Show understanding of digital certification

17.1 Encryption, Encryption Protocols and Digital Certificates

What is Encryption? 🔒

Encryption is like putting a secret message into a locked box. Only someone with the right key can open it and read the message. In computer science we use mathematical algorithms to create that lock and key.

Symmetric vs Asymmetric Encryption ⚔️

RSA – A Classic Asymmetric Algorithm 🔑

RSA uses two large prime numbers, \(p\) and \(q\). We compute:

1. Modulus \(n = p \times q\)
2. Euler’s totient \(\phi(n) = (p-1)(q-1)\)
3. Choose public exponent \(e\) such that \(\gcd(e,\phi(n)) = 1\)
4. Compute private exponent \(d\) where \(e \times d \equiv 1 \pmod{\phi(n)}\)

Encryption: \(c \equiv m^e \pmod{n}\) Decryption: \(m \equiv c^d \pmod{n}\)

Digital Signatures ✍️

A digital signature proves that a message came from a particular sender and hasn't been altered. The process:

1. Sender hashes the message: \(h = \text{Hash}(m)\)
2. Sender encrypts the hash with their private key: \(s = h^d \pmod{n}\)
3. Receiver decrypts the signature with the sender’s public key: \(h' = s^e \pmod{n}\)
4. Receiver hashes the received message and compares \(h'\) with the new hash. If they match, the signature is valid.

Digital Certificates 📜

A digital certificate is like a passport for a website or user. It binds a public key to an identity and is issued by a trusted authority (Certificate Authority – CA). Key fields in a certificate:

Public Key Infrastructure (PKI) 🔗

PKI is the system that manages digital certificates and keys. It includes:

• Certificate Authorities (CAs) – issue and revoke certificates.
• Registration Authorities (RAs) – verify identity before a CA issues a certificate.
• Certificate Revocation Lists (CRLs) – list of certificates that are no longer trusted.
• Online Certificate Status Protocol (OCSP) – real‑time certificate status checking.

Encryption Protocols – TLS/SSL 🌐

TLS (Transport Layer Security) is the modern successor to SSL. It ensures:

1. Confidentiality – data is encrypted.
2. Integrity – data cannot be tampered with unnoticed.
3. Authentication – the server (and optionally the client) proves its identity via certificates.

Typical TLS handshake steps:

1. Client → Server: Hello, list of supported cipher suites.
2. Server → Client: Hello, chosen cipher suite, server certificate.
3. Client verifies certificate, generates a pre‑master secret, encrypts it with the server’s public key, and sends it.
4. Server decrypts pre‑master secret, both parties derive session keys.
5. Secure communication begins using the session keys.

Real‑World Analogy: The Post Office 📬

Imagine you want to send a secret letter to a friend:

• You write the letter (message).
• You put it in a lockbox and lock it with a key only your friend has (asymmetric encryption).
• You give the lockbox to a trusted post office (CA) that stamps it with a seal (digital certificate) proving it really came from you.
• Your friend receives the box, checks the seal, unlocks it with their key, and reads the letter.

This is essentially what TLS does over the internet, but with computers and math instead of paper and lockboxes.

Key Takeaways for A-Level CS 📚

• Encryption protects data; digital signatures prove authenticity.
• Symmetric keys are fast but need secure exchange; asymmetric keys solve the key exchange problem.
• Digital certificates bind public keys to identities and are issued by trusted CAs.
• PKI manages the lifecycle of certificates and keys.
• TLS uses a combination of symmetric and asymmetric techniques plus certificates to secure web traffic.