May 18, 2026
Security+ Crypto, PKI, Auth, and Access Control: The Study Playbook That Actually Sticks
Security+ can feel like a wall of acronyms until you learn the patterns: what problem each control solves, where it fits, and what failure looks like. Cryptography, PKI, authentication methods, and access control show up everywhere on SY0-701 because they are the foundation of modern security.
This post gives you a repeatable way to study these concepts so you can answer scenario questions quickly, not just recite definitions.
Security+ exam snapshot (SY0-701)
You do not need to memorize the exam brochure, but you do need to train for the constraints.
| Item | What to expect |
|---|---|
| Exam | CompTIA Security+ SY0-701 |
| Question count | Up to 90 (multiple-choice + performance-based) |
| Time limit | 90 minutes |
| Passing score | 750 (on a scale of 100-900) |
| Voucher price | $425 USD |
Why this matters for studying: your prep should prioritize (1) fast recognition of the best control in a scenario and (2) accuracy under time pressure.
The “4-layer” mental model (use this on every question)
When you see a scenario, force yourself to label it using this stack:
Identity - Who are you? (authentication)
Authorization - What are you allowed to do? (access control)
Protection - How is data protected in transit/at rest? (crypto)
Trust - How do we know keys and identities are real? (PKI)
Most Security+ questions in these topics are really asking: which layer is broken, and what control fixes it with the least disruption?
Cryptography: memorize less, recognize more
Crypto questions are rarely about doing math. They are about selecting the right tool.
The crypto decision tree you should drill
When a question mentions encryption, ask:
Is the goal confidentiality, integrity, non-repudiation, or key exchange?
Is it data in transit or at rest?
Is it one-to-one communication or broadcast/at-scale?
Use this cheat sheet (and turn it into flashcards):
| Goal | Best-fit concept | Security+ phrasing to watch for |
|---|---|---|
| Confidentiality | Symmetric encryption (AES) | “encrypt large files”, “disk/database encryption”, “fast” |
| Secure key exchange + sessions | Asymmetric key exchange (Diffie-Hellman/ECDHE, or RSA/ECC key pairs) that establishes a symmetric session key | “negotiate a shared key”, “TLS handshake” |
| Integrity | Hashing (SHA-256/SHA-3) | “verify file wasn’t modified”, “checksum”, “message digest” |
| Integrity + authenticity | HMAC (hash keyed with a shared secret) | “shared secret confirms message integrity” |
| Non-repudiation | Digital signatures (asymmetric; only the private-key holder can sign) | “prove sender signed”, “cannot deny”, “signed email” |
| Password storage | Salted, slow password hash (bcrypt, PBKDF2, Argon2), not encryption and not a bare SHA-256 | “store passwords securely”, “rainbow tables”, “key stretching” |
High-yield crypto mistakes CompTIA tests
Memorize these “trap patterns”:
Hashing is one-way. If the prompt says “decrypt a hash,” that is wrong. The right move is “compare hashes.”
Encryption is reversible. If the goal is to retrieve the original data later, you need encryption, not hashing.
Salting defeats precomputed attacks (rainbow tables) and makes identical passwords hash to different values. Pepper is an additional secret kept outside the database, but salting is the baseline. Salting does not slow down a brute-force attack on one password; that is what key stretching (bcrypt, PBKDF2, Argon2) is for.
Key length is not the only factor. Mode of operation, implementation, and key management matter, but Security+ usually wants the simplest correct statement.
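To see the cheat sheet and the trap patterns as behaviour rather than vocabulary, here is an added example (not from the original post) that runs each one through the openssl command line: a plain hash anyone can recompute, an HMAC that needs the shared key, a salted password hash that is verified by re-hashing and comparing rather than “decrypting”, and a symmetric encryption round trip that is reversible by design. It assumes openssl 1.1.1 or newer is on PATH; the messages, the key `Jefe` and the passwords are constructed test inputs (the HMAC pair is RFC 4231 test case 2), and the function names are ours, not an openssl API.

```shell
#!/bin/sh
# Added example for this post (not from the page or any project): the
# cheat-sheet behaviours run with the openssl CLI. Assumes openssl 1.1.1+.
# All inputs below are constructed test data.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Integrity: a plain hash. Anyone can recompute it, so it catches accidental
# change, not a deliberate one by someone who can also replace the hash.
sha256_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# Integrity + authenticity: an HMAC. Recomputing it needs the shared secret,
# so a party without the key cannot forge a matching tag.
hmac_sha256_of() { openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'; }

# Password storage: salted, iterated hash (sha512crypt via `openssl passwd -6`).
# The stored value looks like $6$<salt>$<hash>; there is nothing to decrypt.
hash_password() {            # hash_password PASSWORD [SALT]  (fresh random salt if omitted)
  salt=${2:-$(openssl rand -hex 8)}
  printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin
}
# Verification = re-hash with the stored salt and compare: the "compare hashes" move.
check_password() {           # check_password PASSWORD STORED_HASH -> match | no-match
  salt=$(printf '%s' "$2" | cut -d'$' -f3)
  if [ "$(hash_password "$1" "$salt")" = "$2" ]; then echo match; else echo no-match; fi
}

# Confidentiality: symmetric encryption is reversible by design. The enc CLI
# has no AEAD mode, so this is AES-256-CBC with a PBKDF2-derived key; in
# application code you would use AES-GCM instead. The passphrase is read from
# a file so it does not appear in the process list.
aes_roundtrip() {            # aes_roundtrip PLAINTEXT PASSPHRASE -> decrypted text
  printf '%s' "$2" > "$WORK/pass.txt"
  printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -pass file:"$WORK/pass.txt" -out "$WORK/ct.bin"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$WORK/pass.txt" -in "$WORK/ct.bin"
}

# Constructed inputs (no trailing newline, so the digests match the published vectors).
printf 'abc' > "$WORK/msg.txt"
printf 'what do ya want for nothing?' > "$WORK/hmac-msg.txt"

echo "sha256(abc):      $(sha256_of "$WORK/msg.txt")"
echo "hmac(Jefe, ...):  $(hmac_sha256_of Jefe "$WORK/hmac-msg.txt")"
stored=$(hash_password 'correct horse')
echo "stored password:  $stored"
echo "login attempts:   $(check_password 'correct horse' "$stored") / $(check_password 'wrong' "$stored")"
echo "same pw, new salt: $(hash_password 'correct horse')"
echo "aes round trip:   $(aes_roundtrip 'invoice total 42' 's3cret')"
```

Run it with `sh crypto_cheatsheet.sh`. The two `hash_password` lines for the same password differ because the salt differs, which is exactly why a rainbow table built against one salt is useless against another; the login check still succeeds because it reuses the salt stored alongside the hash.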
Actionable drill (10 minutes)
Write four headings: Confidentiality, Integrity, Authentication, Non-repudiation.
Under each, list the crypto mechanism(s) that provide it.
Take 15 mixed practice questions and, for each, write just one line: “Goal = X, so control = Y.”
You are training recognition, not rewriting textbook notes.
PKI: understand the chain of trust (not just definitions)
PKI questions become easy when you visualize how trust flows.
The PKI story in 60 seconds
A Certificate Authority (CA) vouches for identities by issuing certificates.
A certificate binds a public key to an identity (person, device, service).
Clients trust a certificate when they can build a valid chain from that certificate, through any intermediates, up to a root CA in their own trust store, with every certificate in the chain unexpired, not revoked, and (for the issuers) marked as a CA.
What to know cold for SY0-701
Certificate lifecycle and failure modes are tested more than obscure standards.
| PKI concept | What it is | What CompTIA asks in scenarios |
|---|---|---|
| CSR | Request to a CA to issue a cert; carries the public key and requested names, never the private key | “generate a CSR”, “include SANs”, “request a web server certificate” |
| OCSP / CRL | Revocation checking: OCSP asks the CA’s responder about one certificate on demand, a CRL is a signed list the client downloads and caches; OCSP stapling lets the server deliver the response itself | “check if cert is revoked”, “certificate was compromised”, “stapling” |
| Root CA vs Intermediate CA | Trust anchor (kept offline) vs delegated issuer that signs day-to-day certs | “offline root CA”, “intermediate signed certs” |
| Key escrow | Third party holds a copy of private keys so encrypted data can be recovered | “recover encrypted data”, “compliance requirement” |
| Certificate pinning | App remembers the expected cert or public key and rejects anything else, even if a trusted CA signed it | “prevent MITM even if CA is compromised” |
Practical PKI rule set for exam questions
If a private key is exposed, revoke the certificate and reissue with a new key pair; reissuing a certificate for the same key leaves the attacker holding a still-valid key.
If users see browser trust warnings, think: untrusted CA, expired cert, wrong hostname/SAN, or incomplete chain.
If the prompt says “ensure only the real server is being contacted,” the answer usually points to certificate validation (TLS + valid chain) or pinning.
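Here is an added example (not from the original post) that builds the root -> intermediate -> leaf chain with the openssl command line and then reproduces four of the failures in the rule set above: missing intermediate, untrusted CA, wrong hostname, and expiry. It assumes openssl 1.1.1 or newer is on PATH; the CA names, the hostname `app.example.test` and the `verify_leaf` helper are made up for the example. Revocation is not shown because producing a CRL needs a full `openssl ca` setup; the prose above covers it.

```shell
#!/bin/sh
# Added example for this post (not from the page or any project): a
# three-tier chain built with openssl, then four trust failures reproduced.
# Assumes openssl 1.1.1+; every name here is made up.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"   # minimal config so req never prompts

# csr NAME SUBJECT: fresh RSA key + CSR. The private key never leaves $WORK;
# only the CSR (public key + requested subject) goes to the signer.
csr() { openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "$2" \
          -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null; }

# 1. Offline root: self-signed trust anchor, CA:TRUE, 10-year lifetime
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
csr root '/CN=Example Root CA'
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate: CSR signed by the root, still CA:TRUE (the online issuer)
csr int '/CN=Example Issuing CA'
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# 3. Leaf: server cert with a SAN, signed by the intermediate, 90-day lifetime
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
csr leaf '/CN=app.example.test'
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
  -days 90 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# An unrelated self-signed root, standing in for "a CA this client does not trust"
csr other '/CN=Unrelated Root CA'
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 3650 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/other.pem" 2>/dev/null

# verify_leaf ANCHOR_FILE [extra openssl-verify options]
# Echoes "ok", or "depth N: <reason>" for the first error openssl reports.
# Depth 0 is the leaf, depth 1 the intermediate: the depth tells you which link broke.
verify_leaf() {
  anchor=$1; shift
  if out=$(openssl verify -CAfile "$anchor" "$@" "$WORK/leaf.pem" 2>&1); then
    echo ok
  else
    printf '%s\n' "$out" | tr 'A-Z' 'a-z' \
      | sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/depth \1: \2/p' | head -n 1
  fi
}

R=$WORK/root.pem; I=$WORK/int.pem
echo "full chain:            $(verify_leaf "$R" -untrusted "$I")"
echo "missing intermediate:  $(verify_leaf "$R")"                      # server did not send it
echo "untrusted CA:          $(verify_leaf "$WORK/other.pem" -untrusted "$I")"
echo "wrong hostname:        $(verify_leaf "$R" -untrusted "$I" -verify_hostname wrong.example.test)"
echo "expired (clock +120d): $(verify_leaf "$R" -untrusted "$I" -attime $(( $(date +%s) + 120 * 86400 )))"
```

Run it with `sh pki_chain.sh`. Note that “missing intermediate” and “untrusted CA” are the same openssl error, “unable to get local issuer certificate”; only the depth differs (0 = the leaf’s issuer was never presented, 1 = the intermediate’s issuer is not in the trust store), which is the distinction a browser warning hides and the exam expects you to make.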
Actionable drill (15 minutes)
Build a one-page “PKI incident response” map:
Private key compromised -> revoke cert -> generate a new key pair and issue a new cert -> update services -> verify that revocation checking (CRL/OCSP) actually rejects the old cert
Cert expired -> renew/reissue -> deploy -> verify hostname/SAN
Wrong hostname -> fix the SAN (browsers match the SAN, not the CN) -> redeploy
Then do 10 PKI questions and label which failure mode it is.
Authentication methods: pick the factor that matches the risk
Authentication questions are about factors and protocol fit.
Memorize factors by examples
Something you know: password, PIN
Something you have: smart card, hardware token, authenticator app
Something you are: biometric
Somewhere you are: geolocation/IP-based restrictions
Something you do: behavior/keystroke dynamics
Common Security+ scenario matches
| Scenario requirement | Strongest likely answer |
|---|---|
| Stop password spray/credential stuffing | MFA + rate limiting + conditional access |
| Admin access to servers | Phishing-resistant MFA (FIDO2/WebAuthn) + PAM |
| Remote access for employees | VPN with certificate-based auth or SSO + MFA |
| Legacy apps needing centralized login | SSO (SAML/OIDC) with MFA |
| Wireless enterprise auth | 802.1X with RADIUS (EAP-TLS is strongest) |
Protocol cues (fast recognition)
SAML: enterprise SSO, web apps, “assertions,” IdP/SP language
OAuth 2.0: delegated authorization, “allow app to access my data”
OpenID Connect (OIDC): authentication layer on OAuth 2.0, “ID token”
RADIUS/TACACS+: centralized AAA for network access, devices, VPN/Wi-Fi
Kerberos: tickets, domain environments, time sync matters
Actionable drill (12 minutes)
Make a 2-column list:
Left: “Where is auth happening?” (Wi-Fi, VPN, cloud app, Windows domain, network device)
Right: “Best protocol/control” (802.1X/RADIUS, OIDC+MFA, Kerberos, TACACS+)
Then do 20 auth questions and force yourself to answer in this format: “Context -> Protocol -> Factor(s).”
Access control: translate business rules into technical controls
Security+ access control questions often hide the real requirement inside a business sentence.
The access control translation method
Take this sentence: “Only managers can approve refunds over $500, and approvals must be logged.”
Translate it into:
Subjects: managers
Objects: refund approval function
Action: approve
Constraint: over $500
Assurance: logging/auditing
Now the best-fit controls pop out: RBAC for role, policy constraint, and audit logging.
Know these models and when they show up
| Model | What it means | Typical Security+ cue |
|---|---|---|
| DAC | Owner decides | “file owner grants access” |
| MAC | Labels/classifications | “Top Secret/Secret”, “clearance” |
| RBAC | Roles drive access | “HR role”, “job function” |
| ABAC | Attributes + policies | “time of day”, “device compliance”, “location”, “department + risk score” |
High-yield principles to apply in scenarios
Least privilege: start with minimum required permissions.
Separation of duties: prevent one person from completing an entire high-risk process.
Time-bound access: just-in-time access for admins reduces standing privilege.
Implicit deny: deny by default, allow explicitly.
Actionable drill (10 minutes)
Create 8 mini-scenarios (two sentences each) from your own experience:
Help desk password resets
HR payroll system
Developer access to production
Vendor access for maintenance
For each, pick:
RBAC or ABAC
One compensating control (logging, approval workflow, MFA)
You will remember controls better when you attach them to real workflows.
Put it together: a 7-day micro-schedule (45 minutes/day)
This is designed for retention and speed, not passive reading.
| Day | Focus | What you do (45 minutes) |
|---|---|---|
| 1 | Crypto goals | 20 practice Qs + write “goal -> control” for each + 10 flashcards |
| 2 | Hashing vs encryption | 25 practice Qs + redo misses + 5-minute recap sheet |
| 3 | PKI chain + revocation | 15 PKI Qs + draw chain of trust + 10 flashcards |
| 4 | TLS and cert errors | 20 scenario Qs + label failure mode (expired, untrusted, hostname, revoked) |
| 5 | Auth factors + protocols | 25 practice Qs + build “context -> protocol -> factor” list |
| 6 | Access control models | 25 practice Qs + rewrite scenarios into subject/object/action/constraint |
| 7 | Mixed set + review | 40-question mixed drill + review every wrong answer into a single page |
Repeat the same 7-day cycle with new question sets until your wrong answers stop clustering.
Exam-day habits for these topics
Underline the goal: confidentiality vs integrity vs authentication vs authorization.
Watch for “best” vs “first”: “best” implies strongest long-term control, “first” implies triage.
Do not over-engineer: if the prompt is about password attacks, “add MFA” is usually more correct than “build a private CA.”
FAQ
How deep do I need to go on cryptographic algorithms for Security+?
Deep enough to choose the right tool in a scenario: symmetric vs asymmetric, hashing vs encryption, and when to use signatures/HMAC. You do not need to do calculations.
What is the most common PKI mistake students make?
They memorize terms (CA, CRL, OCSP) but cannot diagnose certificate failures. Train on failure modes: expired, revoked, untrusted issuer, wrong hostname, incomplete chain.
How do I decide between RBAC and ABAC on questions?
If the decision is mainly based on job role, use RBAC. If the decision depends on multiple attributes like device health, location, time, and risk score, ABAC is the better fit.
What is the fastest way to improve authentication questions?
Stop thinking of “MFA” as one thing. Identify the factor type and the protocol context (Wi-Fi, VPN, cloud app, domain). Then select the control that matches both.
Your next step
If you want this to stick, do one mixed set today focused on these four layers (identity, authorization, protection, trust) and force yourself to write the one-line “why” for every answer.
Start practicing today at study.cyberexamprep.com with unlimited questions across all CompTIA exams.