Lesson 16: Encryption in the Cyber World
The internet is not secure by default — encryption is the 'lock' of digital information. In previous lessons we already met encryption as a concept: 'in transit' (TLS/VPN) versus 'at rest' (disk, database). This lesson opens the black box: how does encryption actually work? We'll meet two encryption
In brief: symmetric encryption uses one key and is fast, but it's hard to transfer that key safely. Asymmetric encryption uses a key pair (public+private) that solves the transfer problem, but is very slow. The solution: hybrid encryption — use asymmetric only to agree on a temporary secret key (or Diffie-Hellman, which creates a shared secret without ever sending it), then switch to fast symmetric encryption for the actual data. A hash is a one-way fingerprint of data; a digital signature is a hash encrypted with a private key, proving who sent it and that it wasn't altered. TLS assembles all of this into one protocol that runs every secure website.
- Symmetric Encryption
- The same key is used for both encrypting and decrypting — very fast, suited to transferring huge volumes of data (AES is today's leading standard). Security rests on keeping the key secret (Kerckhoffs's Principle), not on hiding the algorithm — unlike historical ciphers like the Caesar cipher, which relied on hiding the method itself.
- The Managerial Challenge: Symmetric Key Distribution
- Sending the key over an open network exposes it to theft. In a large organization, managing a separate key for every pair of users requires an enormous number of keys (for example, ~500,000 keys for 1,000 employees who need to communicate with each other). And exposing one key exposes all the data ever encrypted with it — past and future.
- Asymmetric Encryption (Public Key)
- A key pair: a public key visible to everyone, which anyone can use to encrypt a message for you; and a private key, kept secret, which alone can decrypt what was encrypted with the public one. Like a mailbox — anyone can insert a letter through the slot (public), but only the holder of the physical key (private) can open and read it. Solves the key-distribution problem — no need to pre-share a secret.
- Limitations of Asymmetric Encryption
- Significantly slower — requires 1,000-10,000× more processing power than symmetric encryption, and isn't efficient for large files or video streaming. The practical solution: use it only for the initial 'handshake' stage to exchange a symmetric key, not to encrypt the actual data.
- Hybrid Encryption
- The winning combination: use asymmetric encryption (like RSA) only to safely transfer a temporary secret key, then switch to fast symmetric encryption (like AES) for the actual heavy data transfer. The temporary key is used only for the current session and destroyed at its end — the result is both key-distribution security and maximum speed.
- Diffie-Hellman: a Shared Secret Without Sending It
- A mechanism letting two parties create a shared secret key, even if someone is listening to all communication between them. Each side adds its own 'private secret' that's never sent over the network, and after exchanging intermediate results, each side computes the same secret key. An eavesdropper sees only public information and intermediate results — not the private secrets. Diffie-Hellman doesn't encrypt the information itself — it only creates the shared key, which is then used with symmetric encryption.
- Hash Functions (Fingerprint)
- Easy to produce a hash from data, but impossible to reconstruct the original data from the output (one-directionality). Changing even a single bit of input completely changes the resulting hash. Used for storing passwords (only the hash is stored, never the password itself) and for checking the integrity of files downloaded from the internet.
- Digital Signature
- The signature doesn't hide the information — it proves who sent it and that it wasn't altered. Process: produce a hash (fingerprint) of the document, encrypt it with the sender's private key (this is the signature), and send the document plus the signature. The recipient verifies with the sender's public key. Changing one bit in the document breaks the signature entirely, and it grants non-repudiation — the sender can't later claim they didn't send it.
- TLS: Not an Algorithm, a Protocol
- TLS isn't a single algorithm but a framework bundling: a handshake (identification), agreement on a cipher suite, key exchange (asymmetric, like RSA or Diffie-Hellman), and actual data encryption (symmetric, like AES) — with Hash (like SHA-256) for integrity checks. HTTPS is the 'envelope' (the umbrella protocol); TLS is the secure 'engine' inside it; AES/RSA are the mathematical tools that do the actual work.
- Kerberos: Ticket-Based Organizational Authentication
- The central authentication system in Windows/Active Directory environments. The user receives a temporary 'ticket' from a central authority (the KDC) after initial authentication, and uses it to access resources without retyping the password — the password itself never travels over the network in the clear.