diff options
Diffstat (limited to 'site/content')
-rw-r--r-- | site/content/JWT.md | 38 | ||||
-rw-r--r-- | site/content/_index.md | 61 |
2 files changed, 93 insertions, 6 deletions
diff --git a/site/content/JWT.md b/site/content/JWT.md index 91a7a73..f55ab17 100644 --- a/site/content/JWT.md +++ b/site/content/JWT.md | |||
@@ -4,8 +4,38 @@ description = "JSON Web Token Documentation" | |||
4 | weight = 5 | 4 | weight = 5 |
5 | +++ | 5 | +++ |
6 | 6 | ||
7 | Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod | 7 | > JSON Web Tokens are representations of claims, or authorization proofs that fit into the `Header` of HTTP requests. |
8 | tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At | 8 | |
9 | vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd | 9 | # How? |
10 | ubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. | 10 | |
11 | JWTs are used as the [MAC](https://en.wikipedia.org/wiki/Message_authentication_code) of operations that require authorization: | ||
12 | - block proposal | ||
13 | - transaction proposal. | ||
14 | |||
15 | They are send alongside the JSON request body in the `Header`; | ||
16 | |||
17 | ```html | ||
18 | Authorization: Bearer aaaaaa.bbbbbb.ccccc | ||
19 | ``` | ||
20 | |||
21 | Gradecoin uses 3 fields for the JWTs; | ||
22 | |||
23 | ```json | ||
24 | { | ||
25 | "tha": "Hash of the payload, check invididual references", | ||
26 | "iat": "Issued At, Unix Time", | ||
27 | "exp": "Expiration Time, epoch" | ||
28 | } | ||
29 | ``` | ||
30 | |||
31 | - `tha` is explained in [blocks](@/block_docs.md) and [transactions](@/transaction_docs.md) documentations. | ||
32 | - `iat` when the JWT was created in [Unix Time](https://en.wikipedia.org/wiki/Unix_time) format | ||
33 | - `exp` when the JWT will expire & be rejected in [Unix Time](https://en.wikipedia.org/wiki/Unix_time) | ||
34 | |||
35 | # Algorithm | ||
36 | We are using [RS256](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1), `RSASSA-PKCS1-v1_5 using SHA-256`. The JWTs you encode with your private RSA key will be decoded using the public key you have authenticated with. You can see how the process works [here](https://jwt.io/). | ||
37 | |||
38 | # References | ||
39 | - [RFC, the ultimate reference](https://tools.ietf.org/html/rfc7519) | ||
40 | - [JWT Debugger](https://jwt.io/) | ||
11 | 41 | ||
diff --git a/site/content/_index.md b/site/content/_index.md index 7dd7a7c..bf33eef 100644 --- a/site/content/_index.md +++ b/site/content/_index.md | |||
@@ -3,8 +3,35 @@ title = "Gradecoin" | |||
3 | sort_by = "weight" | 3 | sort_by = "weight" |
4 | +++ | 4 | +++ |
5 | 5 | ||
6 | - Don't know where to start? Gradecoin uses RESTful API, simple `curl` commands or even your browser will work! [This website can help as well](https://curl.trillworks.com/). | 6 | # Welcome to Gradecoin! |
7 | - [JWT Debugger](https://jwt.io) and the corresponding [RFC](https://tools.ietf.org/html/rfc7519) | 7 | |
8 | Blockchains are incredibly simple yet can appear very complicated, we will see how they work and practice programming _production_ cryptography code. | ||
9 | |||
10 | This server is the sandbox for the PA1, it's currently running the Gradecoin application. Gradecoin is the faux currency we will use to simulate a blockchain network. At the end of the simulation, the amount of Gradecoin you hold will be your PA1 grade. | ||
11 | |||
12 | **A quick summary**: authenticate yourself to the system using public key encryption. | ||
13 | Craft [Transaction](@/transaction_docs.md) proposals and tag them using [JWTs](@/JWT.md). | ||
14 | When there are enough transactions then you can propose [Blocks](@/block_docs.md) in the same way. | ||
15 | Blocks need to be _mined_ beforehand using Proof-of-work, or brute force. | ||
16 | |||
17 | Gradecoin offers 3 endpoints at [/register](/register), [/block](/block) and [/transaction](/transaction). You can only send GET requests to /block and /transaction without authorization. | ||
