How is data kept confidential and authentic over a network, and how do symmetric and public-key encryption work?
Explain symmetric and public-key (asymmetric) encryption, digital signatures and common network threats and defences
A focused answer to the H2 Computing outcome on network security. Symmetric and public-key encryption, the key-distribution problem, digital signatures for authenticity, hashing, and common threats and defences.
Reviewed by: AI editorial process; not yet individually human-reviewed
What this dot point is asking
SEAB wants you to explain symmetric and public-key encryption, digital signatures, and common network threats and their defences. The central idea is that encryption protects confidentiality while signatures and hashing protect authenticity and integrity - and that the two kinds of encryption are combined to get both security and speed.
The answer
Symmetric encryption
Symmetric encryption uses a single shared secret key for both encrypting and decrypting. It is fast and good for bulk data, but both parties must already share the key. That raises the key-distribution problem: how do you get the secret key to the other party over an insecure network without it being intercepted?
Public-key (asymmetric) encryption
Public-key encryption uses a key pair:
- a public key, shared openly, used to encrypt, and
- a private key, kept secret, used to decrypt.
What one key encrypts, only the other can decrypt. Because the public key can be published freely, anyone can encrypt a message that only the private-key holder can read - no secret travels, solving the key-distribution problem. The trade-off is that it is much slower than symmetric encryption.
Hybrid systems
Real systems combine both. In TLS (HTTPS), slow public-key encryption is used once to securely agree a symmetric session key, then fast symmetric encryption protects the actual data. This hybrid scheme gets the security of public-key exchange with the speed of symmetric encryption.
Hashing and digital signatures
A hash function maps data to a fixed-size value (a digest); any change to the data changes the hash, so it detects tampering (integrity).
A digital signature proves who sent a message and that it was unaltered:
- The sender hashes the message and encrypts the hash with their private key - the signature.
- The recipient decrypts the signature with the sender's public key to recover the hash, and independently hashes the received message.
- If the two hashes match, it proves authenticity (only the private-key holder could sign) and integrity (alteration would break the match).
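Both ideas above, the hybrid scheme (public-key once to wrap a symmetric session key, symmetric for the bulk data) and hash-then-sign signatures, in one added example that is not part of the original notes. It uses textbook RSA with two small primes and a SHA-256-derived keystream as a stand-in for AES; the key sizes and the function names (`make_keypair`, `hybrid_encrypt`, `sign`, `verify`) are constructed for illustration only, and real systems add padding and authenticated encryption.

```python
import hashlib
import secrets
from math import gcd

def make_keypair(p=1000003, q=999983, e=65537):
    """Toy RSA key pair (constructed: real keys use ~2048-bit primes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)               # private exponent, kept secret
    return (e, n), (d, n)             # (public key, private key)

def rsa_apply(key, m):
    """Raise m to the key exponent mod n: encrypt with pub, decrypt/sign with priv."""
    k, n = key
    assert 0 <= m < n
    return pow(m, k, n)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric part: XOR data with a SHA-256 counter keystream (stand-in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_encrypt(pub, plaintext: bytes):
    """Fresh session key wrapped with the public key; bulk data under symmetric cipher."""
    session_key = secrets.randbelow(pub[1] - 2) + 2        # 2 .. n-1
    wrapped = rsa_apply(pub, session_key)                  # only priv can unwrap it
    return wrapped, stream_xor(session_key.to_bytes(8, "big"), plaintext)

def hybrid_decrypt(priv, wrapped, ciphertext: bytes) -> bytes:
    session_key = rsa_apply(priv, wrapped)
    return stream_xor(session_key.to_bytes(8, "big"), ciphertext)

def digest_int(message: bytes, n: int) -> int:
    # Hash first, then reduce so the value fits the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message: bytes) -> int:
    """Signature = hash of the message transformed with the private key."""
    return rsa_apply(priv, digest_int(message, priv[1]))

def verify(pub, message: bytes, signature: int) -> bool:
    """Recover the hash with the public key and compare to a fresh hash."""
    return rsa_apply(pub, signature) == digest_int(message, pub[1])
```

Decrypting the ciphertext recovers the original bytes, the signature verifies on the untouched message, and changing even one byte of the message (or the signature) makes the two hashes disagree.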
Threats and defences
| Threat | Defence |
|---|---|
| Interception / eavesdropping | Encryption (HTTPS/TLS) |
| Man-in-the-middle | Certificates / authentication |
| Malware | Antivirus, updates, firewalls |
| Denial-of-service | Rate-limiting, filtering |
| Phishing | User education, authentication |
Examples in context
Example 1. The TLS handshake behind HTTPS. When you open a secure site, your browser and the server use public-key cryptography to verify the server's certificate and agree a symmetric session key, then encrypt all page data symmetrically for speed. This hybrid is why HTTPS is both secure and fast enough for everyday browsing.
Example 2. Verifying a software download. A publisher signs an installer with its private key and publishes the matching public key. Your system verifies the signature before installing, confirming the file genuinely came from the publisher and was not altered or replaced with malware in transit - authenticity and integrity in action.
Try this
Q1. In public-key encryption, which key encrypts a confidential message and which decrypts it? [2 marks]
- Cue. The recipient's public key encrypts; the recipient's private key decrypts.
Q2. Why is symmetric encryption used for bulk data even when public-key encryption is available? [1 mark]
- Cue. Symmetric encryption is much faster; public-key encryption is slow, so it is used only to exchange the symmetric session key.
Q3. How does a digital signature prove a message was not altered? [2 marks]
- Cue. The sender signs a hash of the message with their private key; the recipient verifies with the public key and rehashes - any alteration changes the hash, breaking the match.
Exam-style practice questions
Practice questions written in the style of SEAB exam questions on this dot point, with worked answer explainers. The year tag is the paper they imitate, not the source.
Original, 6 marks. (a) Distinguish between symmetric and public-key (asymmetric) encryption. (b) Explain the key-distribution problem with symmetric encryption and how public-key encryption solves it. (c) State which is typically faster and how real systems combine the two.
Worked answer:
(a) Symmetric encryption uses one shared secret key for both encryption and decryption. Public-key (asymmetric) encryption uses a key pair: a public key to encrypt and a mathematically related private key (kept secret) to decrypt; what one key encrypts, only the other can decrypt.
(b) The key-distribution problem: with symmetric encryption, both parties must already share the secret key, but sending it over an insecure network risks interception. Public-key encryption solves this because the public key can be shared openly - anyone can encrypt to the holder, but only the private-key holder can decrypt, so no secret needs to travel.
(c) Symmetric encryption is much faster for bulk data. Real systems (such as TLS/HTTPS) combine them: public-key encryption is used to securely exchange or agree a symmetric session key, then fast symmetric encryption protects the actual data. This is a hybrid scheme.
Markers reward the one-key-versus-key-pair distinction, the key-distribution problem solved by an openly shareable public key, and symmetric being faster with a hybrid (public-key to exchange a symmetric session key).
Original, 5 marks. (a) Explain how a digital signature lets a recipient verify who sent a message and that it was not altered. (b) State one common network threat and a defence against it.
Worked answer:
(a) A digital signature uses the sender's private key. The sender computes a hash of the message and encrypts that hash with their private key - this is the signature. The recipient decrypts the signature with the sender's public key to recover the hash, and independently hashes the received message. If the two hashes match, it proves: authenticity (only the holder of the private key could have produced it, since it verifies with their public key) and integrity (any alteration would change the hash, breaking the match).
(b) A threat and defence (any one): interception/eavesdropping defended by encryption (HTTPS/TLS); a man-in-the-middle attack defended by certificates/authentication; malware defended by antivirus and updates/firewalls; a denial-of-service attack defended by rate-limiting and filtering; phishing defended by user education and authentication.
Markers reward the sign-with-private-key, verify-with-public-key flow over a hash giving authenticity and integrity, and one valid threat paired with an appropriate defence.