Show understanding of how encryption works

Published by Patrick Mutisya · 14 days ago

Cambridge A-Level Computer Science 9618 – Encryption, Encryption Protocols and Digital Certificates

17.1 Encryption, Encryption Protocols and Digital Certificates

Learning Objective

Show understanding of how encryption works, the difference between symmetric and asymmetric techniques, common encryption protocols and the role of digital certificates in establishing trust.

1. What is Encryption?

Encryption is the process of converting readable data (plaintext) into an unreadable form (cipher‑text) using an algorithm and a key. Decryption reverses the process using the appropriate key.

2. Types of Encryption

FeatureSymmetric EncryptionAsymmetric Encryption
Key usageSame key for encryption and decryptionPair of keys – public (encryption) and private (decryption)
SpeedFast – suitable for large data volumesSlower – typically used for small data (e.g., keys)
Key distributionRequires a secure channel to share the secret keyNo need to share secret; public key can be widely distributed
Typical algorithmsAES, DES, Triple‑DES, BlowfishRSA, Diffie‑Hellman, ECC (Elliptic Curve Cryptography)

3. Symmetric Encryption Example – AES

The Advanced Encryption Standard (AES) works on 128‑bit blocks and supports key lengths of 128, 192 or 256 bits. The encryption process can be expressed as:

\$C = \text{AES}_K(P)\$

where \$P\$ is the plaintext block, \$K\$ is the secret key and \$C\$ is the resulting cipher‑text block.

4. Asymmetric Encryption Example – RSA

RSA relies on the mathematical difficulty of factoring large composite numbers.

  1. Generate two large primes \$p\$ and \$q\$.

  2. Compute \$n = p \times q\$ and \$\phi(n) = (p-1)(q-1)\$.

  3. Select an encryption exponent \$e\$ such that \$1 < e < \phi(n)\$ and \$\gcd(e,\phi(n)) = 1\$.

  4. Compute the decryption exponent \$d\$ as the modular inverse of \$e\$ modulo \$\phi(n)\$: \$d \equiv e^{-1} \pmod{\phi(n)}\$.

The public key is \$(e, n)\$ and the private key is \$(d, n)\$. Encryption and decryption are performed as:

\$C \equiv P^{\,e} \pmod{n}\$

\$P \equiv C^{\,d} \pmod{n}\$

5. Hybrid Encryption – Combining the Best of Both Worlds

Because symmetric encryption is fast and asymmetric encryption solves the key‑distribution problem, many protocols use a hybrid approach:

  • Generate a random session key (symmetric).

  • Encrypt the session key with the recipient’s public key (asymmetric).

  • Transmit the encrypted session key together with the cipher‑text produced using the session key.

6. Common Encryption Protocols

6.1 Secure Sockets Layer / Transport Layer Security (SSL/TLS)

SSL/TLS provides confidentiality, integrity and authentication for data transmitted over the Internet.

  1. Handshake – negotiates protocol version, cipher suite and authenticates the server (and optionally the client) using digital certificates.

  2. Key exchange – typically uses Diffie‑Hellman or RSA to securely share a symmetric session key.

  3. Data transfer – encrypted with a symmetric algorithm (e.g., AES‑GCM).

6.2 IPsec (Internet Protocol Security)

IPsec secures IP packets at the network layer. It defines two main modes:

  • Transport mode – encrypts only the payload of the IP packet.

  • Tunnel mode – encrypts the entire original IP packet and adds a new outer header.

Key exchange is usually performed with IKE (Internet Key Exchange), which uses Diffie‑Hellman and digital certificates.

6.3 PGP (Pretty Good Privacy) / OpenPGP

PGP combines symmetric encryption for message content with asymmetric encryption for the session key. It also provides digital signatures for authentication.

7. Digital Certificates and Public Key Infrastructure (PKI)

A digital certificate binds a public key to an entity’s identity. It is issued by a trusted Certificate Authority (CA) and contains:

  • Subject name (e.g., domain name or individual)

  • Public key

  • Serial number and validity period

  • CA’s digital signature

The CA’s signature is created by hashing the certificate data and encrypting the hash with the CA’s private key. Verification is performed by decrypting the signature with the CA’s public key and comparing the resulting hash to a newly computed hash of the certificate.

Suggested diagram: Structure of an X.509 digital certificate showing fields such as version, serial number, issuer, validity period, subject, subject public key info, and signature.

8. Trust Chains

Certificates are arranged in a hierarchy:

  1. Root CA – self‑signed certificate, trusted implicitly by operating systems and browsers.

  2. Intermediate CAs – certificates signed by the root or another intermediate CA.

  3. End‑entity (leaf) certificate – signed by an intermediate CA and used by a server or user.

During a TLS handshake, the server presents its leaf certificate together with any intermediate certificates needed to build a chain up to a trusted root.

9. Summary Checklist

  • Understand the difference between symmetric and asymmetric encryption.

  • Know the basic steps of RSA key generation and encryption/decryption.

  • Recognise why hybrid encryption is used in practice.

  • Identify the main stages of the TLS handshake.

  • Explain the purpose of digital certificates and how a CA’s signature provides trust.

10. Practice Questions

  1. Explain why a 256‑bit AES key is considered more secure than a 128‑bit key, and discuss the practical implications for performance.

  2. Given \$p = 61\$, \$q = 53\$, and \$e = 17\$, calculate the RSA modulus \$n\$, \$\phi(n)\$, and the private exponent \$d\$.

  3. Describe the role of the Diffie‑Hellman key exchange in establishing a TLS session key.

  4. Outline the steps a client takes to verify a server’s digital certificate during a TLS handshake.