DEV Community

TiltedLunar123

Public key or private key? The Security+ crypto direction trap

A lot of people walk into the SY0-701 exam able to recite that asymmetric encryption uses a key pair. Then a question asks "you want to send a confidential file to a coworker, which key do you use?" and the whole thing falls apart. The keys are not the hard part. The direction is.

Here is the trap in one sentence: the key you reach for depends on whether you are protecting confidentiality or proving who sent something. Those are two different goals, and they use the key pair in opposite directions. If you only memorized "public key and private key," you memorized the nouns and skipped the verbs.

Let me lay out both directions, because the exam tests both and it loves to mix them up.

Confidentiality: encrypt with the recipient's public key

You want only your coworker to read the file, so you encrypt it with their public key. Public keys are public on purpose, so anyone can grab one, including you. The math only works in one direction: anything locked with a public key can only be opened with the matching private key. Your coworker is the only person holding that private key, so they are the only one who can decrypt it.

Read that twice, because here is where people slip. They think "I am the sender, so I use my key." Wrong. For confidentiality you never touch your own keys. You use the recipient's public key. The real question is "who should be able to read this," and the answer is "the person whose private key opens it." Notice what that also means: because the public key is public, encrypting with it proves nothing about who did the encrypting. Anyone could have sent that file. Confidentiality alone buys you secrecy, not identity; identity is the next section's job.

Authenticity and non-repudiation: sign with your own private key

Now flip the goal. You do not care about hiding the message. You care about proving it actually came from you and was not changed in transit. That is a digital signature.

To sign, you hash the message and apply your own private key to that hash. Security+ material describes this as "encrypting the hash with your private key," and that is fine as a mental model for the exam, but it is the textbook-RSA picture: real signature schemes (RSA-PSS, ECDSA, Ed25519) are separate operations with their own padding and randomness, and the ownership rule is what carries over. Anyone can verify by recomputing the hash over what they received and checking it against the signature with your public key; if the message was altered in transit, the hashes no longer match and the check fails. Because only you hold your private key, a signature that checks out against your public key could only have come from you. That gives you non-repudiation: you cannot credibly claim later that you did not send it. The whole property rests on the private key staying private, which is why signing keys get stronger protection (hardware tokens, HSMs) than almost anything else in a real deployment.

Notice the direction is reversed from confidentiality. Confidentiality uses the recipient's keys. Signing uses your keys. Same key pair concept, opposite owner.

The one question that keeps it straight

I stopped memorizing four separate rules and started asking a single question: what am I protecting?

If the goal is "only the right person can read it," the answer involves the reader's keys. Lock with their public key, they open with their private key.

If the goal is "prove it came from me and was not tampered with," the answer involves my keys. Sign with my private key, anyone verifies with my public key.

Public keys encrypt and verify. Private keys decrypt and sign. The owner of the key pair flips depending on the goal, and that ownership is the part the exam is really testing.

What about both at once

Real systems usually want confidentiality and authenticity together, and yes, the exam will ask. You sign with your private key, then encrypt with the recipient's public key. The recipient decrypts with their private key, then verifies your signature with your public key. Two key pairs, four operations, but each step still follows the same logic: reader's keys for secrecy, sender's keys for proof. The one thing this glosses over is how the recipient knows that "your public key" really belongs to you; that binding is what certificates and a certificate authority provide, and the exam files it under PKI rather than under the direction rule.

One more thing that catches people. Asymmetric encryption is slow, and RSA can only encrypt a message smaller than its own key, so in practice it rarely encrypts a whole file. It encrypts a randomly generated symmetric key, and that symmetric key encrypts the bulk data. That is the hybrid model behind PGP and S/MIME, and it is what older TLS did with RSA key exchange: the client encrypted a premaster secret under the server's public key. TLS 1.3 dropped RSA key exchange entirely and agrees on the session key with an ephemeral Diffie-Hellman exchange (the server's key pair only signs the handshake), but the shape is the same: asymmetric operations to establish a session key, symmetric encryption for the data. If a question mentions a "session key" or "wrapping a key," that hybrid model is what it is pointing at.
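Here is the whole post as running code: the confidentiality direction, the signing direction, sign-then-encrypt, and the session-key wrapping from the paragraph above, in one added Go example. This is editor-added code, not something from the original post, and it uses real primitives from Go's standard library (RSA-OAEP for encryption, RSA-PSS for signatures, AES-256-GCM for the bulk data) rather than the exam's textbook picture. The names alice and bob, the sample message, and the helper names NewKeyPair, EncryptFor, Sign, Verify, SealFor and Open are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKeyPair makes a 2048-bit RSA key pair; k.PublicKey is the half you hand out.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptFor is the confidentiality direction: lock with the RECIPIENT's public key (RSA-OAEP).
func EncryptFor(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

// Sign is the authenticity direction: hash, then sign the hash with the SENDER's own private key.
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg) // RSA-PSS is a real signature scheme, not textbook "encrypt the hash"
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, h[:], nil)
}

// Verify checks a signature against the claimed sender's PUBLIC key.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], sig, nil)
}

// Envelope is "both at once" the hybrid way: bulk data under a random AES-256-GCM session key, only that key under RSA.
type Envelope struct {
	WrappedKey []byte // session key encrypted with the recipient's public key
	Nonce      []byte // 12-byte GCM nonce, fresh per envelope
	Ciphertext []byte // AES-GCM over (message || signature)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFor signs with the sender's private key, then encrypts for the recipient.
func SealFor(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sig, err := Sign(senderPriv, msg) // sender's keys: proof
	if err != nil {
		return nil, err
	}
	kn := make([]byte, 32+12) // fresh session key and nonce; crypto/rand.Read cannot fail on Go 1.24+
	rand.Read(kn)
	gcm, err := newGCM(kn[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := EncryptFor(recipientPub, kn[:32]) // recipient's keys: secrecy
	if err != nil {
		return nil, err
	}
	body := append(append(make([]byte, 0, len(msg)+len(sig)), msg...), sig...)
	return &Envelope{WrappedKey: wrapped, Nonce: kn[32:], Ciphertext: gcm.Seal(nil, kn[32:], body, nil)}, nil
}

// Open unwraps with the recipient's PRIVATE key, decrypts, then verifies with the sender's PUBLIC key.
func Open(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key does not unwrap: not addressed to this private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil || len(body) < senderPub.Size() { // a PSS signature is exactly one modulus wide
		return nil, errors.New("bulk ciphertext rejected or truncated")
	}
	msg, sig := body[:len(body)-senderPub.Size()], body[len(body)-senderPub.Size():]
	if err := Verify(senderPub, msg, sig); err != nil {
		return nil, errors.New("signature does not verify under the claimed sender's public key")
	}
	return msg, nil
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	env, _ := SealFor(alice, &bob.PublicKey, []byte("Q3 numbers, eyes only")) // constructed sample
	msg, err := Open(bob, &alice.PublicKey, env)
	fmt.Printf("bob opens and verifies as alice: %q (err=%v)\n", msg, err)
	wrong, _ := SealFor(alice, &alice.PublicKey, []byte("oops")) // the trap: sender reached for her own key
	_, err = Open(bob, &alice.PublicKey, wrong)
	fmt.Println("bob tries to open the mis-addressed one:", err)
}
```

The function signatures carry the rule from this post: everything that encrypts takes a *PublicKey belonging to the recipient, everything that signs takes the sender's own *PrivateKey, and Open needs the recipient's private key plus the sender's public key, never the other way round. The size limit from the paragraph above is also visible here: RSA-OAEP with a 2048-bit key and SHA-256 can encrypt at most 190 bytes, so the message and its 256-byte signature go under the AES session key and only the 32-byte session key goes under RSA.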

How to actually drill this

Definitions will not save you here, because the exam never asks "what is a public key." It hands you a scenario and asks you to pick the key, and those scenarios are written to punish anyone who skipped the direction. The only fix is reps on scenario-style questions until "what am I protecting" becomes the first thing you think.

That is the kind of distinction I built secplusmastery.com around, with practice questions phrased the way the real exam phrases them instead of the way a glossary does. If you want a quick gut check on where you stand before you grind, there is a free diagnostic at secplusmastery.com/diagnostic that will show you fast whether crypto direction is one of your weak spots.

Get the direction reflex down and a whole category of questions stops being scary. Public to lock, private to unlock. Private to sign, public to verify. Decide what you are protecting first, and the key picks itself.
