Teaching Cryptography Using Hands-on Labs and Case Studies
University of Tennessee at Chattanooga, Tuskegee University, and Southern Illinois University (formerly Southern Polytechnic State University)
Motivation 

Cryptography is and continues to be a relatively weak area in the current information assurance curriculum at most schools, primarily because of the lack of hands-on exercises and materials. The hands-on exercises provided by this project include both the implementation of cryptographic algorithms and an examination of threats and attacks on various cryptographic techniques. The case studies provided by this project engage students with open-ended real-world scenarios, such as securing BlackBerry devices, which challenge students to apply cryptographic techniques in realistic situations. 
The Need for Hands-On Cryptography Education 
Hands-on learning can be a highly effective pedagogical method because it engages students at a personal level. This sentiment is echoed by the saying attributed to Confucius, "I hear and I forget. I see and I remember. I do and I understand." However, current approaches to teaching cryptography at the undergraduate level tend to focus primarily on the mathematical and algorithmic aspects of cryptography. Hands-on learning is therefore needed to reinforce the mathematical and theoretical aspects of cryptography education. The goal of this project is to design a collection of labs that give students hands-on experience with cryptographic algorithms and, in particular, raise their awareness of possible threats and attacks against various cryptographic techniques. 
The Need for Case Studies in Cryptography Education 
At an event celebrating 30 years of public key cryptography in 2006, experts said that cryptography still lacked usability. Brian Snow, a retired technical director at the National Security Agency (NSA), noted that security products lack quality because they are poorly designed and often not designed with security in mind. Cryptography in real-world networks and systems has not been as effective as its mathematics would suggest, because of engineering challenges. Building real-world cryptographic systems is different from the abstract theory of cryptography grounded in pure mathematics: designers and implementers face real-world constraints that pose engineering challenges. To prepare students for these real-world security challenges, we must teach cryptography in real-world settings. Case studies that simulate and capture real-world cryptographic applications therefore need to be designed and incorporated into the cryptography curriculum. The case-study approach is a good way to achieve this, since it engages students in real-world settings, which inspires their creativity and trains them to adapt cryptographic solutions to emerging areas. 
Hands-on Labs 

1.1 Lab on encryption using binary/byte addition
1.2 Encryption using binary Exclusive-OR (XOR)
1.3 Triple DES with CBC mode and weak DES keys
2.1 Lab on RSA encryption and factorization attacks
2.2 Attack on RSA encryption with a short RSA modulus
3.1 Lab on hash generation and sensitivity of hash functions to plaintext modifications
4.1 Lab on digital signature visualization
4.3 Lab on attack on digital signature/hash collision

a. Programming Lab on Encryption Using Classical Techniques
In this project we will develop a program to encrypt plaintext given a keyword. The plaintext is encrypted with the Playfair cipher and the ciphertext is displayed to the user. The Playfair cipher (description taken from William Stallings, "Cryptography and Network Security: Principles and Practice") is the best-known multiple-letter encryption cipher; it treats digrams in the plaintext as single units and translates these units into ciphertext digrams. (This cipher was actually invented by British scientist Sir Charles Wheatstone in 1854, but it bears the name of his friend Baron Playfair of St. Andrews, who championed the cipher at the British Foreign Office.) View Lab: pdf
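A working Playfair implementation of the kind lab a asks for, added here as an example (it is not the lab's own code): it builds the 5x5 key square from a keyword (I and J share a cell), splits the plaintext into digrams with X as the filler for doubled letters and odd tails, and applies the three Playfair rules in both directions. The check values use the textbook keyword "monarchy" and plaintext "balloon" from Stallings, which encrypts as IB SU PM NA.

```python
"""Playfair cipher: key square, digram splitting, encryption and decryption.
Added example, not the project's lab code."""

ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters: I and J share one cell


def key_square(keyword):
    """Fill the square with the keyword's letters (deduplicated, J -> I), then the rest."""
    seen = []
    for ch in (keyword + ALPHABET).upper().replace("J", "I"):
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def _digrams(text):
    """Split letters into pairs; break doubled letters with a filler (X, or Q if the
    letter itself is X) and pad an odd trailing letter the same way."""
    letters = [c for c in text.upper().replace("J", "I") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        filler = "X" if a != "X" else "Q"
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append((a, filler))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def _shift(square, a, b, direction):
    """Apply the three Playfair rules; direction is +1 to encrypt, -1 to decrypt."""
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                                # same row: move along the row
        return square[ra][(ca + direction) % 5] + square[rb][(cb + direction) % 5]
    if ca == cb:                                # same column: move down (or up) the column
        return square[(ra + direction) % 5][ca] + square[(rb + direction) % 5][cb]
    return square[ra][cb] + square[rb][ca]      # rectangle: swap the columns


def encrypt(plaintext, keyword):
    square = key_square(keyword)
    return "".join(_shift(square, a, b, +1) for a, b in _digrams(plaintext))


def decrypt(ciphertext, keyword):
    """Inverse rules. Filler letters inserted at encryption time stay in the output."""
    square = key_square(keyword)
    letters = [c for c in ciphertext.upper() if c in ALPHABET]
    return "".join(_shift(square, a, b, -1) for a, b in zip(letters[0::2], letters[1::2]))
```

Decryption of IBSUPMNA returns BALXLOON: the filler X that separated the doubled L is visible, which is one of the regularities a cryptanalyst exploits against Playfair.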
b. Programming Lab on Frequency Analysis
This lab introduces students to frequency analysis, a method of decoding ciphertext by studying how often each letter occurs. View Lab: pdf

c. Programming Lab on Testing Different Modes in Symmetric Ciphers
This lab introduces students to the modes of operation used with symmetric key ciphers, such as electronic codebook (ECB), cipher block chaining (CBC) and cipher feedback (CFB). Students must implement a symmetric key cipher, such as the Data Encryption Standard (DES), triple DES, or the Advanced Encryption Standard (AES), in several different modes of operation, and then investigate how each mode behaves with respect to pattern preservation (whether identical plaintext blocks produce identical ciphertext blocks) and error propagation (how far a corrupted ciphertext bit spreads into the decrypted plaintext). View Lab: pdf

d. Programming Lab on Short Message RSA Attacks and Padding
This lab introduces students to attacks against the RSA encryption algorithm and to the mechanisms that can be implemented to guard against them. Students will be asked to implement both padding-based and timing-based attacks on RSA. View Lab: pdf

e. Programming Lab on RSA Timing Attacks
A timing attack exploits the fourth dimension, time. If an algorithm is not specifically designed to thwart it, an attacker can measure how long a calculation takes and compare the calculation times for different inputs or keys. For example, in a straightforward square-and-multiply implementation of RSA, each 1 bit of the private exponent costs an extra modular multiplication compared with a 0 bit, so the total time depends on the key. The measured times can be used to rebuild the key and, with it, recover the plaintext. View Lab: pdf

f. Programming Lab on Hash Function
This lab introduces students to hash functions and how they provide message integrity. Students will be asked to use hashing to detect whether an encrypted message has been tampered with. Students will also need to show that this integrity check can be bypassed by tampering with both the ciphertext and the hash code, because an unkeyed hash can be recomputed by anyone who alters the message. 
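For lab c, an added example (not the lab's own code) of the mode logic and the two properties the lab asks students to investigate. Python's standard library has no DES or AES, so the block stands a small 64-bit Feistel network with a SHA-256 round function in for the block cipher; it is a toy and not a secure cipher, but ECB, CBC and CFB are implemented exactly as they would be over DES or AES. The key, IV and plaintext are constructed for the demonstration, and no padding is applied, so inputs must be a multiple of 8 bytes.

```python
"""ECB, CBC and CFB modes over a toy Feistel block cipher, with helpers that measure
pattern preservation and error propagation. Added example, not the lab's code."""
import hashlib

BLOCK = 8  # bytes per block
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    """Round function: 4 bytes derived from the key, the round number and the right half."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def block_encrypt(key, block):
    """Toy 64-bit Feistel cipher (stand-in for DES/AES, not secure)."""
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, right, i))
    return right + left  # undo the final swap so decryption runs the rounds backwards


def block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round(key, right, i))
    return right + left


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))  # chain: plaintext XOR previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, data):
    """Full-block CFB: the keystream block is the encryption of the previous ciphertext block."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = _xor(b, block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(c, block_encrypt(key, prev)))  # decryption also uses block_encrypt
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Pattern preservation: how many ciphertext blocks appear more than once."""
    blocks = _blocks(ciphertext)
    return sum(1 for b in blocks if blocks.count(b) > 1)


def flip_bit(data, bit):
    """Simulate a transmission error in one ciphertext bit."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def damaged_blocks(original, recovered):
    """Error propagation: indices of plaintext blocks that decrypt incorrectly."""
    return [i for i, (a, b) in enumerate(zip(_blocks(original), _blocks(recovered))) if a != b]


def bit_differences(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

With a plaintext made of repeated 16-byte phrases, every ECB ciphertext block recurs while no CBC block does. Flipping one bit in ciphertext block 2 damages only block 2 under ECB; under CBC it garbles block 2 and flips exactly one bit of block 3; under CFB it flips one bit of block 2 and garbles block 3. The helpers return these facts directly so students can tabulate them for each mode.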
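For labs 2.1, 2.2 and d, an added example (not the lab's own code) of textbook RSA with a deliberately short modulus and two attacks on it: Pollard's rho factors the 62-bit modulus and rebuilds the private exponent, and the low-exponent attack on a short unpadded message takes the integer cube root of the ciphertext (with e = 3 and m^3 < n there is no modular reduction to undo). A toy padding scheme, 16 random bits placed above a 32-bit message field, is enough to defeat the cube-root attack; it is a simplification and not a standard padding such as OAEP. The prime search and key sizes are chosen so both attacks finish in well under a second.

```python
"""Short-modulus and short-message attacks on textbook RSA. Added example, not the lab's code."""
import math
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with these fixed bases, deterministic for n < 3.3e24."""
    if n < 2:
        return False
    if n in SMALL_PRIMES:
        return True
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start, e):
    """Smallest prime >= start with gcd(p - 1, e) == 1, so e is invertible mod phi(n)."""
    p = start
    while not (is_probable_prime(p) and math.gcd(p - 1, e) == 1):
        p += 1
    return p


def make_key(e=3, half_bits=31):
    """Deterministic toy key: two primes just above 2^31 give a 62-bit modulus."""
    p = next_prime(1 << half_bits, e)
    q = next_prime(p + 1000, e)
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def iroot(x, k):
    """Exact integer k-th root of x, or None when x is not a perfect k-th power."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def pollard_rho(n):
    """A nontrivial factor of composite n in about n^(1/4) steps: instant for 62 bits."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    return None


def recover_private_key(pub):
    """Attack on a short modulus: factor n, then recompute d from phi(n)."""
    n, e = pub
    p = pollard_rho(n)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))


def cube_root_attack(pub, c):
    """Attack on a short unpadded message: if m^e < n then c == m^e as an integer."""
    n, e = pub
    return iroot(c, e)


def pad(m):
    """Toy padding: 16 random bits (top bit set) above a 32-bit message field."""
    r = secrets.randbits(16) | 0x8000
    return (r << 32) | m


def unpad(padded):
    return padded & 0xFFFFFFFF
```

The padded value is at least 2^47, so its cube wraps around the modulus many times and the cube root of the ciphertext is no longer an integer; decryption with the private key still recovers the padded value, and the mask strips the padding.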
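For lab e, an added example (not the lab's own code) of why a naive RSA exponentiation leaks the key. Instead of a stopwatch, the code counts modular multiplications, which is the quantity a timing attacker estimates through noise: left-to-right square-and-multiply does one squaring per exponent bit plus one extra multiplication per 1 bit, so the count reveals the Hamming weight of the exponent. The second routine is a Montgomery ladder, which does exactly two operations per bit regardless of the bit's value, so its count depends only on the exponent length.

```python
"""Operation-count model of the RSA timing leak. Added example, not the lab's code."""


def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation. Returns (result, multiplications performed).
    Every bit costs a squaring; each 1 bit costs an extra multiply by the base."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops += 1
        if bit == "1":
            result = result * base % mod
            ops += 1
    return result, ops


def montgomery_ladder(base, exp, mod):
    """Same result, but every bit costs one multiply and one square whatever its value,
    so the operation count reveals only the bit length. Invariant: r1 == r0 * base."""
    r0, r1, ops = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        ops += 2
    return r0, ops


def hamming_weight_from_ops(ops, bit_length):
    """Attacker's inference for square_and_multiply: ops == bit_length + popcount(exp)."""
    return ops - bit_length


def leaks_exponent(impl, base, mod, exp_a, exp_b):
    """True if two exponents of equal length cost a different number of operations."""
    return impl(base, exp_a, mod)[1] != impl(base, exp_b, mod)[1]
```

The lab measures wall-clock time rather than an operation count; the count is what that time is a noisy estimate of, and the ladder shows the shape of a fix (equal work for every key bit). A real constant-time implementation also needs blinding and care about data-dependent branches and memory access, which this model does not capture.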
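For lab f, an added example (not the lab's own code) that carries the lab's point through to its fix: a ciphertext protected by an unkeyed SHA-256 passes its integrity check after an attacker flips plaintext bits through the XOR cipher and recomputes the hash, whereas an HMAC under a second secret key rejects the same tampering. The XOR keystream cipher (SHA-256 in counter mode) stands in for the encryption step as in lab 1.2; keys, nonce and the payment message are constructed for the demonstration.

```python
"""Unkeyed hash versus HMAC for ciphertext integrity. Added example, not the lab's code."""
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output size, for both the plain hash and the HMAC


def keystream(key, nonce, length):
    """Deterministic keystream: SHA-256 over key || nonce || counter, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key, nonce, data):
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def protect_with_hash(key, nonce, plaintext):
    """Lab setup: ciphertext followed by an unkeyed hash of the ciphertext."""
    ct = xor_encrypt(key, nonce, plaintext)
    return ct + hashlib.sha256(ct).digest()


def check_with_hash(key, nonce, message):
    """Returns the plaintext if the hash matches, else None."""
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if hashlib.sha256(ct).digest() != tag:
        return None
    return xor_encrypt(key, nonce, ct)


def protect_with_hmac(enc_key, mac_key, nonce, plaintext):
    """Fix: authenticate the ciphertext with a key the attacker does not hold."""
    ct = xor_encrypt(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def check_with_hmac(enc_key, mac_key, nonce, message):
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return xor_encrypt(enc_key, nonce, ct)


def tamper(message, offset, plaintext_delta):
    """Attacker with no keys: XOR a chosen difference into the ciphertext (which flips the
    same bits of the plaintext under a stream cipher), then recompute the unkeyed hash."""
    ct = bytearray(message[:-TAG_LEN])
    for i, d in enumerate(plaintext_delta):
        ct[offset + i] ^= d
    ct = bytes(ct)
    return ct + hashlib.sha256(ct).digest()
```

Against the HMAC-protected message the attacker can still change the ciphertext, but the tag they append is a plain SHA-256 rather than an HMAC under the secret key, so verification fails. Note also that the check uses hmac.compare_digest rather than ==, so the comparison itself does not leak timing information about the tag.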
View Lab: pdf

g. Writing a Simple Certificate Authority
Certificates, or more specifically public key certificates, provide a mechanism that allows a third party, the issuer, to vouch for the fact that a particular public key belongs to a particular owner, the subject. Every certificate has a private key associated with it, and a chain of certificates is a list of certificates in which every certificate except the last has had its private key used to sign the certificate that follows it. The first certificate, the root certificate, is normally self-signed; you have to accept it as trusted for the certificate chain to be valid. The last certificate, the end-entity certificate, simply provides the public key you are interested in, which, assuming you accept the root certificate and every signature in the chain verifies, you can regard as authentic. The entity responsible for issuing a certificate is referred to as a certificate authority, or more commonly, a CA. View Lab: pdf

h. Programming Lab on Digital Signature
Generate a key pair and a digital signature for a data file using the private key, and export the public key and the signature to files. Verify a digital signature by importing a public key and a signature alleged to be the signature of a specified data file, and check the authenticity of the signature. View Lab: pdf
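For labs g and h, an added example (not the lab's own code) of the chain structure described above: a self-signed root, an intermediate signed by the root, and an end-entity certificate signed by the intermediate, with a verifier that walks the chain from a trusted root. The signature is textbook RSA over a SHA-256 digest truncated to 128 bits, and the three key pairs are built from Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1, 2^521-1, 2^607-1) so the block needs only the standard library and is reproducible; real CAs use X.509 encoding and a padded signature scheme such as PKCS#1, and never derive keys from public constants. The names "Lab Root CA", "Lab Intermediate CA" and "www.example.test" are made up for the demonstration.

```python
"""Toy certificate chain with RSA hash-then-sign signatures. Added example, not the lab's code."""
import hashlib
import json

E = 65537


def _keypair(p, q):
    """Textbook RSA key from two primes (toy: the primes below are public constants)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


ROOT_PUB, ROOT_PRIV = _keypair(2**61 - 1, 2**89 - 1)
INT_PUB, INT_PRIV = _keypair(2**107 - 1, 2**127 - 1)
LEAF_PUB, LEAF_PRIV = _keypair(2**521 - 1, 2**607 - 1)


def _digest(cert):
    """Integer digest of the to-be-signed fields (everything but the signature), encoded
    canonically. Truncated to 128 bits so it is below even the smallest toy modulus."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(priv, cert):
    n, d = priv
    return pow(_digest(cert), d, n)


def verify(pub, cert):
    """Signature check: signature^e mod n must equal the recomputed digest."""
    n, e = pub
    return pow(cert["signature"], e, n) == _digest(cert)


def issue(subject, subject_pub, issuer, issuer_priv):
    """The CA operation: bind a subject name to a public key and sign the binding."""
    cert = {"subject": subject, "issuer": issuer, "n": subject_pub[0], "e": subject_pub[1]}
    cert["signature"] = sign(issuer_priv, cert)
    return cert


def verify_chain(chain, trusted_roots):
    """chain[0] is the root, chain[-1] the end-entity certificate. The root must be
    self-signed and in trusted_roots; every other certificate must name the previous
    one as issuer and verify under that certificate's public key."""
    root = chain[0]
    root_key = (root["n"], root["e"])
    if root["subject"] != root["issuer"] or not verify(root_key, root):
        return False
    if root_key not in trusted_roots:
        return False
    for issuer, cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
        if not verify((issuer["n"], issuer["e"]), cert):
            return False
    return True


def build_chain():
    root = issue("Lab Root CA", ROOT_PUB, "Lab Root CA", ROOT_PRIV)
    inter = issue("Lab Intermediate CA", INT_PUB, "Lab Root CA", ROOT_PRIV)
    leaf = issue("www.example.test", LEAF_PUB, "Lab Intermediate CA", INT_PRIV)
    return [root, inter, leaf]
```

The verifier rejects the three failure cases students should test for: a root that is not in the trust store, a certificate whose fields were altered after signing, and a certificate that names the intermediate as issuer but was actually signed with some other key.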
Crypto Case 1: How Do You Secure BlackBerry Devices?
Crypto Case 2: Do You Trust Others in a Virtual Environment?
Crypto Case 3: Ensure the Validity of Forensic Evidence by Using a Hash Function
Crypto Case 4: How Do You Secure Patient Data?
Crypto Case 5: Is SSL/TLS Enough to Secure E-commerce?


People 

Dr. Yang is the lead PI on this project. She obtained a Ph.D. in Computer Science from Florida International University in 2005 in the area of computer security. She is an Assistant Professor of Computer Science and Engineering at the University of Tennessee at Chattanooga. She is one of the key personnel who developed the undergraduate Information Security and Assurance (ISA) concentration and the graduate ISA concentration, and who secured the CAE/IAE designation at UTC. She has actively published hands-on pedagogical materials in information security and assurance and has involved both undergraduate and graduate students in publishable research projects. She is an editor of the book "Applied Cryptography for Cyber Security and Defence: Information Encryption and Ciphering". She serves as project manager for the development of hands-on labs, case studies, and cryptography modules for this project. She also coordinates the overall activities of the project, documents its progress, writes the annual reports, evaluates and assesses the project, and leads dissemination efforts such as developing the website, organizing summer workshops, and presenting at conferences. Her email is LiYang (at) utc (dot) edu
Dr. Wang is a professor and Chair of the Department of Information Technology at Southern Polytechnic State University, and the founding director of the Center for Information Security Education, which was designated a national CAE/IAE (Center of Academic Excellence in Information Assurance Education) for the academic years 2008-2013 by the NSA and DHS. Since 2002, Dr. Andy Ju An Wang has taught information security courses at both the undergraduate and graduate levels. Dr. Wang brings an extensive background in academic and instructional computing as well as an outstanding record of teaching achievement. In 2004, he received the Teaching Award from the Center for Teaching Excellence at Southern Polytechnic State University. Dr. Wang currently serves as the principal investigator on an NSF CPATH project and as the PI of a Microsoft-funded Trustworthy Computing Curriculum Development project. Dr. Wang's current interests are in information security, software engineering, and computer science education. He is the lead PI at SPSU and is responsible for the implementation of the proposed modules, evaluation, and dissemination efforts at SPSU.
Dr. Kizza is the director of the CAE/IAE at UTC and has served as head of the Department of Computer Science and Engineering at UTC since the fall of 2009. He has written eight books on computer ethics, network security, and cyberethics and has published several dozen peer-reviewed journal and conference papers. He was appointed a United Nations Educational, Scientific and Cultural Organization (UNESCO) expert in Information Technology in 1994 and received Fulbright scholarships in 2003 and 2006. He will implement cryptography modules in his IA courses, share his administrative experience with Dr. Yang, and provide general guidance on project management.
Dr. Chen obtained a Ph.D. in Computer Studies from the University of Southwestern Louisiana in 1993. He has been a faculty member of the Department of Computer Science at Tuskegee for more than 12 years. His teaching and research interests lie primarily in information assurance and network security. Dr. Chen has secured grants on information security and assurance from the National Security Agency (NSA) and the National Science Foundation (NSF) CI-TEAM program. Dr. Chen is the lead PI at TU and is responsible for the implementation of the proposed cryptography modules in his IA courses, organizing workshops, and evaluation and dissemination efforts at TU.


Sponsored by NSF DUE-0942581