6 files changed, 305 insertions, 0 deletions
diff --git a/content/JWT.md b/content/JWT.md
new file mode 100644
index 0000000..46da1a2
--- /dev/null
+++ b/content/JWT.md
@@ -0,0 +1,41 @@
+++
+title = "JWT"
+description = "JSON Web Token Documentation"
+weight = 4
+++
+> JSON Web Tokens are representations of claims, or authorization proofs that fit into the `Header` of HTTP requests.
+# How?
+JWTs are used as the [MAC](https://en.wikipedia.org/wiki/Message_authentication_code) of operations that require authorization:
+- block proposal
+- transaction proposal.
+They are send alongside the JSON request body in the `Header`;
+```html
+Authorization: Bearer aaaaaa.bbbbbb.ccccc
+```
+Gradecoin uses 3 fields for the JWTs;
+```json
+{
+"tha": "Hash of the payload, check invididual references",
+"iat": "Issued At, Unix Time",
+"exp": "Expiration Time, epoch"
+}
+```
+- `tha` is explained in [blocks](@/block_docs.md) and [transactions](@/transaction_docs.md) documentations.
+- `iat` when the JWT was created in [Unix Time](https://en.wikipedia.org/wiki/Unix_time) format
+- `exp` when the JWT will expire & be rejected in [Unix Time](https://en.wikipedia.org/wiki/Unix_time)
+# Algorithm
+We are using [RS256](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1), `RSASSA-PKCS1-v1_5 using SHA-256`. The JWTs you encode with your private RSA key will be decoded using the public key you have authenticated with. You can see how the process works [here](https://jwt.io/).
+# References
+- [RFC, the ultimate reference](https://tools.ietf.org/html/rfc7519)
+- [JWT Debugger](https://jwt.io/)
diff --git a/content/_index.md b/content/_index.md
new file mode 100644
index 0000000..d0be673
--- /dev/null
+++ b/content/_index.md
@@ -0,0 +1,98 @@
+++
+title = "Gradecoin"
+sort_by = "weight"
+++
+# Welcome to Gradecoin!
+Blockchains are incredibly simple yet can appear very complicated, we will see how they work and practice programming _production_ cryptography code.
+This server is the sandbox for the PA1, it's currently running the Gradecoin application. Gradecoin is the faux currency we will use to simulate a blockchain network. At the end of the simulation, the amount of Gradecoin you hold will be your PA1 grade.
+**A quick summary**: authenticate yourself to the system using public key encryption.
+Craft [Transaction](@/transaction_docs.md) proposals and tag them using [JWTs](@/JWT.md).
+When there are enough transactions then you can propose [Blocks](@/block_docs.md) in the same way.
+Blocks need to be _mined_ beforehand using Proof-of-work, or brute force.
+Gradecoin offers 3 endpoints at [/register](/register), [/block](/block) and [/transaction](/transaction). You can only send GET requests to /block and /transaction without authorization.
+The server is programmed in [RESTful](https://www.service-architecture.com/articles/web-services/representational_state_transfer_rest.html) architecture, there are no `DELETE`, `PUT` or `UPDATE` operations, though.
+Gradecoin uses a Proof-of-work block accepting mechanism. It uses single round [Blake2s](https://www.blake2.net/) hashing which produces 256-bit (64 hexadecimal characters) output. The [target](https://wiki.bitcoinsv.io/index.php/Target) hash is _24 bits_ or _6 hexadecimal characters_ of 0. During testing, I could mine a block on average around 4-6 minutes.
+> We're expecting you to use existing tools and implementations. Standards are hard. [Don't roll your own crypto](https://www.reddit.com/r/crypto/comments/2coqsy/dont_roll_your_own/). Feel free to ask questions. Collaborate.
+You might ask,
+> But if nobody has any Gradecoin then how do we have transactions?
+There is a bank! Their public key is `31415926535897932384626433832795028841971693993751058209749445923` and they have some amount of Gradecoin preloaded. It's also the only account that you can send transactions requests _to_ yourself.
+# Coinbase
+The first transactions of a block is called the `coinbase`. They are the **author** of the block proposal and if the block is accepted then they get compensated for their efforts with some Gradecoin.
+# Public Key Signatures
+Gradecoin uses 2048 bit RSA keypairs.
