Kramizo
CIE · IGCSE · Computer Science · Revision Notes

Data transmission: encryption (symmetric, asymmetric, public and private keys, SSL/TLS)

2,110 words · Last updated May 2026


What you'll learn

This revision guide covers encryption methods used to secure data during transmission across networks. You'll understand the difference between symmetric and asymmetric encryption, how public and private keys work together to protect information, and the role of SSL/TLS protocols in creating secure connections. These concepts are essential for explaining how sensitive data remains confidential when transmitted over the internet.

Key terms and definitions

Encryption — the process of converting plaintext into ciphertext using an algorithm and a key, making data unreadable to unauthorised users

Decryption — the process of converting ciphertext back into plaintext using an algorithm and the correct key

Plaintext — the original, readable data before encryption has been applied

Ciphertext — the encrypted, unreadable data produced after encryption has been applied

Symmetric encryption — an encryption method that uses the same key for both encrypting and decrypting data

Asymmetric encryption — an encryption method that uses two different but mathematically related keys: a public key for encryption and a private key for decryption

Public key — a key that can be shared openly and is used to encrypt data or verify digital signatures

Private key — a key that must be kept secret and is used to decrypt data or create digital signatures

Core concepts

Why encryption is necessary

Data transmitted across networks can be intercepted by unauthorised parties. Without encryption, sensitive information such as passwords, credit card details, medical records, and personal messages would be vulnerable to attack.

Encryption protects data by transforming it into an unreadable format. Even if an attacker intercepts the transmission, they cannot understand the contents without the correct key.

Key reasons for using encryption:

  • Protects confidentiality of sensitive data during transmission
  • Prevents unauthorised access to personal or financial information
  • Ensures compliance with data protection regulations
  • Maintains trust in online services and e-commerce
  • Protects against identity theft and fraud

Symmetric encryption

Symmetric encryption uses a single shared key for both encryption and decryption. Both the sender and receiver must possess the same key and keep it secret.

How symmetric encryption works:

  1. The sender and receiver agree on a secret key (this must happen securely before transmission)
  2. The sender uses the key and an encryption algorithm to convert plaintext into ciphertext
  3. The ciphertext is transmitted across the network
  4. The receiver uses the same key and algorithm to decrypt the ciphertext back into plaintext

Advantages of symmetric encryption:

  • Fast encryption and decryption process
  • Efficient for encrypting large amounts of data
  • Requires less processing power than asymmetric encryption
  • Suitable for encrypting files and bulk data transfers

Disadvantages of symmetric encryption:

  • Key distribution problem: how do you securely share the key with the recipient?
  • If the key is intercepted during distribution, security is compromised
  • Each pair of users needs a unique key, leading to key management difficulties
  • Not suitable for communication with unknown parties

Common symmetric encryption algorithms:

  • AES (Advanced Encryption Standard) — widely used for securing sensitive data
  • DES (Data Encryption Standard) — older algorithm, now considered insecure

Asymmetric encryption

Asymmetric encryption uses two mathematically related keys: a public key and a private key. Data encrypted with one key can only be decrypted with the other key in the pair.

How asymmetric encryption works:

  1. The receiver generates a key pair: a public key and a private key
  2. The receiver shares the public key openly (anyone can have it)
  3. The receiver keeps the private key secret (never shared)
  4. The sender encrypts the message using the receiver's public key
  5. The encrypted message is transmitted across the network
  6. Only the receiver can decrypt the message using their private key

Advantages of asymmetric encryption:

  • Solves the key distribution problem — public keys can be shared openly
  • No need to exchange secret keys in advance
  • Enables secure communication with unknown parties
  • Supports digital signatures for authentication
  • Each user only needs one key pair, regardless of how many people they communicate with

Disadvantages of asymmetric encryption:

  • Much slower than symmetric encryption
  • Requires significantly more processing power
  • Not efficient for encrypting large amounts of data
  • More complex algorithms

Common asymmetric encryption algorithm:

  • RSA (Rivest-Shamir-Adleman) — widely used for secure data transmission and digital signatures

Public and private keys in practice

Understanding the relationship between public and private keys is crucial:

Public key characteristics:

  • Can be distributed freely to anyone
  • Used by senders to encrypt messages
  • Cannot decrypt messages that it encrypted
  • Can verify digital signatures created with the corresponding private key

Private key characteristics:

  • Must be kept completely secret by the owner
  • Used to decrypt messages encrypted with the corresponding public key
  • Can create digital signatures
  • If compromised, all security is lost

Real-world scenario:

When you want to send a secure message to a bank:

  1. The bank publishes its public key on its website
  2. You download the bank's public key
  3. You encrypt your message (containing account details) using the bank's public key
  4. You send the encrypted message
  5. The bank uses its private key to decrypt your message
  6. Only the bank can read the message because only they possess the private key

Hybrid encryption approach

In practice, most secure systems use both symmetric and asymmetric encryption together to benefit from the strengths of each method.

How hybrid encryption works:

  1. Asymmetric encryption is used to securely exchange a symmetric key
  2. The symmetric key is then used to encrypt the actual data being transmitted
  3. This combines the security of asymmetric encryption with the speed of symmetric encryption

This approach is used by SSL/TLS protocols.
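
The hybrid steps above, as an added Python example that is not part of the original notes. It assumes textbook RSA built on two small Mersenne primes and a SHA-256 keystream standing in for AES; both are constructed for illustration and are not secure, and all function names are hypothetical.

```python
import hashlib
import secrets

def make_keypair(p=2**89 - 1, q=2**127 - 1, e=65537):
    """Receiver: build a toy RSA key pair from two known Mersenne primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # private exponent, inverse of e mod phi
    return (e, n), (d, n)             # (public key, private key)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric part: the same key and the same call encrypt and decrypt."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)

def sender_encrypt(public_key, message: bytes):
    """Steps 1-2: wrap a fresh session key with the public key, then encrypt the data."""
    e, n = public_key
    session_key = secrets.token_bytes(16)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, keystream_xor(session_key, message)

def receiver_decrypt(key, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Unwrap the session key with the private key, then decrypt the data."""
    exponent, n = key
    size = (n.bit_length() + 7) // 8
    # The real session key fits in 16 bytes; a wrong key yields an unrelated value.
    session_key = pow(wrapped_key, exponent, n).to_bytes(size, "big")[-16:]
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    public, private = make_keypair()
    wrapped, ct = sender_encrypt(public, b"constructed sample: account 12345678")
    print(receiver_decrypt(private, wrapped, ct))
```

Only the short session key goes through the slow asymmetric step; the message itself, however long, is handled by the fast symmetric step.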

SSL/TLS protocols

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over networks. TLS is the successor to SSL, though the term SSL is still commonly used.

Purpose of SSL/TLS:

  • Encrypts data transmitted between a web browser and a web server
  • Authenticates the identity of websites
  • Ensures data integrity (data hasn't been tampered with during transmission)
  • Provides secure connections for online banking, shopping, and email

How to identify SSL/TLS connections:

  • The URL begins with https:// instead of http://
  • A padlock icon appears in the browser address bar
  • The browser may show a green address bar or "Secure" indicator

How SSL/TLS works (simplified handshake process):

  1. Client Hello: The browser requests a secure connection from the server
  2. Server Hello: The server responds and sends its digital certificate containing its public key
  3. Certificate Verification: The browser verifies the certificate is valid and issued by a trusted Certificate Authority
  4. Key Exchange: The browser generates a symmetric session key, encrypts it using the server's public key, and sends it to the server
  5. Session Key Decryption: The server uses its private key to decrypt and obtain the symmetric session key
  6. Secure Communication: Both browser and server use the shared symmetric key to encrypt all further communication during that session

Benefits of SSL/TLS:

  • Protects sensitive data like passwords and credit card numbers
  • Prevents man-in-the-middle attacks
  • Builds user trust and confidence
  • Required for PCI DSS compliance (payment card industry standards)
  • Improves search engine rankings

Certificate Authorities (CA):

A Certificate Authority is a trusted organisation that issues digital certificates to verify the identity of websites. When a browser sees a certificate from a trusted CA, it knows the website is legitimate.

Trusted CAs include:

  • DigiCert
  • Let's Encrypt
  • GlobalSign
  • Comodo

Worked examples

Example 1: Explaining symmetric vs asymmetric encryption

Question: A company needs to send confidential employee data to its overseas office every day.

(a) Describe how symmetric encryption could be used to protect this data. [3 marks]

(b) Explain one problem with using symmetric encryption in this scenario. [2 marks]

Mark scheme answer:

(a)

  • The company and overseas office agree on/share a secret key [1 mark]
  • The secret key is used with an encryption algorithm to convert the plaintext data into ciphertext [1 mark]
  • The overseas office uses the same key to decrypt the ciphertext back into plaintext [1 mark]

(b)

  • The secret key must be securely shared between both locations [1 mark]
  • If the key is intercepted during distribution/transmission, an unauthorised person could decrypt all the data [1 mark]

Example 2: Public and private keys

Question: Explain how public and private keys are used to send a secure message from Person A to Person B. [4 marks]

Mark scheme answer:

  • Person B generates a pair of keys: a public key and a private key [1 mark]
  • Person B shares their public key with Person A (or makes it publicly available) [1 mark]
  • Person A encrypts the message using Person B's public key [1 mark]
  • Person B uses their private key to decrypt the message/only Person B's private key can decrypt the message [1 mark]

Example 3: SSL/TLS identification and purpose

Question:

(a) State two ways a user can identify that they are using a secure SSL/TLS connection. [2 marks]

(b) Describe the role of SSL/TLS when a customer makes an online purchase. [3 marks]

Mark scheme answer:

(a) Any two from:

  • The URL begins with https:// [1 mark]
  • A padlock icon appears in the browser address bar [1 mark]
  • The browser displays "Secure" or similar indicator [1 mark]
  • Green address bar (accept similar descriptions) [1 mark]

(b)

  • SSL/TLS encrypts the data transmitted between the customer's browser and the online shop's server [1 mark]
  • This prevents unauthorised parties from reading sensitive information such as credit card details or passwords [1 mark]
  • SSL/TLS authenticates the website's identity/verifies the website is legitimate, protecting customers from fake websites [1 mark]

Common mistakes and how to avoid them

  • Confusing which key encrypts and which decrypts in asymmetric encryption: Remember that in asymmetric encryption, the public key encrypts and only the corresponding private key can decrypt. The sender uses the receiver's public key, not their own.

  • Thinking both symmetric and asymmetric encryption use the same key: Symmetric uses one shared key; asymmetric uses a mathematically related pair (public and private keys). Learn the prefix: "sym-" means same.

  • Stating that public keys must be kept secret: Public keys are designed to be shared openly — that's the whole point. Only private keys must be kept secret.

  • Confusing SSL and TLS as different protocols: While technically TLS replaced SSL, they serve the same purpose. In exam answers, you can refer to SSL/TLS or just SSL when discussing secure web connections, as the term is still widely used.

  • Not explaining the complete encryption process: When asked to describe how encryption works, include the key, the algorithm, and the transformation from plaintext to ciphertext (or vice versa for decryption). Don't just say "the data is encrypted."

  • Forgetting to mention Certificate Authorities when explaining SSL/TLS: The role of CAs in verifying website identity is an important part of how SSL/TLS provides authentication, not just encryption.

Exam technique for encryption questions

  • "Describe" questions require a detailed explanation: When asked to describe symmetric or asymmetric encryption, explain the step-by-step process including who has which keys and what happens to the data. Aim for 2-3 marks per method.

  • "Explain" questions need reasons or consequences: Don't just state what happens — explain why it's important or what the benefit/problem is. For example, "The public key can be shared openly" (describe) versus "The public key can be shared openly, which solves the key distribution problem because no secret information needs to be exchanged in advance" (explain).

  • Use correct technical terminology: Always use terms like plaintext, ciphertext, public key, private key, encryption, and decryption. Avoid vague terms like "scrambled" or "mixed up."

  • Draw clear distinctions between methods: When comparing symmetric and asymmetric encryption, create a clear contrast. Use phrases like "whereas," "in contrast," or "on the other hand" to show you understand the differences.

Quick revision summary

Encryption converts plaintext into ciphertext to protect data during transmission. Symmetric encryption uses one shared secret key for both encryption and decryption — it's fast but has key distribution problems. Asymmetric encryption uses public/private key pairs — the public key encrypts, only the corresponding private key decrypts. This solves key distribution but is slower. SSL/TLS protocols use hybrid encryption (combining both methods) to create secure HTTPS connections, encrypting data between browsers and servers while authenticating website identity through certificates issued by Certificate Authorities.
