- - - - - -

- -

- Authentication Process -

- - -

- - Cipher Initialization -

- -

- - Encryption -

- - - -

- -

POST request to /register endpoint

Lets a user to authenticate themselves to the system. -Only people who are enrolled to the class can open Gradecoin accounts. -This is enforced with your Student ID (e123456) and a one time password you will receive.

Authentication Process

-
The bytes you are sending over the network are all Base64 Encoded
-

Gradecoin's Public Key (gradecoin_public_key) is listed on our Moodle page and here. Download and load it it to your client.
Create a JSON object (P_AR) with your metu_id ("e"+6 chars) and public key in base64 (PEM) format (S_PK) reference

-{
-    "student_id": "e123456",
-    "passwd": "15 char secret",
-    "public_key": "---BEGIN PUBLIC KEY..."
-}
-

Cipher Initialization

-
Since we are working with AES-128, both key and IV should be 128 bits (or 16 hexadecimal characters)
-

Pick a short temporary key (k_temp)
Pick a random IV 1 2 (iv).

Encryption

Encrypt the serialized string of P_AR with 128 bit block AES in CBC mode with Pkcs7 padding using the temporary key (k_temp), the result is C_AR. Encode this with base64.
The temporary key you have picked k_temp is encrypted using RSA with OAEP padding scheme using SHA-256 with gradecoin_public_key, giving us key_ciphertext. Encode this with base64.
Base64 encode the IV (iv) as well.

-
- The available tools and libraries might warn you about how using the primitives given above are "hazardous". They are, crypto is hard. -
-

The payload JSON object (auth_request) can be serialized now:

-{
-    "c": "C_AR",
-    "iv": "iv",
-    "key": "key_ciphertext"
-}
-

If your authentication process was valid, you will be given access and your public key fingerprint that is your address. -You can now sign JWTs to send authorized transaction requests.

- - -

- - - -