Describe encryption methods (symmetric, asymmetric)

1. Data Processing and Information

1.1 Context – Why Encryption Is Needed

In today’s digital world personal data, financial records and confidential business information are constantly transmitted and stored. The Cambridge IT 9626 syllabus expects students to recognise that encryption is the primary technical control used to:

• Protect confidentiality – stop unauthorised parties from reading the data.
• Maintain integrity – detect any alteration of data in transit or at rest.
• Provide authentication – verify the identity of the sender or receiver.
• Ensure non‑repudiation – prevent a sender from denying that they sent a message.

These requirements arise from common e‑security threats such as eavesdropping, data‑breaches, man‑in‑the‑middle attacks and spoofing.

1.2 Uses of Encryption (Cambridge requirement)

• Secure e‑commerce transactions (online banking, shopping).
• Protecting stored data – e.g., databases, file systems, backup media.
• Virtual Private Networks (VPNs) and site‑to‑site links.
• Secure email and messaging (PGP, S/MIME, end‑to‑end chat).
• Digital signatures for software distribution and legal documents.
• Authentication of devices and users in wireless networks (WPA3, TLS client‑certificates).

1.3 Methods of Encryption

1.3.1 Symmetric (Secret‑Key) Encryption

Uses a single secret key for both encryption and decryption.

• Key characteristic: The same key must be known to both parties.
• Typical algorithms: AES, DES, Triple‑DES, Blowfish, RC4 (stream cipher).
• Mathematical form: \(C = E_{K}(P)\) and \(P = D_{K}(C)\)
• Key‑length recommendations (2024 guidance):
  • AES‑128 or AES‑256 for most applications.
  • Triple‑DES only where legacy support is required (effective security ≈ 112 bits).
  • RSA and Diffie‑Hellman keys are **not** used for symmetric encryption.
• Advantages:
  • Very fast – suitable for bulk data (e.g., file encryption, VPN payload).
  • Simple hardware/software implementation.
• Disadvantages:
  • Key‑distribution problem: the secret key must be exchanged over a secure channel.
  • Scalability: for n users, \(\frac{n(n-1)}{2}\) separate keys are required, which quickly becomes impractical.
  • Compromise of a single key endangers all data encrypted with that key.

1.3.2 Asymmetric (Public‑Key) Encryption

Uses a mathematically linked pair of keys: a public key for encryption and a private key for decryption.

• Key characteristic: Public key can be shared openly; private key is kept secret.
• Typical algorithms: RSA, ECC (Elliptic Curve Cryptography), Diffie‑Hellman (key exchange).
• Mathematical form: \(C = E_{K_{\text{pub}}}(P)\) and \(P = D_{K_{\text{priv}}}(C)\)
• Key‑length recommendations (2024):
  • RSA ≥ 2048 bits (or 3072 bits for long‑term security).
  • ECC ≥ 256 bits (provides comparable security to RSA‑3072 with smaller keys).
• Advantages:
  • No secure channel needed to distribute the public key.
  • Enables digital signatures → authentication & non‑repudiation.
  • Facilitates secure key exchange for symmetric algorithms.
• Disadvantages:
  • Computationally slower – usually applied to small data blocks or to encrypt a symmetric session key.
  • Longer key lengths are required for comparable security (e.g., 2048‑bit RSA vs. 128‑bit AES).
  • Private key must be protected (hardware security module, smart card, etc.).

1.3.3 Hashing (Integrity‑Only Method)

Although not an encryption technique, hashing is examined alongside it because it provides data integrity.

• Function: Produces a fixed‑length digest from any input (e.g., SHA‑256, SHA‑3, MD5).
• Properties: One‑way, collision‑resistant, deterministic.
• Typical use: Verifying file integrity, storing password hashes, creating digital signatures (hash + asymmetric encryption).

1.4 Encryption Protocols in Practice

1.4.1 TLS/SSL (Transport Layer Security / Secure Sockets Layer)

• Operates at the application layer (above TCP).
• Typical port: 443 (HTTPS).
• Handshake uses an asymmetric algorithm (RSA, Diffie‑Hellman, or ECC) to agree on or exchange a symmetric session key.
• All subsequent data are encrypted with a fast symmetric cipher (AES‑128/256, ChaCha20).
• Provides:
  • Confidentiality (encryption of payload).
  • Integrity & authenticity (HMAC or AEAD tags).
  • Server authentication via X.509 digital certificates (optional client authentication).

1.4.2 IPsec (Internet Protocol Security)

• Operates at the network layer – protects every IP packet.
• Two main modes:
  • AH (Authentication Header): integrity and authentication only; no confidentiality.
  • ESP (Encapsulating Security Payload): confidentiality, integrity and optional authentication.
• Key exchange is performed by IKE (Internet Key Exchange), which itself uses Diffie‑Hellman or RSA.
• Commonly used for VPN tunnels (site‑to‑site, remote‑access) and for protecting traffic between routers.

1.4.3 Comparison – TLS vs. IPsec

1.5 Hybrid Encryption – Step‑by‑Step Example (TLS Handshake)

1. Client obtains the server’s X.509 certificate containing the server’s public key.
2. Client generates a random symmetric session key (e.g., 256‑bit AES‑GCM).
3. Client encrypts the session key with the server’s public RSA key (or uses an ECDHE exchange to derive a shared secret).
4. Encrypted session key (or DH parameters) are sent to the server.
5. Server decrypts with its private key (or computes the shared secret) and obtains the same session key.
6. Both parties now use the symmetric key to encrypt/decrypt all subsequent application data, adding HMAC/AEAD tags for integrity.

1.6 Exam‑Style Illustrative Examples

• Database encryption: A retailer stores customer records in a MySQL database encrypted with AES‑256. The secret key is stored in a hardware security module (HSM) and accessed only by authorised DB‑admin accounts.
• Secure email (PGP): Alice encrypts the email body with Bob’s 2048‑bit RSA public key and signs the message with her own 2048‑bit RSA private key. Bob verifies the signature with Alice’s public key and decrypts the body with his private key.
• VPN tunnel (IPsec ESP): Two branch offices connect over the Internet. Each gateway runs IKEv2 to perform a Diffie‑Hellman exchange, derives a 256‑bit ESP key, and then encrypts all IP packets with AES‑128‑GCM in ESP mode.
• HTTPS connection: When you visit https://www.example.com, the browser performs a TLS 1.3 handshake, negotiates an AES‑256‑GCM session key, and then all HTTP traffic is encrypted, ensuring confidentiality, integrity and server authentication.
• Digital signature for software: A developer hashes the program with SHA‑256, then encrypts the hash with their 4096‑bit RSA private key. Users verify the signature by decrypting with the developer’s public key and comparing the resulting hash with a freshly computed SHA‑256 hash of the downloaded file.

1.7 Summary

Encryption underpins the protection of data confidentiality, integrity, authentication and non‑repudiation. Symmetric algorithms (e.g., AES) provide speed and efficiency but suffer from key‑distribution and scalability issues. Asymmetric algorithms (e.g., RSA, ECC) solve the distribution problem, enable digital signatures, and are used to exchange symmetric keys, though they are slower and require larger keys. Modern systems therefore adopt a hybrid approach**—using asymmetric techniques to establish a secure symmetric session key and then encrypting bulk data symmetrically. Understanding the characteristics, advantages, disadvantages, key‑length recommendations, and the practical protocols TLS/SSL and IPsec equips students to answer Cambridge AS & A Level IT exam questions and to design secure real‑world solutions.