Cryptography & PKI

Body of Knowledge

| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Symmetric Encryption | AES (128/192/256), modes of operation (CBC, GCM, CTR), key derivation (PBKDF2, scrypt, Argon2), block vs stream ciphers. | Critical | Security Engineer, DevSecOps, Backend Developer |
| Asymmetric Encryption | RSA, ECDSA, EdDSA, key exchange (DH, ECDHE, X25519), digital signatures, key sizes, performance tradeoffs. | Critical | Security Engineer, PKI Administrator, DevSecOps |
| Hash Functions | SHA-2, SHA-3, BLAKE2/3, collision resistance, preimage resistance, message authentication (HMAC), password hashing. | Critical | Security Engineer, Backend Developer, DevSecOps |
| TLS/SSL | Protocol versions, cipher suites, handshake process, certificate validation, mTLS, session resumption, TLS 1.3 improvements. | Critical | Security Engineer, Network Engineer, DevSecOps |
| X.509 Certificates | Certificate structure, extensions, subject/issuer, key usage, SAN, certificate chains, parsing with OpenSSL. | Critical | Security Engineer, PKI Administrator, DevSecOps |
| PKI Architecture | Root CA, intermediate CAs, certificate hierarchy, CA policy, CPS, trust anchors, cross-certification. | High | PKI Administrator, Security Architect |
| Certificate Lifecycle | CSR generation, issuance, renewal, revocation, CRL distribution, OCSP, OCSP stapling, certificate transparency. | High | PKI Administrator, Security Engineer, DevSecOps |
| ACME Protocol | Automated certificate issuance, Let’s Encrypt, certbot, cert-manager, DNS-01 vs HTTP-01 challenges, wildcard certs. | High | DevOps Engineer, SRE, Security Engineer |
| Hardware Security Modules (HSM) | Key protection, PKCS#11, cloud HSM (CloudHSM, Azure Key Vault HSM), FIPS compliance, root CA key protection. | Medium | PKI Administrator, Security Architect |
| Encryption Tools (age/GPG) | Modern file encryption (age), PGP/GPG for signing and encryption, key management, SOPS for secrets, Sigstore. | High | DevSecOps, Security Engineer, Systems Administrator |
| Disk Encryption | LUKS, dm-crypt, BitLocker, FileVault, FDE vs FBE, key escrow, TPM integration, recovery procedures. | High | Systems Administrator, Security Engineer |
| Quantum-Safe Cryptography | Post-quantum algorithms, NIST PQC standardization, lattice-based crypto, hybrid approaches, migration planning. | Low | Security Architect, Cryptographer |

Personal Status

| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| PKI / X.509 Certificates | Advanced | Vault PKI engine — root CA, intermediate CA, certificate issuance for 802.1X, mTLS; OpenSSL for CSR generation, cert inspection, chain validation | Secrets Vault, PKI Reference | No ACME/Let’s Encrypt automation, no HSM integration |
| Encryption Tools (age/GPG) | Advanced | age encryption for SSH config and dotfiles; GPG key management; LUKS disk encryption; understand envelope encryption, key derivation | Secrets Management, dots-quantum | No PGP web of trust, no YubiKey/FIDO2 integration |
| Certificate Lifecycle Management | Advanced | Vault PKI — root/intermediate CA hierarchy, CRL distribution, OCSP concepts; certificate issuance, renewal, revocation for 802.1X clients; OpenSSL inspection | Secrets Vault, 802.1X Linux | No ACME automation (certbot/cert-manager), no certificate transparency monitoring |
| Cryptographic Protocols | Intermediate | TLS configuration for 802.1X, mTLS understanding; cipher suite awareness from CISSP | 802.1X Linux, CISSP Study Guide | No hands-on cipher suite hardening, no TLS 1.3 deployment |