Asymmetric encryption — SY0-701
CompTIA Security+ SY0-701 reference: asymmetric encryption key pairs, which key does what, and the exam traps to avoid.
WHAT IT IS
Asymmetric cryptography uses two separate keys to exchange data: one key encrypts or digitally signs the data, and a different key decrypts the data or verifies the digital signature. The two keys form a key pair — a public key and its corresponding private key. The public key may be made public; the private key must be kept secret by its owner.
Sources: NIST SP 800-77 Rev. 1 (via CSRC Glossary, "asymmetric cryptography"); NIST SP 800-57 Part 1 Rev. 5 (via CSRC Glossary, "key pair", "public key", "private key")
Mental model
Think of a public key as a padlock anyone can snap shut, and the private key as the unique key only the owner holds. To send a secret message, you snap the recipient's public padlock onto it — only their private key opens it. To prove you wrote something, you use your own private key to stamp it — anyone with your public key can verify the stamp is genuine, but no one else can forge it.
This one frame explains both uses of the key pair: confidentiality (encrypt with public, decrypt with private) and authentication/non-repudiation (sign with private, verify with public).
When to use it
The exam regularly asks candidates to choose between asymmetric and symmetric approaches, or to identify which key performs which function. The table below captures the core decision:
| Goal | Key used to act | Key used to verify or reverse |
|---|---|---|
| Confidentiality — only the recipient can read the message | Sender encrypts with recipient's public key | Recipient decrypts with recipient's private key |
| Authentication / non-repudiation — prove who signed it | Signer signs with signer's private key | Anyone verifies with signer's public key |
Source: NIST SP 800-57 Part 1 Rev. 5 (via CSRC Glossary, "public key" — functions listed include verify signature, encrypt data, and compute shared secret; "private key" — functions listed include compute digital signature and decrypt data)
A digital signature, when properly implemented, provides origin authenticity, data integrity, and non-repudiation; it does not provide confidentiality.
Source: FIPS 186-5 (via CSRC Glossary, "digital signature")
Non-repudiation means protection against an individual falsely denying having performed a particular action.
Source: CNSSI 4009-2015 (via CSRC Glossary, "non-repudiation")
Asymmetric vs. symmetric at a glance
| Attribute | Asymmetric | Symmetric |
|---|---|---|
| Number of keys | Two (public + private) | One (shared secret key) |
| Key that must stay secret | Private key only | The single shared key |
| Key distribution challenge | Public key can be shared openly | Shared key must reach all parties securely |
| Typical use cases | Key exchange, digital signatures, authentication | Bulk data encryption |
Source: NIST SP 800-77 Rev. 1 (via CSRC Glossary, "asymmetric cryptography"); NIST SP 800-57 Part 1 Rev. 5 (via CSRC Glossary, "symmetric key" — "a single cryptographic key … not made public")
Key-pair operation flow
The key-pair operation flow diagram labels each arrow with a function that NIST SP 800-57 Part 1 Rev. 5 lists for the public key (verify signature; encrypt data) or for the private key (compute digital signature; decrypt data).
COMMON MISCONCEPTION
"The private key encrypts data for confidentiality."
It does not — and confusing the direction is the primary trap. For confidentiality, the sender uses the recipient's public key to encrypt; only the recipient's private key can decrypt. Private keys are used to sign (not to encrypt for confidentiality), and public keys verify those signatures.
A related misconception is that "public key" means "less secure." Security rests on the computational infeasibility of deriving the private key from the public key, not on keeping the public key hidden.
Source: NIST SP 800-56B Rev. 2 (via CSRC Glossary, "public key cryptography" — "deriving the private key from the public key is computationally infeasible"); NIST SP 800-57 Part 1 Rev. 5 (via CSRC Glossary, "private key" functions list)
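The following added example (written for this reference, not code from CompTIA, NIST or any library) puts both the "When to use it" table and the misconception above into running code. It is textbook RSA with no padding, built on two assumed fixed primes so it runs offline; a real system uses a vetted library with proper padding. It shows the four operations in the table (encrypt with the recipient's public key, decrypt with the recipient's private key; sign with the signer's private key, verify with the signer's public key) and then demonstrates the trap: "encrypting" with the private key gives no confidentiality, because anyone holding the public key undoes it. The primes, the message strings and the function names are constructed for the example.

```python
"""Toy textbook RSA showing which key does what (study example only).

Constructed for illustration: no padding, fixed primes, and SHA-256 digests
reduced mod n. Not a substitute for a real cryptographic library.
"""
import hashlib
from math import gcd

# Two Mersenne primes, 2^61-1 and 2^89-1, chosen so that the modulus is
# about 150 bits and a short message fits in one RSA block. Constructed values.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537  # common public exponent


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _to_int(data: bytes, n: int) -> int:
    """Encode a short byte string as one integer block smaller than n."""
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too long for a single RSA block")
    return m


def _to_bytes(m: int) -> bytes:
    """Inverse of _to_int (leading zero bytes are not preserved)."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Confidentiality: the sender encrypts with the RECIPIENT's public key ...
def encrypt(public_key, plaintext: bytes) -> int:
    n, e = public_key
    return pow(_to_int(plaintext, n), e, n)


# ... and only the recipient's private key reverses it.
def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    return _to_bytes(pow(ciphertext, d, n))


# Authentication / non-repudiation: the signer hashes the message and
# applies the SIGNER's private key to the digest ...
def sign(private_key, message: bytes) -> int:
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


# ... and anyone holding the signer's public key can check the signature.
def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


# The misconception: applying the private key to a message for "confidentiality"
# hides nothing, because the public key is public and undoes the operation.
def private_key_encrypt_leaks(private_key, public_key, plaintext: bytes) -> bool:
    """Return True if a holder of only the public key recovers the plaintext."""
    n, d = private_key
    c = pow(_to_int(plaintext, n), d, n)           # wrong direction
    recovered = _to_bytes(pow(c, public_key[1], n))  # anyone with (n, e) can do this
    return recovered == plaintext


if __name__ == "__main__":
    pub, priv = generate_keypair()
    ct = encrypt(pub, b"meet at noon")
    print("decrypted:", decrypt(priv, ct))
    sig = sign(priv, b"approved: transfer 100")
    print("genuine verifies:", verify(pub, b"approved: transfer 100", sig))
    print("altered verifies:", verify(pub, b"approved: transfer 999", sig))
    print("private-key 'encryption' leaks:", private_key_encrypt_leaks(priv, pub, b"not secret"))
```

Run it and map each printed line back to the table: the ciphertext only opens with the private key, the signature only checks out against the exact message that was signed, and the last line is the exam trap made concrete.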
How it shows up on the exam
The cognitive target for this concept is application — candidates are expected to map a described scenario (e.g., "only the intended recipient can read this message" or "prove the message was not altered and cannot be denied") to the correct key and operation.
Signal phrases to recognize:
- "Ensure only the recipient can read" → encrypt with recipient's public key
- "Prove the message came from a specific sender" → sign with sender's private key, verify with sender's public key
- "Non-repudiation" → digital signature; private key used to sign
- "Computationally infeasible to derive" → the security property that makes the public key safe to distribute
Candidates often confuse which key is used for signing versus encryption, or assume both operations use the same key. Working through the padlock analogy before answering helps anchor the direction.
Related concepts
- Public Key Infrastructure — the ecosystem of policies, procedures, and technologies that manages key pairs and digital certificates at scale
- Symmetric Encryption — the single-key alternative; understanding the contrast sharpens when to choose asymmetric
- Encryption Levels — where asymmetric encryption sits relative to transport, application, and file-level encryption decisions
Sources
Every claim on this page traces to the public exam blueprint and official documentation: