Teaching Cryptography Using Hands-on Labs and Case Studies   

University of Tennessee at Chattanooga, Tuskegee University, and Southern Illinois University (was Southern Polytechnic State University)

Motivation

Cryptography is and continues to be a relatively weak area in the current information assurance curriculum at most schools, primarily due to the lack of hands-on exercises and materials. The hands-on exercises provided by this project include both the implementation of cryptographic algorithms and an examination of threats and attacks on various cryptographic techniques. The case studies provided by this project engage students using open-ended real-world scenarios, such as securing Blackberry devices, which challenge students to implement cryptographic techniques in realistic situations.

The Need for Hands-On Cryptography Education

Hands-on learning can be a highly effective pedagogical method because it engages students at a personal level. This sentiment is echoed by the saying attributed to Confucius, “I hear and I forget. I see and I remember. I do and I understand.” However, current approaches to teaching cryptography at the undergraduate level tend to focus primarily on its mathematical and algorithmic aspects. Therefore, there is a need to use hands-on learning to reinforce the mathematical and theoretical aspects of cryptography education. The goal of this project is to design a collection of labs that allow students to gain hands-on experience with cryptographic algorithms, and especially to increase student awareness of possible threats and attacks on various cryptographic techniques.

The Need for Case Studies in Cryptography Education

At an event celebrating 30 years of public key cryptography in 2006, experts said that cryptography still lacked usability. Brian Snow, a retired technical director at the National Security Agency (NSA), notes that security products lack quality because they are poorly designed and often not designed in a secure way. Cryptography in real-world networks and systems has not been as effective as intended from a mathematical perspective, due to engineering challenges. Building real-world cryptographic systems is different from the abstract theory of cryptography based on pure mathematics. Designers and implementers face real-world constraints that often pose engineering challenges. To prepare students for these real-world security challenges, we must teach cryptography in real-world settings. Therefore, there is a need to design and incorporate case studies into a cryptography curriculum that simulate and capture real-world cryptographic applications. The case study approach is a good method to achieve this, as it engages students in real-world settings, which inspires student creativity and trains them to adapt cryptographic solutions to emerging areas.

 

Hands-on Labs

 

1.1 Lab on encryption using binary/byte addition

1.2 Encryption using binary Exclusive-OR (XOR)

1.3 Triple DES with CBC mode and Weak DES keys

2.1 Lab on RSA Encryption and Factorization Attacks

2.2 Attack on RSA encryption with short RSA modulus

3.1 Lab on hash generation and sensitivity of hash functions to plaintext modifications

4.1 Lab on Digital Signature Visualization

4.2 Lab on RSA Signature

4.3 Lab on Attack on Digital Signature/Hash Collision

a. Programming Lab on Encryption Using Classical Techniques

In this project we will develop a program that encrypts plaintext given a keyword. The plaintext is encrypted with the Playfair cipher and the resulting ciphertext is displayed to the user. The Playfair cipher (description taken from William Stallings, “Cryptography and Network Security: Principles and Practice”) is the best-known multiple-letter encryption cipher; it treats digrams (pairs of letters) in the plaintext as single units and translates these units into ciphertext digrams. (This cipher was actually invented by the British scientist Sir Charles Wheatstone in 1854, but it bears the name of his friend Baron Playfair of St. Andrews, who championed the cipher at the British Foreign Office.)
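The digram rules described above, as an added example that is not part of the lab handout: build the 5x5 key square, split the plaintext into digrams, and apply the same-row, same-column and rectangle rules. It assumes the textbook conventions that I and J share one cell and that a repeated letter or an odd trailing letter is padded with X (Q when the letter itself is X).

```python
# Added example (not the lab's own code): Playfair encryption.
# Assumptions: I/J share a cell; doubled letters and an odd trailing letter are
# padded with X (or Q when the letter is X), as in Stallings' description.
import string

def build_square(keyword):
    """Return the 5x5 key square as a 25-letter string, row-major order."""
    seen = []
    for ch in keyword.upper() + string.ascii_uppercase:
        ch = "I" if ch == "J" else ch           # I and J share one cell
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return "".join(seen)                        # keyword letters first, then the rest

def digraphs(plaintext):
    """Split the letters of the plaintext into two-letter units (digrams)."""
    letters = [("I" if c == "J" else c) for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        filler = "Q" if a == "X" else "X"
        if i + 1 < len(letters) and letters[i + 1] != a:
            pairs.append(a + letters[i + 1])    # ordinary pair of distinct letters
            i += 2
        else:
            pairs.append(a + filler)            # doubled letter or odd final letter
            i += 1
    return pairs

def encrypt_pair(square, pair):
    r1, c1 = divmod(square.index(pair[0]), 5)
    r2, c2 = divmod(square.index(pair[1]), 5)
    if r1 == r2:                                # same row: take the letter to the right
        return square[r1 * 5 + (c1 + 1) % 5] + square[r2 * 5 + (c2 + 1) % 5]
    if c1 == c2:                                # same column: take the letter below
        return square[((r1 + 1) % 5) * 5 + c1] + square[((r2 + 1) % 5) * 5 + c2]
    return square[r1 * 5 + c2] + square[r2 * 5 + c1]   # rectangle: swap the columns

def playfair_encrypt(keyword, plaintext):
    """Encrypt plaintext under the Playfair cipher with the given keyword."""
    square = build_square(keyword)
    return "".join(encrypt_pair(square, p) for p in digraphs(plaintext))
```

With the textbook keyword MONARCHY, "balloon" becomes the digrams BA LX LO ON and encrypts to IBSUPMNA.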

View Lab: pdf

 

b. Programming Lab on Frequency Analysis

This lab will introduce students to frequency analysis, a method used to decode ciphertext by studying the frequency of letters.
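An added example of the method, not taken from the lab handout: count the letters of a candidate decryption and measure, with a chi-squared statistic, how far its distribution is from typical English letter frequencies; the shift that fits English best is the key of a shift (Caesar) cipher. The English frequency table and the sample text are constructed for this illustration.

```python
# Added example (not the lab's own code): letter-frequency analysis applied to a
# shift cipher. The frequency table is an approximation of English text.
from collections import Counter
import string

# Approximate relative frequencies (percent) of A..Z in English prose.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

def letter_frequencies(text):
    """Count A..Z occurrences, ignoring case and non-letters."""
    return Counter(c for c in text.upper() if c in string.ascii_uppercase)

def caesar(text, shift):
    """Shift each letter by `shift` positions; other characters pass through."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)

def chi_squared(text):
    """Distance between the text's letter distribution and English (lower is closer)."""
    counts = letter_frequencies(text)
    total = sum(counts.values()) or 1
    return sum((counts[ch] - total * p / 100) ** 2 / (total * p / 100)
               for ch, p in zip(string.ascii_uppercase, ENGLISH_FREQ))

def recover_shift(ciphertext):
    """Try all 26 shifts; return the one whose decryption looks most like English."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))

# Constructed sample plaintext (ordinary English prose) for the demonstration.
SAMPLE = ("IT WAS THE BEST OF TIMES IT WAS THE WORST OF TIMES IT WAS THE AGE OF WISDOM "
          "IT WAS THE AGE OF FOOLISHNESS IT WAS THE EPOCH OF BELIEF IT WAS THE EPOCH OF INCREDULITY")
```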

View Lab: pdf

c. Programming Lab on Testing Different Modes in Symmetric Ciphers

This lab introduces students to various modes of operation in symmetric key cryptography, such as electronic codebook (ECB), cipher block chaining (CBC) and cipher feedback (CFB). Students must implement a symmetric key cipher, such as the Data Encryption Standard (DES), triple DES, or the Advanced Encryption Standard (AES), using several different modes of operation, and then investigate the properties of pattern preservation and error propagation for each mode.
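The two properties the lab asks students to investigate, shown on ECB and CBC as an added example that is not part of the lab handout. It uses a constructed 8-byte toy block cipher (an assumption, with no security value) so that it runs without a cipher library; repeated plaintext blocks stay visible in ECB output, and a one-bit ciphertext error damages one block in ECB but the current block plus one bit of the next in CBC.

```python
# Added example (not the lab's own code): ECB vs CBC over a TOY 8-byte block cipher
# to observe pattern preservation and error propagation. The toy cipher is an
# illustration-only assumption and is not secure.
BLOCK = 8

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def toy_encrypt_block(key, block):
    # XOR with the key, rotate bytes left by one, add a position-dependent constant
    x = xor(block, key)
    x = x[1:] + x[:1]
    return bytes((b + 37 * i) & 0xFF for i, b in enumerate(x))
def toy_decrypt_block(key, block):
    x = bytes((b - 37 * i) & 0xFF for i, b in enumerate(block))
    x = x[-1:] + x[:-1]
    return xor(x, key)
def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pt))
def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt_block(key, b) for b in blocks(ct))
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):            # each block is XORed with the previous ciphertext block
        prev = toy_encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(toy_decrypt_block(key, b), prev))
        prev = b
    return b"".join(out)

def pattern_preserved(ct):
    """True if identical plaintext blocks produced identical ciphertext blocks."""
    bs = blocks(ct)
    return len(bs) != len(set(bs))
def corrupted_blocks(original, decrypted):
    """Indices of plaintext blocks damaged after a ciphertext error."""
    return [i for i, (a, b) in enumerate(zip(blocks(original), blocks(decrypted))) if a != b]
def flip_bit(data, byte_index, bit):
    d = bytearray(data)
    d[byte_index] ^= 1 << bit
    return bytes(d)

# Constructed sample: four identical, block-aligned plaintext blocks.
KEY, IV, PT = b"k3y!k3y!", bytes(BLOCK), b"SAME BLK" * 4   # zero IV only for reproducibility
```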

View Lab: pdf

d. Programming Lab on Short Message RSA Attacks and Padding

This lab will introduce students to attacks against the RSA encryption algorithm, and mechanisms that can be implemented to guard against such attacks. Students will be asked to implement both padding-based and timing-based attacks on the RSA algorithm.

View Lab: pdf

e. Programming Lab on RSA Timing Attacks

A timing attack is an attack that cleverly exploits the fourth dimension, time. If an algorithm is not specifically designed to thwart this attack, an attacker can observe the amount of time a calculation takes and monitor the differences in calculation times. For example, converting a “0” in the plaintext to ciphertext may take less time than converting a “1” in the plaintext to ciphertext. These measured times can be used to rebuild the key or to recover the plaintext.

View Lab: pdf

f. Programming Lab on Hash Function

This lab will introduce students to hash functions and how they provide message integrity. Students will be asked to use hashing to detect whether an encrypted message has been tampered with. Students will also need to show that this integrity check can be bypassed by tampering with both the ciphertext and the hash code.
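The two halves of the lab side by side, as an added example that is not part of the lab handout: an unkeyed hash appended to the ciphertext is recomputed along with the altered ciphertext and still verifies, whereas a keyed MAC (HMAC) over the ciphertext fails verification without the MAC key. The stream encryption is a constructed stand-in (XOR with a SHA-256 derived keystream) so that the code runs with the standard library only.

```python
# Added example (not the lab's own code). Encryption here is a constructed toy
# keystream XOR so the example needs only the standard library.
import hashlib, hmac

def keystream_xor(key, data):
    """Toy stream encryption: XOR with a SHA-256 derived keystream (illustration only)."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, out))

def protect_with_hash(enc_key, msg):
    ct = keystream_xor(enc_key, msg)
    return ct + hashlib.sha256(ct).digest()          # unkeyed hash of the ciphertext

def check_hash(enc_key, blob):
    """Return the plaintext if the unkeyed hash matches, else None."""
    ct, tag = blob[:-32], blob[-32:]
    if hashlib.sha256(ct).digest() != tag:
        return None
    return keystream_xor(enc_key, ct)

def protect_with_hmac(enc_key, mac_key, msg):
    ct = keystream_xor(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()   # keyed tag

def check_hmac(enc_key, mac_key, blob):
    """Return the plaintext if the HMAC verifies (constant-time compare), else None."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None
    return keystream_xor(enc_key, ct)

def tamper_and_rehash(blob, old, new):
    """The lab's tampering step: flip ciphertext bytes so the plaintext prefix `old`
    becomes `new` (XOR malleability), then recompute the unkeyed hash over it."""
    ct = bytearray(blob[:-32])
    for i, d in enumerate(bytes(a ^ b for a, b in zip(old, new))):
        ct[i] ^= d
    return bytes(ct) + hashlib.sha256(bytes(ct)).digest()

# Constructed sample keys and message.
ENC_KEY, MAC_KEY, MSG = b"enc-key", b"mac-key", b"PAY 0010 USD"
```

Only the HMAC variant detects the change: the unkeyed check accepts the forged ciphertext because anyone can recompute a plain hash.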

View Lab: pdf

g. Writing a Simple Certificate Authority

Certificates, or to be more specific, public key certificates, provide a mechanism that allows a third party, or issuer, to vouch for the fact that a particular public key is linked with a particular owner, or subject. Every certificate has a private key associated with it, and a chain of certificates is a list of certificates where each certificate other than the first one and the last one has had its private key used to sign the next certificate after it. The first certificate, the root certificate, is normally self-signed; you have to accept it as trusted for the certificate chain to be valid. The last certificate, or end entity certificate, simply provides you with the public key you are interested in, which, assuming you accept the root certificate, you can regard as authentic. The entity responsible for issuing the certificate is referred to as a certificate authority, or more commonly, CA.

View Lab: pdf

h. Programming Lab on Digital Signature

Generate keys, create a digital signature for data using the private key, and export the public key and the signature to files. Verify a digital signature by importing a public key and a signature that is alleged to be the signature of a specified data file, and check the authenticity of the signature.

View Lab: pdf

 

Crypto Case 1: How Do You Secure BlackBerry Devices?

Crypto Case 2: Do You Trust Others in Virtual Environment?

Crypto Case 3: Ensure the validity of Forensic Evidence by Using a Hash Function

Crypto Case 4: How Do You Secure Patient Data?

Crypto Case 5: Is SSL/TLS Enough to Secure E-commerce?


People

 

Dr. Yang is the lead PI on this project. She obtained a Ph.D. in Computer Science from Florida International University in 2005 in the area of computer security. She is an Assistant Professor of Computer Science and Engineering at the University of Tennessee at Chattanooga. She is one of the major personnel who developed the undergraduate Information Security and Assurance (ISA) concentration and the graduate ISA concentration, and secured the CAE/IAE designation at UTC. She has actively published hands-on pedagogical materials in information security and assurance. She has also involved both undergraduate and graduate students in publishable research projects. She is an editor of the book “Applied Cryptography for Cyber Security and Defence: Information Encryption and Ciphering”. She serves as project manager for the development of hands-on labs, case studies, and cryptography modules for this project. She will also coordinate the overall activities in this project, document the project progress, write the annual reports, evaluate and assess the project, and lead the dissemination efforts such as developing the website, organizing summer workshops, and presenting at conferences. Her email is Li-Yang (at) utc (dot) edu

 

Dr. Wang is a professor and Chair of the Department of Information Technology at Southern Polytechnic State University, and the founding director of the Center for Information Security Education, which was designated a national CAE/IAE (Center of Academic Excellence in Information Assurance Education) for academic years 2008-2013 by NSA and DHS. Since 2002, Dr. Andy Ju An Wang has been teaching information security courses at both the undergraduate and graduate levels. Dr. Wang brings an extensive background in academic and instructional computing as well as an outstanding record of teaching achievement. In 2004, he received the Teaching Award from the Center for Teaching Excellence at Southern Polytechnic State University. Dr. Wang currently serves as the principal investigator on an NSF CPATH project and as the PI of a Microsoft-funded Trustworthy Computing Curriculum Development project. Dr. Wang’s current interests are in the areas of information security, software engineering, and computer science education. He is the lead PI at SPSU. He will be responsible for implementation of the proposed modules, evaluation, and dissemination efforts at SPSU.

 

Dr. Kizza is the director of the CAE/IAE at UTC and has served as the department head of Computer Science and Engineering at UTC since the fall of 2009. He has written eight books on computer ethics, network security, and cyber-ethics and has published several dozen peer-reviewed journal and conference papers. He was appointed a United Nations Educational, Scientific and Cultural Organization (UNESCO) expert in Information Technology in 1994 and was a recipient of the Fulbright scholarship in 2003 and 2006. He will implement cryptography modules in his IA courses, share his administrative experience with Dr. Yang, and provide general guidance on project management.

 

Dr. Chen obtained a Ph.D. in Computer Studies from the University of Southwestern Louisiana in 1993. He has been a faculty member of the Department of Computer Science at Tuskegee for more than 12 years. His teaching and research interests lie primarily in the area of Information Assurance and Network Security. Dr. Chen has successfully secured grants on information security and assurance from the National Security Agency (NSA) and the National Science Foundation (NSF) CI-TEAM program. Dr. Chen is the lead PI at TU and will be responsible for implementation of the proposed cryptography modules in his IA courses, organizing workshops, and evaluation and dissemination efforts at TU.

 


Sponsored by NSF DUE - 0942581


Last Updated: July 9, 2013