Lesson 2 of 6
CIE 0478 only Lesson 2

Encryption in Depth

CIE candidates must distinguish symmetric from asymmetric encryption, explain the key-distribution problem and walk through a full asymmetric exchange. OCR, AQA and Edexcel only require encryption as a high-level concept.

This depth is examined under Cambridge IGCSE 0478 syllabus point 5.2. Other UK boards stop at "encryption scrambles data using a key".

When you visit a website starting with https://, your browser and the server have to agree on a secret key without ever having communicated before. They have never met, anyone could be listening, and yet within milliseconds they share a secret no eavesdropper can read. The trick that makes that possible is asymmetric encryption.

Plaintext
The original readable message before encryption.
Ciphertext
The scrambled output after encryption.
Key
A value used by the encryption algorithm to transform plaintext into ciphertext.
Symmetric encryption
The same key is used to encrypt and decrypt. Fast, but the key must be shared securely.
Asymmetric encryption
A pair of keys: a public key (shared with anyone) and a private key (kept secret).
Public key
Used to encrypt a message that only the matching private key can decrypt.
Private key
Kept secret. Used to decrypt messages encrypted with the matching public key.

Symmetric encryption

Both sides share one key. The sender uses it to encrypt; the receiver uses the same key to decrypt.

Plaintext   ----[ encrypt with KEY ]---->  Ciphertext
Ciphertext  ----[ decrypt with KEY ]---->  Plaintext

Strength: very fast.
Weakness: how do the two sides agree on KEY in the first place without an eavesdropper seeing it? This is the key-distribution problem.

Asymmetric encryption

Each user has two mathematically linked keys.

Public key
Shared openly. Anyone can use it to encrypt a message to you. They cannot use it to decrypt anything.
Private key
Kept secret on your device. Only this key can decrypt messages that were encrypted with the matching public key.

Alice wants to send a private message to Bob.

1. Bob shares his PUBLIC key with the world.
2. Alice encrypts her message with Bob's PUBLIC key.
3. The ciphertext travels across the internet.
4. Only Bob's PRIVATE key can decrypt it.

An eavesdropper who copies both the public key and the ciphertext still cannot read the message.

Why this solves key distribution

Public keys can be shared openly because they cannot decrypt anything. There is nothing for an eavesdropper to steal.

Comparing the two

Symmetric
One shared key. Very fast. Hard to distribute the key safely. Used for the bulk of encrypted data.
Asymmetric
Public + private key pair. Slower (more maths). Solves the distribution problem. Used to set up a session, then symmetric takes over.

Real systems like HTTPS use asymmetric encryption to agree on a symmetric key, then switch to symmetric for speed.

Beyond the basics

When you load an HTTPS page, your browser uses asymmetric encryption to agree a symmetric key with the server, then switches to symmetric encryption for the rest of the conversation. Why use both? Explain what would go wrong if HTTPS used only asymmetric, or only symmetric.

Asymmetric only: the maths behind public/private keys is slow. Encrypting every video frame, every image, every keystroke this way would make the web feel unusable.

Symmetric only: very fast, but how do your browser and the server agree on the secret key without a previous conversation? An eavesdropper would copy the key as it travelled and then read everything. This is the key-distribution problem.

Why combine them: asymmetric is used briefly at the start of the connection to safely exchange a fresh symmetric key. Once that key is in place, both sides switch to symmetric for speed. You get safe key distribution and fast bulk encryption together.

Symmetric vs asymmetric, side by side

| Feature | Symmetric | Asymmetric |
|---|---|---|
| Number of keys | One shared key | Two: a public and a private key |
| Speed | Fast (cheap to compute) | Slow (expensive maths) |
| Key distribution | The hard problem - both sides need the same secret without anyone else seeing it | The public key can be shared freely; only the private key is secret |
| Best used for | Bulk data after a secure connection is established | Initial key exchange and digital signatures |
| Real example | AES inside a HTTPS session | RSA used to set up a HTTPS session |

How real systems combine them

A real HTTPS session uses asymmetric encryption only at the start to share a fresh symmetric key safely. Everything after that is symmetric, because symmetric encryption is much faster. This is called a "hybrid" cryptosystem and is the answer to many CIE 6-mark questions.
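
The Alice-and-Bob exchange and the hybrid approach described above, as a runnable teaching model (an added example, not part of the original lesson). The function names, the two fixed Mersenne primes and the SHA-256 keystream standing in for AES are assumptions chosen so it runs with the Python standard library alone; none of it is strong enough for real use.

```python
import hashlib
import secrets

# Toy parameters (assumption, teaching only): two well-known Mersenne primes
# give a 216-bit modulus. Real RSA uses random primes, 2048+ bits and padding.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537


def make_key_pair():
    """Bob's key pair: (n, e) is the public key, d is the private key."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), pow(E, -1, phi)


def symmetric(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream.
    The same call with the same key both encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def alice_send(public_key, message: bytes):
    """Alice: make a fresh session key and wrap it with Bob's PUBLIC key."""
    n, e = public_key
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # asymmetric, once
    return wrapped, symmetric(session_key, message)          # symmetric, bulk


def bob_receive(public_key, private_key, wrapped, ciphertext) -> bytes:
    """Bob: unwrap the session key with his PRIVATE key, then decrypt."""
    n, _ = public_key
    session_key = pow(wrapped, private_key, n).to_bytes(16, "big")
    return symmetric(session_key, ciphertext)


def eavesdropper_guess(public_key, wrapped, ciphertext) -> bytes:
    """Eve holds only public values; re-applying the public key does not unwrap."""
    n, e = public_key
    guess = pow(wrapped, e, n) % 2**128
    return symmetric(guess.to_bytes(16, "big"), ciphertext)


if __name__ == "__main__":
    pub, priv = make_key_pair()
    print(bob_receive(pub, priv, *alice_send(pub, b"constructed sample message")))
```

The slow asymmetric step touches only the 16-byte session key; the message itself, however long, goes through the fast symmetric function.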

"Asymmetric is always more secure than symmetric"

Both can be equally strong if the key length is large enough. The real difference is convenience: asymmetric solves the key-distribution problem, but at a cost in speed. Once a secure channel exists, symmetric is preferred for bulk data because it is much faster, not less safe.

A six-mark exam question with mark scheme

Question (CIE-style, 6 marks): A bank uses asymmetric encryption to start a secure connection with a customer's browser, then switches to symmetric encryption for the rest of the session. Explain why this hybrid approach is used.

Mark scheme - one mark per valid point, up to 6
  • Asymmetric encryption uses two keys, one public and one private.
  • The bank publishes its public key so anyone can encrypt a message that only the bank can decrypt.
  • This solves the key-distribution problem because no shared secret needs to be exchanged in advance.
  • Asymmetric encryption is computationally slow, so using it for every byte would make the connection feel sluggish.
  • Symmetric encryption uses one shared key and is much faster.
  • The customer's browser uses the asymmetric key to send a fresh symmetric key to the bank securely.
  • From that point on, both sides use the fast symmetric key to encrypt the rest of the conversation.

Beyond the basics

A student says "we have asymmetric encryption now, so symmetric encryption is obsolete and should not be taught". Give two specific reasons this is wrong, and one situation where you would deliberately choose symmetric over asymmetric.

Two reasons it is wrong:
1. Speed. Symmetric encryption (AES) is hundreds of times faster than asymmetric (RSA). Encrypting a video call asymmetrically would melt the laptop.
2. Practical use today. Every HTTPS connection in the world uses symmetric encryption for the bulk of the data, not just the handshake. So far from obsolete, it is doing the heavy lifting on the modern internet.

When to choose symmetric deliberately: any situation where the two sides already share a secret, e.g. a school's intranet using a pre-shared key on staff laptops, or two servers in the same datacentre that have been configured with a shared key by the system administrator. There is no key-distribution problem to solve, so the slow asymmetric step is wasted.

Q1. Which key encrypts a message sent to Bob?
Anyone can use Bob's public key to encrypt to him; only his private key decrypts.

Q2. What is the main weakness of symmetric encryption?
This is the key-distribution problem.

Q3. Why is asymmetric encryption usually combined with symmetric encryption in real systems?
Asymmetric solves the distribution problem; symmetric does the bulk work fast.
Starter activity
Pair students up. Each pair must agree a single shared secret word in front of the rest of the class, without writing anything down or whispering. Ask the class to attempt to guess each pair's word. Use this to demonstrate the key-distribution problem: you cannot share a symmetric key safely in the open. Then introduce public/private keys as the maths-based solution.
Lesson objectives
1. Define plaintext, ciphertext and key.
2. Describe symmetric encryption and explain its main weakness (the key-distribution problem).
3. Describe asymmetric encryption and explain how a public/private key pair makes safe key exchange possible.
4. Walk through an asymmetric exchange between two parties and identify which key is used at each step.
5. Explain why real systems combine asymmetric and symmetric encryption.
Key vocabulary
plaintext, ciphertext, key, symmetric, asymmetric, public key, private key, key pair, key distribution, HTTPS, eavesdropper
Discussion questions
Why is it safe to publish your public key but not your private key?
If asymmetric encryption is more secure, why do real systems still use symmetric for the bulk of data?
How might quantum computers eventually threaten current asymmetric algorithms?
Exit tickets
Define plaintext, ciphertext and key. [3 marks]
Explain the difference between symmetric and asymmetric encryption. [2 marks]
Describe how Alice can send a private message to Bob using asymmetric encryption. [4 marks]
Homework suggestion
Research the padlock icon in your browser's address bar. Find a real website and explain in 200 words: which keys are involved when you first connect, what a digital certificate is, and how your browser knows whether to trust the site. Include one screenshot of a certificate from a real site.