summaryrefslogtreecommitdiffstats
path: root/site/content
diff options
context:
space:
mode:
authoralpaylan2021-04-16 01:03:21 +0300
committeralpaylan2021-04-16 01:03:21 +0300
commitb4212a90caa899785402c06d57216e75de0f1c88 (patch)
tree8adbe6eb6b451eee20d181f26ab771e0c5a920ee /site/content
parent82864341afc78b23b358cd775c70ffbfa0d0303f (diff)
parent72f8ae422eeb03ed87c7819af5d5e25758267b03 (diff)
downloadgradecoin-b4212a90caa899785402c06d57216e75de0f1c88.tar.gz
gradecoin-b4212a90caa899785402c06d57216e75de0f1c88.tar.bz2
gradecoin-b4212a90caa899785402c06d57216e75de0f1c88.zip
Merge remote-tracking branch 'origin/main'
# Conflicts: # src/schema.rs
Diffstat (limited to 'site/content')
-rw-r--r--site/content/JWT.md41
-rw-r--r--site/content/_index.md85
-rw-r--r--site/content/block_docs.md30
-rw-r--r--site/content/register_docs.md39
-rw-r--r--site/content/transaction_docs.md26
5 files changed, 221 insertions, 0 deletions
diff --git a/site/content/JWT.md b/site/content/JWT.md
new file mode 100644
index 0000000..46da1a2
--- /dev/null
+++ b/site/content/JWT.md
@@ -0,0 +1,41 @@
1+++
2title = "JWT"
3description = "JSON Web Token Documentation"
4weight = 4
5+++
6
7> JSON Web Tokens are representations of claims, or authorization proofs that fit into the `Header` of HTTP requests.
8
9# How?
10
11JWTs are used as the [MAC](https://en.wikipedia.org/wiki/Message_authentication_code) of operations that require authorization:
12- block proposal
13- transaction proposal.
14
15They are send alongside the JSON request body in the `Header`;
16
17```html
18Authorization: Bearer aaaaaa.bbbbbb.ccccc
19```
20
21Gradecoin uses 3 fields for the JWTs;
22
23```json
24{
25"tha": "Hash of the payload, check invididual references",
26"iat": "Issued At, Unix Time",
27"exp": "Expiration Time, epoch"
28}
29```
30
31- `tha` is explained in [blocks](@/block_docs.md) and [transactions](@/transaction_docs.md) documentations.
32- `iat` when the JWT was created in [Unix Time](https://en.wikipedia.org/wiki/Unix_time) format
33- `exp` when the JWT will expire & be rejected in [Unix Time](https://en.wikipedia.org/wiki/Unix_time)
34
35# Algorithm
36We are using [RS256](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1), `RSASSA-PKCS1-v1_5 using SHA-256`. The JWTs you encode with your private RSA key will be decoded using the public key you have authenticated with. You can see how the process works [here](https://jwt.io/).
37
38# References
39- [RFC, the ultimate reference](https://tools.ietf.org/html/rfc7519)
40- [JWT Debugger](https://jwt.io/)
41
diff --git a/site/content/_index.md b/site/content/_index.md
new file mode 100644
index 0000000..4ad0544
--- /dev/null
+++ b/site/content/_index.md
@@ -0,0 +1,85 @@
1+++
2title = "Gradecoin"
3sort_by = "weight"
4+++
5
6# Welcome to Gradecoin!
7
8Blockchains are incredibly simple yet can appear very complicated, we will see how they work and practice programming _production_ cryptography code.
9
10This server is the sandbox for the PA1, it's currently running the Gradecoin application. Gradecoin is the faux currency we will use to simulate a blockchain network. At the end of the simulation, the amount of Gradecoin you hold will be your PA1 grade.
11
12**A quick summary**: authenticate yourself to the system using public key encryption.
13Craft [Transaction](@/transaction_docs.md) proposals and tag them using [JWTs](@/JWT.md).
14When there are enough transactions then you can propose [Blocks](@/block_docs.md) in the same way.
