Hands-On Intro to Internet Security: Lesson Plan

PROJECT BACKGROUND
This lesson plan was completed as the primary final deliverable for my senior year course in Teaching and Learning Undergraduate Science and Engineering. The course explored concerns in education philosophy and pedagogy and gave me a first hand opportunity to apply lessons learned from education research to develop and execute a lesson plan.

The course was taught by Rebecca Miller of the Harvard Graduate School for education.

INTRO

This slideshow offers a brief motivation for this lesson, including goals, methodology, and results.

Intro to Hands-on Internet Security

ABSTRACT

This lesson plan presents a series of three 1-hour activities that provide a hands-on introduction to internet security for undergraduates with no computer science or programming experience. Through group design challenges mediated by the instructor, students will design their own procedures for ensuring privacy and authentication goals based on public key encryption technology. They will build up conceptual knowledge from basic encryption to digital certificates and apply these ideas to practical, every-day browsing via exercises with Firefox. Two assessment opportunities are also provided to evaluate conceptual and practical understanding.

The lessons were designed for this audience based on principles of constructivist education, situated learning, and group learning. A major innovation is the use of custom Java applets designed to make encryption, decryption, key generation, and key hacking accessible operations for novice security students, so they may focus on security concepts rather than technical details of encryption.

TARGET AUDIENCE

This lesson intends to provide an introduction to internet security systems. This could fit either within a first or second year survey course of computer science topics or as a stand-alone mini-course.

Undergraduate students with basic computing skills are the primary audience. CS majors and non-majors are equally welcome. Absolutely no programming, computer science, or software engineering experience is necessary. Familiarity with some high-school mathematics like prime numbers and algebraic factorization is helpful, but not necessary for all components.

My basic assumptions about students’ existing knowledge are as follows:

Students have experience using the internet for e-commerce, e-mail, and other secured applications
Students have some familiarity with internet security risks (why a password is important, etc.)
Students have some familiarity with the definition of a prime number and the process of factorization

LESSON REQUIREMENTS: TIME, SPACE, AND PEOPLE

This lesson is designed to occur over the course of three (3) instructional periods (or days) lasting about 60 minutes each. Each day contains multiple activities, including whole class demonstrations, group design challenges, pair case studies, and group presentations to the class. It may be possible to use one or a few activities in isolation with some fine-tuning. However, the days are designed to flow well together and most of the documentation and advice given in this plan will assume all three periods will be used (so that a later activity can rely on knowledge gained in an early activity).

In terms of space and setting, the lesson should take place in a computer lab or studio space with plenty of room for students to work in pairs at a computer terminal. It is advantageous to have desktop computer stations (one per pair of students) already set up so that the Java applets can be pre-installed and ready to go. However, it could be possible to use student laptops and ask the students to pre-install the applets. Also, having access to a projector or large screen for group viewing is helpful for some demonstrations.

The lesson’s primary mode of instruction is a series of group design challenges that progressively build up knowledge of encryption and security processes that enable trustworthy communication between a “bank” and a “customer”. The lesson assumes that at least six and at most roughly twenty students are available, as the team-based exercises require substantial interaction with peers and the ability of the instructor to wander between groups and answer student-generated questions effectively. The instructor should be willing to allow students take charge of learning and feel comfortable answering detailed questions about internet security systems. For example, a capable instructor should be able to answer “what is a digital certificate?” and explain and justify all fields in a modern certificate.

INSTRUCTIONAL GOALS

The intention of this lesson is to elucidate the technical and logistical principles that enable trustworthy communications over the internet, with a concentration on identity verification (who am I exchanging data with?) and privacy (can anyone else see my data?). I hope to help students understand the why and how, with an emphasis on design considerations and practical applications. A major goal is to avoid getting bogged down in the implementation details (how encryption happens in the digital world) and focus on the reasoning behind the system (e.g. what assumptions are made about the keys that can unlock this system?).

A secondary goal of this lesson is to motivate students to take interest in security and computing. It is hoped that the active learning methodologies employed make the concepts accessible and welcoming to a broader audience than computing usually reaches, especially women and under-represented minorities.

LESSON MATERIALS

This lesson requires several documents and some Java software, both described below.

Documents
Four attached PDF documents provide all written material necessary for enacting this lesson.

Lesson Plan --- detailed overview of learning objectives, procedures, target audience, etc.

Instructor Guide --- provides a field guide for giving this lesson to students. Included are a detailed summary of all activities day-by-day and hints and tips as well as recap boxes to help the instructor summarize knowledge at the end of each activity.

Student Packet --- provides a ready-to-print packet to distribute to each student for the entire lesson. This includes instructions and workspace for all major activities of the lesson series.

Assessment --- provides the instructions and rubrics for each assessment exercise.

Reflective Essay --- provides a 3000 word essay offering detailed justification for this lesson.

Software
Software is provided as the file EasyRSA.zip, which you can download here (WARNING: 27 MB zip file).

This zip package includes the following:

• EasyRSA.jar - a java archive executable that launches four applets when double-clicked. These are:

o Encryption

Encrypts plain text ASCII message with given private key
Supports multi-line messages
Produces a very long decimal number

o Decryption

Decrypts cipher text (decimal number) given public key
Supports multi-line messages

o Key Generator

Generates key of given number of decimal digits (min=6,max=16)

o Key Hacker

Factorizes given public key using pre-generated lists of primes
Provides real-time clock to observe how long factorization takes

• primes*.txt - series of text files containing prime numbers (used for KeyHacker)

Instructions for installing and operating the Java applets are in the appendices of the Lesson Plan document.

JAVA APPLETS DEMO

I developed some custom Java applets for students to explore encryption and security in this lesson. My design goals were to make the processes interactive and easily accessible for novices.

A brief walk-through of the applets is shown in the screencast below. I showcase Key Generation, Encryption, Decryption, and Key Hacking all in separate applets. Sorry, no audio.