Using ASP-based message encryption project to teach information security concepts

Journal of Information Systems Education, 2002 by Cao, Qidong, Davis, John S, Bai, Xue, Katter, Orlando E

ABSTRACT

Information security has emerged as one of the most important subjects for information systems (MIS) majors. This paper describes the use of a message encryption project based on Microsoft Active Pages (ASP) that encourages MIS students to explore some of the technical aspects of information security in some depth. This project served as a valuable pedagogical tool. Students having only limited programming and database experience benefited significantly from this course.

Keywords: Network security, client-side / server-side scripts, encryption, ASP.

1. INTRODUCTION

As computer networks become an important part of the business world as well as of our daily lives, information security should be taught not only to computer science students but also to business students. Hands-on projects that are technical but simple to implement can help motivate MIS students to explore the technical concepts of information security. On this basis, the authors assigned MIS students a course project to develop a Web application providing message encryption. The project is simple enough for them to implement, as it requires elementary programming skills that they have already acquired in other courses. On the other hand, the project lets the students explore, in some depth, some of the technical aspects of information security. The rest of this paper is organized as follows. Section 2 describes a doable project for business students. Section 3 provides an overview of message encryption. Section 4 presents an example of a student project. This is followed by a discussion of the pedagogical approach and a summary of student feedback in Section 5. Section 6 concludes by reviewing important aspects of the project.

2. A DOABLE INFORMATION SECURITY PROJECT

The choice of project was motivated by a desire to provide hands-on experience to students having limited technical backgrounds while requiring limited technical support. Because encryption plays such an important role in information security as discussed in the next section, the project provides students an opportunity to set up message encryption.

Choosing a web application reduces requirements for technical support. A typical message encryption project involves software running on client and server computers and requires substantial support of system administrators (because students and instructors lack necessary server and network permissions). However, the student project requires nothing more than maintaining student Web accounts that are already available.

This project is appropriate for the technical skills of most business students. Many business students know basic techniques for web site development. Preparing them for this project requires only introducing them to ASP, including methods for connecting Web pages to databases. Because the code for ASP applications is more readable than code in other programming languages, students have no serious problems becoming familiar with it. Also, as students present their projects, other students can easily learn the different techniques used by different students to implement information security.

3. AN OVERVIEW OF MESSAGE ENCRYPTION

An overview of message encryption may help explain the basis for the student project. There are two major classes of encryption algorithms (Stallings 2000): conventional encryption and public-key encryption. Conventional encryption uses one secret key for both encryption and decryption. This key is shared by message sender and recipient. Some popular conventional encryption algorithms are DES (FIPS PUB 1977), IDEA (Lai 1991), Blowfish (Schneier 1993), RC5 (Rivest 1994), CAST-128 (Adams 1997), RC2 (Rivest 1998) and TDEA (FIPS PUB 1999).

Public-key encryption generates keys in pairs. If one key of a pair is used to encrypt a message into a ciphertext, the other key can decrypt the ciphertext into the original plaintext. Public-key encryption was first publicly proposed by Diffie and Hellman (1976). The most widely adopted public-key encryption algorithm is the RSA encryption algorithm (Rivest 1978). Because of their heavy computational burden, public-key encryption algorithms are largely used for digital signatures and key distribution.

As a simplified system, the course project uses the conventional encryption algorithm without any requirements for key distribution. (Secret keys can be delivered in person within the class.) Students develop their own encryption algorithms that have to include all three basic operations: substitution, transposition, and exclusive or. Advanced students who are interested in more sophisticated encryption algorithms are referred to Web sites where free source code of some popular conventional encryption algorithms is available.

4. AN EXAMPLE OF STUDENT PROJECT

Students develop Web applications that can transmit encrypted messages back and forth between client and server computers. For example, one student developed a grade report system. It is based on a two-way Web site that allows a student to enter his/her unique user ID and course ID (password) to retrieve his/her grade information from a database. The user IDs and grades have to be encrypted before transmission over the Internet. To complete this project the student creates his/her Web site that connects to a small database, and then adds encryption/decryption functions to the Web site. Interested readers may view or download this project (http://www.birdnest.org/caoql/encryption/). In the home page of this Web site, a hyperlink ("Grades") activates the grade report system. This system includes two ASP pages (index.asp and grades.asp) that connect to a Microsoft Access single-table database. This database stores for each student the user ID, the course ID, name and grades. The course IDs are encrypted before leaving the client computer. The grades from the database are encrypted before being sent from the Web server. Figure 1 shows cooperation between client and server computers.
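The following sketch is an added illustration, not code from the student project or from the authors: a classroom-style cipher in JavaScript that chains the three operations required in Section 3 (substitution, transposition, exclusive or) and runs the two encrypted legs of the grade report exchange described above. The function names, the key string, and the sample course ID and grade are assumptions constructed for the example.

```javascript
// Classroom toy cipher combining substitution, transposition and XOR.
// Added example; every name here is hypothetical. Not a vetted algorithm.
const utf8 = new TextEncoder();

// Keyed permutation of 0..n-1: Fisher-Yates shuffle driven by a small LCG.
function keyedPermutation(key, n) {
  let state = 0;
  for (const b of utf8.encode(key)) state = (state * 31 + b) >>> 0;
  const perm = Array.from({ length: n }, (_, i) => i);
  for (let i = n - 1; i > 0; i--) {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    const j = state % (i + 1);
    [perm[i], perm[j]] = [perm[j], perm[i]];
  }
  return perm;
}

function encrypt(plaintext, key) {
  if (!key) throw new Error('a non-empty shared key is required');
  const bytes = Array.from(utf8.encode(plaintext)), k = utf8.encode(key);
  const sbox = keyedPermutation(key + '/sub', 256);           // substitution table
  const order = keyedPermutation(key + '/pos', bytes.length); // position shuffle
  const substituted = bytes.map((b) => sbox[b]);
  const transposed = order.map((src) => substituted[src]);
  const xored = transposed.map((b, i) => b ^ k[i % k.length]);
  return xored.map((b) => b.toString(16).padStart(2, '0')).join('');
}

function decrypt(hex, key) {
  if (!key) throw new Error('a non-empty shared key is required');
  const bytes = (hex.match(/../g) || []).map((h) => parseInt(h, 16));
  const k = utf8.encode(key);
  const sbox = keyedPermutation(key + '/sub', 256);
  const order = keyedPermutation(key + '/pos', bytes.length);
  const inverseSbox = [], plain = [];
  sbox.forEach((out, inp) => { inverseSbox[out] = inp; });
  // Undo the steps in reverse: XOR, then transposition, then substitution.
  order.forEach((src, dst) => { plain[src] = inverseSbox[bytes[dst] ^ k[dst % k.length]]; });
  return new TextDecoder().decode(Uint8Array.from(plain));
}

// Constructed data mirroring the grade report flow: both directions encrypted.
const SECRET = 'key-shared-in-class';
function gradeRoundTrip(courseId, grade) {
  const request = encrypt(courseId, SECRET);   // client: course ID leaves encrypted
  const seenByServer = decrypt(request, SECRET);
  const response = encrypt(grade, SECRET);     // server: grade leaves encrypted
  return { request, seenByServer, response, shownToStudent: decrypt(response, SECRET) };
}
```

The scheme is deterministic: the same course ID under the same key always yields the same ciphertext, so repeated values remain recognizable on the wire. This is one property that separates a classroom cipher from the vetted algorithms listed in Section 3.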

 

Content provided in partnership with ProQuest