An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

News | Oct. 17, 2019

Creating and Cracking NSA’s Codebreaker Challenge

By Betsy Stein NSA

More than 100 students packed into a classroom at Oregon State University (OSU) recently to get unique insight into NSA’s Codebreaker Challenge from its creator, Eric Bryant. 

Eric Bryant
Eric Bryant explains this year’s Codebreaker Challenge to students at Oregon State University.
Eric Bryant
Eric Bryant at OSU
Eric Bryant explains this year’s Codebreaker Challenge to students at Oregon State University.
Photo By: NSA
VIRIN: 191017-D-IM742-2002
Zander, a junior computer science major, was one of the students thrilled to get some inside scoop into the challenge and to learn a little more about NSA. “It’s definitely an amazing challenge – more in-depth than most Capture the Flag (CTF) events I’ve been to,” he said.  “It was great to hear more details about the challenge and how it was created.” 

OSU came out of nowhere last year to win the multitier cyber challenge created to introduce students to difficult problems like those NSA deals with every day. The school had more than 100 participants with 10 progressing to level five and two completing all seven levels, placing them in an elite group of just 20 others across the country to achieve the same. In its first foray into the challenge, OSU beat out past winners such as Georgia Institute of Technology (Georgia Tech) and Carnegie Mellon University. 

“I’m definitely excited,” said Yeongjin Jang, assistant professor of computer science at OSU and the force behind the school’s Codebreaker win. “I’ve created a new culture here with Codebreaker and hacking and now NSA has come to OSU. This will motivate other students to work toward cybersecurity and that’s important.”

The Secret to OSU’s Win

Jang, a self-professed hacker and champion in national hacking events, learned about the Codebreaker Challenge as a doctoral student at Georgia Tech. When he came to OSU in 2017, he hoped to bring the victory with him. He sings high praise of the Codebreaker Challenge and has incorporated it into several of his classes, including Cyber Attacks and Defense – where it’s 20 percent of the students’ grade. 

“The Codebreaker Challenge helps in developing the class and motivating students,” he said. “It’s a good practicum. It gives students a chance to implement what they have learned.”

And that is exactly what Bryant was hoping when he came up with the idea six years ago on a plane heading to a wedding. As the NSA Academic Liaison to his alma mater, Purdue University, Bryant wanted a better way to engage with students on campus.

“When we talked to students about what we do at NSA, there was a strong interest to learn and gain hands-on experience but no classes teaching what they needed to know,” Bryant said. “Reverse engineering in general is an area we found lacking across the schools we dealt with.”

For the first couple of years, the Codebreaker Challenge was small and targeted only to a handful of campuses, but in 2015 it was offered to all students at U.S.-based academic institutions.  “2015 was the breakout year when it really took off,” Bryant said. “That year we had over 2,200 students.”

What It Takes

The Codebreaker Challenge uses real world scenarios and requires technical skills such as software reverse engineering, cryptanalysis, exploit development, vulnerability analysis, and more. 

Eric Bryant
Eric Bryant speaks with students at Oregon State University, the winner of last year’s Codebreaker Challenge.
Eric Bryant
Eric Bryant at OSU
Eric Bryant speaks with students at Oregon State University, the winner of last year’s Codebreaker Challenge.
Photo By: NSA
VIRIN: 191017-D-IM742-2003
“Each year we want the problems to reflect real mission themes, and we also want it to be fresh,” Bryant said. One year the challenge involved disarming and “bricking” an IED before it exploded, reflecting NSA’s work supporting the warfighter. Last year the challenge delved into the modern world of block chain analysis and Ethereum smart contract development. This year’s challenge deals with an Android secure messaging app created by tech savvy terrorists to communicate. Students must develop capabilities to enable message spoofing, user masquerades, and message decryption to thwart the terrorists and foil the attack.

“This is what we call a nontraditional way of educating students about what we do at NSA,” Kathy Hutson, NSA’s Senior Strategist for Academic Engagement, told educators and administrators at OSU. “It’s a peek behind the curtain at NSA.” 
Bryant was impressed by OSU’s innovative approach to cybersecurity education and by the large number of students who attended his tech talk. “When I mentioned the school’s first place ranking last year, the students cheered as if they’d won a major sporting event,” he said. 

Tips from the Tech Talk

The students were interested to hear about Bryant and how he came to work at NSA from private industry because of the challenging mission and the work/life balance. They hung on his words when he spoke about the challenge and how a small cadre of passionate developers create it on their own time – outside of their normal work duties. 

Questions cropped up about some early kinks in the challenge – which are not unusual, Bryant said, and often keep the team up at night around the launch. Most students were interested to learn how to solve the last two steps in the 2018 challenge – except Andrew, an 18-year-old senior who was the only student at OSU to complete the challenge.

“Levels one through five weren’t that bad but problem six was definitely difficult,” Andrew said. “It took me about a month – it was always in the back of my mind. It required out-of-the-box thinking.”

He got through it and, as a result, was offered an internship at NSA last summer. Now he’s focused on the new challenge. 
“I like that it has a real world feel to it, most CTF’s are academic in nature,” he said. “I like that it’s an app – it has a cool vibe to it.” 

Although it was the first day of school and the challenge had only been live for a few days, Andrew had already made it past several levels and was about to hunker down and dedicate some serious time to it. 

Unfortunately, Bryant did not offer any clues in his tech talk. All he could offer was a brief video message from NSA’s Director GEN Paul Nakasone wishing the students luck and letting them know he’d be watching their progress.