How can I demonstrate SSL/TLS to 10 year olds?

A lesson or activity on the topic "HTTP vs HTTPS" for 10-year-olds is not a lesson about cryptography. It's about privacy and staying "safe" on the web.

The EFF has good educational material about HTTPS and Tor that you can use as inspiration (Tor is out of scope, but the part about HTTPS is relevant). The point is to explain the threats and how using HTTPS mitigates them.

As a demo, you can set up a Wi-Fi network and a laptop with Firesheep or another tool that visually displays HTTP interceptions.

[Image: Firesheep screenshot (from 2010)]

You can ask the kids to use their smartphones to browse websites in HTTP and compare with websites in HTTPS.

If you want to go into the details, you can say that TLS guarantees the confidentiality, authenticity and integrity of the data coming from and going to the websites. Explain those 3 words.

If you start talking about encryption keys or maths, you are going too far. But you may try to convince the teachers to do a second talk about the history of cryptography and cryptanalysis (it's usually a good way to introduce the topic).


This has no analog in Information Security as far as I know; however, I always thought it was a cool way to show how something could be delivered to Bob from Alice over an unsecured channel.

Alice puts her message in a box, locks the box and sends it to Bob over an insecure postal system. (The postage system cannot view the contents of the box since Alice has locked it.) Bob receives the box but can't unlock it. Bob then adds his own padlock to the box and sends it back to Alice. Alice then removes her padlock and sends it back to Bob. Now Bob can unlock the box without any MITM being able to view the contents.


For authentication it would be easy enough to show -

  • Client sends a message to server asking to connect
  • Server sends back a piece of paper with its signature, also signed by a trusted third party (the teacher?).
  • Client checks the teacher's signature against its own copy. It now trusts the server.

You could then explain a man in the middle. I.e. the server can now sign all of its messages to prove it sent them. But the client has no way to prove its own messages to the server - so [other person] can change the client's message in passage. They can also read the messages from the server.

The best way I've found to describe public/private key cryptography to less technically minded people is to split it into two processes.

  • Sending a message to someone encrypted with their public key is like posting a letter through a locked postbox. Anyone can post the letter but only the owner has the keys to open it and read the message.

  • Signing a message with a private key is like having a locked display case. Again only the owner has the key. So you know anything in there was put there by them.

With a little woodwork and a couple of sheets of perspex it should be easy enough to throw together the above.

Diffie-Hellman is a bit harder. Unless your son is a mid-teen I imagine you might not want to go into any real detail here.

As for letting them try their own encryption, a simple method would be a substitution cipher. Print out maps of characters in advance. If you wanted to demonstrate why these are no longer secure, you could use frequency analysis to break a long message in front of them (either by hand or with software).
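
The substitution-cipher exercise suggested above, as an added example that is not part of the original answer: it builds a printable character map, encrypts a message, and makes a first guess at the plaintext by frequency analysis. The sample message, the seed and all function names are constructed for this illustration.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
# Typical English letter order, most to least frequent (approximate).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

# Constructed sample message for the demo (not from the original page).
SAMPLE = ("meet me near the green gate when the bell rings then we sneak "
          "between the trees to the secret shed where the sweets were left")

def make_map(seed):
    """Build the printable character map: plaintext letter -> cipher letter."""
    shuffled = random.Random(seed).sample(ALPHABET, len(ALPHABET))
    return dict(zip(ALPHABET, shuffled))

def substitute(text, table):
    """Apply a letter map; spaces and punctuation pass through unchanged."""
    return "".join(table.get(ch, ch) for ch in text.lower())

def invert(table):
    """Turn the encryption map into the matching decryption map."""
    return {cipher: plain for plain, cipher in table.items()}

def letter_ranking(text):
    """Letters of the text ordered from most to least frequent."""
    counts = Counter(ch for ch in text if ch in ALPHABET)
    return [letter for letter, _ in counts.most_common()]

def guess_map(ciphertext):
    """First-guess decryption map: line up cipher ranking with English ranking."""
    return dict(zip(letter_ranking(ciphertext), ENGLISH_ORDER))

def demo(seed=2024):
    """Encrypt SAMPLE, guess without the key, count letters guessed correctly."""
    table = make_map(seed)
    ciphertext = substitute(SAMPLE, table)
    guess = guess_map(ciphertext)
    attempt = substitute(ciphertext, guess)
    hits = sum(guess.get(table[p]) == p for p in set(SAMPLE) if p in ALPHABET)
    return ciphertext, attempt, hits

if __name__ == "__main__":
    ciphertext, attempt, hits = demo()
    print("ciphertext: ", ciphertext)
    print("first guess:", attempt)
    print("letters already right:", hits)
```

The cipher only relabels the letter histogram, so on this message the two most common cipher letters are the images of "e" and "t"; the remaining letters are finished by hand from the partially readable guess.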