18 | The server is programmed in [RESTful](https://www.service-architecture.com/articles/web-services/representational_state_transfer_rest.html) architecture, there are no `DELETE`, `PUT` or `UPDATE` operations, though. | ||
19 | |||
20 | Gradecoin uses a Proof-of-work block accepting mechanism. It uses single round [Blake2s](https://www.blake2.net/) hashing which produces 256-bit (64 hexadecimal characters) output. The [target](https://wiki.bitcoinsv.io/index.php/Target) hash is _24 bits_ or _6 hexadecimal characters_ of 0. During testing, I could mine a block on average around 2-7 minutes. | ||
21 | |||
22 | > We're expecting you to use existing tools and implementations. Standards are hard. [Don't roll your own crypto](https://www.reddit.com/r/crypto/comments/2coqsy/dont_roll_your_own/). Feel free to ask questions. Collaborate. | ||
23 | |||
24 | You might ask, | ||
25 | |||
26 | > But if nobody has any Gradecoin then how do we have transactions? | ||
27 | |||
28 | There is a bank! Their public key is `31415926535897932384626433832795028841971693993751058209749445923` and they have some amount of Gradecoin preloaded. It's also the only account that you can send transactions requests _to_ yourself. | ||
29 | |||
30 | # Coinbase | ||
31 | The first transactions of a block is called the `coinbase`. They are the **author** of the block proposal and if the block is accepted then they get compensated for their efforts with some Gradecoin. | ||
32 | |||
33 | # Public Key Signatures | ||
34 | Gradecoin uses 2048 bit RSA keyspairs. | ||
8 | 35 | ||
9 | # Services | 36 | # Services |
10 | ## /register | 37 | ## /register |
@@ -26,3 +53,33 @@ sort_by = "weight" | |||
26 | - fetch the last accepted [`schema::Block`] - GET request | 53 | - fetch the last accepted [`schema::Block`] - GET request |
27 | 54 | ||
28 | `Authorization`: The request header should have Bearer JWT.Token signed with Student Public Key | 55 | `Authorization`: The request header should have Bearer JWT.Token signed with Student Public Key |
56 | |||
57 | # Questions | ||
58 | ## This all sound complicated! | ||
59 | - I've drawn inspiration from [actual Bitcoin transactions](https://explorer.bitcoin.com/btc) and [warp](https://github.com/seanmonstar/warp/blob/master/examples/todos.rs). The simplicity of the system is how little interfaces it has. | ||
60 | - Don't know where to start? Gradecoin uses RESTful API; simple `curl` commands or even your browser will work! [This website can help as well](https://curl.trillworks.com/). | ||
61 | - [JWT Debugger](https://jwt.io) and the corresponding [RFC](https://tools.ietf.org/html/rfc7519) | ||
62 | - Remember that you are absolutely encouraged to grab off-the-shelf implementations for every cryptography primitive you will use. You can start by finding a code snippet to generate a RSA keypair? | ||
63 | |||
64 | ## I found a bug! | ||
65 | Thank you! Please [let me know](mailto:yigit@ceng.metu.edu.tr) so we can solve it. | ||
66 | |||
67 | ## I hacked the server! | ||
68 | That wasn't supposed to happen :( I did not place any intentional vulnerabilities to the system so if you cracked something, it was not intended. Please don't abuse it and let me know so I can patch it. | ||
69 | |||
70 | ## Submission? | ||
71 | At the end of the _simulation_, your Gradecoin balance will be your grade. I will also expect a unique client programmed in either; | ||
72 | - c | ||
73 | - c++ | ||
74 | - perl | ||
75 | - rust | ||
76 | - python | ||
77 | - random assortment of bash scripts | ||
78 | |||
79 | If your favourite programming language is missing please let me know 🤷? | ||
80 | |||
81 | ## Can my friends play? | ||
82 | Sadly, no. Student's who are enrolled to the class will receive one-time-passwords for authentication. | ||
83 | |||
84 | ## How and or Why? | ||
85 | - [Built](https://xkcd.com/2314/), with [Rust](https://xkcd.com/2418/) | ||