Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.5. Cryptographic Solutions

💡 First Principle: Cryptography provides mathematical guarantees — not just practical obscurity. When implemented correctly with appropriate key management, cryptographic protection of data at rest and in transit gives you provable confidentiality (an eavesdropper cannot read the ciphertext), integrity (tampering changes the output detectably), authentication (the key proves identity), and nonrepudiation (the private key proves the signer). Every cryptographic failure in production is either an implementation error, a key management failure, or use of a deprecated algorithm.

Cryptography is the most technically detail-heavy section of the CISSP. The exam tests algorithm selection, key length requirements, operational use cases, and critical failure modes. The depth required is not cryptographer-level — you will not derive algorithms — but you must know which algorithms are appropriate for which purposes and what the consequences of wrong choices are.

Why this matters: Cryptography questions are scenario-driven: "A company needs to ensure that financial transaction records cannot be tampered with, and that specific accountants can be held responsible for the transactions they approved. Which cryptographic mechanism achieves both?" (Answer: digital signatures — provides integrity AND nonrepudiation.)

⚠️ Common Misconception: "Digital signatures encrypt the full message for confidentiality." They do not. A digital signature is created by hashing the message and encrypting the hash with the sender's private key. The message itself is not encrypted — it remains readable. To achieve confidentiality AND authentication, you need both a digital signature AND message encryption.
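
As an added illustration, not part of the MindMesh course material: a pure-Python sketch of the mechanism above, showing that a signature leaves the message readable, that tampering is detected, and that confidentiality needs a separate encryption step. The RSA key pair built from two Mersenne primes and the SHA-256 counter keystream are constructed stand-ins chosen so the arithmetic is visible without any third-party library; they are not production primitives.

```python
import hashlib

# Constructed toy RSA key pair from two Mersenne primes. The modulus is only
# about 150 bits, far too small for real use; it exists to make the
# sign / verify arithmetic visible without any third-party library.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                            # public exponent (public key = E, N)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (private key = D, N)

def message_digest(message: bytes) -> int:
    """SHA-256 of the message, truncated to 128 bits so it fits under N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def sign(message: bytes) -> int:
    """Hash the message, then apply the private key to the hash only."""
    return pow(message_digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Apply the public key to the signature; it must equal a fresh hash."""
    return pow(signature, E, N) == message_digest(message)

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a symmetric cipher (SHA-256 counter keystream).
    Illustrative only; use AES-GCM or ChaCha20-Poly1305 in practice."""
    out = bytearray()
    for start in range(0, len(data), 32):
        ks = hashlib.sha256(key + start.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

def signed_envelope(message: bytes) -> dict:
    """A signature alone: integrity and nonrepudiation, message still plaintext."""
    return {"message": message, "signature": sign(message)}

def signed_and_encrypted(message: bytes, session_key: bytes) -> dict:
    """Signature for integrity/nonrepudiation plus encryption for confidentiality."""
    return {"ciphertext": keystream_xor(message, session_key),
            "signature": sign(message)}

def open_signed_and_encrypted(env: dict, session_key: bytes) -> bytes:
    """Decrypt, then verify; reject anything that fails the signature check."""
    plaintext = keystream_xor(env["ciphertext"], session_key)
    if not verify(plaintext, env["signature"]):
        raise ValueError("signature check failed: tampered or wrong signer")
    return plaintext
```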

Written by Alvin Varughese, Founder, 15 professional certifications