Overview AETHELRED UNIVERSITY Registrar’s Office wants to start issuing a digital transcripts and diploma for graduating students. You are called to build the system to prevent grade tampering and fake records.

Lab 2: Blockchain-Based Academic Credentials Lab

Lastname: ______________            Firstname:________________

1. Overview

AETHELRED UNIVERSITY Registrar’s Office wants to start issuing a digital transcripts and diploma for graduating students. You are called to build the system to prevent grade tampering and fake records. Each student’s transcript and diploma is issued as a blockchain record where a cryptographic hash of the transcript is stored on-chain.

This lab would guide you through designing, implementing, and testing a prototype system that issues cryptographic proofs of academic transcripts on a blockchain.

We will:

·       Develop a simple smart contract to record transcript and diploma hashes.

·       Issue sample transcript entries for AETHELRED UNIVERSITY students.

·       Issue sample diploma for AETHELRED UNIVERSITY students.

·       Store transcript files off-chain (local file or IPFS) and store their cryptographic fingerprints on-chain.

·       Simulate tampering and show how a hash mismatch detects modification.

·       Explore a deliberate smart contract bug and demonstrate its consequences.

The User Roles and User Stories

·       AETHELRED UNIVERSITY admin to add student profile, generate transcripts and diploma for students, encrypt and compute SHA-256 fingerprints issues on chain and manage keys

·       Student that receives an encrypted credential file and a small proof token. Student posts a short public validation link or CeDiD on LinkedIn. Recruiter clicks/enters code to validate.

·       Recruiter enter the student’s proof tokens and get an instant verification of the transcript/diploma

·       Government simulate (A) modify an issued transcript, (B) create a fake student and issue a diploma outside AETHELRED UNIVERSITY, (C) create a diploma for an active (non-graduating) student.

By the end of the lab you’ll understand the architecture, attack surface, and tradeoffs for a blockchain-based credentialing system.

2. Lab Environment Setup

You will do everything in Google Colab. Make a copy of the notebook (https://colab.research.google.com/drive/1-68h_VKjSnJqbO55z4O7JKxQ5EgK0Gof?usp=sharing). I will reference the code using cell number as label. Below are the tools we would be using

·       Node.js v16+ and npm

·       Python 3.8+ and pip

·       Ganache (CLI or GUI) or access to an Ethereum testnet (Sepolia) and an API key (Infura/Alchemy)

·       Remix IDE or Hardhat/Truffle for compiling and deploying contracts

·       web3.py (Python) or ethers.js (Node)

3. Tasks (Lab Steps)

Task 0 – Environment & Setup

1.     Open the Colab notebook (link above).

2.     Run Cells 1–3 to install dependencies, start Ganache

3.     Run Cell  4 to Compile both contract for transcript and diploma.

Screenshot your compiled contract for transcript and diploma

4.     Run Cell 5 to connect to a Ganache account

Screenshot or copy the owner address from Cell 5

5.     Run cell 5b to deploy the contract

Screenshot or copy the address of your TranscriptRegistry and DiplomaRegistry

Task 1 – Adding Students and Issuing Credentials

1.     Run cell 6 to create a test transcript and diploma for Jane Doe.

Whats the transcript SHA for the user

Screenshot or copy the Diploma SHA, CeDiD and Initails of this user.

2.     Run cell 7 to issue the transcript and diploma on blockchain

Screenshot of the student key and issued transaction hash

3.     Run cell 8 to verfiy the newly created transcript and diploma that we have on the chain

Screenshot of the verification, was this successful?

4.     Run cell 9 to see how we can tamper with the transcript and diploma

Was your tempering successful? Screenshot of the tempering

If not successful, explain why it was not successful

Task 2 – Issue a Transcript and Diploma

We want to create a system for AETHELRED UNIVERSITY admin to use to add users to the DB, run cell 10 to create the DB. Here cell 10 adds a user to the DB and later adds the user to the same block chain that was created before

What DB was used in this example?

Pick a new DB of your own and update the code to use your own DB, which DB did you choose and why?

Add a new user to your own DB, screenshot of your DB with the new user you added

Transaction hash and event log, plus the transcript file and computed hash.

Try to change the blockchain account that the transcript is added, whats the new account that was used for this

Task 3 – Verification of Transcript and Diploma as a Recruiter

Here we run cell 11 to create the function that helps the recruiter verify that a students transcript or diploma is issued by AETHELRED UNIVERSITY.

Command output showing transcript and diploma verified as not tempeted

Update the code to check from your own DB, did this work?

Verify the users you have on your own DB, on the original blockchain account, what was your observation?

Change back to the 2^nd blockchain account from Task 2 and verify the users, was this successful? If not, why? Include screenshots

 

Task 4 – Tamper Simulation

Based on the data on your DB, do the following tamper simulations

1.     Edit the off-chain transcript (change a grade).

2.     Edit the diploma, change the name, but let the name have the same initials

Was the diploma with the same initials on this tempered diploma, was the verification successful? Include screenshots

3.     Recompute the SHA-256 of the edited file.

4.     Re-run verification, show the on-chain hash does not match (verification fails).

5.     Explain why this prevents silent grade changes.

Two hashes (original and tampered), and verification result showing mismatch.

Change the issuer of the Diploma from AETHELRED UNIVERSITY to another school, try to use AETHELRED UNIVERSITY to verify the diploma, did it work?

What would you do to prevent AETHELRED UNIVERSITY from validating a diploma it did not issue?

Task 5 – Smart Contract Vulnerability

1.     Modify the contract to remove the “prevent overwrite” check (comment out require(records[studentId].issuedAt == 0, “already issued”);) and re-deploy (or deploy a second broken version).

2.     From the owner account (or vulnerability scenario: change the contract to allow any account to call issueTranscript), attempt to overwrite an existing record with a new hash (e.g., attacker issues a fake transcript hash).

3.     Observe implications: if anyone can reissue, the system is broken. If only owner can reissue but owner account is compromised (simulate compromise), records can be changed.

How does “permissioned” vs “permissionless” blockchain change your threat model?

What happens if the private key of the Registrar is leaked?

Demonstration of successful overwrite and an explanation.

 

 

 

Question and answer

1.     What is the purpose of using blockchain in this lab?

 

2.     What specific, immediate outcome occurs during the verification process if the off-chain transcript file is modified even slightly?

 

3.     What is the precise security purpose of this ‘require(records[studentId].issuedAt == 0, “already issued”);’ statement? How does its presence ensure the integrity of the academic record over time?

 

4.     Describe the specific malicious action an attacker could take with the broken contract, and why this represents a catastrophic failure for an academic credentials system?

 

5.     What are the security risk identified in this lab and what are the solution?

 

4. Extra Tasks (Lab Steps)