Welcome to Gradecoin!
Blockchains are incredibly simple yet can appear very complicated. We will see how they work and practice programming production cryptography code.
This server is the sandbox for PA1; it is currently running the Gradecoin application. Gradecoin is the faux currency we will use to simulate a blockchain network. At the end of the simulation, the amount of Gradecoin you hold will be your PA1 grade.
A quick summary: authenticate yourself to the system using public key encryption. Craft Transaction proposals and tag them using JWTs. When there are enough transactions, you can propose Blocks in the same way. Blocks need to be mined beforehand using Proof-of-work, or brute force.
Gradecoin offers 3 endpoints at /register, /block and /transaction. You can only send GET requests to /block and /transaction without authorization.
The server is programmed in RESTful architecture, there are no DELETE, PUT or UPDATE operations, though.
Gradecoin uses a Proof-of-work block accepting mechanism. It uses single-round Blake2s hashing, which produces a 256-bit (64 hexadecimal characters) output. The target hash is 24 bits or 6 hexadecimal characters of 0. During testing, I could mine a block in around 4-6 minutes on average.
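An added example, not part of the Gradecoin code base: a brute-force miner for the Proof-of-work scheme described above, using Python's hashlib.blake2s. The block serialization (compact JSON of transaction_list and nonce) and the reading of the target as 24 leading zero bits are assumptions; the server's own block schema decides which bytes are hashed.

```python
import hashlib
import json
from itertools import count

# Page: the target is 24 bits, i.e. 6 hex characters of 0.
# Treated here as *leading* zeros (assumption).
ZERO_BITS = 24


def block_digest(transaction_list, nonce):
    # Assumed serialization, not the server's documented format:
    # compact JSON with sorted keys, so every client hashes identical bytes.
    body = json.dumps(
        {"transaction_list": transaction_list, "nonce": nonce},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()
    # Single round of Blake2s, 256-bit output as 64 hex characters.
    return hashlib.blake2s(body).hexdigest()


def meets_target(hex_digest, zero_bits=ZERO_BITS):
    # Compare as an integer so targets that are not a multiple of
    # 4 bits (one hex character) are handled as well.
    return int(hex_digest, 16) >> (256 - zero_bits) == 0


def mine(transaction_list, zero_bits=ZERO_BITS, start=0):
    # Brute force: try nonces until the digest meets the target.
    # Expected work is about 2**zero_bits hashes (~16.7 million at 24 bits).
    for nonce in count(start):
        digest = block_digest(transaction_list, nonce)
        if meets_target(digest, zero_bits):
            return nonce, digest


if __name__ == "__main__":
    txs = ["constructed-tx-id-1", "constructed-tx-id-2"]  # constructed sample
    nonce, digest = mine(txs, zero_bits=16)  # reduced difficulty for a quick run
    print(nonce, digest)
```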
We're expecting you to use existing tools and implementations. Standards are hard. Don't roll your own crypto. Feel free to ask questions. Collaborate.
You might ask,
But if nobody has any Gradecoin then how do we have transactions?
There is a bank! Their public key is 31415926535897932384626433832795028841971693993751058209749445923 and they have some amount of Gradecoin preloaded. It's also the only account that you can send transaction requests to yourself.
Coinbase
The first transaction of a block is called the coinbase. They are the author of the block proposal, and if the block is accepted they get compensated for their efforts with some Gradecoin.
Public Key Signatures
Gradecoin uses 2048-bit RSA keypairs.
Services
/register
- Student creates their own 2048 bit RSA keypair
- Downloads Gradecoin's Public Key from Moodle
- Encrypts their JSON wrapped Public Key, Student ID and one time passwd using Gradecoin's Public Key
- Their public key is now in our database and can be used to sign their JWT's during requests
/transaction
- You can offer a Transaction - POST request
  - The request should have Authorization
  - The request header should be signed by the Public Key of the by field in the transaction
- fetch the list of Transactions - GET request
/block
- offer a [schema::Block] - POST request
  - The request should have Authorization
  - The [schema::Block::transaction_list] of the block should be a subset of [schema::Db::pending_transactions]
- fetch the last accepted [schema::Block] - GET request
Authorization: The request header should have Bearer JWT.Token signed with Student Public Key
Questions
This all sounds complicated!
- I've drawn inspiration from actual Bitcoin transactions and warp. The simplicity of the system is how few interfaces it has.
- Don't know where to start? Gradecoin uses RESTful API; simple curl commands or even your browser will work! This website can help as well.
- JWT Debugger and the corresponding RFC
- Remember that you are absolutely encouraged to grab off-the-shelf implementations for every cryptography primitive you will use. You can start by finding a code snippet to generate an RSA keypair.
I found a bug!
Thank you! Please let me know so we can solve it.
I hacked the server!
That wasn't supposed to happen :( I did not place any intentional vulnerabilities in the system, so if you cracked something, it was not intended. Please don't abuse it and let me know so I can patch it.
Submission?
At the end of the simulation, your Gradecoin balance will be your grade. I will also expect a unique client programmed in one of:
- c
- c++
- perl
- rust
- python
- random assortment of bash scripts
If your favourite programming language is missing please let me know 🤷?
Can my friends play?
Sadly, no. Students who are enrolled in the class will receive one-time passwords for authentication.