Encryption, Digital Signatures, and Authentication

Encryption, digital signatures, and authentication are secure-access ideas. They are often taught together because they involve trust, keys, or identity. They solve different problems.

Before choosing one, identify the security question being asked. Is the problem that outsiders can read data, that a message may have been altered, or that a system needs to know who is logging in?

IdeaMain question
encryptionCan unauthorised people read the data?
digital signatureCan the receiver trust who produced the message and that it was not changed?
authenticationCan a user or system prove its identity now?

Big Picture

A common beginner mistake is to say “use encryption” for every security problem. Encryption is important, but it mainly protects confidentiality. It does not automatically prove that a user is allowed to log in, and it does not automatically keep a server available during a DoS attack.

First Decide the Goal

Use this quick distinction before writing an answer:

Problem in the scenarioMain idea to useSecurity goal
someone may read captured dataencryptionconfidentiality
someone may change or forge a messagedigital signatureintegrity and authenticity
someone is trying to log inauthenticationidentity checking before access
someone has logged in but wants to delete recordsauthorisationpermission after identity is known

Authorisation is not the main focus of this note, but it is useful because many students mix it up with authentication.

Encryption

Encryption converts plaintext into ciphertext using a key.

plaintext + encryption key -> ciphertext
ciphertext + decryption key -> plaintext
  • Plaintext is the readable original data.
  • Ciphertext is the unreadable encrypted form.
  • A key controls the encryption and decryption process.

If an attacker captures ciphertext but does not have the needed key, the message should not be readable.

Tiny Message Example

Suppose the plaintext is:

Meet at 3 pm

After encryption, the transmitted data may look like unreadable ciphertext:

X9Q-41A-ZT7...

The exact symbols are not important here. The key idea is:

without the right key -> captured data should not be understandable
with the right key -> receiver can recover the original message

This protects confidentiality. It does not by itself prove that the sender is honest, that the user is authorised, or that the server will stay available.

A useful exam phrase is:

Encryption protects the readability of data, not every aspect of security.

Symmetric Encryption

Symmetric encryption uses the same secret key to encrypt and decrypt.

same shared secret key
sender encrypts -> receiver decrypts

Strength:

  • efficient for encrypting data;
  • conceptually simple once both parties share the secret key.

Main difficulty:

  • the secret key must be delivered to the receiver safely;
  • if the key is stolen, anyone with the key can decrypt the messages.

Asymmetric Encryption

Asymmetric encryption uses a pair of keys:

  • a public key that can be shared;
  • a private key that must be kept secret.

The two keys are mathematically related, but one should not be practically derivable from the other.

High-level idea:

public key: can be distributed
private key: kept by the owner

This helps solve the key-sharing problem because the public key does not need to be kept secret.

When Each Key Idea Is Useful

At H2 level, students do not need to implement algorithms. The useful comparison is practical:

  • symmetric encryption is efficient once both sides already share the secret key;
  • asymmetric encryption helps when the parties need to communicate without first sharing the same secret key safely;
  • digital signatures use the public/private key idea for trust in message origin and integrity.

Symmetric Versus Asymmetric

FeatureSymmetric encryptionAsymmetric encryption
keyssame shared secret keypublic/private key pair
main challengesharing the secret key safelymanaging and trusting public keys
typical strengthefficient for bulk datauseful for key exchange and signatures
beginner phraseone shared secrettwo related keys

For H2 Computing, explain the key idea and trade-off. Detailed cryptographic algorithms are outside core scope.

Digital Signature

A digital signature provides evidence that:

  • the message came from the claimed sender;
  • the message has not been changed after signing.

It supports authenticity and integrity.

A digital signature is not the same as encrypting the whole message. A signed message might still be readable unless it is also encrypted.

Digital Signature Analogy

Think of a digital signature as a tamper-evidence and origin check for a message.

It is not mainly asking:

Can outsiders read this message?

It is asking:

Was this message changed?
Was it signed using the sender's private key?

That is why digital signatures are linked to integrity and authenticity, while encryption is linked to confidentiality.

