POST request to /register endpoint Lets a [User] (=student) to authenticate themselves to the system This request can be rejected if the payload is malformed (=not authenticated properly) or if the [AuthRequest.user_id] of the request is not in the list of users that can hold a Gradecoin account

Authentication Process

• Gradecoin's Public Key (gradecoin_public_key) is listed on moodle.

• Gradecoin's Private Key (gradecoin_private_key) is loaded here

• Student picks a short temporary key (k_temp)

• Creates a JSON object (auth_plaintext) with their metu_id and public key in base64 (PEM) format (S_PK): { student_id: "e12345", passwd: "15 char secret" public_key: "---BEGIN PUBLIC KEY..." }

• Encrypts the serialized string of auth_plaintext with 128 bit block AES in CBC mode with Pkcs7 padding using the temporary key (k_temp), the result is auth_ciphertext TODO should this be base64'd?

• The temporary key student has picked k_temp is encrypted using RSA with OAEP padding scheme using sha256 with gradecoin_public_key (TODO base64? same as above), giving us key_ciphertext

• The payload JSON object (auth_request) can be JSON serialized now: { c: "auth_ciphertext" key: "key_ciphertext" }

Gradecoin Side

• Upon receiving, we first RSA decrypt with OAEP padding scheme using SHA256 with gradecoin_private_key as the key and auth_request.key key as the ciphertext, receiving temp_key (this is the temporary key chosen by stu
• With temp_key, we can AES 128 Cbc Pkcs7 decrypt the auth_request.c, giving us auth_plaintext
• The auth_plaintext String can be deserialized to [AuthRequest]
• We then verify the payload and calculate the User fingerprint
• Finally, create the new [User] object, insert to users HashMap <fingerprint, User>