+# Services
+## /register
+- Create your own 2048 bit RSA `keypair`
+- Download `Gradecoin`'s Public Key from [Moodle](https://odtuclass.metu.edu.tr/my/)
+- Encrypt your [JSON](https://www.json.org/json-en.html) wrapped `Public Key`, `Student ID` and one time `passwd` using Gradecoin's Public Key
+- Your public key is now in our database and can be used to sign your JWT's during requests
+- For more information, check the [register](@/register_docs.md) page
+## /transaction
+- You can offer a [Transaction](@/transaction_docs.md) with a POST request
+    - The request should have `Authorization`
+    - The request header should be signed by the Public Key of the `by` field in the transaction
+- Fetch the list of `Transaction`s with a GET request
+- For more information, check our [transaction](@/transaction_docs.md) page
+## /block
+- Offer a [Block](@/block_docs.md) with a POST request
+    - The request should have `Authorization`
+    - The `transaction_list` of the block should be a subset of pending transactions, available on [/transaction](/transaction)
+- Fetch the last accepted `Block` with a GET request
+- For more information, check our [block](@/block_docs.md) page
+    `Authorization`: The request header should have Bearer JWT.Token signed with Student Public Key
+## /user
+- Meant to be used in the browser, you can see the current list of users and their balance here
+# Questions
+## This all sound complicated!
+- I've drawn inspiration from [actual Bitcoin transactions](https://explorer.bitcoin.com/btc) and [warp](https://github.com/seanmonstar/warp/blob/master/examples/todos.rs). The simplicity of the system is how little interfaces it has.
+- Don't know where to start? Gradecoin uses RESTful API; simple `curl` commands or even your browser will work! [This website can help as well](https://curl.trillworks.com/).
+- [JWT Debugger](https://jwt.io) and the corresponding [RFC](https://tools.ietf.org/html/rfc7519).
+- Remember that you are absolutely encouraged to grab off-the-shelf implementations for every cryptography primitive you will use. You can start by finding a code snippet to generate a RSA keypair?
+- Check out [misc](@/misc_docs.md) for everything else you might be curious about.
+## How do you actually earn Gradecoin?
+- Register yourself to at [/register](@/register_docs.md)
+- Create transactions at [/transaction](@/transaction_docs.md)
+- Create blocks to commit transactions at [/block](@/block_docs.md)
+- See how everyone is doing and find people to trade with at [/user](/user)
+## I found a bug!
+Thank you! Please [let me know](mailto:yigit@ceng.metu.edu.tr) so we can solve it.
+## I hacked the server!
+That wasn't supposed to happen :( I did not place any intentional vulnerabilities to the system so if you cracked something, it was not intended. Please don't abuse it and let me know so I can patch it.
+## Submission?
+At the end of the _simulation_, your Gradecoin balance will be your grade. I will also expect a unique client programmed in either;
+- c
+- c++
+- perl
+- rust
+- python
+- random assortment of bash scripts
+If your favourite programming language is missing please let me know 🤷?
+## Can my friends play?
+Sadly, no. Student's who are enrolled to the class will receive one-time-passwords for authentication.
+## How and or Why?
+- [Built](https://xkcd.com/2314/), [with](https://lofi.cafe/) [Rust](https://xkcd.com/2418/)
diff --git a/content/block_docs.md b/content/block_docs.md
new file mode 100644
index 0000000..92880b6
--- /dev/null
+++ b/content/block_docs.md
@@ -0,0 +1,43 @@
+++
+title = "Blocks"
+description = "Block Documentation"
+weight = 10
+++
+A block that was proposed to commit Transactions in `transaction_list` to the
+ledger with a nonce that made `hash` valid; 6 zeroes at the left hand side of the
+hash (24 bytes).
+We are _mining_ using [blake2s](https://www.blake2.net/) algorithm, which produces 256 bit hashes. Hash/second is roughly {{ exp(num="20x10", exponent="3") }} on my machine, a new block can be mined in around 4-6 minutes.
+# Requests
+## GET
+A HTTP `GET` request to [/block](/block) endpoint will return the latest mined block.
+## POST
+A HTTP `POST` request with Authorization using JWT will allow you to propose your own blocks.
