Academic Credential Issuance and Verification System

A decentralized approach to tamper-proof, permanent academic records using blockchain anchoring, IPFS storage, and threshold cryptography.

25 February 20267 min read
BlockchainWeb3IPFSCybersecurityCryptographyEthereumFull StackDecentralizationEdTech
Academic Credential Issuance and Verification System

A decentralized approach to tamper-proof, permanent academic records

Introduction

Academic credentials such as degrees and transcripts are foundational to employment, higher education, and professional licensing. Yet the infrastructure used to issue and verify them has barely evolved. Most systems still depend heavily on centralized institutional databases, manual verification workflows, and fragile storage mechanisms.

This creates serious risks:

  • Certificates can be forged
  • Verification is slow and costly
  • Records may disappear if institutions shut down
  • Students lack true ownership of their credentials

To address these challenges, we built the Resilient Credential Verification and Recovery System ā€” a decentralized, tamper-proof platform that ensures academic records remain secure, verifiable, and recoverable for the long term.

Our approach combines blockchain anchoring, IPFS-based storage, and threshold cryptography to eliminate single points of failure while preserving privacy and trust.

The Problem with Traditional Credential Systems

Conventional credential management suffers from several structural weaknesses.

Centralized Trust

Most verification workflows rely on universities as the sole source of truth. This creates:

  • A single point of failure
  • Verification bottlenecks
  • Long-term dependency on institutional uptime

Fraud and Tampering

Paper certificates and basic PDFs can be:

  • Edited
  • Reprinted
  • Forged

Even some digital systems lack strong cryptographic guarantees.

Data Impermanence

Institutional databases can be:

  • Lost in cyberattacks
  • Corrupted
  • Decommissioned
  • Or become inaccessible after institutional closure

When this happens, legitimate students may permanently lose proof of their qualifications.

Slow Verification

Today's verification often involves:

  • Emails to universities
  • Manual approvals
  • Days or weeks of waiting

This delays hiring and admissions processes.

Lack of Student Ownership

Students typically cannot independently prove their credentials without involving the issuing institution.

Our Solution: A Multi-Layer Decentralized Architecture

Our platform eliminates these risks using a combination of:

  • Blockchain anchoring
  • IPFS distributed storage
  • Advanced cryptography
  • Threshold key recovery

The goal is simple:

šŸ’”

Make credentials permanently verifiable, privately stored, and independently recoverable.

Core Design Pillars

1. Blockchain Anchoring A SHA-256 hash of each credential is permanently recorded on an Ethereum-compatible blockchain. This provides immutable, publicly verifiable proof of authenticity.

2. Decentralized Storage (IPFS) Encrypted credential documents are stored on IPFS via Filebase. Content addressing ensures the file can be retrieved from any node that pins it.

3. Threshold Key Recovery Using Shamir's Secret Sharing, the encryption key is split across independent custodians. This enables recovery without allowing any single party to access the credential.

Technology Stack

LayerTechnology
FrontendReact, TypeScript, Vite, Tailwind CSS
BackendNode.js, Express.js, TypeScript
DatabasePostgreSQL, Prisma ORM
BlockchainSolidity, Hardhat, Sepolia, Ethers.js
StorageIPFS via Filebase
CryptographyAES-256-GCM, RSA-OAEP, Shamir Secret Sharing

System Architecture Overview

The system distributes responsibility across multiple layers to eliminate centralized trust.

Frontend (React)
        ā”‚
        ā–¼
Backend (Node/Express)
   ā”‚        ā”‚        ā”‚
   ā–¼        ā–¼        ā–¼
PostgreSQL  IPFS   Blockchain

Each layer has a specific responsibility:

Client Application

  • Generates encryption keys
  • Encrypts credentials locally
  • Splits keys using SSS
  • Uploads ciphertext to IPFS

Backend Orchestrator

  • Handles authentication
  • Coordinates workflows
  • Logs audit events
  • Never accesses plaintext

Custodian Network

  • Stores encrypted key shares
  • Verifies recovery requests
  • Re-encrypts shares for the requester

Blockchain Layer

  • Stores credential hash
  • Stores IPFS CID
  • Provides immutable audit trail

How the System Works

The platform revolves around three primary workflows:

  1. Credential Issuance
  2. Credential Verification
  3. Credential Recovery

Let's break each down.

1. Credential Issuance Flow

When a university issues a credential:

  1. Issuer uploads the certificate
  2. Client generates a random AES-256 key
  3. Document is encrypted locally (AES-GCM)
  4. Ciphertext is uploaded to IPFS
  5. SHA-256 hash is computed
  6. Hash + CID anchored on blockchain
  7. AES key split using Shamir's Secret Sharing
  8. Key shares distributed to custodians

Why this is powerful

  • Server never sees plaintext
  • Document becomes tamper-evident
  • Storage becomes decentralized
  • Keys are not centrally stored

2. Instant Credential Verification

Verification is completely trustless.