15Blocks need to be _mined_ beforehand using Proof-of-work, or brute force.
16
17Gradecoin offers 3 endpoints at [/register](/register), [/block](/block) and [/transaction](/transaction). You can only send GET requests to /block and /transaction without authorization.
18The server is programmed in [RESTful](https://www.service-architecture.com/articles/web-services/representational_state_transfer_rest.html) architecture, there are no `DELETE`, `PUT` or `UPDATE` operations, though.
19
20Gradecoin uses a Proof-of-work block accepting mechanism. It uses single round [Blake2s](https://www.blake2.net/) hashing which produces 256-bit (64 hexadecimal characters) output. The [target](https://wiki.bitcoinsv.io/index.php/Target) hash is _24 bits_ or _6 hexadecimal characters_ of 0. During testing, I could mine a block on average around 2-7 minutes.
21
22> We're expecting you to use existing tools and implementations. Standards are hard. [Don't roll your own crypto](https://www.reddit.com/r/crypto/comments/2coqsy/dont_roll_your_own/). Feel free to ask questions. Collaborate.
23
24You might ask,
25
26> But if nobody has any Gradecoin then how do we have transactions?
27
28There is a bank! Their public key is `31415926535897932384626433832795028841971693993751058209749445923` and they have some amount of Gradecoin preloaded. It's also the only account that you can send transactions requests _to_ yourself.
29
30# Coinbase
31The first transactions of a block is called the `coinbase`. They are the **author** of the block proposal and if the block is accepted then they get compensated for their efforts with some Gradecoin.
32
33# Public Key Signatures
34Gradecoin uses 2048 bit RSA keyspairs.
35
36# Services
37## /register
38- Student creates their own 2048 bit RSA `keypair`
39- Downloads `Gradecoin`'s Public Key from [Moodle](https://odtuclass.metu.edu.tr/my/)
40- Encrypts their JSON wrapped `Public Key`, `Student ID` and one time `passwd` using Gradecoin's Public Key
41- Their public key is now in our database and can be used to sign their JWT's during requests
42
43## /transaction
44- You can offer a [Transaction](/transaction) - POST request
45 - The request should have `Authorization`
46 - The request header should be signed by the Public Key of the `by` field in the transaction
47- fetch the list of `Transaction`s - GET request
48
49## /block
50- offer a [`schema::Block`] - POST request
51 - The request should have `Authorization`
52 - The [`schema::Block::transaction_list`] of the block should be a subset of [`schema::Db::pending_transactions`]
53- fetch the last accepted [`schema::Block`] - GET request
54
55`Authorization`: The request header should have Bearer JWT.Token signed with Student Public Key
56
57# Questions
58## This all sound complicated!
59- I've drawn inspiration from [actual Bitcoin transactions](https://explorer.bitcoin.com/btc) and [warp](https://github.com/seanmonstar/warp/blob/master/examples/todos.rs). The simplicity of the system is how little interfaces it has.
60- Don't know where to start? Gradecoin uses RESTful API; simple `curl` commands or even your browser will work! [This website can help as well](https://curl.trillworks.com/).
61- [JWT Debugger](https://jwt.io) and the corresponding [RFC](https://tools.ietf.org/html/rfc7519)
62- Remember that you are absolutely encouraged to grab off-the-shelf implementations for every cryptography primitive you will use. You can start by finding a code snippet to generate a RSA keypair?
63
64## I found a bug!
65Thank you! Please [let me know](mailto:yigit@ceng.metu.edu.tr) so we can solve it.
66
67## I hacked the server!
68That wasn't supposed to happen :( I did not place any intentional vulnerabilities to the system so if you cracked something, it was not intended. Please don't abuse it and let me know so I can patch it.
69
70## Submission?
71At the end of the _simulation_, your Gradecoin balance will be your grade. I will also expect a unique client programmed in either;
72- c
73- c++
74- perl
75- rust
76- python
77- random assortment of bash scripts
78
79If your favourite programming language is missing please let me know 🤷?
80
81## Can my friends play?
82Sadly, no. Student's who are enrolled to the class will receive one-time-passwords for authentication.