+# Fields
+```
+transaction_list: [array of Fingerprints]
+nonce: unsigned 32-bit integer
+timestamp: ISO 8601 <date>T<time>
+hash: String
+```
+# Mining
+The _mining_ process for the hash involves;
+- Creating a temporary JSON object with `transaction_list`, `timestamp` and `nonce` values
+- Serializing it
+- Calculating blake2s hash of the serialized string
+If the resulting hash is valid, then you can create a `Block` JSON object with the found `nonce` and `hash`.
+# Hash
+```tha``` field in [jwt documentation](/jwt) in fact stands for "The Hash", in the case of a post request for a block, you need to use hash field of the block.
+[ISO 8601 Reference](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations)
diff --git a/content/misc_docs.md b/content/misc_docs.md
new file mode 100644
index 0000000..90ea514
--- /dev/null
+++ b/content/misc_docs.md
@@ -0,0 +1,17 @@
+++
+title = "Misc"
+description = "Documentation about everything else"
+weight = 10
+++
+We thought it might be good to explain some concepts you might have questions about.
+# Fingerprint
+## Definition
+A fingerprint is a 256 bit 64 character hexadecimal user identifier for users. Fingerprints are used in defining users in [transactions](@/transaction_docs.md) and [blocks](@/block_docs.md).
+## Fingerprint Generation
+A user's finger print is generated via applying SHA256 sum of the user's public RSA key.
diff --git a/content/register_docs.md b/content/register_docs.md
new file mode 100644
index 0000000..974fe37
--- /dev/null
+++ b/content/register_docs.md
@@ -0,0 +1,54 @@
+++
+title = "Register"
+description = "Register Documentation"
+weight = 3
+++
+POST request to `/register` endpoint
+Lets a user to authenticate themselves to the system.
+Only people who are enrolled to the class can open Gradecoin accounts.
+This is enforced with your Student ID (e123456) and a one time password you will receive.
+# Authentication Process
+> The bytes you are sending over the network are all Base64 Encoded
+- Gradecoin's Public Key (`gradecoin_public_key`) is listed on our Moodle page and [here](/gradecoin.pub). Download and load it it to your client.
+- Create a JSON object (`P_AR`) with your `metu_id` ("e"+`6 chars`) and `public key` in base64 (PEM) format (`S_PK`) [reference](https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem)
+```json
+{
+    "student_id": "e123456",
+    "passwd": "15 char secret",
+    "public_key": "---BEGIN PUBLIC KEY..."
+}
+```
+## Cipher Initialization
+> Since we are working with AES-128, both key and IV should be 128 bits (or 16 hexadecimal characters)
+- Pick a short temporary key (`k_temp`)
+- Pick a random IV [1](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Initialization_vector_(IV)) [2](https://en.wikipedia.org/wiki/Initialization_vector) (`iv`).
+## Encryption
+- Encrypt the serialized string of `P_AR` with 128 bit block [AES](https://en.wikipedia.org/wiki/Initialization_vector) in [CBC](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CBC) mode with [Pkcs7 padding](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Padding) using the temporary key (`k_temp`), the result is `C_AR`. Encode this with base64.
+- The temporary key you have picked `k_temp` is encrypted using RSA with [OAEP](https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding) padding scheme using SHA-256 with `gradecoin_public_key`, giving us `key_ciphertext`. Encode this with base64.
+- Base64 encode the IV (`iv`) as well.
+{% tidbit() %}
+The available tools and libraries might warn you about how using the primitives given above are "hazardous". They are, crypto is hard.
+{% end %}
+- The payload JSON object (`auth_request`) can be serialized now:
+```json
+{
+    "c": "C_AR",
+    "iv": "iv",
+    "key": "key_ciphertext"
+}
+```
+If your authentication process was valid, you will be given access and your public key fingerprint that is your address.
+You can now sign [JWTs](@/JWT.md) to send authorized transaction requests.
diff --git a/content/transaction_docs.md b/content/transaction_docs.md
new file mode 100644
index 0000000..05c1534
--- /dev/null
+++ b/content/transaction_docs.md
@@ -0,0 +1,52 @@
+++
+title = "Transactions"
+description = "Transaction documentation"
+weight = 6
+++
+A transaction request between `source` and `target` to move `amount` Gradecoin.
