CISM Domain 3 - Cryptography MindMap

Download FREE Audio Files and Printable PDFs of our MindMaps

Your information will remain 100% private. Unsubscribe with 1 click.

Transcript

Introduction

Hey, I’m Nick from Destination Certification, and I’m here to help YOU pass the CISM exam.

In this video, we’re going to break down a full MindMap of some of the most important concepts in Cryptography from Domain 3— not just to help you memorize terms, but to really understand how they interconnect and why they matter.

This is the seventh of thirteen videos for domain 3. I have included links to the other MindMap videos in the description below. These MindMaps are one part of our complete CISM MasterClass.

Cryptography

Where can we start? Maybe from defining the term itself.

Cryptography forms the backbone of modern information security, transforming readable data into protected formats through mathematical algorithms. We use cryptographic techniques daily when shopping online, accessing bank accounts, or sending secure messages.

Cryptography services

Image of Cryptography Services - Destination Certification

Cryptographic services provide five fundamental security guarantees that protect our digital communications and stored data. Each service addresses specific security concerns, working together to create comprehensive protection for sensitive information. They mostly follow the same principles we already discussed all the way back in Domain 1, but let’s emphasize confidentiality and access control here.

Confidentiality

Confidentiality ensures that only authorized parties can read and understand protected information. Through encryption, we transform plaintext into ciphertext that appears random to anyone without the proper decryption key. This protection remains crucial whether data sits in storage, travels across networks, or processes in memory.

Access Control

Next, access control leverages cryptography to enforce authorization policies, ensuring resources remain available only to permitted users. Encryption keys act as digital locks, with key distribution determining who gains access to protected resources.

Algorithm Categories

After we understand these basic principles, it’s really important to understand algorithm categories.

Cryptographic algorithms fall into three main categories, each serving distinct security purposes with unique mathematical properties. Understanding when to apply symmetric, asymmetric, or hashing algorithms determines the effectiveness of your security implementation.

Symmetric

Image of Symmetric-Cryptography - Destination Certification

Starting with symmetric encryption - it uses the same secret key for both encryption and decryption operations, like a traditional lock where the same key opens and closes it. Organizations rely on symmetric encryption for bulk data protection because its mathematical simplicity enables hardware acceleration. The main challenge lies in securely sharing the secret key between parties before communication begins.

Advantages

Now you may be wondering why organizations use it? For one thing, symmetric encryption is very fast. 

Fast

It operates thousands of times faster than asymmetric methods, enabling real-time encryption of streaming data.

Strong

Additionally, modern symmetric algorithms like AES-256 provide computational security that resists all known cryptanalytic attacks.

Challenges

But, obviously, nothing is perfect and it has some challenges, starting with scalability. 

Scalability

Managing unique keys for every pair of communicating parties becomes exponentially complex as user numbers grow.

No authenticity, integrity or non-repudiation

Similarly, since both parties share the same key, symmetric encryption alone cannot prove which party created a message or detect tampering. Additional mechanisms like HMACs must supplement symmetric encryption to provide these security services.
Now that we’ve wrapped up symmetric, let’s add a bit of flavor by considering asymmetric cryptography. 

Asymmetric

Asymmetric cryptography revolutionized secure communications by using mathematically related key pairs where the public key encrypts and the private key decrypts. What are some of its advantages? 

Advantages

Well, symmetric algorithms offer significant performance and security benefits for bulk data encryption.

Solves key exchange dilemma

Another advantage is that public keys can be freely distributed without compromising security, allowing secure communication between parties who have never met. This fundamental capability enables e-commerce, secure email, and encrypted messaging applications.

Supports digital signatures

Private keys create unforgeable digital signatures that prove message origin and integrity. Reversing the encryption process, signing with the private key allows anyone with the public key to verify authenticity.

Challenges

Like any other method, asymmetric cryptography also has challenges, Starting with, the mathematical complexity that provides security also creates significant performance limitations.

Slowness

Asymmetric operations run thousands of times slower than symmetric encryption, making them impractical for large data volumes.

Resource intensive

It is also very resource-intensive. The complex mathematical operations demand significant CPU cycles and memory, impacting system performance and battery life.

Hashing

Moving on, cryptographic hash functions transform input data of any size into fixed-length outputs called digests or hashes.

One-way function

To put it plainly, hash functions work like digital meat grinders - easy to process forward but impossible to reverse. You cannot reconstruct the original data from its hash value, making hashes ideal for password storage where verification is needed without storing actual passwords.

Collision resistant

Another important trait is collision restraint. Finding two different inputs that produce the same hash output remains computationally infeasible with secure algorithms.

Fixed output

Finally, hash functions always produce the same size output regardless of input length, like SHA-256's consistent 256-bit digest.

