In this lesson, students learn about the relationship between cryptographic keys and passwords. Students explore the Vigenere cipher with a widget to examine how a cryptographic "key" can be used to encrypt and decrypt a message. Then, students use a tool that shows them about how long it would take to crack a given password using a standard desktop computer. Students experiment with what makes a good password and answer questions about the "human components" of cybersecurity.


For example, the Caesar Cipher is an encryption algorithm that involves shifting the alphabet; the amount of alphabetic shift used to encode the message is the key


Students will be able to:


Cryptography and encryption are important and far-reaching fields within computer science. This lesson begins to get students' feet wet with the human side of cybersecurity: choosing good passwords through an exploration of the classic Vigenere Cipher. We also learn that the Vigenere cipher is actually susceptible to frequency analysis (though at first glance it is not) and in subsequent lessons we will learn better methods that are used today. Strong encryption techniques are typically publicly known algorithms, but have mathematical properties which ensure that the original message cannot easily be retrieved. These techniques typically feature a secret "key" or piece of information that is used when encrypting the message. While the algorithm can be publicly known, the secret key is not.

The art of encryption is coming up with an algorithm that 1) makes the message undecipherable without the key and 2) is such that the key should only be discoverable through an exhaustive search of all possible keys, rather than through some other analytical technique. In this lesson we focus on making a good key, while in subsequent lessons we learn more about problems and algorithms that are computationally hard. Guessing a random sequence of 200 characters, for example, is computationally hard, because there is no known way to approach the problem besides trying the trillions and trillions of possible character combinations.


Getting Started

Discussion: Are there ethical reasons to try to crack secret codes?

There are situations in which cracking a code is ethical and important. Give students a few minutes to write down a response and discuss with a neighbor. Have students quickly share out reasons they came up with. There are a lot of different reasons that a person may want to crack a code. Some of them are more ethical (legal) than others.

Discussion: If random substitution is an algorithm for encryption, what is the key to a random subsitution cipher?

Answer: The key is the actual letter-to-letter mapping that was used to encode the message - it can also be used to decrypt.

Discussion: The Importance of a Good Key

Good encryption algorithms are publicly known, but use secret keys as an input to the algorithm. The task of cracking the encryption becomes not guessing the method but guessing the key. We want guessing the key to be computationally hard. This relates to the passwords you choose to use on a daily basis. Encryption algorithms are evaluated based upon the amount of time it would take a computer to crack the key. The Vigenere cipher cannot be cracked using frequency analysis (at first glance); it requires a "brute force" strategy of trying every combination.

Activity 1: Vigenere Cipher Widget

Hand out the "Exploring the Vigenere Widget" resource and have students open the "Vigenere Encryption Widget" and "Vigenere Decryption Widget." Have students work through the activities. They will encrypt and decrypt a message with the Vigenere widgets.

The Vigenere Cipher Explanation

The Vigenere Cipher is similar to the Caesar Cipher we used in the previous lesson. However, the substitution offset changes depending on the current character of the key. For example, consider using the message "TEST" with a secret key of "KEY" and think through the following steps.

  1. The first character of the key is "K," which is the eleventh letter of the alphabet, so our offset is 10 (since A gives a starting offset of 0). Shifting the first character of our message, "T," 10 places gives us the character "C" (note that underscores are considered a 27th "letter" of the alphabet in our Vigenere Cipher).
  2. The second character of the key is "E," which is the fifth letter of the alphabet, so our offset is 4. Shifting the second character of our message, "E," 4 places gives us the character "I."
  3. The third character of the key is "Y," which is the twenty-fifth letter of the alphabet, so our offset is 24. Shifting the third character of our message, "S," 24 places gives us the character "P."
  4. There is no fourth character of our key, so we instead return to the first character of the key, "K," which is the eleventh letter of the alphabet, so our offset is 10. Shifting the fourth character of our message, "T," 10 places gives us the character "C."
  5. Now that we're done encrypting the original message, we simply need to add the new characters together to get the ciphertext of "CIPC."

The process of decryption for a Vigenere Cipher is very similar to its process of encryption. The only difference is that the shifting is done in the other direction; for example, with a ciphertext character of "C" and a key character of "K," the deciphered character is obtained by a shift of -10, giving us "T."

Discussion: From what you've learned what are the properties of the Vigenère Cipher that make it harder to crack? In other words, if you had to crack a Vigenère cipher what would you do?

Some of the key points for discussion include:

Activity 2: Keys and Passwords

Remind the students that:

Cryptographic Keys and Your Passwords: If you have ever joined a website where you had to create an account to login, you also had to create a password. That password is used as a key to do a variety of things at that site, but mostly it's used to authenticate (prove) who you are. Open the "How Secure is my Password?" resource. Test some passwords out. Try answering the questions in the "Keys and Passwords" worksheet.

Ask the students to try the following:

Watch the following video as a class, and have students answer the following questions during or after the video.

  1. What is the difference is between "cracking" a code and "decrypting" a message?
  2. Knowing what you know now about frequency analysis, would you feel comfortable sending your password over the Internet using a substitution cipher? Why or why not.
  3. Using the Vigenere Cipher, does the length of the key matter? For example, if one key is length 5 and another is 20, does one produce a "better" encrypted message than the other, or is it basically the same? Explain your reasoning.
  4. Why is the Vigenere Cipher hard to crack?

Wrap Up

Before the Vigenere cipher was cracked, many governments openly used it. That is, they made no secret about the fact that they were using the Vigenere cipher - it was publicly known. In the modern day, it remains the case that most encryption techniques are publicly known.

Prompt: Why might it actually be a good thing that encryption algorithms are freely shared, so that anyone who wishes can try to crack them?

Possible responses include:

Here are some resources for the students to read about how not to get hacked.


Q1: (Choose two.) Why is the Vigenere Cipher hard to crack?

Q2: What problems exist with encryption schemes such as the Vigenere Cipher, even when strong encryption keys are used?

Q3: Why are computers better than humans at breaking encryptions such as the Vigenere?

Q4: Which makes for a password that is harder to crack?

Q5: Companies and organizations commonly require users to change their passwords frequently. Websites have password length and complexity requirements. Is it better to change your password frequently or to have a longer password? What level of security is appropriate to require of end users? Does this change, depending on the context (for example, employee or customer)?

Extended Learning

The students can learn more about different kinds of ciphers on Crypto Corner.

Assign each student a type of cipher. Students should then research the cipher, including information on its algorithm, its history, and what they would have to do to crack the cipher. They should present an example, and describe the process they follow in cracking the code.

Stories about cracking codes

Read Blown to Bits Chapter 5, Pages 161-165

Answer the following questions after reading

Possible Answer: This would weaken the public's trust in the Internet as an e-commerce vehicle. Any back door could probably be exploited by others. The government believed they could eventually break cryptography without a back door.

Have students find videos demonstrating these or other advanced encryption methods; ask them to describe each algorithm and what causes it to be "hard."

Standards Alignment