How to securely distribute student grades?
So I'm asking HNers: can you think of a relatively low friction way for me to distribute grades to my students securely?
My University does have a web-based course management system where I can enter grades, and each student can log-in using their University credentials to look up grades, etc ... but I truly LOATH the system my University has chosen to use. It's slow, it's ugly, it's error prone, yuck yuck yuck.
I could get each student to generate a public/private key pair using GPG, and send me their public key. Then I can send them an email with their grade encrypted. Advantages: it's secure; it would also teach them how to use GPG which I am all in favour of. Disadvantages: it's clunky for me to send 20 separate emails using 20 separate public keys.
HNers: Is there a way I can send a single email to the entire class, with the entire set of grades encrypted in such a way that each student can only decrypt their email and nobody else's?
27 comments
[ 123 ms ] story [ 1463 ms ] threadI could ask each student to send me a password and I could post a symmetric encryption of their grade using their password ...
I'm thinking the only way to do this is to have a student-specific password, either symmetric or public/private key pair
ID9999999LastNameFirstNameWHATSMYGRADE
if my university were paying attention they would complain that sending me the passwords would be insecure... but I suppose each student could hand me a piece of paper
Everybody would then attempt to decode each cipher, with only one working for any individual private key.
This isn't all that different from your original posting, except that you now only need to send one unique e-mail.
(For Beavis, who's getting an F because he never showed up to class, you might get in trouble with the administration because a simpleton couldn't decode their grade through this or other sophisticated means.)
That said, encrypt the each grade with a key derived from the students ID (which is privileged information) and make a webpage to do the decryption for the students. SHA256 ( ID + Salt ) == Key for symmetric encryption.
--former IT college staffer
They have access to SHA256 so they can privately find their own student ID hash and then look up their grades
Yes yes, use bcrypt etc., but that's overkill; I'll post a simpler solution.
If you are not in your office much, then I would just offer the GPG option. Sending 20 e-mails will not take very long. Out of the 20 students, I bet only half of them get their act together and e-mail you a key, so it's really more like 10 emails that you would need to send.
Another option is set up a website with a login id (student id or something) and have students submit a pin (4-12 chars) and let them use that to login and see their grades (probably should be ssl).
As for your question I don't see how you could send them encrypted, you could make up random ids for each student and only give that student their id then send grades out corresponding to their random ids but that may still violate privacy issues.
Even though it is terrible I would just stick with the schools system.
- If you don't like it they'll have the least grade possible.
- If they do, use it.
Easy.
Also what kind of rule is that lol? Privacy, really?
(A.k.a. you can't solve this without either a pre-shared secret or public-key cryptography; so get yourself a pre-shared secret.)
(Potential pitfall: no matter how many instructions you add, someone is going to write down his bank password.)