Skip to main content
QLDDigital SolutionsSyllabus dot point

How is data kept secure as it is stored and exchanged between digital systems?

Explain and apply data security techniques including encryption (symmetric and asymmetric), hashing, authentication and secure transmission to protect data confidentiality, integrity and availability

A focused answer to the QCE Digital Solutions Unit 4 dot point on data security. Symmetric and asymmetric encryption, hashing, the CIA triad, authentication and HTTPS, and how QCAA expects you to secure a data exchange solution in IA3.

Generated by Claude Opus 4.76 min answer

Reviewed by: AI editorial process; not yet individually human-reviewed

Have a quick question? Jump to the Q&A page

Jump to a section
  1. What this dot point is asking
  2. The CIA triad
  3. Encryption
  4. Hashing
  5. Authentication and secure transmission
  6. How this appears in IA3

What this dot point is asking

QCAA wants you to explain how data is protected, both at rest and in transit, and to apply appropriate security techniques in a solution. You must understand encryption (symmetric and asymmetric), hashing, authentication, and secure transmission, and relate them to the confidentiality, integrity and availability of data. Because Unit 4 solutions exchange data over networks, security is a core design concern, not an afterthought.

The CIA triad

Security goals are summarised as three properties:

  • Confidentiality: only authorised parties can read the data (achieved by encryption and access control).
  • Integrity: data is not altered without detection (achieved by hashing and checksums).
  • Availability: authorised users can access the data when needed (achieved by backups and resilient systems).

Every security technique maps to one or more of these, so naming the property is how you justify a design choice.

Encryption

Encryption transforms readable plaintext into unreadable ciphertext using a key. Only someone with the correct key can reverse it.

  • Symmetric encryption uses the same key to encrypt and decrypt (for example AES). It is fast, good for bulk data, but both parties must already share the secret key, which is itself a distribution problem.
  • Asymmetric encryption uses a key pair: a public key encrypts and a matching private key decrypts (for example RSA). Anyone can encrypt with your public key, but only you can decrypt with your private key, so no shared secret is needed up front.

In practice systems combine both: asymmetric encryption securely exchanges a symmetric session key, then fast symmetric encryption protects the actual data. This is exactly what HTTPS does.

Hashing

A hash function maps any input to a fixed-length fingerprint. A good cryptographic hash (such as SHA-256) is deterministic, fast to compute, and infeasible to reverse, and changing one bit of input changes the whole output.

import hashlib

password = "Sunshine2026!"
digest = hashlib.sha256(password.encode()).hexdigest()
print(digest)   # 64-character hex fingerprint

Two uses dominate:

  • Password storage: store the hash, not the password. At login, hash the entered password and compare digests, so the real password is never stored. A per-user random salt is added before hashing to defeat precomputed-table attacks.
  • Integrity checks: hash a file or message; if the recomputed hash differs, the data was altered.

Authentication and secure transmission

Authentication verifies who a user is before granting access. Techniques range from passwords (something you know) to tokens and multi-factor authentication (adding something you have or are). Authorisation then controls what an authenticated user may do.

Secure transmission protects data in transit. HTTPS uses TLS to authenticate the server with a certificate and encrypt the connection, so data exchanged over the network cannot be read or tampered with by an eavesdropper. Any data exchange in a Unit 4 solution should use HTTPS rather than plain HTTP.

How this appears in IA3

IA3 solutions exchange data, so markers expect you to identify the security risks, apply appropriate techniques (encrypted transmission, hashed passwords, validated input, access control) and justify each against confidentiality, integrity or availability. Name the technique, name the property it protects, and explain the threat it mitigates; a vague claim that the solution is "secure" earns nothing without that reasoning.

Exam-style practice questions

Practice questions written in the style of QCAA exam questions on this dot point, with worked answer explainers. The year tag is the paper they imitate, not the source.

2021 QCAA6 marksA mobile app lets car owners remotely unlock their cars by entering a username and password. Account data includes full name, date of birth, home address, driver licence number, and vehicle make, model, colour and registration. Analyse the information and evaluate risks to data confidentiality, integrity and availability for this app. Justify your response with three examples.
Show worked answer →

This question maps directly onto the CIA triad, with 3 marks for evaluating each risk and 3 marks for a justified example of each. Address all three properties.

Confidentiality: the risk is that an unauthorised person observes the data in transit. Example: the login password could be intercepted unless it is encrypted, exposing the account [1 mark evaluate plus 1 mark example].

Integrity: the risk is that data is corrupted, lost or maliciously manipulated. Example: an altered record could cause the wrong car to be unlocked, or a hacker could change details to cause harm [1 plus 1].

Availability: the risk is that someone interferes with transmission so data packets do not reach the destination. Example: blocking the unlock request could lock the owner out, or an attacker could exploit downtime to access and steal the car [1 plus 1].

Markers reward naming each property, stating the threat, and tying a concrete example from the scenario to each.

2021 QCAA2 marksIn an online silent auction, items are posted on a public website and participants post secret bids that others cannot see. Recommend one encryption method to securely store auction data and justify your response.
Show worked answer →

One mark is for a valid encryption method and one for an effective justification, so name a specific algorithm and explain why it suits storing sensitive data.

A high band response recommends AES (Advanced Encryption Standard) [1 mark]. Justify it by contrasting strength: AES supersedes DES and 3DES, using 128 bit blocks with 128, 192 or 256 bit keys, whereas DES and 3DES use smaller 64 bit blocks and are older ciphers that can be cracked in as little as a day. A weak cipher would let an attacker read the auction data before the bids are revealed, so AES protects the confidentiality of the stored data [1 mark].

Any defensible modern symmetric cipher with a sound justification earns the marks; the key is linking the choice to the confidentiality requirement.

2024 QCAA2 marksA school navigation app stores user data and supports third-party content sharing. Recommend a data security strategy for the app and provide an example to justify your response.
Show worked answer →

One mark is for recommending an appropriate security strategy and one for justifying it with an example.

A high band response recommends access control [1 mark]: limiting user access to specific features and data based on roles and permissions. Justify with a concrete example, e.g. school administration staff, students and visitors are each granted different levels of access, so a visitor cannot reach administrative data or another user's personal information [1 mark].

Other defensible strategies, such as encrypting data in transit with HTTPS/TLS, hashing and salting stored passwords, or authentication, also earn the marks provided the example shows how the strategy reduces a real risk to the data.