  1. Verifier inputs CID
  2. System fetches encrypted file from IPFS
  3. SHA-256 hash is recomputed
  4. Compared with on-chain hash
šŸ’”

āœ… Match ā†’ Authentic | āŒ Mismatch ā†’ Tampered/Fake ā€” No university involvement required.

3. Threshold-Based Credential Recovery (Key Innovation)

This is the USP of the project.

The Problem It Solves

Even in decentralized systems:

  • If the encryption key is lost
  • Or the institution disappears

The credential may become permanently inaccessible.

Our Approach

We use Shamir's Secret Sharing (SSS).

The AES key is split into multiple shares:

  • Stored with independent custodians
  • Only threshold number needed
  • No single party has full key

Recovery Flow

  1. Student requests recovery
  2. Generates temporary key pair
  3. Custodians verify request
  4. Custodians re-encrypt shares
  5. Student reconstructs AES key
  6. Credential decrypted locally

Security Guarantees

  • Custodians cannot collude easily
  • Backend never sees keys
  • Recovery works without issuer
  • Student retains sovereignty
ā„¹ļø

This guarantees long-term accessibility without centralized trust.

Key Features

Tamper-Proof Records

Any modification to the document changes the hash and fails verification.

Instant Verification

Third parties can verify credentials in seconds.

Disaster Resilience

No single point of failure due to:

  • IPFS storage
  • Blockchain anchoring
  • Distributed key shares

Student-Centric Ownership

Students can:

  • Hold their credentials
  • Present them anywhere
  • Recover them independently

Full Audit Trail

All major actions are logged for transparency.

Setting Up the Project Locally

Prerequisites

  • Node.js v18+
  • npm or yarn
  • PostgreSQL
  • Sepolia RPC access (Alchemy/Infura)
  • Wallet with Sepolia ETH
  • Filebase account

Step 1 ā€” Clone Repository

git clone <repository-url>
cd miniproject

Step 2 ā€” Install Dependencies

npm run install:all

This installs dependencies for:

  • frontend
  • backend
  • contracts

Step 3 ā€” Configure Environment Variables

Create .env files in both backend and frontend.

Backend .env

DATABASE_URL="postgresql://user:password@localhost:5432/miniproject"

PORT=5000
NODE_ENV=development
JWT_SECRET="your-secret-key"
JWT_EXPIRES_IN="7d"

FILEBASE_ACCESS_KEY="your-access-key"
FILEBASE_SECRET_KEY="your-secret-key"
FILEBASE_BUCKET="your-bucket-name"
FILEBASE_REGION="us-east-1"
FILEBASE_ENDPOINT="https://s3.filebase.com"

SEPOLIA_RPC_URL="https://eth-sepolia.g.alchemy.com/v2/..."
PRIVATE_KEY="your-wallet-private-key"
CONTRACT_ADDRESS="0x..."

CORS_ORIGIN="http://localhost:5173"

Frontend .env

VITE_API_URL="http://localhost:5000"
VITE_CONTRACT_ADDRESS="0x..."
VITE_SEPOLIA_RPC_URL="https://eth-sepolia.g.alchemy.com/v2/..."

Step 4 ā€” Setup Database

cd backend
npm run prisma:migrate
npm run prisma:generate

Step 5 ā€” Deploy Smart Contract

cd ../contracts
npx hardhat run scripts/deploy.ts --network sepolia

Copy the deployed contract address into both env files.

Step 6 ā€” Run the Application

From project root:

npm run dev
ā„¹ļø

Frontend: http://localhost:5173 | Backend: http://localhost:5000

Project Structure

miniproject/
ā”œā”€ā”€ backend/
ā”œā”€ā”€ contracts/
ā”œā”€ā”€ frontend/
ā”œā”€ā”€ package.json
ā””ā”€ā”€ README.md

Testing Highlights

During evaluation, the system demonstrated:

  • Successful end-to-end issuance
  • 100% verification accuracy
  • Reliable threshold recovery
  • Zero plaintext exposure
  • Strong resistance to tampering

Future Enhancements

Planned improvements include:

  • W3C Verifiable Credentials integration
  • Zero-knowledge selective disclosure
  • Mobile credential wallet
  • Multi-institution consortium model
  • Production-grade custodian governance

Conclusion

The Resilient Credential Verification System demonstrates how modern cryptography, blockchain, and decentralized storage can transform academic credential management.

By removing single points of failure and giving students sovereign control over their records, this architecture moves us closer to a future where academic credentials are:

  • Permanently verifiable
  • Cryptographically secure
  • Institution-independent
  • Globally portable