Lab 2: Cybersecurity
Students learn about various cybersecurity risks on the Internet and the basic concepts of cryptography. If nothing else, students should come away with an understanding of what public key cryptography means and why it's so important.
Pacing:
The 5 required lab pages could be split across 4–7 days (
145–290 minutes). Expected times to complete follow:
Prepare
- As you do Computing in the News with your students this week, look for news stories relating to issues of encryption. Highlight stories that might give students ideas for their research task at the end of the lab about innovations that need to transmit data securely.
- Students will read parts of Chapter 5 of Blown to Bits. Reading through the entire chapter will be helpful, especially to get a better understanding of the evolution of encryption methods and some details of public key encryption.
Lab Pages
-
Page 1: Cryptography.
-
Learning Goals:
- Understand what it means to encode and decode text.
- Understand the difference between symmetric and asymmetric cryptography.
- Understand how Caesar and substitution ciphers work.
- Be able to explain why these ciphers are examples of symmetric cryptography.
-
Tips:
- Most students will greatly enjoy encoding and decoding secret messages. Make sure that there is enough time planned in the lesson for this hands-on activity.
- It may be a good idea to suggest that for starters students try to encode/decode very short messages.
- Some students may get frustrated in the decoding process, not being able to crack their partner's code, even for short messages. Tell them that the challenging nature of decoding is to be expected and is actually one of the main take aways of this activity.
- Some students may find the ciphers discussed here too abstract. Let them encode/decode a simple message using the example ciphers given to gain some hands-on experience.
- Take some time to discuss the weaknesses of these ciphers and how they may be broken. Invite suggestions on how to improve on the security of such systems of cryptography.
-
Page 2: Caesar Cipher Project.
-
Learning Goals:
- Gain hands-on experience with cryptography.
- Implement a simple version of the Caesar Cipher.
-
Tips:
- You may want to direct students to the Oscar nominated movie "The Imitation Game", which tells the story of Alan Turing and his team of cryptographers who broke the Nazi encryption system "Enigma" based on the Vigenere Cipher. Students could research and discuss how this breakthrough ushered an era of research leading to the birth of modern Computer Science. (If your connection blocks YouTube, you can watch the trailer of "The Imitation Game" on scratch.mit.edu.)
-
Page 3: Public Key Encryption.
-
Learning Goals:
- Understand the basics of public key encryption, secure HTTP, and certificate authorities.
- Catch a glimpse into the ingenious method of public key cryptography.
- Understand why public key cryptography is an example of asymmetric cryptography.
- Appreciate how open standards help with Internet security.
-
Tips:
- It may seem nonintuitive that open standards help with Internet security. If you want to keep something a secret, shouldn't the method of keeping it secret be kept secret too? The answer is no, but this takes some thinking out. The reason is that complicated algorithms may have hidden bugs, so by publishing the algorithm openly, you invite everyone in the world to look for bugs.
- Why do we need Certificate Authorities? If you want to send a secure message to a personal friend, you can physically meet your friend or talk on the phone to exchange public keys. But if you want to send a secure message to a big institution (like your bank, Amazon, or Google), how do you know their public key? You can look on their web site, but until you've exchanged public keys, you can't be sure that what your browser shows you really is their web site. This is why we need Certificate Authorities. The public keys from Certificate Authorities are hardwired into your browser. Nevertheless, CAs have been compromised or spoofed; this is one of the weak links in Internet security. (The Wikipedia article on CA attacks is fairly readable if a student wants to study this question further.)
-
Page 4: Who Cares About Encryption?
-
Learning Goal:
- Understand that it is controversial to allow public access to secure encryption.
-
Tip:
- Encourage students to practice presenting and defending a point of view they would not necessarily agree with personally. This practice will sharpen their debating skills and empower them to anticipate the arguments and logic of opposing points of view in the future.
-
Page 5: Security Risks
-
Learning Goal:
- Understand various types of cybercrime including distributed denial-of-service attacks, phishing, and viruses.