+# Requests
+## GET
+A HTTP `GET` request to [/transaction](/transaction) endpoint will return the current list of pending transactions.
+## POST
+A HTTP `POST` request with Authorization using JWT to [/transaction](/transactions) will allow you to propose your own transactions.
+# Fields
+```
+by: Fingerprint
+source: Fingerprint
+target: Fingerprint
+amount: unsigned 16 bit integer
+timestamp: ISO 8601 <date>T<time>
+```
+# Hash
+`tha` field in [jwt documentation](@/JWT.md) in fact stands for "The Hash", in the case of a post request for a transaction, you need the Md5 hash of the serialized JSON representation of transaction. The resulting JSON string should look something like;
+```
+{"by":"foo","source":"bar","target":"baz","amount":2,"timestamp":"2021-04-18T21:49:00"}
+```
+Or; without any whitespace, separated with `:` and `,`.
+# Bank
+There is a `bank` account with Fingerprint `31415926535897932384626433832795028841971693993751058209749445923`
+{% tidbit() %}
+First 64 digits of Pi
+{% end %}
+This is the only account that will let you _withdraw_ from them.
+```
+by: this has to be your Fingerprint
+source: this can be either you or the bank
+target: this can be a valid fingerprint or yourself if source is the bank
+...
+```

diff --git a/content/JWT.md b/content/JWT.md new file mode 100644 index 0000000..46da1a2 --- /dev/null +++ b/content/JWT.md
@@ -0,0 +1,41 @@
	1	+++
	2	title = "JWT"
	3	description = "JSON Web Token Documentation"
	4	weight = 4
	5	+++
	6
	7	> JSON Web Tokens are representations of claims, or authorization proofs that fit into the `Header` of HTTP requests.
	8
	9	# How?
	10
	11	JWTs are used as the [MAC](https://en.wikipedia.org/wiki/Message_authentication_code) of operations that require authorization:
	12	- block proposal
	13	- transaction proposal.
	14
	15	They are send alongside the JSON request body in the `Header`;
	16
	17	```html
	18	Authorization: Bearer aaaaaa.bbbbbb.ccccc
	19	```
	20
	21	Gradecoin uses 3 fields for the JWTs;
	22
	23	```json
	24	{
	25	"tha": "Hash of the payload, check invididual references",
	26	"iat": "Issued At, Unix Time",
	27	"exp": "Expiration Time, epoch"
	28	}
	29	```
	30
	31	- `tha` is explained in [blocks](@/block_docs.md) and [transactions](@/transaction_docs.md) documentations.
	32	- `iat` when the JWT was created in [Unix Time](https://en.wikipedia.org/wiki/Unix_time) format
	33	- `exp` when the JWT will expire & be rejected in [Unix Time](https://en.wikipedia.org/wiki/Unix_time)
	34
	35	# Algorithm
	36	We are using [RS256](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1), `RSASSA-PKCS1-v1_5 using SHA-256`. The JWTs you encode with your private RSA key will be decoded using the public key you have authenticated with. You can see how the process works [here](https://jwt.io/).
	37
	38	# References
	39	- [RFC, the ultimate reference](https://tools.ietf.org/html/rfc7519)
	40	- [JWT Debugger](https://jwt.io/)
	41


diff --git a/content/_index.md b/content/_index.md new file mode 100644 index 0000000..d0be673 --- /dev/null +++ b/content/_index.md
@@ -0,0 +1,98 @@
	1	+++
	2	title = "Gradecoin"
	3	sort_by = "weight"
	4	+++
	5
	6	# Welcome to Gradecoin!
	7
	8	Blockchains are incredibly simple yet can appear very complicated, we will see how they work and practice programming _production_ cryptography code.
	9
	10	This server is the sandbox for the PA1, it's currently running the Gradecoin application. Gradecoin is the faux currency we will use to simulate a blockchain network. At the end of the simulation, the amount of Gradecoin you hold will be your PA1 grade.
	11
	12	A quick summary: authenticate yourself to the system using public key encryption.
	13	Craft [Transaction](@/transaction_docs.md) proposals and tag them using [JWTs](@/JWT.md).
	14	When there are enough transactions then you can propose [Blocks](@/block_docs.md) in the same way.
	15	Blocks need to be _mined_ beforehand using Proof-of-work, or brute force.
	16
	17	Gradecoin offers 3 endpoints at [/register](/register), [/block](/block) and [/transaction](/transaction). You can only send GET requests to /block and /transaction without authorization.
