Encryption Basics | Werewolf-in-the-Middle
Made by Mozilla
Introduce the basics of surveillance and man-in-the-middle (MITM) attacks with this social activity adapted from the popular party game Werewolf.
Participate on the Web
21st Century SkillsCollaboration Communication Problem-solving Connect Evaluate Protect Share
- Understand and explain how intercepts and surveillance works online.
- Understand and explain man-in-the-middle (MITM) attacks.
- Evaluate and share strategies for secure communication online.
- Beginner web users
- Projected Internet-connected computer
- Werewolf-in-the-Middle cards
Get familiar with the foundations of today's activity:
Print enough Werewolf-in-the-Middle cards for your group.
2. Introduction10 minutes
Welcome learners and explain that today we're going to play a mash-up of two games: Telephone (a.k.a. The Whisper Game or Pass the Message) and Wereworlf. We're going to combine the two games to learn the basics of how "main-in-the-middle" (MITM) attacks intercept our un-encrypted communications online.
Why should we encrypt our communications? What would happen if we didn't encrypt? How does Encryption even work?
Questions like these are common ones when it comes to securing our data online. Generally, encryption helps us make sure people other than our intended recipients can read our communications. Many servcies already employ encryption on our behalf - you can see this when you visit a website with an address that begins with
https://instead of just
s. Services that use
https://scramble the information you send back and forth with them.
Here are a few other ways to think about encrytion from the Mozilla advocacy team's latest public awareness campaign:
Privacy Lets You Be You
Next, explain to participants that by looking at how MITM can take-over our unsecure communications online, we'll see the importance of encryption and help each other think of strategies to stay private, safe, and secure online.
Briefly explain each game, as well as the big ideas behind MITM attacks, to your learners. You might use language like this:
In Telephone, you and the other players line up or form a circle. The first person in the line or circle comes up with a message, like, "I love mango smoothies!" Then, the first person whipsers the message to the second person so no one else can hear it. The second person likewise passes the message down the line until it reaches the last player. That player repeats the message out loud so everyone can hear it. The group "wins" if the right message made it all the way down the line or across the circle. The group "loses" if the message has changed, but sometimes the last message is funny, so "losing" becomes a fun part of the game.
In Werewolf, there are two groups of players. There is a small, two-person group of werewolves. There is a large group of villagers including everyone else who is playing the game. There is also a judge or facilitator who runs the game and hands out cards beforehand to assign players their roles as werewolves or villagers. The judge tells the players when it is day or night. During the night, everyone except the werewolves has to close his or her eyes. The werewolves communicate silently and pick a villager to eat. During the day everyone opens his or her eyes, the faciltator says who got eaten, that player leaves the game, and everyone else tries to figure out who the werewolves are. During the day, the werewolves can lie and misdirect players into thinking other people are werewolves, too. The villagers can exile one person a day. The game ends when either the werewolves have eaten every villager or when the villagers have gotten rid of all the werewolves.
- Man-in-the-Middle (MITM) Attacks:
In a MITM attack, someone online practices surveillance to find out when you email someone else. Then, that person intercepts your message by grabbing it out of the data-stream connecting you and your recipient. If your message is not encrypted, that "man-in-the-middle" can read everything you wrote. If the message is encrypted well, even though that person has your message, he or she can't decipher it. In illustrations of MITM attacks, the sender is usually someone whose name begins with A, the recipient is someone whose name begins with B (since messages go from Point A to Point B), and the interceptor is someone whose name begins with M, for "man-in-the-middle." These attacks are dangerous because the people intercepting your information - often called bad actors - can steal personal and financial information from you, as well as impersonate you or your recipient and send false messages to get more private information from you.
Man in the middle attack, CC-BY-SA by Miraceti
While encryption can't solve every security problem imaginable, it does keep your information confidential. Even if a bad actor manages to grab a message from you and somehow corrupts or damages it before it gets to your intended receiver, the damaged message won't decrpyt correctly, letting you know there's been an attack or problem.
Encryption should be used with other security measures to make sure MITM attacks don't happen elsewhere. For example, you wouldn't want a bad actor to steal your account or public key and impersonate messages from you (as a sender, rather than interceptor), and you wouldn't want a bad actor to cut or otherwise control your access to the Internet itself.
If the message is encrypted well, even though that person has your message, he or she normally can't decipher it.
Take time to answer participants' questions about each game and the big ideas behind MITM attacks. When your learners seem comfortable with each part of the activity, go on to the next step.
3. Playing Encryption Werewolf-in-the-Middle30 minutes
Share the instructions with your learners and answer any questions they have about the game before the group begins play.
- Split the class into groups of six. If you wind up with one to five extra players, assign them in some equitable way to other groups or send them all to one group so it has seven to eleven players.
- Pass out the Werewolf-in-the-Middle cards. Each group of six players needs one set of cards. If you wind up with one to five extra players after making groups of six, include whichever extra hop, hub, or server cards and create a game of seven to eleven players.
- Explain that the "sender" in each group will begin the line and that he or she needs to come up with a simple message to whisper down the line.
- Explain that the "receiver" at the end of the line will say the message out loud when it gets to the end of the line.
- Explain that each person between the sender and receiver is a router, server, or phone line connected to the Internet, and that each of our online communications goes from hop to hop until it finds its way around the world to it receiver.
- Explain that one of the people in the middle of each line is a "bad actor" who wants to perform a MITM attack on the sender's whipsered message.
- The bad actor's job is to intercept and change the message before passing it along. However, in order to hide his or her identity, the bad actor can, twice per game, pass along the correct message.
- The rest of the group wants to whipser the correct message all the way down the line to the receiver.
- Sending one message to the receiver and hearing it out loud is one "turn" of the game.
- After each turn, the sender and receiver can talk with one another and pick a router, server, or phone line that they suspect to be the bad actor to kick off the Internet. Their goal is to identify and exile the bad actor.
- Only the sender and receiver can talk about who to exile from the Net. All other players must remain quiet during this part of the turn.
- Once a player is exiled, he or she leaves the line and can't participate in the game.
- A new turn begins when the sender whispers a new message down the line to test his or her information security.
- The game lasts for three turns.
- At the end of the game, each router, server, or phone line reveals his or her identity.
- The bad actor wins if he or she hasn't been exiled after three turns.
- The sender and receiver win if the bad actor has been exiled.
Try to run the game at least 3 times so that as many group members as possible get to be the sender and receiver.
After about 30 minutes of play, gather the group back together to reflect on what players learned.
4. Reflection and Assessment5 minutes
Take a few moments at the end of the lesson to gather together again as a whole group. Join in a facilitated conversation about encryption basics answering questions like these - or ask your own questions of the group!
- In your own words, how do MITM attacks work?
- How does sending un-encrypted information across the Internet help bad actors who perform MITM attacks?
- What are some ways you can think of to protect your information, even if it's interecepted?
- What questions do you have about how to make your own communications more secure?
Congratulate your players on working through the basics of encryption with games that teach the web. Encouarge them to grab extra sets of cards and to teach their friends how to play. Spread the word about the importance of encryption to online privacy, safety, and security!