Digital Signature Conceptual Flow

Sender:

message -> hash algorithm -> digest
digest + sender's private key -> digital signature
send message and digital signature

Receiver:

received message -> same hash algorithm -> new digest
digital signature + sender's public key -> sender's digest
compare both digests

If the digests match, the receiver has evidence that the message was not altered and that the signature was produced using the sender’s private key.

Why Hashing Appears in Signatures

A hash algorithm produces a fixed-size digest from a message.

Useful properties at this level:

  • the same message gives the same digest;
  • a changed message should give a different digest;
  • the digest is smaller than the original message.

The signature signs the digest rather than the whole message. This keeps the process practical and lets the receiver detect changes.

Signature Trace With a Small Message

Conceptual example:

Original message: Pay $20 to vendor A
Hash digest: H1
Digital signature: sender signs H1 with private key

If someone changes the message:

Changed message: Pay $200 to vendor A
Receiver hashes changed message -> H2
Receiver checks signature -> original signed digest H1
H1 and H2 do not match

The mismatch tells the receiver that the message content is not the same as the signed content.

What a Signature Does Not Do

A digital signature does not automatically hide the message. A signed message may still be readable if it is sent as plaintext.

A digital signature also does not decide whether the sender is allowed to perform an action. It gives evidence about message origin and whether the message changed. The receiving system may still need access control rules after that.

Authentication

Authentication is the process of proving identity.

Example:

user claims: I am Mei
system asks for evidence
user provides password and token code
system checks evidence
system accepts or rejects the claim

Authentication happens before access is granted. It is different from authorisation:

  • authentication asks “Who are you?”
  • authorisation asks “What are you allowed to do?”

Authorisation is useful context, but the core syllabus item here is authentication.

Authentication Versus Digital Signature

These two ideas both involve identity, but they are used differently.

SituationBetter termWhy
user is logging in nowauthenticationthe system is checking the current user’s identity
receiver checks who signed a message earlierdigital signaturethe receiver is checking message origin and integrity
user has logged in but tries to delete recordsauthorisationthe system must decide whether this authenticated user has permission

For this syllabus topic, authentication is core. Authorisation is included here only to prevent confusion.

Authentication Factors

FactorMeaningExample
knowledgesomething the user knowspassword, PIN
possessionsomething the user hassecurity token, phone authenticator app
inherencesomething the user isfingerprint, face recognition

Two-factor authentication uses evidence from two different factor categories. A password plus a one-time token is stronger than a password alone because stealing the password is not enough.

Choosing the Right Idea

ScenarioBest matching ideaReason
a message is intercepted on public Wi-Fiencryptionhides message contents
a document may have been altered after signingdigital signaturedetects change and supports sender authenticity
a user logs in to an email serverauthenticationproves current identity
a password is stolen by a keyloggertwo-factor authenticationpassword alone should not be enough
a website is overwhelmed by trafficnot encryptionavailability problem, not content secrecy problem

Mini Worked Comparison

Scenario:

A student sends a project file to a teacher.
The file contains private marks.
The teacher also wants to know whether the file was altered after the student sent it.

Reasoning:

NeedSuitable ideaWhy
prevent outsiders reading the marksencryptionprotects confidentiality during storage or transmission
detect whether the file was altereddigital signature or hash checksupports integrity
check that the student account is logging inauthenticationproves current identity before access

More than one security idea may be needed in the same real system. The key is not to claim that one idea solves all needs.

Common Mistakes

  • Saying encryption proves the sender’s identity.
  • Saying a digital signature keeps a message secret.
  • Forgetting that symmetric encryption has a key-distribution problem.
  • Saying a public key must be kept secret. The private key must be kept secret.
  • Mixing up authentication and authorisation.
  • Treating two-factor authentication as “two passwords”. Two factors should come from different categories.

Quick Check

PromptAnswer
Which idea protects data from being read by outsiders?encryption
Which key must be kept secret in asymmetric encryption?private key
Which idea checks that a message was not changed and came from the claimed sender?digital signature
Which process proves a user’s identity before access?authentication
Which factor is a fingerprint?inherence

Return to Network Security.