	18	The server is programmed in [RESTful](https://www.service-architecture.com/articles/web-services/representational_state_transfer_rest.html) architecture, there are no `DELETE`, `PUT` or `UPDATE` operations, though.
	19
	20	Gradecoin uses a Proof-of-work block accepting mechanism. It uses single round [Blake2s](https://www.blake2.net/) hashing which produces 256-bit (64 hexadecimal characters) output. The [target](https://wiki.bitcoinsv.io/index.php/Target) hash is _24 bits_ or _6 hexadecimal characters_ of 0. During testing, I could mine a block on average around 4-6 minutes.
	21
	22	> We're expecting you to use existing tools and implementations. Standards are hard. [Don't roll your own crypto](https://www.reddit.com/r/crypto/comments/2coqsy/dont_roll_your_own/). Feel free to ask questions. Collaborate.
	23
	24	You might ask,
	25
	26	> But if nobody has any Gradecoin then how do we have transactions?
	27
	28	There is a bank! Their public key is `31415926535897932384626433832795028841971693993751058209749445923` and they have some amount of Gradecoin preloaded. It's also the only account that you can send transactions requests _to_ yourself.
	29
	30	# Coinbase
	31	The first transactions of a block is called the `coinbase`. They are the author of the block proposal and if the block is accepted then they get compensated for their efforts with some Gradecoin.
	32
	33	# Public Key Signatures
	34	Gradecoin uses 2048 bit RSA keypairs.
	35
	36	# Services
	37	## /register
	38	- Create your own 2048 bit RSA `keypair`
	39	- Download `Gradecoin`'s Public Key from [Moodle](https://odtuclass.metu.edu.tr/my/)
	40	- Encrypt your [JSON](https://www.json.org/json-en.html) wrapped `Public Key`, `Student ID` and one time `passwd` using Gradecoin's Public Key
	41	- Your public key is now in our database and can be used to sign your JWT's during requests
	42	- For more information, check the [register](@/register_docs.md) page
	43
	44	## /transaction
	45	- You can offer a [Transaction](@/transaction_docs.md) with a POST request
	46	- The request should have `Authorization`
	47	- The request header should be signed by the Public Key of the `by` field in the transaction
	48	- Fetch the list of `Transaction`s with a GET request
	49	- For more information, check our [transaction](@/transaction_docs.md) page
	50
	51	## /block
	52	- Offer a [Block](@/block_docs.md) with a POST request
	53	- The request should have `Authorization`
	54	- The `transaction_list` of the block should be a subset of pending transactions, available on [/transaction](/transaction)
	55	- Fetch the last accepted `Block` with a GET request
	56	- For more information, check our [block](@/block_docs.md) page
	57
	58	`Authorization`: The request header should have Bearer JWT.Token signed with Student Public Key
	59
	60	## /user
	61	- Meant to be used in the browser, you can see the current list of users and their balance here
	62
	63	# Questions
	64	## This all sound complicated!
	65	- I've drawn inspiration from [actual Bitcoin transactions](https://explorer.bitcoin.com/btc) and [warp](https://github.com/seanmonstar/warp/blob/master/examples/todos.rs). The simplicity of the system is how little interfaces it has.
	66	- Don't know where to start? Gradecoin uses RESTful API; simple `curl` commands or even your browser will work! [This website can help as well](https://curl.trillworks.com/).
	67	- [JWT Debugger](https://jwt.io) and the corresponding [RFC](https://tools.ietf.org/html/rfc7519).
	68	- Remember that you are absolutely encouraged to grab off-the-shelf implementations for every cryptography primitive you will use. You can start by finding a code snippet to generate a RSA keypair?
	69	- Check out [misc](@/misc_docs.md) for everything else you might be curious about.
	70
	71	## How do you actually earn Gradecoin?
	72	- Register yourself to at [/register](@/register_docs.md)
	73	- Create transactions at [/transaction](@/transaction_docs.md)
	74	- Create blocks to commit transactions at [/block](@/block_docs.md)
	75	- See how everyone is doing and find people to trade with at [/user](/user)
	76
	77	## I found a bug!
