Chapter 11 Β· Examples

Real-World & Exam Scenarios

Symmetric vs. asymmetric in practice, PGP email, HTTPS, and key escrow scenarios.

Example 1: Why Symmetric Keys Don't Scale

Scenario: A company has 5 executives who need to send encrypted messages to each other. They use symmetric encryption β€” every pair needs a unique key so no one else can decrypt their private conversations.
Key count calculation: 5 people = 10 unique key pairs needed. If the company grows to 100 employees: 4,950 keys. To 1,000 employees: nearly 500,000 keys. Each key must be generated, distributed securely, stored, and rotated.
Key point: Symmetric key distribution scales quadratically β€” it becomes completely unmanageable. Asymmetric encryption eliminates this: each person needs only one key pair, regardless of how many people they communicate with.

Example 2: HTTPS β€” Asymmetric and Symmetric Working Together

Scenario: You open your browser and connect to your bank's website. A padlock appears. What just happened cryptographically?
Behind the scenes (TLS handshake):
1. Bank's server sends its public key (in its certificate).
2. Your browser generates a random symmetric session key.
3. Browser encrypts the session key with the bank's public key and sends it.
4. Only the bank (with its private key) can decrypt and recover the session key.
5. Both sides now have the same symmetric session key.
6. All subsequent communication uses fast symmetric encryption with that session key.
Key point: HTTPS is hybrid encryption in action. Asymmetric for the key exchange (TLS handshake) β€” symmetric for the actual data. Every time you see a padlock, this exchange happened.

Example 3: PGP Email Encryption

Scenario: A security researcher wants to receive sensitive tips from whistleblowers via email, ensuring only they can read the messages.
Setup: The researcher generates a PGP key pair and publishes their public key on a keyserver and their website. Anyone wanting to send them an encrypted tip takes the researcher's public key, encrypts the message in their email client, and sends it. The message travels as encrypted ciphertext β€” unreadable by email servers, ISPs, or anyone who intercepts it.
Key point: PGP / GPG are practical implementations of asymmetric encryption for email. The sender uses the recipient's public key. Only the recipient's private key can decrypt. No pre-shared secret required.

Exam Scenario 1: "Which key encrypts? Which decrypts?"

Question: Bob wants to send Alice an encrypted message that ONLY Alice can read. Which key does Bob use to encrypt?

A) Bob's private key
B) Bob's public key
C) Alice's public key
D) Alice's private key

Answer: C β€” Alice's public key
To encrypt a message for Alice, use Alice's public key. Only Alice's private key can decrypt it. Bob's keys are used for signing (Bob's private key) or for others to send encrypted messages TO Bob (Bob's public key).

Exam Scenario 2: "Can you derive the private key from the public key?"

Question: An attacker intercepts Alice's public key. Can they use it to determine Alice's private key?

Answer: No β€” this is computationally infeasible.
Although the public and private keys are mathematically related (created from the same process using large prime numbers), it is computationally infeasible to reverse-engineer the private key from the public key. This one-way mathematical property is the foundation of asymmetric security. The public key can be safely distributed to everyone β€” that's its entire purpose.

Exam Scenario 3: "What is key escrow?"

Question: An organization requires that all employee private keys be stored in a secure vault accessible to IT management. What is this practice called?

A) Key rotation
B) Key escrow
C) Key stretching
D) Key distribution

Answer: B β€” Key escrow
Key escrow = storing copies of private keys with a trusted party. Enables data recovery if an employee leaves or loses their key. Controversial because it means a third party has your private key β€” must be protected with very strong access controls.