Module 1: Secure Software Architecture

NSWSoftware EngineeringSyllabus dot point

Inquiry Question 1: How are secure systems designed?

Compare symmetric and asymmetric encryption, and describe their roles in securing data in transit and at rest

A focused answer to the HSC Software Engineering Module 1 dot point on encryption. Symmetric (AES) versus asymmetric (RSA), where each is used, how HTTPS combines them, the worked example, and the traps markers look for.

Generated by Claude OpusReviewed by Better Tuition Academy6 min answer

Have a quick question? Jump to the Q&A page

What this dot point is asking

NESA wants you to compare symmetric and asymmetric encryption on speed, key management, and typical use case, then explain how real systems combine both - especially HTTPS, the most-examined example.

The answer

Symmetric encryption

One shared key is used to encrypt and decrypt. The same key that scrambles the data unscrambles it.

  • Algorithm: AES (Advanced Encryption Standard) with key sizes of 128, 192, or 256 bits.
  • Speed: very fast, can encrypt gigabytes per second on commodity hardware.
  • Key management problem: both parties need the key before they can communicate. Distributing the key securely is the hard part.
  • Typical use: encrypting data at rest (databases, files), bulk encryption of session traffic once a session key has been established.

Asymmetric encryption

A key pair: a public key (shared with everyone) and a private key (kept secret by the owner). Data encrypted with the public key can only be decrypted with the private key.

  • Algorithm: RSA (typical key size 2048 or 4096 bits), or Elliptic Curve Cryptography (smaller keys, same security).
  • Speed: much slower than symmetric, roughly 1000x slower per byte.
  • Key management: solves the key exchange problem. You can publish your public key anywhere; only you can decrypt messages sent to it.
  • Typical use: key exchange, digital signatures, certificates.

The hybrid model: HTTPS

Real systems combine both. HTTPS is the canonical example: asymmetric encryption for the handshake (key exchange), then symmetric encryption for the bulk traffic. The diagram shows the four-step handshake.

TLS hybrid encryption handshake Two vertical lines representing browser and server. Step 1 shows the server sending its certificate containing the public key. Step 2 shows the browser generating a random session key and encrypting it with the public key. Step 3 shows the server decrypting the session key with its private key. Step 4 shows both sides exchanging data encrypted symmetrically with the session key. Browser Server 1. certificate with public key asymmetric (RSA) 2. generate random session key (symmetric AES key) 3. session key encrypted with public key only the server can decrypt 4. all traffic encrypted with session key symmetric (AES), fast

  1. The browser opens a TCP connection to the server.
  2. The server sends its TLS certificate, which contains its public key.
  3. The browser verifies the certificate against a list of trusted certificate authorities.
  4. The browser generates a random session key (symmetric).
  5. The browser encrypts the session key with the server's public key and sends it.
  6. The server decrypts the session key with its private key.
  7. All subsequent traffic in the session is encrypted with the symmetric session key.

Asymmetric encryption is used only for the handshake. The actual data is protected by fast symmetric encryption.

Worked code

A short Python example using the cryptography library:

from cryptography.fernet import Fernet

# Symmetric: AES under the hood
key = Fernet.generate_key()
cipher = Fernet(key)

message = b"transfer $5000 to account 123"
encrypted = cipher.encrypt(message)
decrypted = cipher.decrypt(encrypted)
assert decrypted == message

For asymmetric:

from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes

private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
public_key = private_key.public_key()

message = b"session key here"
encrypted = public_key.encrypt(
    message,
    padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                 algorithm=hashes.SHA256(), label=None)
)
decrypted = private_key.decrypt(
    encrypted,
    padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                 algorithm=hashes.SHA256(), label=None)
)
assert decrypted == message

Past exam questions, worked

Real questions from past NESA papers on this dot point, with our answer explainer.

2025 HSC5 marksCompare symmetric and asymmetric encryption. Explain how HTTPS uses both to secure a connection between a browser and a web server.
Show worked answer →

Symmetric encryption uses one shared key for both encryption and decryption. AES-256 is the standard. It is very fast, suitable for encrypting large amounts of data, but both parties need a secure way to exchange the key first.

Asymmetric encryption uses a key pair: a public key that anyone can use to encrypt, and a private key (kept secret) that only the owner can use to decrypt. RSA and Elliptic Curve are common. Asymmetric is much slower than symmetric, so it is not used for bulk data.

HTTPS combines both to get the best of each. When the browser connects to the server:

  1. The server sends its public key (inside a certificate signed by a trusted authority).
  2. The browser verifies the certificate, then generates a fresh random symmetric session key.
  3. The browser encrypts the session key with the server's public key and sends it. Only the server can decrypt it.
  4. From then on, all traffic in the session is encrypted with the symmetric session key using AES.

The asymmetric step solves the key-exchange problem. The symmetric step gives speed. Markers reward the comparison (speed, key management, use case), the explicit handshake steps, and naming AES and RSA.

Related dot points