A Cryptic Education – Substitution and Steganography

As part of the digital technology curriculum, I’ve been tweaking  and testing some lessons on cryptography with my year 9 STEM ICT specialist class.

As an opener, we considered a scenario in which one needed to get a secret message to a friend but couldn’t use the now traditional suite of electronic methods available in the average teenager’s tool belt (perhaps their parents are aggressively monitoring their device use?).

The method had to be very low tech – a handwritten note passed through an intermediary.1

What if, I suggested, the intermediary 2 reads the note and then tells your parents or other people?

Students at this point very reasonably suggested that you hand-deliver the note yourself or, you know, just talk to the person, but I either offered believable excuses or hand-waved them off (depending who you ask).

Suggestions to circumvent Eve’s potential treachery included writing the message in another language, the ol’ lemon juice and fire trick, using the ASCII number representation of each letter 3 and… murder.

I’m reasonably sure the last suggestion was tongue-in-cheek, but I’m watching that particular student a little more closely now.

This is the second time I’ve covered crypto with students around this age and I’m always surprised at how rare it is to find a student familiar with substitution ciphers (commonly Caesar). I guess it’s not a popular option for primary – but it does afford me the a chance to get my students constructing their own cipher tools.

We move on from this to more philosophical ground (with one eye on my assassin student) as I pose the question: “Should we have a right to privacy?”

I’m heartened that after a few minutes conversation, students generally reach a consensus that, yes, people should be able to keep their information private if they wish – no secret fascists here.

To make everyone just a little bit uncomfortable I also force the students to confront the following:

  • If you aren’t doing anything wrong, why should you be able to hide what you do from the government?
  • Now we all agree that privacy is vitally important, how do you personally keep your own data safe?
  • Who knows what websites you visit?

I ask these because I feel it’s necessary to confront three important (in very different ways) concepts.

Where do we draw the line on what should be private?

Students generally fall somewhere in the middle of the spectrum from “Our glorious government intelligence agencies should know everything we think and do” through to “You kent trust the gub’mint! We gots to keep our precious datas safe from EVERONE!”

Which is also heartening, I guess. But they’re ultimately left with the uneasy feeling that there isn’t an easy answer to the question of how we (or our authorities) decide it’s okay to spy on a person’s private communication and the mechanism for doing so.

What action are you taking to keep your data/communication private?

None, that’s what.

Or at least, that’s what the average year 9 decides. They’re a little alarmed to realise that they don’t really think about it.

Who knows what websites you visit?

Students confidently assert that they just use incognito mode or delete their history if they wish to keep their browsing secret.

I point out that their ISP knows everything they do (with timestamps!) unless they first use a tunnel or VPN.

Also, any time they use a gated Internet connection – like the school – the IT staff can summon their browsing history at will.

Some students reconsider their life choices.

Back on track – Steganography

Now that my class has indulged my diversion, we get back on track. I mention that hiding messages – ala the lemon juice, and even arguably using another language – is considered steganography. In steganography, your message is only really secret if the method by which you hid it is kept secret too – if someone knows to look for something hidden, they’ll probably find it. One bright spark suggests writing an innocuous message and then putting the secret, inflammatory message in lemon on top, which is admittedly pretty clever. 4

(I don’t use the word obfuscate even though I want to because we just don’t have time to add it to our vocab list – but I think I regret that now. I’m a little tickled by the idea of my ex students wandering around, whipping out five dollar words they learned in ICT.)

We consider the idea of mirror writing – as that’s often trotted out as an example of keeping writing secret in the context of Leonardo da Vinci.

I’m pleased to note that a few students conclude that Leo probably didn’t use mirror writing to keep his work hidden, based on the fact that it’s not that hard to read backwards writing. A few hardened hold-outs insist that it would stop the average interloper casually reading over his shoulder, which is a fair assessment, but even they grudgingly give way when I point out that most people in his time were illiterate anyway, and he was (crucially) left-handed. We decide for now that his mirror writing was probably more for convenience than an effort to maintain secrecy. 5

As a final nail in the coffin of the effectiveness of mirror writing as a tool of secrecy, I display the following slide, with the commentary that it is actually pretty challenging to read mirror text fluently:


Taylor Swift lyrics, but backwards

This exercise is pretty mundane in and of itself, but in a class of competitive over-achievers, it is a thing of beauty.

All the students spontaneously and simultaneously break forth in a halting reading chant, reminiscent of early years primary students:


I secretly wish for someone important to barge into the room at this point and do a double take at our high-flying yet somehow remedial level reading students.

The competitive chant falls apart around 2/3 of the way through as a sufficiently large number of students realise I’ve tricked them into reading Taylor Swift lyrics under (somewhat) false pretences.

And with this, we’re pretty much out of time.

There’s an opportunity to recap concepts (privacy, hiding messages) before we’re done.

And after a whole lesson on cryptography, we haven’t actually covered any cryptography.

Boring ed stuff: LI 6 SC 7
Looking for a link to the slides? You can find it here.