	78	Thank you! Please [let me know](mailto:yigit@ceng.metu.edu.tr) so we can solve it.
	79
	80	## I hacked the server!
	81	That wasn't supposed to happen :( I did not place any intentional vulnerabilities to the system so if you cracked something, it was not intended. Please don't abuse it and let me know so I can patch it.
	82
	83	## Submission?
	84	At the end of the _simulation_, your Gradecoin balance will be your grade. I will also expect a unique client programmed in either;
	85	- c
	86	- c++
	87	- perl
	88	- rust
	89	- python
	90	- random assortment of bash scripts
	91
	92	If your favourite programming language is missing please let me know 🤷?
	93
	94	## Can my friends play?
	95	Sadly, no. Student's who are enrolled to the class will receive one-time-passwords for authentication.
	96
	97	## How and or Why?
	98	- [Built](https://xkcd.com/2314/), [with](https://lofi.cafe/) [Rust](https://xkcd.com/2418/)


diff --git a/content/block_docs.md b/content/block_docs.md new file mode 100644 index 0000000..92880b6 --- /dev/null +++ b/content/block_docs.md
@@ -0,0 +1,43 @@
	1	+++
	2	title = "Blocks"
	3	description = "Block Documentation"
	4	weight = 10
	5	+++
	6
	7	A block that was proposed to commit Transactions in `transaction_list` to the
	8	ledger with a nonce that made `hash` valid; 6 zeroes at the left hand side of the
	9	hash (24 bytes).
	10
	11	We are _mining_ using [blake2s](https://www.blake2.net/) algorithm, which produces 256 bit hashes. Hash/second is roughly {{ exp(num="20x10", exponent="3") }} on my machine, a new block can be mined in around 4-6 minutes.
	12
	13	# Requests
	14
	15	## GET
	16	A HTTP `GET` request to [/block](/block) endpoint will return the latest mined block.
	17
	18	## POST
	19
	20	A HTTP `POST` request with Authorization using JWT will allow you to propose your own blocks.
	21
	22	# Fields
	23	```
	24	transaction_list: [array of Fingerprints]
	25	nonce: unsigned 32-bit integer
	26	timestamp: ISO 8601 <date>T<time>
	27	hash: String
	28	```
	29
	30	# Mining
	31	The _mining_ process for the hash involves;
	32	- Creating a temporary JSON object with `transaction_list`, `timestamp` and `nonce` values
	33	- Serializing it
	34	- Calculating blake2s hash of the serialized string
	35
	36	If the resulting hash is valid, then you can create a `Block` JSON object with the found `nonce` and `hash`.
	37
	38	# Hash
	39
	40	```tha``` field in [jwt documentation](/jwt) in fact stands for "The Hash", in the case of a post request for a block, you need to use hash field of the block.
	41
	42
	43	[ISO 8601 Reference](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations)


diff --git a/content/misc_docs.md b/content/misc_docs.md new file mode 100644 index 0000000..90ea514 --- /dev/null +++ b/content/misc_docs.md
@@ -0,0 +1,17 @@
	1	+++
	2	title = "Misc"
	3	description = "Documentation about everything else"
	4	weight = 10
	5	+++
	6
	7	We thought it might be good to explain some concepts you might have questions about.
	8
	9	# Fingerprint
	10
	11	## Definition
	12
	13	A fingerprint is a 256 bit 64 character hexadecimal user identifier for users. Fingerprints are used in defining users in [transactions](@/transaction_docs.md) and [blocks](@/block_docs.md).
	14
	15	## Fingerprint Generation
	16
	17	A user's finger print is generated via applying SHA256 sum of the user's public RSA key.


diff --git a/content/register_docs.md b/content/register_docs.md new file mode 100644 index 0000000..974fe37 --- /dev/null +++ b/content/register_docs.md
@@ -0,0 +1,54 @@
	1	+++
	2	title = "Register"
	3	description = "Register Documentation"
	4	weight = 3
	5	+++
	6
	7	POST request to `/register` endpoint
	8
	9	Lets a user to authenticate themselves to the system.
	10	Only people who are enrolled to the class can open Gradecoin accounts.
	11	This is enforced with your Student ID (e123456) and a one time password you will receive.
	12
	13	# Authentication Process
	14
	15	> The bytes you are sending over the network are all Base64 Encoded
	16
	17	- Gradecoin's Public Key (`gradecoin_public_key`) is listed on our Moodle page and [here](/gradecoin.pub). Download and load it it to your client.
