[ SENDER ]

1) User selects file to encrypt

2) System generates a random AES-256 key

3) File is encrypted using AES-GCM (outputs: ciphertext + nonce + tag)

4) AES key is encrypted using Receiver’s RSA Public Key

5) System computes SHA-256 hash of the ORIGINAL plaintext file

6) Hash is digitally signed using Sender’s RSA Private Key

7) System creates secure .enc package containing:

• RSA-encrypted AES key

• AES nonce (IV)

• AES-GCM ciphertext

• AES-GCM authentication tag

• Digital signature

• Original file extension (.pdf, .txt, .docx, etc.)

8) Sender transmits the encrypted .enc file

[ RECEIVER ]

--------------------------------

1) Receiver loads the .enc file

2) System extracts the components:

• RSA encrypted AES key

• nonce

• ciphertext

• tag

• digital signature

• file extension

3) AES key is decrypted using Receiver’s RSA Private Key

4) Ciphertext is decrypted using AES-GCM → restores plaintext

5) System generates SHA-256 hash of decrypted plaintext

6) Signature verification:

• Verify digital signature using Sender’s RSA Public Key

• Compare hash from signature with computed hash

7) If VALID → File is original & untampered

If INVALID → File was modified / corrupted

8) Save decrypted file with correct extension