-
Tips:
- Regarding the formative assessment question, "What is hacking? What do you know about it?" You may want to explain that "hacking" doesn't necessarily mean breaking into other people's computers, even though the media use it that way. A hacker is someone who tries to understand the details of a technology (computer, phone, train, washing machine, etc.). Someone whose goal is to break into other people's computers is better called a cracker.
-
Page 6: What Can You Do?
-
Learning Goal:
- Understand ways to protect against cybercrime including the use of antivirus software and firewalls.
-
Tips:
- Please do not overemphasize this page, on which the College Board preaches to students (through us) about password hygiene. The only really important idea on the page is in its first sentence: "It should not be the responsibility of the individual to ensure their safety online just as it's not their responsibility to do a safety inspection of every subway car before boarding." This is the Beauty and Joy of Computing, not the Fear and Trembling of Computing.
Related Resources
If you like reading Wikipedia articles, you may find these interesting and relevant:
Solutions
Correlation with 2020 AP CS Principles Framework
Computational Thinking Practices: Skills
- 5.E: Evaluate the use of computing based on legal and ethical factors.
- 6.B: Use safe and secure methods when using computing devices.
Learning Objectives:
- IOC-2.B: Explain how computing resources can be protected and can be misused. (5.E)
- IOC-2.C: Explain how unauthorized access to computing resources is gained. (5.E)
Essential Knowledge:
- IOC-2.B.1: Authentication measures protect devices and information from unauthorized access. Examples of authentication measures include strong passwords and multifactor authentication.
- IOC-2.B.2: A strong password is something that is easy for a user to remember but would be difficult for someone else to guess based on knowledge of that user.
- IOC-2.B.3: Multifactor authentication is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism, typically in at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).
- IOC-2.B.4: Multifactor authentication requires at least two steps to unlock protected information; each step adds a new layer of security that must be broken to gain unauthorized access.
-
IOC-2.B.5: Encryption is the process of encoding data to prevent unauthorized access. Decryption is the process of decoding the data. Two common encryption approaches are:
- Symmetric key encryption involves one key for both encryption and decryption.
- Public key encryption pairs a public key for encryption and a private key for decryption. The sender does not need the receiver's private key to encrypt a message, but the receiver's private key is required to decrypt the message.
- IOC-2.B.6: Certificate authorities issue digital certificates that validate the ownership of encryption keys used in secure communications and are based on a trust model.
- IOC-2.B.7: Computer virus and malware scanning software can help protect a computing system against infection.
- IOC-2.B.8: A computer virus is a malicious program that can copy itself and gain access to a computer in an unauthorized way. Computer viruses often attach themselves to legitimate programs and start running independently on a computer.
- IOC-2.B.9: Malware is software intended to damage a computing system or to take partial control over its operation.
- IOC-2.B.10: All real-world systems have errors or design flaws that can be exploited to compromise them. Regular software updates help fix errors that could compromise a computing system.
- IOC-2.B.11: Users can control the permissions programs have for collecting user information. Users should review the permission settings of programs to protect their privacy.
- IOC-2.C.1: Phishing is a technique that attempts to trick a user into providing personal information. That personal information can then be used to access sensitive online resources, such as bank accounts and emails.
- IOC-2.C.2: Keylogging is the use of a program to record every keystroke made by a computer user in order to gain fraudulent access to passwords and other confidential information.
- IOC-2.C.3: Data sent over public networks can be intercepted, analyzed, and modified. One way that this can happen is through a rogue access point.
- IOC-2.C.4: A rogue access point is a wireless access point that gives unauthorized access to secure networks.
- IOC-2.C.5: A malicious link can be disguised on a web page or in an email message.
- IOC-2.C.6: Unsolicited emails, attachments, links, and forms in emails can be used to compromise the security of a computing system. These can come from unknown senders or from known senders whose security has been compromised.
- IOC-2.C.7: Untrustworthy (often free) downloads from freeware or shareware sites can contain malware.