<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Gradecoin</title>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<style>
:root {
/* Primary theme color */
--primary-color: #F8D12F;
/* Primary theme text color */
--primary-text-color: #1E2329;
/* Primary theme link color */
--primary-link-color: #2F57F7;
/* Secondary color: the background body color */
--secondary-color: #FAFAFA;
--secondary-text-color: #303030;
/* Highlight text color of table of content */
--toc-highlight-text-color: #d46e13;
}
</style>
<link href="https://fonts.googleapis.com/css?family=Alfa+Slab+One&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Fira+Sans:400,500,600&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/normalize.css">
<link rel="stylesheet" href="https://gradecoin.xyz/juice.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/4.1.1/animate.min.css" />
</head>
<body>
<header class="pos-absolute" style="background-color: transparent">
<a href="https://gradecoin.xyz/">
<div class="logo">
<img src="https://gradecoin.xyz/gradecoin.png" alt="logo">
Gradecoin
</div>
</a>
<nav>
<a class="nav-item subtitle-text" href="https://gradecoin.xyz/register-docs/">Register</a>
<a class="nav-item subtitle-text" href="https://gradecoin.xyz/jwt/">JWT</a>
<a class="nav-item subtitle-text" href="https://gradecoin.xyz/transaction-docs/">Transactions</a>
<a class="nav-item subtitle-text" href="https://gradecoin.xyz/block-docs/">Blocks</a>
<a class="nav-item subtitle-text" href="https://github.com/zhuowei/nft_ptr#why">why?</a>
</nav>
</header>
<div class="hero">
<section class="text-center">
<h1 class="heading-text animate__animated animate__jackInTheBox" style="font-size: 50px">
Mine your own grades
</h1>
<h3 class="title-text">
<b>Gradecoin</b> is the latest cutting edge blockchain technology agile grading framework that drives organic engagement and other buzzwords, with big data mining search engine optimization
</h3>
<div>
</div>
</section>
<img class="hero-image" style="width: 40%" src="https://gradecoin.xyz/gradecoin.png">
<div class="explore-more text"
onclick="document.getElementById('features').scrollIntoView({behavior: 'smooth'})">
⇩ Learn How ⇩
</div>
<style>
.hero section {
padding: 0 5rem;
}
@media screen and (max-width: 768px) {
.hero section {
padding: 0 2rem;
}
.hero-image {
display: none
}
}
footer {
color: #8b8b8b;
}
</style>
</div>
<main>
<div class="toc">
<div class="toc-sticky">
<div class="toc-item">
<a class="subtext" href="https://gradecoin.xyz/#welcome-to-gradecoin">Welcome to Gradecoin!</a>
</div>
<div class="toc-item">
<a class="subtext" href="https://gradecoin.xyz/#coinbase">Coinbase</a>
</div>
<div class="toc-item">
<a class="subtext" href="https://gradecoin.xyz/#public-key-signatures">Public Key Signatures</a>
</div>
<div class="toc-item">
<a class="subtext" href="https://gradecoin.xyz/#services">Services</a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#register"><small>- /register</small></a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#transaction"><small>- /transaction</small></a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#block"><small>- /block</small></a>
</div>
<div class="toc-item">
<a class="subtext" href="https://gradecoin.xyz/#questions">Questions</a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#this-all-sound-complicated"><small>- This all sounds complicated!</small></a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#i-found-a-bug"><small>- I found a bug!</small></a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#i-hacked-the-server"><small>- I hacked the server!</small></a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#submission"><small>- Submission?</small></a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#can-my-friends-play"><small>- Can my friends play?</small></a>
</div>
<div class="toc-item-child">
<a class="subtext" href="https://gradecoin.xyz/#how-and-or-why"><small>- How and or Why?</small></a>
</div>
</div>
</div>
<div class="content text">
<div id="features" class="heading-text">Overview</div>
<h1 id="welcome-to-gradecoin">Welcome to Gradecoin!</h1>
<p>Blockchains are incredibly simple yet can appear very complicated. We will see how they work and practice programming <em>production</em> cryptography code.</p>
<p>This server is the sandbox for PA1, and it's currently running the Gradecoin application. Gradecoin is the faux currency we will use to simulate a blockchain network. At the end of the simulation, the amount of Gradecoin you hold will be your PA1 grade.</p>
<p><strong>A quick summary</strong>: authenticate yourself to the system using public key encryption.
Craft <a href="https://gradecoin.xyz/transaction-docs/">Transaction</a> proposals and tag them using <a href="https://gradecoin.xyz/jwt/">JWTs</a>.
When there are enough transactions then you can propose <a href="https://gradecoin.xyz/block-docs/">Blocks</a> in the same way.
Blocks need to be <em>mined</em> beforehand using Proof-of-work, or brute force.</p>
<p>Gradecoin offers 3 endpoints at <a href="/register">/register</a>, <a href="/block">/block</a> and <a href="/transaction">/transaction</a>. You can only send GET requests to /block and /transaction without authorization.
The server follows a <a href="https://www.service-architecture.com/articles/web-services/representational_state_transfer_rest.html">RESTful</a> architecture, although there are no <code>DELETE</code>, <code>PUT</code> or <code>UPDATE</code> operations.</p>
<p>Gradecoin uses a Proof-of-work block accepting mechanism. It uses single round <a href="https://www.blake2.net/">Blake2s</a> hashing, which produces a 256-bit (64 hexadecimal characters) output. The <a href="https://wiki.bitcoinsv.io/index.php/Target">target</a> hash is <em>24 bits</em> or <em>6 hexadecimal characters</em> of 0. During testing, I could mine a block in around 2-7 minutes on average.</p>
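<p>The proof-of-work check described above, as an added example that is not Gradecoin's own code. The block serialization (compact JSON), the <code>nonce</code> and <code>timestamp</code> field names, the sample transaction ids and the reading of the target as <em>leading</em> zero bits are assumptions; the Blocks documentation defines the actual format.</p>

```python
import hashlib
import json

TARGET_BITS = 24  # from the page: 24 zero bits = 6 hexadecimal characters of 0


def block_hash(transaction_list, nonce, timestamp):
    """Single-round Blake2s over an ASSUMED serialization (compact JSON)."""
    payload = json.dumps(
        {"transaction_list": transaction_list, "nonce": nonce, "timestamp": timestamp},
        separators=(",", ":"),
    ).encode()
    return hashlib.blake2s(payload).digest()  # 32 bytes = 256 bits


def meets_target(digest, bits=TARGET_BITS):
    """True when the top `bits` bits of the digest are zero (assumed: leading)."""
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def mine(transaction_list, timestamp, bits=TARGET_BITS, max_nonce=2**32):
    """Brute-force the nonce; expected work is about 2**bits hashes."""
    for nonce in range(max_nonce):
        digest = block_hash(transaction_list, nonce, timestamp)
        if meets_target(digest, bits):
            return nonce, digest.hex()
    raise RuntimeError("nonce space exhausted; change the timestamp and retry")


def verify(transaction_list, nonce, timestamp, claimed_hash, pending, bits=TARGET_BITS):
    """Validator-side check: recompute the hash, never trust the submitted one."""
    if not set(transaction_list).issubset(pending):
        return False  # a block may only contain pending transactions
    digest = block_hash(transaction_list, nonce, timestamp)
    return digest.hex() == claimed_hash and meets_target(digest, bits)


if __name__ == "__main__":
    # Constructed sample data; 16 bits keeps the demo fast (about 65k hashes).
    pending = {"tx-aaa", "tx-bbb", "tx-ccc"}
    txs = ["tx-aaa", "tx-bbb"]
    ts = "2021-04-08T12:30:30"
    nonce, h = mine(txs, ts, bits=16)
    print(nonce, h, verify(txs, nonce, ts, h, pending, bits=16))
```

<p>Each extra target bit doubles the expected number of hashes, so the full 24-bit target needs roughly 16.7 million attempts, while verification is always a single hash.</p>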
<blockquote>
<p>We're expecting you to use existing tools and implementations. Standards are hard. <a href="https://www.reddit.com/r/crypto/comments/2coqsy/dont_roll_your_own/">Don't roll your own crypto</a>. Feel free to ask questions. Collaborate.</p>
</blockquote>
<p>You might ask,</p>
<blockquote>
<p>But if nobody has any Gradecoin then how do we have transactions?</p>
</blockquote>
<p>There is a bank! Their public key is <code>31415926535897932384626433832795028841971693993751058209749445923</code> and they have some amount of Gradecoin preloaded. It's also the only account that you can send transaction requests <em>to</em> yourself.</p>
<h1 id="coinbase">Coinbase</h1>
<p>The first transaction of a block is called the <code>coinbase</code>. They are the <strong>author</strong> of the block proposal, and if the block is accepted they are compensated for their efforts with some Gradecoin.</p>
<h1 id="public-key-signatures">Public Key Signatures</h1>
<p>Gradecoin uses 2048-bit RSA key pairs.</p>
<h1 id="services">Services</h1>
<h2 id="register">/register</h2>
<ul>
<li>Student creates their own 2048 bit RSA <code>keypair</code></li>
<li>Downloads <code>Gradecoin</code>'s Public Key from <a href="https://odtuclass.metu.edu.tr/my/">Moodle</a></li>
<li>Encrypts their JSON wrapped <code>Public Key</code>, <code>Student ID</code> and one time <code>passwd</code> using Gradecoin's Public Key</li>
<li>Their public key is now in our database and can be used to sign their JWTs during requests</li>
</ul>
<h2 id="transaction">/transaction</h2>
<ul>
<li>You can offer a <a href="/transaction">Transaction</a> - POST request
<ul>
<li>The request should have <code>Authorization</code></li>
<li>The request header should be signed by the Public Key of the <code>by</code> field in the transaction</li>
</ul>
</li>
<li>fetch the list of <code>Transaction</code>s - GET request</li>
</ul>
<h2 id="block">/block</h2>
<ul>
<li>offer a <code>schema::Block</code> - POST request
<ul>
<li>The request should have <code>Authorization</code></li>
<li>The <code>schema::Block::transaction_list</code> of the block should be a subset of <code>schema::Db::pending_transactions</code></li>
</ul>
</li>
<li>fetch the last accepted <code>schema::Block</code> - GET request</li>
</ul>
<p><code>Authorization</code>: The request header should have Bearer JWT.Token signed with Student Public Key</p>
<h1 id="questions">Questions</h1>
<h2 id="this-all-sound-complicated">This all sounds complicated!</h2>
<ul>
<li>I've drawn inspiration from <a href="https://explorer.bitcoin.com/btc">actual Bitcoin transactions</a> and <a href="https://github.com/seanmonstar/warp/blob/master/examples/todos.rs">warp</a>. The simplicity of the system is how few interfaces it has.</li>
<li>Don't know where to start? Gradecoin uses a RESTful API; simple <code>curl</code> commands or even your browser will work! <a href="https://curl.trillworks.com/">This website can help as well</a>.</li>
<li><a href="https://jwt.io">JWT Debugger</a> and the corresponding <a href="https://tools.ietf.org/html/rfc7519">RFC</a></li>
<li>Remember that you are absolutely encouraged to grab off-the-shelf implementations for every cryptography primitive you will use. You can start by finding a code snippet to generate an RSA keypair?</li>
</ul>
<h2 id="i-found-a-bug">I found a bug!</h2>
<p>Thank you! Please <a href="mailto:yigit@ceng.metu.edu.tr">let me know</a> so we can solve it.</p>
<h2 id="i-hacked-the-server">I hacked the server!</h2>
<p>That wasn't supposed to happen :( I did not place any intentional vulnerabilities in the system, so if you cracked something, it was not intended. Please don't abuse it and let me know so I can patch it.</p>
<h2 id="submission">Submission?</h2>
<p>At the end of the <em>simulation</em>, your Gradecoin balance will be your grade. I will also expect a unique client programmed in one of:</p>
<ul>
<li>c</li>
<li>c++</li>
<li>perl</li>
<li>rust</li>
<li>python</li>
<li>random assortment of bash scripts</li>
</ul>
<p>If your favourite programming language is missing please let me know 🤷?</p>
<h2 id="can-my-friends-play">Can my friends play?</h2>
<p>Sadly, no. Students who are enrolled in the class will receive one-time-passwords for authentication.</p>
<h2 id="how-and-or-why">How and or Why?</h2>
<ul>
<li><a href="https://xkcd.com/2314/">Built</a>, <a href="https://lofi.cafe/">with</a> <a href="https://xkcd.com/2418/">Rust</a></li>
</ul>
</div>
</main>
<footer>
Built For ⁂ CENG489 ⁂ Introduction to Computer Security
</footer>
</body>
<script>
function highlightNav(heading) {
let pathname = location.pathname;
document.querySelectorAll(".toc a").forEach((item) => {
item.classList.remove("active");
});
document.querySelector(".toc a[href$='" + pathname + "#" + heading + "']").classList.add("active");
}
let currentHeading = "";
window.onscroll = function () {
let h = document.querySelectorAll("h1,h2,h3,h4,h5,h6");
let elementArr = [];
h.forEach(item => {
if (item.id !== "") {
elementArr[item.id] = item.getBoundingClientRect().top;
}
});
elementArr.sort();
for (let key in elementArr) {
if (!elementArr.hasOwnProperty(key)) {
continue;
}
if (elementArr[key] > 0 && elementArr[key] < 300) {
if (currentHeading !== key) {
highlightNav(key);
currentHeading = key;
}
break;
}
}
}
</script>
</html>