Symmetric vs. Asymmetric Encryption: A Security+ SY0-701 Primer

Cryptography is the engine underneath nearly every security control — HTTPS, VPNs, digital signatures, password storage, and disk encryption all depend on it. For the CompTIA Security+ SY0-701 exam, the single most important cryptographic distinction to master is between symmetric and asymmetric encryption, because it underlies questions across multiple domains: cryptography and PKI, network security, identity, and incident response.

TL;DR: Symmetric encryption uses the same key to encrypt and decrypt (fast, used for bulk data). Asymmetric encryption uses a key pair — a public key to encrypt, a private key to decrypt (slower, used for key exchange and digital signatures). Most real systems (HTTPS, TLS) combine both.

What is symmetric encryption?

Symmetric encryption uses a single shared key for both encryption and decryption. Anyone who possesses the key can encrypt or decrypt the data. This makes symmetric encryption extremely fast and efficient for encrypting large volumes of data — which is why it's the default for disk encryption, file encryption, and the bulk-data phase of TLS sessions.

The dominant symmetric algorithm on the Security+ exam is AES (Advanced Encryption Standard). Key facts about AES:

• Symmetric (same key for encrypt and decrypt)
• Block cipher (operates on fixed-size blocks of data)
• Key sizes: 128, 192, or 256 bits — larger keys are more secure
• NIST-approved and used in most modern encryption standards, including WPA2/WPA3 Wi-Fi security

Other symmetric algorithms you may encounter: DES (outdated, 56-bit key, no longer considered secure), 3DES (Triple DES, a stopgap improvement on DES, also being retired), and Blowfish/ChaCha20 (less common on the exam).

Exam tip: The Security+ exam frequently asks to identify symmetric vs. asymmetric algorithms. AES = symmetric. RSA, ECC, and Diffie-Hellman = asymmetric. This is one of the most commonly tested distinctions in the cryptography domain.

What is asymmetric encryption?

Asymmetric encryption uses a mathematically linked key pair: a public key and a private key. Data encrypted with the public key can only be decrypted by the corresponding private key, and vice versa. The public key is freely shared; the private key is kept secret by its owner.

This property enables two fundamental security operations:

• Encryption: The sender encrypts with the recipient's public key. Only the recipient (who holds the private key) can decrypt.
• Digital signatures: The signer encrypts a hash of the message with their private key. Anyone can verify the signature using the signer's public key, confirming both authorship and integrity.

Asymmetric algorithms are significantly slower than symmetric ones for bulk data. For this reason, they're used for key exchange and authentication — not for encrypting large files.

Common asymmetric algorithms for the SY0-701 exam:

• RSA — most widely known; used for key exchange and digital signatures; key sizes typically 2048 or 4096 bits
• ECC (Elliptic Curve Cryptography) — provides equivalent security to RSA with much smaller key sizes; more efficient, used heavily in mobile and IoT; underlies ECDSA (for signatures) and ECDH (for key exchange)
• Diffie-Hellman (DH) / ECDHE — a key exchange protocol (not encryption), used to establish a shared secret over an insecure channel; ECDHE adds ephemeral keys for perfect forward secrecy

How do symmetric and asymmetric encryption work together in TLS?

This is one of the most important real-world scenarios for the exam.

When your browser connects to an HTTPS website, TLS performs a hybrid operation:

1. Asymmetric phase (key exchange): The server presents its certificate (containing its public key). The browser uses asymmetric cryptography (e.g., ECDHE for key exchange, RSA/ECDSA for authentication) to establish a shared session key without transmitting it over the network.

1. Symmetric phase (bulk data): Once the session key is established, all subsequent data (the actual HTTP traffic) is encrypted with AES using that shared session key. AES is fast enough for real-time data.

The result: asymmetric cryptography solves the key distribution problem; symmetric cryptography provides the speed needed for actual data transfer. Neither alone is the complete solution.

What is perfect forward secrecy (PFS)?

Perfect forward secrecy means that if a server's long-term private key is later compromised, past session recordings cannot be decrypted retroactively. It is achieved by using ephemeral key pairs (new ones for each session) during key exchange — which is what the "E" in ECDHE means. The Security+ exam tests PFS as a feature of TLS 1.3 and as a reason to prefer ECDHE over static RSA key exchange.

Digital signatures and certificate authorities

Asymmetric cryptography is the foundation of digital signatures and the Public Key Infrastructure (PKI) that makes HTTPS trustworthy:

1. A certificate authority (CA) digitally signs a server's certificate using the CA's private key.
2. Your browser trusts the CA's public key (pre-installed in the OS/browser trust store).
3. The browser verifies the server's certificate using the CA's public key, confirming the server's identity.

This chain of trust — from the root CA down to the server certificate — is PKI. Understanding it is essential for the Identity and Access Management and Cryptography domains on SY0-701.

Frequently asked

Which encryption algorithm is symmetric?

AES is symmetric. It uses the same key for both encryption and decryption. This is the most tested symmetric algorithm on Security+.

What is the difference between RSA and ECC?

Both are asymmetric. RSA relies on the difficulty of factoring large prime numbers and uses larger key sizes (2048+ bits). ECC relies on elliptic curve discrete logarithm problems and achieves equivalent security with much smaller keys (256-bit ECC ≈ 3072-bit RSA), making it more efficient for constrained environments like mobile devices.

Which protocol uses TLS to encrypt web traffic?

HTTPS uses TLS (Transport Layer Security) to encrypt web traffic, protecting data in transit from eavesdropping and tampering. TLS is also used by SMTPS (email) and other application protocols.