Digital Signature

Image of Digital-Signature - Destination Certification

Now that we’ve wrapped up algorithm categories, let’s move on to digital signatures. Now, how do these work exactly?

Digital signatures combine hashing with asymmetric cryptography to create tamper-evident seals on electronic documents. The signer's private key encrypts a hash of the message, producing a signature that anyone can verify using the corresponding public key. The key for digital signature is to be able to guarantee integrity, authenticity and non-repuditation. You already know a lot about these and, if you don’t or need a reminder, I recommend you take a look at the first MindMap of Domain 1.

Digital Certificates

Similarly, digital certificates bind public keys to identities through trusted third-party verification, functioning like cryptographic passports. X.509 certificates contain the subject's public key, identity information, and the certificate authority's digital signature validating this binding. How exactly do these work?

Key Management

Effective key management encompasses the complete lifecycle of cryptographic keys from creation to destruction. Poor key management undermines even the strongest encryption algorithms, making proper procedures essential for maintaining security.

Generation

To understand how these keys work, let’s first think about generation.

Cryptographic key generation requires high-quality randomness to prevent predictability that attackers could exploit. Hardware random number generators use physical phenomena like electronic noise or radioactive decay to produce truly random bits. Software generators must gather entropy from multiple unpredictable sources including mouse movements, keyboard timings, and system interrupts.

Storage

Image of Key Storage - Destination Certification

Storage is another important issue.

Secure key storage protects cryptographic keys from unauthorized access while maintaining availability for legitimate use. Keys stored in plaintext files or source code create critical vulnerabilities that attackers routinely exploit. Hardware security modules and trusted platform modules provide tamper-resistant storage with cryptographic processors that never expose keys in plaintext. Software-based key stores use key encryption keys and access controls to protect stored keys at rest.

TPM

One form of storage is TPM, or Trusted Platform Modules.

Trusted Platform Modules are specialized chips that generate and store cryptographic keys in tamper-resistant hardware.

HSM

Secondly, Hardware Security Modules provide dedicated cryptographic processing and key storage with physical tamper detection and response capabilities.Now that we understand how keys are stored, how can we distribute them? 

Distribution

Key distribution remains one of cryptography's fundamental challenges, requiring secure channels to share secret keys without interception. Most broadly, there are two main distribution types, starting with out-of-band. 

Out-of-band

Out-of-band distribution uses separate communication channels from the encrypted data path, like exchanging keys via courier while data travels over networks. This physical separation prevents attackers monitoring one channel from obtaining both keys and encrypted data.

In-band

Next up, In-band distribution sends keys through the same channel as encrypted data, typically protected by key encryption keys. Now that you understand how keys are distributed, another curious feature is re-keying.

Re-keying

Regular key rotation limits the damage from potential key compromise and reduces the amount of data encrypted under any single key. Think of cryptographic wear like overusing a password — the more it’s used, the easier it is to crack. That’s why standards require you to swap keys regularly, keeping the math fresh and the attackers frustrated.

Disposition

Image of Disposition - Destination Certification

Key disposition ensures cryptographic keys are properly destroyed when no longer needed, preventing future unauthorized decryption of archived data. Simply deleting key files leaves recoverable traces on storage media that forensic tools can reconstruct. Secure disposition requires overwriting key material multiple times or using cryptographic erasure where encryption keys protect other keys. Regulatory compliance often requires documented proof of key destruction with specific retention periods before disposal.

Crypto-shredding

Crypto-shredding destroys data by eliminating the decryption keys, rendering encrypted data permanently inaccessible.

Key destruction

Secure key destruction overwrites memory and storage locations multiple times to prevent key recovery through forensic analysis.

And with that, we’ve cleared up key disposition. 

Recovery

Sounds like we can wrap up this video - I think? The keys has been disposed off already. Oh no, actually, there’s one last thing we have to discuss and that is key recovery.

Key recovery mechanisms balance security with business continuity, ensuring critical data remains accessible despite key loss or personnel changes. Overall, the key issue organizations face is navigating the delicate balance between preventing permanent data loss and creating backdoors that attackers might exploit.

Image of next mindmap - Destination Certification

And that is an overview of Cryptography within Domain 3, covering the most critical concepts you need to know for the exam.

Something really cool we are providing with these MindMap videos is a completely FREE downloadable version of all the MindMaps in PDF format. We even include a blank version of each MindMap in case you want to print them out and take notes as you listen along. Link to download the MindMaps is in the description below.

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.
I will provide links to the other MindMap videos in the description below.

Thanks very much for watching! And all the best in your studies

Master CISM from the ground up


Learn more about our CISM MasterClass