Talk crypto to me (before I go crazy)

cyberguypr Mod Posts: 6,927
Here's the thing: I officially started my CISSP studies back in June. My plan was to start easy by tackling the domains I felt more comfortable with: Telecom, BCP/DRP, and Access Control. Crypto and Software Dev Sec earned the last two spots, as I knew those would be more difficult given my background.

My main sources have been the AIO, OIG, the Conrad 2E book and random NIST documents as well as websites/blogs. I'm also using the Clement Dupuis bootcamp (thanks Clement!), the paid CCCURE questions, and whatever questions come on the AIO CD (Total Tester?). So far I have covered all the domains but Software Dev Sec. All the tests I've taken put me anywhere between 80-95%. My strongest domains are Telecom, BCP/DRP, Access Control, and Governance & Risk.

Then there's Crypto. It's not that I don't like it, it's that I absolutely hate it with a passion. I've dedicated more time to this domain than any other two combined. Tests put me anywhere between 65-75% for this domain. My issue is deciding if I want to keep investing time on this or just accept I can't be a master of all domains and move on. Many agree Crypto is not one of the top 5 domains you must know, so that makes me feel somewhat better.

Finally, I've spent a lot of time going through old posts here where people have failed and trying to learn from their experiences. A common theme that comes from the comments is "know the concepts, not the answers." I also like JD's comment: "If you feel that you are ready to take the CISSP exam because you are getting good scores on practice exams, you are likely deceiving yourself. A better indication that you are ready for the exam is when you can give a 30-second speech on each topic in each domain of the CISSP CBK." I know I'm there with the vast majority of topics, which leads me to believe I may be over-thinking the whole crypto thing.

Ideas? Suggestions? Comments? Thanks in advance.


  • rwmidl Member Posts: 807 ■■■■■■□□□□
    Funny, I was talking to someone about Crypto and CISSP earlier. My thought re: crypto is this: if you don't either work with the technology daily, are a math guru or are just plain smart, I think most people have a hard time with it. I did. Your dislike of crypto is probably up there with subnetting (I hate it with a passion, mostly because I can't get it).

    My advice is this: don't spend all your time studying it. Make sure you are well enough versed in the other areas of the CBK. I recall Clement having a ppt up on the site about the 5-6 domains you "must" know. I can't recall if crypto is one of those or not. If you think you are ready, then take the test.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • JDMurray Admin Posts: 12,878
    Probably most everybody taking the CISSP has one or two very weak domains. I can see where crypto and software app security would be a common pair because they both require detailed understanding of abstract systems that can hardly be related to anything in the real world. I will say that the crypto domains of the SSCP and CISSP do not require complex math to understand, otherwise I would have failed both cert exams for sure.

    It seems to me that you need to take a break from the reading and find videos that explain the basics and mid-level concepts in crypto. YouTube and SecurityTube are places to start. There might also be some good crypto lectures on the academic sites, like AcademicEarth.

    You don't need to score 100% to pass the CISSP exam, but you want to understand as much as you can about every possible topic too. You will never feel ready to take the CISSP; you just have to decide to do it.
  • emerald_octane Member Posts: 613
    Whaaattt? Crypto is fun! (not) Crypto is tough but not unattainable. Subnetting is too. There are a lot of moving parts, but each moving part goes in sequence that you can only do one way, and after you do the formula you have the answer (well, just for subnetting). For crypto, just focus on the key parts and specifically what separates one algorithm or method from another. As long as you know A) what it does, B) when and where it's best used, and C) whether or not it's commonly used today.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    We will drown Crypto sorrows @ SANS Chicago!
  • !nf0s3cure Member Posts: 161 ■■□□□□□□□□
    As I said in an earlier post, I too think Crypto stuff is over the top; Subnetting, umm, not so sure. This is because at least we use subnetting to get a result. When was the last time someone used a Crypto formula to select a product or to gain an outcome? (Crypto guys, sorry, but it is true.) No disrespect, but it is just one of those things that are hard to grasp and are not used as easily as other things or concepts. You just go by the Evaluated Products List and select a Crypto to meet your requirements. But you need subnetting whether you select networking product 'A' or 'B'. It has to be done and there is no way out. Not an expert myself, but in sticky situations there are tools available that can assist. Not with Crypto.

    Basically, just get the concept in your head; do not try to put it into a real-life situation, as this is not what you will do in real life, and the testing for the most part will be around real-life situations or thereabouts.

    emerald_octane has got a real good pointer in the last lines. Very helpful!

    Now I wait to be corrected :)

    Still studying for next attempt...
  • Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
    I can talk Crypto to you: I can't wait until I generate that SHA hash tonight for the most beautiful JPG of Wine. Just because your MD5 is weaker than my SHA, doesn't mean we can't have fun encrypting our async keys over the second VPN tunnel. Of course, I'd expect you to allow the first tunnel to form before we get down to transferring public keys.

    That's how my VPN tunnel rolls. Giggity.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • !nf0s3cure Member Posts: 161 ■■□□□□□□□□
    Now can you please DECRYPT your message so that we the 'Normal People' can understand it :)

    Good one, Roguetadhg!
  • ivx502 Member Posts: 61 ■■■□□□□□□□
    If you can understand the concept of the Caesar shift, you can get the basics of most Crypto. Think about encryption like a blender: ingredients go in and blend together. Decryption is like adding a mesh filter to separate the ingredients. The speed of the blender could be the algorithm used to encrypt, e.g. (DES, 3DES, MD5, SHA, etc.). That was the way I understood it. I only took the SSCP and I plan on taking CISSP in a couple of years. Hope that helped.