	18	- Create a JSON object (`P_AR`) with your `metu_id` ("e"+`6 chars`) and `public key` in base64 (PEM) format (`S_PK`) [reference](https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem)
	19	```json
	20	{
	21	"student_id": "e123456",
	22	"passwd": "15 char secret",
	23	"public_key": "---BEGIN PUBLIC KEY..."
	24	}
	25	```
	26
	27	## Cipher Initialization
	28
	29	> Since we are working with AES-128, both key and IV should be 128 bits (or 16 hexadecimal characters)
	30
	31	- Pick a short temporary key (`k_temp`)
	32	- Pick a random IV [1](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Initialization_vector_(IV)) [2](https://en.wikipedia.org/wiki/Initialization_vector) (`iv`).
	33
	34	## Encryption
	35	- Encrypt the serialized string of `P_AR` with 128 bit block [AES](https://en.wikipedia.org/wiki/Initialization_vector) in [CBC](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CBC) mode with [Pkcs7 padding](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Padding) using the temporary key (`k_temp`), the result is `C_AR`. Encode this with base64.
	36	- The temporary key you have picked `k_temp` is encrypted using RSA with [OAEP](https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding) padding scheme using SHA-256 with `gradecoin_public_key`, giving us `key_ciphertext`. Encode this with base64.
	37	- Base64 encode the IV (`iv`) as well.
	38
	39	{% tidbit() %}
	40	The available tools and libraries might warn you about how using the primitives given above are "hazardous". They are, crypto is hard.
	41	{% end %}
	42
	43	- The payload JSON object (`auth_request`) can be serialized now:
	44
	45	```json
	46	{
	47	"c": "C_AR",
	48	"iv": "iv",
	49	"key": "key_ciphertext"
	50	}
	51	```
	52
	53	If your authentication process was valid, you will be given access and your public key fingerprint that is your address.
	54	You can now sign [JWTs](@/JWT.md) to send authorized transaction requests.


diff --git a/content/transaction_docs.md b/content/transaction_docs.md new file mode 100644 index 0000000..05c1534 --- /dev/null +++ b/content/transaction_docs.md
@@ -0,0 +1,52 @@
	1	+++
	2	title = "Transactions"
	3	description = "Transaction documentation"
	4	weight = 6
	5	+++
	6
	7	A transaction request between `source` and `target` to move `amount` Gradecoin.
	8
	9	# Requests
	10
	11	## GET
	12	A HTTP `GET` request to [/transaction](/transaction) endpoint will return the current list of pending transactions.
	13
	14	## POST
	15
	16	A HTTP `POST` request with Authorization using JWT to [/transaction](/transactions) will allow you to propose your own transactions.
	17
	18	# Fields
	19	```
	20	by: Fingerprint
	21	source: Fingerprint
	22	target: Fingerprint
	23	amount: unsigned 16 bit integer
	24	timestamp: ISO 8601 <date>T<time>
	25	```
	26
	27	# Hash
	28
	29	`tha` field in [jwt documentation](@/JWT.md) in fact stands for "The Hash", in the case of a post request for a transaction, you need the Md5 hash of the serialized JSON representation of transaction. The resulting JSON string should look something like;
	30
	31	```
	32	{"by":"foo","source":"bar","target":"baz","amount":2,"timestamp":"2021-04-18T21:49:00"}
	33	```
	34
	35	Or; without any whitespace, separated with `:` and `,`.
	36
	37	# Bank
	38
	39	There is a `bank` account with Fingerprint `31415926535897932384626433832795028841971693993751058209749445923`
	40
	41	{% tidbit() %}
	42	First 64 digits of Pi
	43	{% end %}
	44
	45	This is the only account that will let you _withdraw_ from them.
	46
	47	```
	48	by: this has to be your Fingerprint
	49	source: this can be either you or the bank
	50	target: this can be a valid fingerprint or yourself if source is the bank
	51	...
	52	```