Understand encryption protocols (TLS/SSL, IPsec)

Cambridge International AS & A Level IT (9626) – Lecture Notes

Purpose: These notes are written to meet the 2025‑2027 Cambridge syllabus for AS (Topics 1‑11) and A‑Level (Topics 12‑21). Where a topic is not covered in detail, a brief outline and suggested activities are provided so teachers can fill the gap before the exam.


1. Topic‑by‑Topic Coverage Checklist

| Topic (Syllabus code) | Title (Syllabus) | Coverage in these notes | Gap / Issue | Actionable suggestion |
|---|---|---|---|---|
| AS 1 | Data processing and information | ✓ (see Section 1) | None | Use the case‑study questions for AO3 practice. |
| AS 2 | Hardware and software | | No material. | Prepare a “starter slide” covering input, processing, output, storage, and examples of hardware vs. software. |
| AS 3 | Systems of computers | | No material. | Outline client‑server, peer‑to‑peer, cloud, and IoT architectures. |
| AS 4 | Data representation | | No material. | Include binary, hexadecimal, character encoding (ASCII/Unicode), and image/audio/video representation. |
| AS 5 | E‑security – encryption, TLS/SSL, IPsec | ✓ (see Sections 2‑4) | Depth exceeds syllabus. | Trim to core concepts; keep “extension” box for deeper study. |
| AS 6 | Networks – types, topologies, protocols | | No material. | Provide a concise overview of LAN, WAN, MAN, topologies, OSI model, and key protocols (TCP/IP, UDP). |
| AS 7 | Database concepts | | No material. | Introduce tables, fields, records, primary keys, relationships, and simple SQL SELECT statements. |
| AS 8 | Spreadsheets | | No material. | Cover cell references, formulas, functions, charts, and data validation. |
| AS 9 | Multimedia – audio, video, animation | | No material. | Explain sampling, bit rate, codecs, and basic editing tools. |
| AS 10 | Web technologies | | No material. | Outline HTML, CSS, client‑side scripting, and basic web‑server concepts. |
| AS 11 | Project management & documentation | | No material. | Introduce project life‑cycle, Gantt charts, risk registers, and user documentation. |
| A 12‑21 | A‑Level extensions (e.g., advanced networking, security, data structures) | | None of the A‑Level topics are covered. | Develop separate “A‑Level deep‑dive” modules for each required topic. |

Use this checklist at the start of each term to verify that every syllabus requirement will be addressed before the examinations.


1. Data Processing and Information (AS 1)

1.1 Data vs Information – Sources & Uses

  • Data: raw, unprocessed facts (numbers, characters, images, sensor readings).
  • Information: data that have been organised, interpreted or presented so they become meaningful.

Typical sources

  • Direct: questionnaires, interviews, sensors, experiments.
  • Indirect: census records, web‑scraped data, third‑party databases, published statistics.

Classroom example: A Year 10 class surveys the devices students use at home. Raw responses (“iPhone 12”, “Windows 10 PC”) are data. After grouping into “mobile”, “desktop”, “tablet” and calculating percentages, the result is information that can guide the choice of learning apps.

1.2 Quality of Information

| Criterion | What it means | Example |
|---|---|---|
| Accuracy | Correctness of content | GPS coordinates to the nearest metre vs. kilometre. |
| Relevance | Suitability for the intended purpose | Student‑age data are relevant for a school‑attendance study but not for traffic‑flow analysis. |
| Timeliness | How up‑to‑date the information is | Five‑year‑old traffic data are unsuitable for a real‑time navigation app. |
| Completeness | All required data are present | A sales report missing the “region” field cannot be used for regional analysis. |
| Consistency | Uniform format and meaning across the dataset | Using both “USA” and “United States” for the same country creates inconsistency. |

Evaluation prompt (AO3): For a given dataset, list two advantages and two disadvantages of each quality criterion. This develops the ability to analyse and evaluate information – a key exam skill.

1.3 Encryption – Need, Methods & Protocols (AS 5)

Why encrypt data?

  • Confidentiality – prevents unauthorised reading.
  • Integrity – detects unauthorised alteration.
  • Authentication – verifies the identity of the parties.
  • Non‑repudiation – provides proof of origin.

Encryption methods – syllabus focus

| Method | Key type | Typical algorithm(s) | Typical use‑case |
|---|---|---|---|
| Symmetric‑key | Same secret key for encryption & decryption | AES, 3DES, ChaCha20 | Bulk data transfer, VPN tunnels, disk encryption |
| Asymmetric‑key (public‑key) | Public key encrypts, private key decrypts (and vice‑versa for signatures) | RSA, ECC (ECDSA, ECDH) | Key exchange, digital certificates, email encryption (PGP) |
| Hash functions (one‑way) | None | SHA‑256, SHA‑3 (MD5 deprecated) | Data integrity checks, password storage, digital signatures |

Summary box – core concepts required by the syllabus

  • Symmetric encryption is fast but requires a secure way to share the secret key.
  • Asymmetric encryption solves the key‑distribution problem but is slower; it is usually used to exchange a symmetric session key.
  • Hashes provide integrity verification but cannot be reversed.

Encryption protocols required by the syllabus

| Protocol | Layer (OSI) | Typical use‑case |
|---|---|---|
| TLS/SSL | Presentation / Session (above TCP) | Secure web browsing, email (STARTTLS), FTP over TLS. |
| IPsec | Network (IP layer) | Site‑to‑site VPNs, remote‑access VPNs, protecting any IP traffic. |

Practical examples

  • TLS: When a student logs into the school’s learning‑management system (LMS) via https://, TLS encrypts the HTTP traffic, ensuring passwords are not exposed on the network.
  • IPsec: The school’s two campuses are linked by an IPsec tunnel; all traffic between the campuses is encrypted, so a hacker on the public Internet cannot sniff internal emails or file shares.

Key‑management concepts (brief)

  • Pre‑shared key (PSK) – manually entered secret; simple but not scalable.
  • Public‑key infrastructure (PKI) – certificates issued by a Certificate Authority bind public keys to identities.
  • Diffie‑Hellman (DH) / Elliptic‑Curve DH (ECDH) – generate a shared secret over an insecure channel, providing forward secrecy.
  • Key‑derivation functions (KDF) – turn a shared secret into session keys (e.g., TLS PRF, HKDF in IKEv2).

Validation vs. Verification (required terminology in 1.4)

  • Validation: Checks that data entered or received meet defined rules before they are stored or processed (e.g., range checks, mandatory‑field checks).
  • Verification: Confirms that data have been transferred or stored correctly (e.g., checksums, CRC, cryptographic hash comparison).

1.4 Checking the Accuracy of Data (Validation / Verification)

| Type | Purpose | Typical technique |
|---|---|---|
| Input validation | Prevent incorrect or malicious data entry | Range checks, format (regex) checks, mandatory‑field checks |
| Output verification | Ensure data sent to another system are intact | Checksums, CRC, cryptographic hash comparison |
| Cross‑validation | Confirm consistency between data sources | Re‑calculating totals, comparing with reference tables |

Classroom example: A web form that records a student’s age should reject values below 0 or above 120 (range check) and verify that the submitted data match the hash sent back from the server (integrity verification).


2. TLS / SSL (AS 5 – Encryption protocols)

What is TLS/SSL?

Transport Layer Security (TLS) is the modern successor to Secure Sockets Layer (SSL). It sits above the transport layer (TCP) and below application protocols such as HTTP, SMTP or FTP, creating a secure point‑to‑point channel for a single session.

Simplified TLS Handshake (TLS 1.2 style)

  1. ClientHello – client sends supported TLS version, cipher suites, compression methods and a random value R_C.
  2. ServerHello – server selects version and cipher suite, sends its random value R_S.
  3. Server Certificate – server provides its X.509 certificate (contains public key K_pub).
  4. ServerKeyExchange (optional) – needed for (EC)DHE or other non‑RSA key‑exchange methods.
  5. Certificate Request (optional) – server asks client to authenticate.
  6. ServerHelloDone – end of server’s first round.
  7. Client Certificate (optional) – sent only if requested.
  8. ClientKeyExchange – client sends a pre‑master secret encrypted with K_pub (or completes the DH exchange).
  9. ChangeCipherSpec – both sides announce that subsequent records will be protected.
  10. Finished – each side sends a hash of the entire handshake to confirm integrity.

Key Derivation (syllabus‑level)

Both parties compute the master secret (MS) from the pre‑master secret (PM) and the two random values:

MS = PRF(PM, "master secret", R_C || R_S)

From MS the protocol derives separate session keys for encryption and integrity (or an AEAD tag).
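The derivation above, carried through in Python as an added example (not part of the original notes). It assumes the TLS 1.2 PRF built on HMAC-SHA-256 from RFC 5246 and an AES-256-GCM suite for the key sizes; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion (RFC 5246, section 5) using HMAC-SHA-256."""
    out = b""
    a = seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)

def master_secret(pm: bytes, r_c: bytes, r_s: bytes) -> bytes:
    # MS = PRF(PM, "master secret", R_C || R_S); the result is always 48 bytes
    return prf(pm, b"master secret", r_c + r_s, 48)

def session_keys(ms: bytes, r_c: bytes, r_s: bytes) -> dict:
    """Split the key block for an AEAD suite: 32-byte keys and 4-byte implicit IVs."""
    # Key expansion uses the randoms in the opposite order: R_S || R_C
    block = prf(ms, b"key expansion", r_s + r_c, 2 * 32 + 2 * 4)
    return {
        "client_write_key": block[0:32],
        "server_write_key": block[32:64],
        "client_write_iv": block[64:68],
        "server_write_iv": block[68:72],
    }

if __name__ == "__main__":
    # Constructed sample values; a real handshake takes them from the messages
    pm = bytes(range(48))
    r_c, r_s = b"\x01" * 32, b"\x02" * 32
    ms = master_secret(pm, r_c, r_s)
    print("MS:", ms.hex())
    for name, value in session_keys(ms, r_c, r_s).items():
        print(name, value.hex())
```

Because R_C and R_S are fresh for every handshake, the same pre-master secret never yields the same master secret or session keys twice.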

Cipher‑suite components (what students must recognise)

  • Key exchange – e.g., ECDHE (provides forward secrecy).
  • Authentication – e.g., RSA or ECDSA (verifies server identity).
  • Bulk cipher – e.g., AES‑256‑GCM (encrypts data).
  • MAC / AEAD – e.g., GCM integrates authentication with encryption.

Key security features (exam‑relevant)

  • Forward secrecy via (EC)DHE.
  • Authenticated Encryption with Associated Data (AEAD) – provides confidentiality and integrity together.
  • Certificate validation (chain of trust, revocation checking – CRL/OCSP).
  • Version negotiation and cipher‑suite filtering to prevent downgrade attacks (TLS 1.3 removes legacy ciphers).

Common attacks & mitigations (brief)

| Attack | What it exploits | Mitigation (syllabus level) |
|---|---|---|
| BEAST | CBC mode padding oracle in TLS 1.0 | Use TLS 1.1+ or AEAD ciphers. |
| CRIME / BREACH | Compression side‑channel | Disable TLS compression. |
| Heartbleed | Buffer‑overread bug in OpenSSL | Patch libraries; replace vulnerable versions. |
| POODLE | SSL 3.0 fallback attack | Disable SSL 3.0; enforce TLS 1.2+. |
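The configuration-level mitigations in the table (certificate validation, a TLS 1.2 floor, no compression) can be checked on a client with Python's standard `ssl` module. This is an added example, not part of the original notes; the function names and finding texts are hypothetical.

```python
import ssl

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the mitigations from the table that this context does not apply."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("server name is not matched against the certificate")
    # MINIMUM_SUPPORTED is a negative sentinel, so it also compares below TLSv1_2
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("versions below TLS 1.2 may be negotiated")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings

def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()            # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL 3.0, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # no compression side channel
    return ctx

def careless_client_context() -> ssl.SSLContext:
    """The weak setting shown for contrast: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("careless", careless_client_context())):
        print(name, audit_context(ctx) or "no findings")
```

Heartbleed is an implementation bug, so no context setting addresses it; `ssl.OPENSSL_VERSION` reports which library build is in use so it can be compared against patched releases.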

Case‑study (AO3)

Scenario: A school’s learning‑management system (LMS) uses HTTPS. Evaluate the advantages and disadvantages of using TLS 1.2 with ECDHE‑RSA‑AES256‑GCM versus TLS 1.3 with AES256‑GCM only.

  • Advantages (e.g., forward secrecy, reduced handshake latency, stronger cipher).
  • Disadvantages (e.g., older client compatibility, need for updated certificates).

3. IPsec (AS 5 – Encryption protocols)

What is IPsec?

IPsec is a suite of protocols that secures IP traffic at the network layer. It can protect all traffic between two hosts or between two networks, regardless of the application.

IPsec Modes (syllabus focus)

  • Transport mode – encrypts only the payload; original IP header stays visible. Used for end‑to‑end host communication.
  • Tunnel mode – encrypts the entire original IP packet and adds a new outer IP header. Used for site‑to‑site VPN gateways.

Core protocols

| Protocol | Function | Security services |
|---|---|---|
| AH (Authentication Header) | Adds an Integrity Check Value (ICV) to the packet. | Integrity, authentication, anti‑replay (no confidentiality). |
| ESP (Encapsulating Security Payload) | Encrypts the payload and optionally adds an ICV. | Confidentiality, integrity, authentication, anti‑replay. |

Security Associations (SAs)

An SA is a unidirectional agreement that defines how traffic will be protected.

  • SPI – Security Parameter Index, identifies the SA in inbound packets.
  • Encryption algorithm (e.g., AES‑256‑GCM).
  • Integrity algorithm (e.g., HMAC‑SHA‑256).
  • Lifetime – expressed in seconds or bytes; after which re‑keying occurs.
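How an inbound SA is selected by SPI, protected against replay and retired when its byte lifetime runs out, as an added Python example (not part of the original notes). It goes beyond the text by assuming the per-packet sequence number and 64-packet sliding window of the ESP specification (RFC 4303); class and function names are hypothetical.

```python
from dataclasses import dataclass

WINDOW = 64  # anti-replay window size in packets (assumed default)

@dataclass
class InboundSA:
    spi: int
    lifetime_bytes: int
    highest_seq: int = 0
    bitmap: int = 0      # bit i set means sequence (highest_seq - i) was seen
    bytes_seen: int = 0

    def check_and_update(self, seq: int, length: int) -> str:
        # A real implementation updates the window only after the ICV verifies
        if self.bytes_seen + length > self.lifetime_bytes:
            return "rekey-required"
        if seq == 0:
            return "drop-invalid"          # sequence numbers start at 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            # Slide the window forward; a jump past the window clears it
            self.bitmap = 1 if shift >= WINDOW else \
                ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            offset = self.highest_seq - seq
            if offset >= WINDOW:
                return "drop-too-old"
            if (self.bitmap >> offset) & 1:
                return "drop-replay"
            self.bitmap |= 1 << offset
        self.bytes_seen += length
        return "accept"

def process(sad: dict, spi: int, seq: int, length: int) -> str:
    """Look up the SA by the SPI carried in the packet, then apply its checks."""
    sa = sad.get(spi)
    return "drop-unknown-spi" if sa is None else sa.check_and_update(seq, length)

if __name__ == "__main__":
    sad = {0x1001: InboundSA(spi=0x1001, lifetime_bytes=1000)}  # constructed SA
    for seq in (1, 3, 2, 3, 100, 36, 37):                       # constructed traffic
        print(seq, process(sad, 0x1001, seq, 100))
```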

Automated key exchange – IKEv2 (simplified)

  1. SA Initiation – initiator proposes cryptographic algorithms and SA parameters.
  2. Diffie‑Hellman exchange – both sides compute a shared secret g^(ab).
  3. Authentication – mutual authentication using X.509 certificates or a pre‑shared key.
  4. SA establishment – each side derives inbound and outbound keys for ESP/AH from the shared secret.

Practical use‑case (AO3)

A multinational company links its London and Singapore offices via an IPsec tunnel in tunnel mode. Evaluate the security benefits (confidentiality, integrity, anti‑replay) and any operational drawbacks (e.g., increased latency, need for compatible routers).


4. Comparison: TLS/SSL vs. IPsec

| Aspect | TLS/SSL | IPsec |
|---|---|---|
| OSI layer | Presentation / Session (above TCP) | Network layer (IP) |
| Typical use‑case | Secure web, email, FTP | Site‑to‑site VPN, remote‑access VPN, protecting any IP traffic |
| Mode of operation | Per‑session (handshake creates one SA) | Transport or Tunnel mode; can protect multiple flows under a single SA |
| Key exchange | RSA, (EC)DHE – negotiated in handshake | Diffie‑Hellman/ECDH via IKEv2 |
| Encryption algorithms | AES‑GCM, ChaCha20‑Poly1305, etc. | AES‑CBC/GCM, 3DES, etc. |
| Authentication | Certificates (PKI) – server, optional client | Certificates or pre‑shared keys; can also use EAP methods |
| Forward secrecy | Provided when (EC)DHE is used | Provided by DH/ECDH in IKEv2 |
| Common attacks | BEAST, POODLE, Heartbleed (implementation bugs) | SA replay attacks, weak DH groups, mis‑configured policies |

5. Optional Extension Activities (for motivated students)

  • Deep dive into TLS 1.3: Examine the reduced handshake, 0‑RTT data, and new cipher‑suite naming.
  • Implement a simple VPN using strongSwan or OpenVPN and compare its security model with IPsec.
  • Analyse a real‑world breach (e.g., the 2020 SolarWinds attack) and identify which encryption protocols failed or were absent.
  • Design a data‑quality audit for a school’s student‑information system, using the five quality criteria and providing a recommendation report.

6. Quick Reference Summary (Exam‑ready)

| Topic | Key points to remember |
|---|---|
| Data vs Information | Data = raw facts; Information = processed, meaningful data. |
| Quality criteria | Accuracy, relevance, timeliness, completeness, consistency – be ready to evaluate advantages/disadvantages. |
| Validation vs Verification | Validation = check input meets rules; Verification = confirm data transferred correctly. |
| Symmetric encryption | Fast, same secret key, e.g., AES. |
| Asymmetric encryption | Solves key‑distribution, e.g., RSA/ECC; used for exchanging a symmetric session key. |
| TLS/SSL | Transport‑layer security; handshake creates a master secret; provides confidentiality, integrity, authentication, and optional forward secrecy. |
| IPsec | Network‑layer security; two modes (transport/tunnel); uses AH for integrity only, ESP for confidentiality+integrity; keys negotiated by IKEv2. |
| Comparison | TLS protects individual sessions at the application level; IPsec protects all IP traffic between hosts or networks. |

7. Next Steps for Teachers

  1. Use the Topic‑by‑Topic Checklist to schedule missing content before the end of the term.
  2. Integrate the case‑study questions into lesson activities to develop AO3 (analysis/evaluation) skills.
  3. Allocate practical sessions for the high‑weight AS topics (Spreadsheets, Databases, Multimedia, Web) early in the course.
  4. Reserve the Extension Activities for enrichment or for A‑Level students.