83
84## How and or Why?
85- [Built](https://xkcd.com/2314/), [with](https://lofi.cafe/) [Rust](https://xkcd.com/2418/)
diff --git a/site/content/block_docs.md b/site/content/block_docs.md
new file mode 100644
index 0000000..c1d61e9
--- /dev/null
+++ b/site/content/block_docs.md
@@ -0,0 +1,30 @@
1+++
2title = "Blocks"
3description = "Block Documentation"
4weight = 10
5+++
6
7A block that was proposed to commit Transactions in `transaction_list` to the
8ledger with a nonce that made `hash` valid; 6 zeroes at the left hand side of the
9hash (24 bytes).
10
11We are _mining_ using [blake2s](https://www.blake2.net/) algorithm, which produces 256 bit hashes. Hash/second is roughly 20x10^3 on my machine, a new block can be mined in around 4-6 minutes.
12
13# Requests
14
15## GET
16A HTTP `GET` request to [/block](/block) endpoint will return the latest mined block.
17
18## POST
19
20A HTTP `POST` request with Authorization using JWT will allow you to propose your own blocks.
21
22# Fields
23```
24transaction_list: [array of Fingerprints]
25nonce: unsigned 32-bit integer
26timestamp: ISO 8601 <date>T<time>
27hash: String
28```
29
30[ISO 8601 Reference](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations)
diff --git a/site/content/register_docs.md b/site/content/register_docs.md
new file mode 100644
index 0000000..83aef7f
--- /dev/null
+++ b/site/content/register_docs.md
@@ -0,0 +1,39 @@
1+++
2title = "Register"
3description = "Register Documentation"
4weight = 3
5+++
6
7POST request to /register endpoint
8
9Lets a user to authenticate themselves to the system.
10Only people who are enrolled to the class can open Gradecoin accounts.
11This is enforced with your Student ID and a one time password you will receive.
12
13# Authentication Process
14- Gradecoin's Public Key (`gradecoin_public_key`) is listed on our Moodle page.
15- You pick a short temporary key (`k_temp`)
16- Create a JSON object (`auth_plaintext`) with your `metu_id` and `public key` in base64 (PEM) format (`S_PK`) [reference](https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem)
17```json
18{
19 "student_id": "e12345",
20 "passwd": "15 char secret",
21 "public_key": "---BEGIN PUBLIC KEY..."
22}
23```
24
25- Pick a random IV.
26- Encrypt the serialized string of `auth_plaintext` with 128 bit block AES in CBC mode with Pkcs7 padding using the temporary key (`k_temp`), the result is `auth_ciphertext`. Encode this with base64.
27- The temporary key you have picked `k_temp` is encrypted using RSA with OAEP padding scheme
28using SHA-256 with `gradecoin_public_key`, giving us `key_ciphertext`. Encode this with base 64.
29- The payload JSON object (`auth_request`) can be serialized now:
30
31```json
32{
33 "c": "auth_ciphertext",
34 "iv": "hexadecimal",
35 "key": "key_ciphertext"
36}
37```
38
39If your authentication process was valid, you will be given access and your public key fingerprint that is your address.
diff --git a/site/content/transaction_docs.md b/site/content/transaction_docs.md
new file mode 100644
index 0000000..820c35f
--- /dev/null
+++ b/site/content/transaction_docs.md
@@ -0,0 +1,26 @@
1+++
2title = "Transactions"
3description = "Transaction documentation"
4weight = 6
5+++
6
7A transaction request between `source` and `target` to move `amount` Gradecoin.
8
9# Requests
10
11## GET
12A HTTP `GET` request to [/transaction](/transaction) endpoint will return the current list of pending transactions.
13
14## POST
15
16A HTTP `POST` request with Authorization using JWT to [/transaction](/transactions) will allow you to propose your own transactions.
17
18
19# Fields
20```
21by: Fingerprint
22source: Fingerprint
23target: Fingerprint
24amount: unsigned 16 bit integer
25timestamp: ISO 8601 <date>T<time>
26```