypting a hash with a private key. A digital certificate is a document (standardized as X.509) issued by a Certificate Authority that binds a public key to a verified identity, together with metadata such as the subject name, validity period, and issuer. Every certificate carries a digital signature from the CA that issued it (a root CA signs its own), which is how you verify that the certificate itself is legitimate.
Is MD5 still relevant for the SSCP exam?
Yes, but not as a recommended algorithm. MD5 is tested because it’s widely seen in legacy environments and you need to recognize its weaknesses — specifically, it’s vulnerable to collision attacks, meaning two different inputs can produce the same hash. On the exam, if a question asks which hashing algorithm is most secure or appropriate for a new system, the answer will not be MD5. SHA-256 or SHA-3 are the correct modern choices.
Do I need hands-on cryptography experience before taking the SSCP?
The SSCP requires at least one year of cumulative paid work experience in one or more of its seven domains (though a relevant degree can waive this requirement). For the cryptography domain specifically, you don’t need to be a cryptographer — but you should understand how these algorithms are applied in real environments: configuring TLS on a web server, managing certificates in a PKI, or selecting the right hashing algorithm for a password storage policy. Conceptual knowledge alone won’t be enough for scenario-based questions.
Ready to put this knowledge to the test? Practice SSCP cryptography questions with Certcy — our AI-personalized study plans identify your weak spots and serve up the right questions at the right time. With gamified learning, spaced-repetition flashcards, and expert-written questions across all 7 SSCP domains, Certcy is the study partner that keeps you on track from day one to exam day. Download Certcy free and start building the confidence you need to hit that 700 passing score.
Ready to Pass Your Certification?
Practice with 310+ expert-written questions across CompTIA A+, ISC2 CC, and SSCP.
Free to start — no credit card required.