					                  Santa Clara University
        DEPARTMENT of COMPUTER ENGINEERING

                                                Date: June 16, 2008


    I HEREBY RECOMMEND THAT THE THESIS PREPARED UNDER MY
                      SUPERVISION BY



                         Aaron Ramirez

                          ENTITLED

                  Online Teaching Evaluations


BE ACCEPTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE

                          DEGREE OF


       BACHELOR OF SCIENCE IN COMPUTER ENGINEERING




                                            ______________________
                                                   THESIS ADVISOR

                                            ______________________
                                                   DEPARTMENT CHAIR
ONLINE TEACHING EVALUATIONS


                        by



                  Aaron Ramirez




    SENIOR DESIGN PROJECT REPORT




Submitted in partial fulfillment of the requirements
                 for the degree of
  Bachelor of Science in Computer Engineering
              School of Engineering
              Santa Clara University




              Santa Clara, California

                  June 16, 2008
                            Acknowledgements



      This thesis is dedicated to my loving father, John Ramirez. No one

has been such a great support for me throughout my life.

      I also would not have been able to get as far as I have in this project

without the advising of Dr. Thomas Schwarz. He helped to make this

project possible and I owe him the greatest amount of thanks for his support

and assistance academically and professionally.

      Lastly, I want to thank all my family for being understanding and the

support they have given me over the years. I would not be where I am today

without them.




                            LIST of FIGURES

Figure 1: Snapshot of Homepage
Figure 2: Snapshot of Login page
Figure 3: General Public’s interaction with EvC
Figure 4: Snapshot of TDC page
Figure 5: Snapshot of Courses Database
Figure 6: User interaction with Token Distribution Center (TDC)
Figure 7: User interaction with Evaluation Center (EvC)
Figure 8: User final interaction with EvC
Figure 9: Snapshot of Evaluation Center
Figure 10: Snapshot of Courses Database form
Figure 11: Snapshot of Courses Database form
Figure 12: Snapshot of Current Evaluation page

                       TABLE OF CONTENTS

Acknowledgements
Chapter 1 – Introduction
Chapter 2 – Non-Functional Requirements
Chapter 3 – Functional Requirements
     3.1    Requirements of Evaluators
     3.2    Requirements of Persons being evaluated
     3.3    Requirements of Administrators
Chapter 4 – Security Token Structure
Chapter 5 – Interaction of Users and Databases
     5.1    User and Token Emitter Server Interaction
     5.2    User and Evaluation Server Interaction
     5.3    Token Emitter and Evaluation Server Interaction
Chapter 6 – Elements within Web Page Designs
     6.1    Token Emitter Web Pages
     6.2    Evaluations Server Web Pages
Chapter 7 – Server / Database Design
     7.1    Token Emitter Database Design
     7.2    Evaluation Server Database Design
Chapter 8 – Current Implementation
Chapter 9 – Security Analysis / Threats
Chapter 10 – Societal Issues
Chapter 11 – Conclusion
     11.1   Suggestions / Improvements
     11.2   Lessons Learned

Appendix A – Source Code

Appendix B – Low-Level Design Specifications

1. Introduction

        In the world of Web 2.0, everyone is seeking to optimize the functionality of the

internet. Something like teaching evaluations or voting in elections can easily be

implemented in an online application to meet the convenience of the general public. The

security of these two examples is the major concern for everyone. The purpose of this

project is to synthesize and improve the process of teaching evaluations by offering a

secure online application to serve the educational community. To help expand on this

issue, I will use the example of the secure online e-voting system of the Canton of Zurich

government. They have addressed the similar security issue of keeping the user’s identity

private, while still keeping accountability of votes placed. With this approach I hope to

answer the concern of security and integration of accountability. The Online Teaching

Evaluations provides the service of performing teaching evaluations over the internet securely. In

order to answer the concerns mentioned above, I will first describe the requirements

necessary to meet the concerns of this project’s implementation.



2. Non-Functional Requirements

        To begin with the non-functional requirements, I should first lay out the timeline of

events that this project requires for the security protocol to function correctly. The four

distinct and separate timeline stages of this product start first with the distribution of

login and authentication information for users performing evaluations. The second

period lasts during the entire duration of students submitting evaluations for professors



they are currently taking courses with. The third period consists of the entire system

being frozen, so that no one can access or change information. This period of time

should begin right before final examinations and last until all grades are submitted by

professors. The last period of time is the presentation of all the student evaluations. This

timeline is the most logical requirement for this project, because the evaluations are

meant to be an unbiased assessment of the course disregarding the difficulty of final

exams. It also is meant to protect the students’ identity from being discovered while

performing evaluations, therefore not allowing a professor to change a student’s grade

because of an evaluation. The purpose of this timeline is meant to serve as a protection

for all parties, the evaluators and the persons being evaluated. It also serves as a general

guideline for all administrators and users of this product in order to keep the integrity of

this implementation with its desired functionality.

       Another non-functional requirement would be the constraints of development

platforms and integration of coding languages. This project is meant to serve a wide

range of users with many different operating systems and web browsers. To meet the

need of accessibility for all users, a simple coding language and design is used. This will

allow for this project to run from any server on any user’s machine on a secure

connection using the World Wide Web, or internet.




Figure 1: Snapshot of the simple homepage used for this project.



       The development platform at this point is almost meaningless, as this product

could have been developed on any one of the many available. The only concern at this

point is the use of programming language that allows for secure communication between

the users and servers. The platform chosen also allows for easy development of a

database, which is a concern because I have two separate databases speaking to the users

for security purposes.

       The reason for having two servers is for the improved security protocol from the

ones currently used by the Zurich government. This is also to meet the requirement of

anonymity of a user’s identity and verifiability of evaluations. Normally, students cannot

be linked to an evaluation, and this project makes it virtually impossible for an attacker to


discover that information. The students will still have the ability to verify that their

evaluation was counted, assuring that only their authenticated evaluation is counted.

In addition, in exceptional cases, administrators can reconstruct the link between

evaluator and evaluations.




3. Functional Requirements

           The functional requirements for this project are a lot more specific to the

implementation of the project. First, in order for this project to meet the issues of

security, anonymity, accountability, and assurance I have a strong encryption method for

communication. For this requirement, a computer language was chosen to meet the need

of encryption and scripting purposes. As the most important part of this project,

encryption helps with secure communication between users and servers over the internet.

The project requires that all of the identifiable information that is transmitted in

communication must be encrypted through a script. I have simplified a lot of

programming requirements by having the encryption of communication go through

scripts.




Figure 2: Snapshot of the Login page for users.



       The functional requirement for the security is the development of a web-based

interface for a student to login, while keeping their identity completely unknown to the

evaluation collection database. This evaluation server only collects and maintains the

number of students in each course, list of courses, a list of professors teaching the

courses, and the submitted evaluations from a given Security Token provided by a single

student. This is in addition to hiding a master security key shared with the other login

database, the Token Emitter, for encrypting purposes (I will speak more about the

security features as well as the Security Token later in this report). The next functional

requirement is to have another Token Emitter or login database that will keep track of the

master security key shared with the evaluation server. It also must manage the


authentication of users’ identities, each user’s individual information, as well as the

number of students in each course, list of courses, and list of professors teaching the

courses. It must do all of the above while providing each student with an encrypted

security token that is to be used for logging into the evaluation server to perform an

evaluation. The major functional requirement is the security protocol of the servers for

each different group of users, which will be discussed further as I define each user’s role

and their capabilities within the systems.



3.1 Requirements of Evaluators

       The main functional requirement of the evaluators is secure communication with

the servers. This requirement of the evaluator is the most complex because their main

requirement is the secure and verifiable authentication of identity while retaining their

anonymity. There are many different ways to meet these requirements, and to meet them

both at the same time with an acceptable level of adequacy requires a little more

thought with added difficulty. We want the students to be able to login to a secure site

and know that they can safely perform an evaluation on a professor without their identity

being compromised by any outside parties. There is also a strong focus on not allowing

anyone other than that evaluator to save, make changes, and submit a verified evaluation of

a course. Their identity in all of these interactions is to be held confidentially from every

party outside of the student and the evaluation server collecting the evaluations. To

review the student’s main requirements, they are to be able to perform, save, edit/update,



submit, and verify an evaluation about a professor or course without their identity being

noticeable or discovered during the process of evaluation.



3.2 Requirements of Persons being evaluated

        The functional requirements of a professor or person who is being evaluated are

very closely tied to that of the administrators. Professors and administrators must both

be unable to change an evaluation or see who performed an evaluation. And they should

only be able to see the calculation of the accumulated evaluations for professors.

Professors must also be allowed to measure themselves against certain questions

pertaining to their department studies, as well as all other professors currently teaching.

The professors will also require the same level of security as the students or

evaluators do for logging into the server and viewing their evaluation results. The

professor must also be allowed to login and view their results without their personal

information being compromised. Therefore, they also require secure authentication

while keeping their anonymity from any outside parties while they are logged into the

systems.




[Diagram: Professors, Admins, General Public and EvC. Label: After evaluation period: Professors, administrators, general public access evaluations.]

Figure 3: Professors, Administrators, General Public’s access interaction with the
       Evaluation Center (EvC) to review submitted evaluations from users.




3.3 Requirements of Administrators

       The administrators, like the students, will require a high level of security and

authentication for login. This is for the protection of the students and the systems. If an

attacker were able to gain access as an administrator to the evaluation server, they might

have the capability to view any and all professors’ evaluation results, which anyone

logged in can perform. As an administrator, the requirement of security is focused on

authentication of login for the Token Emitter server and during their interaction with the

systems. This issue can be addressed with proper implementation and efforts taken

towards creating a secure connection of communication between the systems and the

administrator. Another key requirement of the administrator is the capability to run

audits if necessary for reconstructing a link between an evaluation and the student that

performed the evaluation. This step MUST be approved by someone at the head of the

administrators managing each of the servers. Therefore, this implementation also calls


for both the Token Emitter server and evaluation server to be managed by separate

administrators for security purposes. This will not allow an administrator the capability

of changing a student’s evaluation, and linking an evaluation to a student without going

through many steps of authentication and security protocols. Their functional

requirements are more closely met by having them logged in and providing a log of all

interaction with the system while allowing for system rollbacks if unwanted changes are

made. Although there is a strong concern about security over the internet and/or network

connection into the system, I plan to emulate the same security design as the student with

a different flavor of features to allow for the administrator to perform changes to the

systems as necessary.



4. Security Token Structure

       The definition of the Security Token is the key that the Token Emitter server will

provide to a user once they have authenticated themselves. It is, structurally, a collection

of concatenated keys that put together make a token; but taken apart are key information

to an evaluation. The first part of the Security Token would have to be the randomly

generated user identification key (RGUID), which is a concatenation of randomly

generated unique alphanumeric characters. These are associated with an evaluator for

the current evaluation, or in the case of professors, their personal identification number,

and are then encrypted with the master security key shared only between the Token Emitter

and evaluation servers.




Figure 4: Snapshot of Token Distribution Center’s user interaction



       The second part of the Security Token is the course number, in the case of the

evaluators, which is linked to the professor they are currently taking the course with. If

the user is a professor, the second part of the Security Token is a department code. The

last part for the evaluator is their selection from a list of numbers, which is slightly higher

than the real total count of the students in the course. And each user selects a number

from the list to concatenate to the end of their security token. The last part for the

professors is going to be their email address. For security purposes, I am designing the

systems to have a greater number of students in each course than there really are in order

to submit “null” evaluations that will have no effect on the professor’s evaluation. The

“null” evaluations will throw attackers off as they will not be able to tell which



evaluations are real and which ones are the “nulls” and/or fake evaluations. Then, with

all three of these components concatenated together and encrypted with the master

security key shared only between the servers, it will form a Security Token. With their

security token users will be able to login to perform, view, change, and submit professor

evaluations.

       This basic architecture should provide the users a form of untraceable

authentication to the servers. This should fend off any attackers from submitting fake

evaluations with fake security tokens. The security token is the most important way of

implementing security and providing accountability for the users. As mentioned

previously, the most important aspects of this project are the security and accountability,

and the security token helps to answer both.




Figure 5: Snapshot of user accessing the Courses Databases




5. Interaction of Users and Databases

       The first and most important interaction is the interaction between the user and

the Token Emitter database. For this interaction, my intent is to mimic the design of

Kerberos’ KDC database, Authentication Server, and Ticket-Granting Server. The

Kerberos design will serve as an example, by which I will relate my design and how I

intend to implement a secure protocol between the users and the systems.




5.1 User and Token Emitter Server Interaction

       The most important and influential interaction is between the user and the Token

Emitter database. Without the user authenticating their identity and therefore acquiring a

Security Token from the Token Emitter, there will be no way of accessing the evaluation

server. To begin this interaction, the user will need to have mutual authentication with

the Token Emitter. This will need to be established in the first interaction with the Token

Emitter: the user will need to set up an account by answering a few security challenges

and creating a secret key or password to be shared with the Token Emitter. For this to

work the first time, the user will be required to have a trusted Compact Disc, to be used

on their workstation, containing a shared security key with the Token Emitter server and

an HTTP web page with secure Common Gateway Interface (CGI) scripts, using a

combination of Perl TK and PHP, that will bring up a Graphical User Interface (GUI) or

browser window to access the Token Emitter server. This Compact Disc will allow them

to open a secured session into the server and establish an account with a password and all


required user information for performing evaluations. The user’s password will be used

in conjunction with the server’s shared password to grant users the ability to begin to

communicate with the server.




[Diagram: Evaluator and Token Distribution Center (TDC). Labels: Authentication of student; TDC emits Security Token*.]

Figure 6: User interaction with Token Distribution Center to acquire a Security Token.




       The next step is to have the Token Emitter grant the user’s workstation a session

ticket to access the Token Emitter’s list of Security Tokens for a given course. The

user’s session ticket will be used to encrypt any message sent to the Token Emitter and

decrypt any message sent by it as well. Then the user, if an evaluator, will be given a

list of courses to choose from or, if they are a person who is

being evaluated, a list of professor identification numbers, where they must select their

individual ID number. After answering a challenge question, where the answer will be

given to the professors to hand out to students as well as use themselves to access the

course evaluations, they must follow up by submitting that answer to the Token Emitter.

For persons who are being evaluated, they will further answer a challenge question about

their department or use a password provided from an administrator. After that, the user


will be given access to the Token Emitter database to gain a Security Token for use with

the Polling server. Then, if the user is an evaluator, they are given a list of numbers

referring to a number which will be slightly greater than that of the number of students in

the course they are currently trying to fill out an evaluation for. In the case of a person

who is being evaluated, they will have a selection of department codes. Then the Token

Emitter will create a Randomly Generated User Identification Number (RGUID),

consisting of a randomly generated unique alphanumeric key associated with that user for

this evaluation, and then encrypt it with the master security key shared only between the

Token Emitter and Polling servers. Once the user has chosen a number from the list of

the number of students in the course or in their department code, and Token Emitter has

generated an RGUID, it will take the List Number, the Course Number, and the RGUID,

and concatenate them together, encrypting it with the same master key shared with the

Polling server. The last step of the Token Emitter is to send this Security Token to the

user by posting it on the web page for the user to copy and paste it into the evaluation

form of the Polling server.




[Diagram: Evaluator and Evaluation Center (EvC). Labels: Student uses Security Token to authenticate to EvC; Submits evaluation to EvC.]


Figure 7: User interaction with Evaluation Center (EvC) to begin evaluation process.




       The evaluators can only access the Token Emitter and use this Security Token

during the time period of evaluations as mentioned in the introduction. This is for

security purposes and will prevent evaluators from trying to perform an evaluation prior to

the time period where it should be administered. Administrators, on the other hand,

assuming they have a constant secure connection to the Token Emitter, can access this

server at all times for account setup and configuration. And last, professors or persons

being evaluated can only access this server after the dead period of final exams and only

after all grades have been posted to student records.



5.2 User and Evaluation Server Interaction

       The user’s interaction with the Polling server is a little more simplistic than with

the Token Emitter server. This is because the user should have already authenticated




their identity to the Token Emitter, which the Polling server cannot know, and received a

Security Token for use towards a single evaluation. In the Polling server, the user’s

identity is not to be known or discoverable, unless by a super user or administrator, for

administration purposes. Users will be requested to submit their Security Token through a

secured HTTP web page running secure CGI scripts, opened from the trusted Compact

Disc provided to them. Once their token is submitted, the Polling server will populate

the database with the decrypted information from the Security Token, linking the RGUID

to an evaluation by the List number, the List number to a course number, and the course

number to a professor. The user will then be allowed to edit, save, logout, and return for

further editing using the same Security Token to access the single evaluation for that

course and professor.
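
Added example (not the thesis's own code): the token flow of Sections 4, 5.1 and 5.2, with the TDC sealing RGUID, course and list number under the master key and the EvC accepting only tokens that verify. The thesis names no cipher, so a standard-library encrypt-then-MAC construction stands in for one (a deployment would use a vetted AEAD such as AES-GCM), and the concatenation is encrypted once. Assumptions: all class and function names, the `|` separator, four null slots per course, and the sample data.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample data (assumptions, not from the thesis).
MASTER_KEY = secrets.token_bytes(32)   # shared only by the TDC and the EvC
ENROLLMENT = {"COEN150-1": 28}         # course section -> real head count
NULL_SLOTS = 4                         # list runs slightly past enrollment


def _subkeys(master):
    """Derive separate encryption and MAC keys from the master key."""
    return (hmac.new(master, b"token-enc", hashlib.sha256).digest(),
            hmac.new(master, b"token-mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master, plaintext):
    """Encrypt-then-MAC; returns text the user can copy and paste."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(master, token):
    """Check the tag before decrypting; ValueError on any forged token."""
    enc_key, mac_key = _subkeys(master)
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        raw = b""
    if len(raw) < 48:
        raise ValueError("malformed token")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TokenDistributionCenter:
    """Knows who the user is; never sees evaluation answers."""
    def __init__(self, master, enrollment):
        self._master = master
        self._enrollment = enrollment
        self.rguid_owner = {}            # RGUID -> user id, stored only here

    def list_numbers(self, course):
        if course not in self._enrollment:
            raise ValueError("unknown course")
        return list(range(1, self._enrollment[course] + NULL_SLOTS + 1))

    def emit(self, user_id, course, list_no):
        if list_no not in self.list_numbers(course):
            raise ValueError("list number out of range")
        rguid = secrets.token_hex(8)
        self.rguid_owner[rguid] = user_id
        return seal(self._master, f"{rguid}|{course}|{list_no}".encode())

    def audit(self, rguid):  # exceptional, approved audit only
        return self.rguid_owner.get(rguid)


class EvaluationCenter:
    """Knows courses, slot counts and answers; never sees a user id."""
    def __init__(self, master, enrollment):
        self._master = master
        self._slots = {c: n + NULL_SLOTS for c, n in enrollment.items()}
        self.evaluations = {}            # RGUID -> evaluation record

    def login(self, token):
        rguid, course, list_no = unseal(self._master, token).decode().split("|")
        number = int(list_no)
        if not 1 <= number <= self._slots.get(course, 0):
            raise ValueError("token fields out of range")
        return self.evaluations.setdefault(
            rguid, {"course": course, "list_no": number, "answers": None})

    def save(self, token, answers):  # same token reopens the same evaluation
        self.login(token)["answers"] = answers


if __name__ == "__main__":
    tdc = TokenDistributionCenter(MASTER_KEY, ENROLLMENT)
    evc = EvaluationCenter(MASTER_KEY, ENROLLMENT)
    evc.save(tdc.emit("W0000001", "COEN150-1", 17), {"q1": 5})  # constructed id
    print(evc.evaluations)               # record carries no user id
```

Encryption without the authentication tag would let a modified ciphertext decrypt to a different list number or course; the tag check is what makes a fake token fail at the EvC.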




[Diagram: Evaluator and EvC. Label: Evaluators can confirm her / his evaluation upon submission.]

Figure 8: User’s final interactions with Evaluation Center (EvC).




       The Polling server will of course only be open to certain users at a given time as

mentioned in the introduction. The administrators should have access during the time



periods where courses are populated with the number of students, prior to the evaluation

time period. The administrators and evaluators will have access to the Polling Server

during the time period of performing the evaluations, prior to final exams. Absolutely no

one, including the administrators, should have access to the Polling server once final

exams start and not until all grades are posted to student records. And lastly,

administrators will gain back access to the evaluation server at the same time the

professors or persons being evaluated do, after the grades are posted to student records.

Although the interaction for the administrators has greater capability of running reports

against entire departments and singling out certain professors; the professor’s interaction

will be limited to viewing only the courses they currently teach and measuring

themselves against the rest of the department as long as there are more than two

professors to a given department. It must also be noted that the professor will access the

evaluation server in the same fashion, with a Security Token; but the format of their

Security Token is different from an evaluator’s, as mentioned previously.




Figure 9: Snapshot of User interaction with Evaluation Center




5.3 Token Emitter and Evaluation Server Interaction

       The interaction of the Token Emitter and the Polling servers should be kept to a

minimum. The only information these two servers will ever need to share is the master

security key they share for encrypting and decrypting the Security Tokens provided to

users by the Token Emitter and used for the Polling server. Their administrative

interaction would be to link a user to a given evaluation by linking the RGUID from an

evaluation to the RGUID listed under a given user’s profile of evaluations. This action,

of course, should only be done by a super user or an administrator, with the approval of




the Dean of a given department of studies, with strong concern and credible reason. This

is for security purposes and is advised for the protection of the identity of students.



6. Elements within Web Page Designs

       To be clearer about this section of the design report, these are the fields and

attributes that are to be used in the creation and management of user accounts as well as

the fields required for a thorough evaluation of a professor of a given course. The design

of each web page’s colors, styles, textures, and fonts is meaningless at this point as the

implementation is as simple as pulling a template from online and modifying it for the use

of this project. The more important information at this point in the design report is the

fields I intend to include for implementation of this project.




6.1 Token Emitter Web Pages

       The first Token Emitter web page will include a set of radio buttons for Sign In,

Create Account, Documentation, Contact Us, and Administrator, as well as a brief

description somewhere on the page of the product and the systems.

       The Sign In button will take users to a page that will have two forms with

associated text, one for username, and another for password, both required to login. This

is along with a Submit button right below those forms. Then the user will be taken to a

page where they will answer a challenge question to create a session security key to be

used for encrypting and decrypting messages shared with the Token Emitter.



       The Create Account button will take users to a page where they will be asked to

fill-in a list of required fields to create an account. The obvious fields will include filling

in their username, email address, student or professor identification number, and creating

and verifying a password for logging into their account. Upon creation of an account, the

user will establish a secure connection to the Token Emitter server where another page

will come up and they will answer a challenge question to create a session security key to

be used in encrypting and decrypting messages shared with the Token Emitter. From the

challenge question page about the course from both the Sign In and Create Account

pages, the user will be taken to a web page that is either for evaluators containing a drop-down

list of departments of study or, in the case of professors, to a page where they will have to

answer another challenge question, where the answer is given to them by an

administrator, either way starting the process of creating a Security Token.




Figure 10: Snapshot of Security Token


       From the Token Emitter server, once an evaluator has a department chosen, then a

drop-down list of courses offered during the current quarter is populated. After the

evaluator chooses a course, another drop-down list of course numbers is populated to

choose the section of the course the student is in. Last, when the user is finished

choosing their section, another drop-down list is populated with a list of numbers

greater than the number of students in the course they have selected. They must then choose a

number from the list and then a Submit button will come up right next to this. This will

take the selection of information and request a Security Token from the Token Emitter.

Once a Security Token is created and the RGUID is linked to the user’s account, the

Token Emitter will post the Security Token on a new web page in a text format for the

user to copy and paste into the Polling server’s login web page. Along with the Security

Token posted on the webpage, a link to the Polling server login webpage will also be

populated below it.




Figure 11: Snapshot of Courses Database form.




       For professors, they go from the second challenge question page, verifying their

status as the professor, to a page where they select their department code. From there,

the professor will be given a Security Token to use to log in to the Polling server to

view their evaluations.

       Before I go on about the Polling server’s web pages, let me finish up with

describing the destination of the Documentation and Contact Us radio buttons. The

Documentation button should take users to a web page where the documentation of this

product will be posted for user review and helpful guidance. The Contact Us button will

take users to a web page where contact information for the creator and the administrators

of the systems will be posted, including names and email addresses.

       Last is the Administrator web page, which will include a view of the Token Emitter

database tables as well as radio buttons for Create, Search, Edit/Update, and Delete

functionality options for the user identification database and associated services in the

Token Emitter. Each radio button should be a link to the phpMyAdmin interface in the

development platform for making changes to the user identification databases in the

Token Emitter. The Administrators page will also include a view log radio button, which

should be able to take the administrator to a page where they can READ ONLY the log

of interactions with the Token Emitter. Considering the Security Token awarded to each

user for evaluation is encrypted by the master security key shared only between the

databases, an administrator will not be able to view a user’s Security Token.




6.2 Evaluations Server Web Pages

       The Polling server’s web page designs are a little more complicated than the

Token Emitter’s. The Token Emitter will require more security coding, whereas the

Polling server will require more form and function coding. The Polling server login page

will be fairly simple, in that it will only require users to paste their Security Token into a

form for authentication into the system. Once the Security Token is decrypted and

verified, then the user may access the appropriate tools and interfaces they are eligible to

use.




Figure 12: Snapshot of Current Evaluation page



       For the evaluators, the next web page that will be populated will be a web page

with an evaluation form. The design and questions for the evaluation form itself do not

need to be in a standard form because different versions of evaluations may be used for

different departments as long as those versions are linked properly to a professor and a

course. I intend to have all questions written in text on the web page and for there to be a

majority of weighted radio button answers and a few text forms for users to provide

individual or personal responses. This is to protect the users from distinguishing



themselves with individual or personal responses. At the bottom of the evaluation forms,

I will have a Save & Exit button as well as a Submit & Exit button. Either button will

take a user to a Thank you for using Online Evaluations page, or something to that

extent.

          The web page for the persons being evaluated, or professors, will display a

selection of the separate courses they are teaching, providing them with a calculation of

their scores to each question from each class. They will also have a Cumulative button to

view their cumulative scores across all courses. In addition to those, they will also have

a Department Comparison button that will allow them to gauge their evaluations against

all other professors in their department as long as there are more than two professors in

their department.

          The administrator’s web page interface to the Polling server is going to be fairly

similar to the professor’s web page design, except they will have the added capability of

choosing professors from a drop-down list and comparing them to their departments.

Administrators will also have the most important functionality of viewing any RGUID of

an evaluation that may have considerable reason for concern. In implementation, I hope

to have a security password installed for the added functionality of viewing the RGUIDs,

for the protection of the students. The point of viewing the RGUID is to provide the

administrators the capability of taking that RGUID and logging back into the Token

Emitter and searching by the RGUID to find a user’s information. This functionality as I

mentioned before should not be used unless a super user or Dean of a specific department



has reason to believe that an evaluation would be of concern for a professor. Also, this

functionality is only going to be open to administrators or super users, which I assume

are persons with detailed knowledge of the system and how to access these features.




7. Server/Database Designs

       The design of these servers and/or these virtual storage databases is very

important as it all comes from the elements of the web page designs and required fields

for administration of these systems. The problem with the design of these databases is the

complexity of the storage of confidential information and the implementation of the

security features without giving up a user’s identity if someone were to gain access to a

server. The most important database design is that of the Token Emitter, as it is the

storage of the most crucial user information and the Security Tokens. Almost

as important and influential, however, is the design of the Polling server’s database, because it is the

storage of the evaluations and holds the other side of the link of a user’s evaluation to a

user’s profile. The focus of the design is obviously the security and confidentiality of the

evaluations while still allowing administrators to track evaluations if need be back to a

given evaluator. For all detailed database design specifications, please see Appendix B.




7.1 Token Emitter Database Design

       First, the Token Emitter’s database design should be noted as a greater part of the

cornerstones of this project, because of its involvement in the implementation of the




security requirements. I have taken the time to consider this portion of the project to be

the most influential because it can be protected with scripts; but I think without a

coherent and complete backbone designed, the application will not function as desired.

       The design begins with the courses and student tables and structures required to

build the functionality and storage for the application’s use. The user’s table will hold the

majority of a user’s authentication information, as well as be the key to the majority of the

relations in the Token Emitter database. The attributes are: a user’s unique login

ID, complete name, email, Santa Clara University identification number, their encrypted

password with salt for the password, creation date of the account, and the last date the

account was updated.



7.2 Evaluation Server Database Design

       The evaluation server, or evaluations center, database is going to be very simplistic in

comparison to the token emitter database, with less information to be stored. The main

function of the polling server is to verify a given security token and then allow a user to

perform a teaching evaluation only once. These two tasks, although seemingly easy, are

very difficult to manage and control. We need to allow students to perform a single

evaluation for a given professor, allowing the student to verify a correct submission of

their evaluation, without storing or gathering any information regarding their identity.

       The best way to perform these tasks is through the simultaneous implementation

of protocol and information storage. This server will only accept a valid security token,



which includes an encrypted time stamp, for integrity checking. This is in addition to the

list number which will track the number of students who have performed evaluations in

correlation to the number of students enrolled in the class. These two features will allow

a user to access and perform an evaluation for a given course. But, none of this would be

possible without the Token Distribution Center and the Polling Center holding the same

information in regards to each course offered; but the polling center will withhold or

exclude any identifiable student information. The Polling Evaluation Center gathers all

evaluations and allows users to verify an evaluation prior to posting and storing them.
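
The token check described in this section, as an added example in Python (not the thesis's Perl-CGI code): it swaps the IDEA encryption for an HMAC-SHA256 tag, since encryption by itself does not detect a modified token, and leaves payload confidentiality out of scope. The key, the field names, the 15-minute window and the course values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window; the thesis gives none


def _b64e(raw):
    """URL-safe Base64 without padding, so the token survives copy and paste."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, course, section, list_number, now=None):
    """Token Emitter side: bind course, section, list number and timestamp together."""
    payload = {
        "course": course,
        "section": section,
        "list": list_number,
        "iat": int(time.time() if now is None else now),
        "rguid": secrets.token_hex(16),  # random ID; carries no student identity
    }
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


class PollingServer:
    """Polling server side: verify the tag, the age, then enforce single use."""

    def __init__(self, key, ttl=TOKEN_TTL_SECONDS):
        self._key = key
        self._ttl = ttl
        self._redeemed = set()  # RGUIDs already used for an evaluation

    def redeem(self, token, now=None):
        """Return (status, payload); payload is None unless status == 'ok'."""
        now = int(time.time() if now is None else now)
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _b64d(body_b64), _b64d(tag_b64)
        except ValueError:  # wrong number of parts or invalid Base64
            return "malformed", None
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac", None  # a field was altered or the key is wrong
        payload = json.loads(body)
        if not 0 <= now - payload["iat"] <= self._ttl:
            return "expired", None
        if payload["rguid"] in self._redeemed:
            return "replayed", None  # second evaluation with the same token
        self._redeemed.add(payload["rguid"])
        return "ok", payload


def demo():
    key = secrets.token_bytes(32)  # constructed key standing in for the shared master key
    server = PollingServer(key)
    t0 = 1_213_600_000  # constructed issue time (June 2008)
    token = issue_token(key, "COEN 174", "01", 37, now=t0)

    # A modified token: the course field is changed but the tag cannot be recomputed.
    body_b64, tag_b64 = token.split(".")
    forged = json.loads(_b64d(body_b64))
    forged["course"] = "COEN 177"
    forged_token = _b64e(json.dumps(forged, sort_keys=True).encode()) + "." + tag_b64

    stale = issue_token(key, "COEN 174", "01", 38, now=t0 - 3600)
    return [
        server.redeem(forged_token, now=t0 + 60)[0],
        server.redeem(stale, now=t0 + 60)[0],
        server.redeem(token, now=t0 + 60)[0],
        server.redeem(token, now=t0 + 120)[0],
        server.redeem("not-a-token", now=t0 + 60)[0],
    ]


if __name__ == "__main__":
    print(demo())
```

The redeemed-RGUID set is held in memory here; a deployment would keep it in the Polling server's database so single use survives a restart.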




8. Current Implementation

       The current state of the project is not completely finished; but it does have a

majority of the key functionality it requires. I unfortunately was not able to have all the

functionality of the evaluation center setup and operational. Nor was I able to implement

the evaluation forms. This is partly due to my late start on the project due to delays and

also because of my very hectic senior year classes and work. What I was able to

implement, I have tested and will describe to you its current status.

       From the screenshots presented above, you will notice that I was able to

implement a lot of the web page design. The web pages have a lot of the required

information for users to understand what the project is about and how to use it. The web

page also has the login page that allows users to access the token emitter database and

authenticate themselves to the server. By having multiple request forms for

authentication, the users are forced to have verifiable information to prove their identity.




I have the users go from a login page to a personal account verification page, and in the

background there is a CGI script running that will query the token distribution center

database. The users again will be asked for the personal account information and another

CGI script will verify their provided information. It should also be noted that in this

current implementation I am using Perl-IDEA encryption with MIME BASE64

URLSAFE encoding. After their personal information is encrypted and verified, the user

will be provided a link to the courses database. The courses database is interfaced with a

CGI script that asks the user for the student identification number and provides them with

the list of classes they are currently enrolled in. The problem here is that the user has the

possibility to access another student’s list of courses, and this should be flagged as a

security flaw. I know if I had more time I would have the CGI script pass the student’s ID

from their personal information that is first verified. After the student chooses a course,

another CGI script runs to encrypt the security token, which is a concatenation of the

course number and the course title. Unfortunately, I was not able to get the RGUID to

populate for each token and have the ability to concatenate it to the security token. Along

with the login webpage and the homepage, I also built the Evaluation Center webpage,

which requests the user’s security token to grant them access. Once the user submits

their security token, a CGI script will parse the token and take the user to another page

which allows them to verify the course they have chosen to evaluate. The functionality

stops there because I was not able to work on this project with the little time I had for

implementation. The most difficult part of implementation was getting the platform and

modules to work together. This is in addition to the trouble I faced with downloading

required software that was necessary for a lot of the key encryption and CGI scripts.
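
The course-list flaw flagged above, as an added example in Python (not the thesis's Perl-CGI scripts): the first handler trusts the ID typed into the form, as the thesis reports, and the second takes the ID from the server-side session created at account verification and records any mismatch. The table layout, the function names, the student IDs and the course values are assumptions constructed for illustration, and sqlite3 stands in for the MySQL courses database.

```python
import secrets
import sqlite3


def build_courses_db():
    """Constructed sample enrollment data."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE enrollment (student_id TEXT NOT NULL, course TEXT NOT NULL);
        INSERT INTO enrollment VALUES
            ('W0000001', 'COEN 174'),
            ('W0000001', 'COEN 177'),
            ('W0000002', 'ENGL 101');
        """
    )
    return db


def _courses_for(db, student_id):
    rows = db.execute(
        "SELECT course FROM enrollment WHERE student_id = ? ORDER BY course",
        (student_id,),
    )
    return [course for (course,) in rows]


def list_courses_as_described(db, form):
    """Behaviour the thesis reports: the script trusts the ID typed into the form."""
    return _courses_for(db, form["student_id"])


class SessionStore:
    """Server-side record of which student ID each login was verified for."""

    def __init__(self):
        self._verified = {}

    def start(self, verified_student_id):
        session_id = secrets.token_urlsafe(32)  # unguessable handle given to the browser
        self._verified[session_id] = verified_student_id
        return session_id

    def student_for(self, session_id):
        return self._verified.get(session_id)


def list_courses_hardened(db, sessions, session_id, form, audit_log):
    """Use the ID bound to the verified session, never the one in the request."""
    student_id = sessions.student_for(session_id)
    if student_id is None:
        raise PermissionError("no verified session")
    supplied = form.get("student_id")
    if supplied is not None and supplied != student_id:
        # Worth alerting on: a logged-in user asked for someone else's record.
        audit_log.append({
            "event": "student_id_mismatch",
            "session_student": student_id,
            "requested": supplied,
        })
    return _courses_for(db, student_id)


def demo():
    db = build_courses_db()
    sessions = SessionStore()
    audit_log = []
    sid = sessions.start("W0000001")    # set after the account verification step
    probe = {"student_id": "W0000002"}  # another student's ID typed into the form
    return (
        list_courses_as_described(db, probe),
        list_courses_hardened(db, sessions, sid, probe, audit_log),
        audit_log,
    )


if __name__ == "__main__":
    print(demo())
```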




9. Security Analysis / Threats

       Seeing that almost all teaching evaluations have an effect on the status of a professor’s

tenure with the university and especially their performance in the classroom, there is a lot

to gain for an attacker if they do not like or prefer a professor. This is the same for online

e-voting, when an attacker will take the position to move or place bogus votes in favor of

a candidate they support. A teacher could receive bogus or negative reviews of their

performance, thereby affecting their status within the department and/or the

university. To fight against the threat of an attacker submitting forged evaluations, I have

implemented various security protocols that have been discussed earlier in this thesis; but

the main focus of this section is to address the threats that are not covered.

       The main threats to this implementation are the access of an attacker to a user’s

account or vote buying. I have tried to answer this threat by having each user acquire a

unique CD or form of portable media to access the Token Distribution Center (TDC) in

order to receive a Security Token. This of course can be overcome by stealing a user’s

CD or portable media and accessing the TDC using the user’s information. The only

requirement at this point for the attacker would be to have the login information for the

user they stole the CD from, which could be gained in various ways that this

implementation cannot protect against. I use a combination of a user’s TDC specific

login information, ecampus login information, as well as their email address. This would

require an attacker to acquire all of the information above along with the portable media

to gain access to the user’s account in the TDC. From there an attacker will have the


free rein to perform evaluations for the courses that student is currently enrolled in. But

in the case the student notices that they did not perform the evaluation submitted, through

user verification of evaluations submitted on their behalf, they can re-submit a

replacement evaluation.

       There is no real protection against attacks like a man-in-the-middle or ARP

poisoning attack to a user; but I am hoping that in addition to a 64-bit and IDEA perl

encryption module, I will mitigate that risk. I am not using the most advanced encryption

method; but for the purposes of this project’s implementation, it has proven to not only

encrypt but also help to answer the concern of an attacker packet sniffing user activity.

Another key point in regard to an attacker sniffing packets or ARP poisoning a user is that the

interaction with databases is very limited, therefore mitigating the chance of a user’s key

information being stolen or captured by an attacker.

       Although the database information is not completely encrypted at this point in the

implementation, in future implementations, an advanced encryption algorithm would help

to answer a majority of the concerns of attacks. And overall, the system can never be

completely secured from outside attackers; but with complete accountability and

verification protocols taken within the implementation, it will prevent any unlawful

activity from occurring from within the user community.




10. Societal Issues

       The first and probably most important societal issue this project faces in its

implementation is the issue of ethics. The ethical problem this project faces is



correctly counting the accurate and honest evaluation submitted by a user. The purpose

of this project is to also protect the user in the best ways possible from having their

identity stolen and/or fraudulent evaluations submitted on their behalf. This

implementation is called to ethically meet the need of the user, through protection and

verification in order to accurately gather the voice of evaluation of a professor’s

performance in the classroom.

       The social issue this project faces is meeting the need to bring an important and

decisive process that has been occurring for many years, into the 21st century and into

the world of Web 2.0. This project will socially benefit all students and professors alike, by

providing fast and accessible information to gauge and improve professor’s performance

in the classroom.

       The political issue is going to be a hard one to face, as this project can very closely

be correlated to e-voting and the democratic process that it follows. This project is on the

same level as the democratic process of voting because you are placing your opinion on

the approval of an individual based on their performance. With web applications that

serve a purpose like e-voting, the political issues are extremely hard to face, because of

the strong concern for security and integrity of data. This project is leveraging a lot of

the experience and implementation of the government of Zurich, and with that inherently

the societal issues they faced as well. The same questions of right and wrong still apply

for this project. Like I mentioned before, the integrity and security of the systems

determine the ease by which attackers can change the outcome of the voting process. As

we have seen in the past, elections are becoming very faulty in their security protocols



and the outcomes are drastically changed by them. The same can be applied for the

evaluation process that determines a professor’s performance and sometimes their tenure.

       On a brighter side of societal issues, I can address the economic issue of finance.

The return on investment is a high note for this project. A prime example would be the

Zurich e-voting system, which is very similar to my implementation, and the main point

that they saved millions of dollars on implementation and sustainability of their program.

This project would not only cut the cost of personnel having to distribute, gather, and

count the evaluations, but also the cost of the paper and machinery required for the

evaluations process. This would also be a good time to touch on the environmental

impact this implementation would have, by cutting the usage of paper across the

academic community and therefore lowering the paper consumption, leading to fewer trees

being cut down, saving the environment. And as I mentioned before leading to a

sustainable future with the use of low power consuming servers and computers, as well

as longer-lasting hardware that can easily be upgraded, cutting cost and material usage.

       Overall, this project is a benefit to everyone and every community by simplifying

a sometimes tedious and elongated process. This helps to lower the cost, time, material

usage, personnel, and environmental impact of a university by moving the already

implemented process of performing evaluations from the paper ballots we use today, to

the ever-growing functionality of the world wide web in a world of Web 2.0.




11. Conclusion

       Although this implementation was not as near completion as I had hoped for it to

be by this time of the year, I am very satisfied in my personal efforts to not only take on a

project like this on my own, but also in the acceptance of this project by my peers as a viable option

to a near future concern. I know if I had more time and a stronger focus on this project, I

would have learned a greater amount about the programming languages I have used and

the platform on which I developed in order to optimize the greatest amount of

functionality out of this implementation. I would hope that although I have not finished

now, I will be able to pick up this project post-graduation to fill in the missing pieces to

this puzzle and possibly offer this solution to Santa Clara University as a viable option in

place of the old-fashioned scantron teaching evaluations.


11.1 Suggestions / Improvements

       In future implementations of this project, I would strongly consider a few

improvements, either as suggestions or just that, to increase the security and

simplification of the development. I would first consider using a better development

operating system platform, like Linux or Unix, in order to simplify programming and

testing. I also would prefer Linux, as it can easily be set up with the web server

application Apache. This would have simplified a lot of the problems I faced earlier on

with my implementation. I also would like to have incorporated PHP, in order to have

dynamically interfacing web pages that would allow a user to access the database more

readily and not through sometimes cumbersome Perl-CGI scripts. The development




would have been a lot easier for me if PHP had worked with Microsoft Windows

XP and the Apache server I was running; but unfortunately, it was very finicky and

practically inoperable.

       The last and most important improvement I would have made to this implementation

would have been to use a more advanced security algorithm. With the struggle for

network dominance, between attackers and network security developers, I would have

liked to have worked more closely with a network security company, to gather some

insight into the latest and greatest security encryption algorithms in use today for the

purpose of this project. This would have improved the integrity of the implementation

and given me greater insight into the battle against internet attackers.


11.2 Lessons Learned

       The main lesson to learn from this project was to be confident in myself, even

when things seem to pile up in front of me. All throughout this project I was unconfident

in myself and my abilities; but after looking back upon my accomplishments, I realize

that the Computer Engineering program has prepared me for projects like this. I not

only took the initiative to learn three new computer languages, but also a lot about web

programming, implementation and integration. I would have never taken the time to

learn all of this on my own without the drive to want to complete this project. And time

was another huge factor for me. I was working, taking a full load of classes and working

on this project. Time management was the greatest lesson I learned in my last year. I can

work as hard as I want; but I need to make sure I have the time for it.




                               APPENDIX A
Source Code
Default.css

/* Basic */
*
{
      margin: 0em;
      padding: 0em;
}
h1,h2
{
}
body
{
       font-family: "trebuchet ms", sans-serif;
       font-size: 10pt;
       background-color: #fff;
       color: #555;
}
a
{
       color: #007788;
       text-decoration: underline;
}
a:hover
{
      text-decoration: none;
}
.clear
{
      clear: both;
}
/* Outer */
#outer
{
      position: relative;
      margin: 2em;
}
/* Header */

#header
{
      position: absolute;
      top: 4.5em;
      background: #073C4C url('images/header.jpg') top right no-repeat;
      height: 135px;
      width: 100%;
}
#header h1
{
      position: absolute;
      top: 1.2em;
      left: 1.0em;
      font-size: 2.5em;
      color: #fff;
}
#header h2
{
      position: absolute;
      top: 6em;
      left: 2.5em;
      font-size: 1.0em;
      font-weight: normal;
      color: #fff;
}
#header a
{
      color: #fff;
      text-decoration: none;
}
/* Menu */
#menu
{
      position: absolute;
      width: 100%;
      top: 0em;
      left: 0em;
      background: #007788 url('images/x3.gif') top left repeat-x;
      height: 4em;
}
#menu ul
{
      list-style: none;
      position: absolute;
      bottom: 0em;
      left: 1em;
}
#menu li
{
      display: block;
      float: left;
}
#menu li a
{
      color: #fff;
      display: block;
      padding: 0.75em 1.25em 1.25em 1.25em;
      text-decoration: none;
}
#menu li a:hover
{
      background: #007788 url('images/x4.gif') top left repeat-x;
}
/* Content */
#content
{
      line-height: 1.7em;
      padding-top: 188px;
}
#content p
{
      margin-bottom: 1.5em;
}
#content h2,h3,h4,h5,h6
{
      width: 100%;
      position: relative;
      left: -14px;
      margin: 0em -22px 1.2em 0em;
      color: #333;
      padding: 1.1em 14px 0.0em 14px;
      font-size: 1.1em;
      background: #fff url('images/x2.gif') top left repeat-x;
}
#content h2 span, #content h3 span
{
      position: absolute;
      top: 0em;
      right: 0em;
      background: #fff url('images/x1.gif') top right no-repeat;
      width: 16px;
      height: 28px;
}
#content ul
{
      margin-bottom: 1.5em;
      padding-left: 1em;
}
#content blockquote
{
      border: dashed 1px #BFB793;
      background: #FFFEFB url('images/x5.gif') top left repeat-x;
      padding: 1em;
      margin-bottom: 1.5em;
}
#content blockquote p
{
      margin-bottom: 0em;
}
#content table
{
      margin-bottom: 1.5em;
}
#content table th
{
      text-align: left;
      font-weight: bold;
      padding: 0.5em;
}
#content table td
{
      padding: 0.5em;
}
#content table tr.rowA
{
      background: #FDFEFE url('images/x6.gif') top left repeat-x;
      color: inherit;
}
#content table tr.rowB
{
      background: #FFFEFC url('images/x7.gif') top left repeat-x;
      color: inherit;
}
/* Primary Content */
#primaryContentContainer
{
      position: relative;
      float: left;
      margin-right: -36em;
      width: 100%;
}
#primaryContent
{
      margin: 0em 33em 0em 0em;
      padding: 1.5em;
}
/* Secondary Content */
#secondaryContent
{
      position: relative;
      float: right;
      width: 12em;
      padding: 1.5em;
      margin-right: 1em;
}
/* Tertiary Content */
#tertiaryContent
{
      position: relative;
      float: right;
      width: 12em;
      padding: 1.5em;
}
/* Footer */
#footer
{
      padding: 1.5em;
      background: #fff url('images/x2.gif') top left repeat-x;
}


Index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Teaching Evaluations | Welcome</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="outer">
      <div id="header">
            <h1><a href="http://localhost/index.html">Online Teaching
Evaluations</a></h1>
            <h2>Santa Clara University 2008 Senior Design Project</h2>
      </div>
      <div id="menu">
            <ul>
                   <li class="first"><a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Home</a></li>
                   <li><a href="http://localhost/login.html"
accesskey="2" title="localhost/index">Login</a></li>
                   <li><a href="http://localhost/aboutus.html"
accesskey="2" title="localhost/index">About Us</a></li>
                   <li><a href="http://localhost/contact.html"
accesskey="5" title="localhost/index">Contact Us</a></li>
            </ul>
            <div class="clear"></div>
      </div>
      <div id="content">
            <div id="primaryContentContainer">
                   <div id="primaryContent">
                         <h2>Welcome to the Online Teaching
Evaluations!<span></span></h2>
                         <p><strong>This is a senior year design project
that was developed
                         for <br /><a href="http://www.scu.edu/">Santa
Clara University</a> and to be used for testing purposes
only!</strong></p>
                         <p>Online Teaching Evaluations is a project that has
been developed to improve the process of performing professor
evaluations
                         at the end of every quarter at this university.
By performing evaluations online, we cut the cost of printing
                         on paper and the cost of personnel to collect,
calculate and present post evaluation results.</p>
                         <p>Below is a timeline of development for this
project:</p>
                         <h3>Implementation Timeline
Table<span></span></h3>
                         <table>
                               <tr class="rowH">
                                     <th>Date</th>
                                     <th>Title</th>
                                     <th>Description</th>
                               </tr>
                               <tr class="rowA">
                                     <td>May 8, 2008</td>
                                     <td>SCU Senior Design
Conference</td>
                                     <td>Presentation of project and
implementation to judges and faculty.</td>
                               </tr>
                               <tr class="rowB">
                                     <td>Feb - June, 2008</td>
                                     <td>Implementation Period</td>
                                    <td>In these few months, I have
worked on implementing the project from the planning of the layout,
design, and concept of the application.</td>
                              </tr>
                              <tr class="rowA">
                                    <td>Nov - Jan, 2008</td>
                                    <td>Conception Phase</td>
                                    <td>From late November thru early
January, I worked on the concept and low-level design of what would
become an online teaching evaluation application.</td>
                              </tr>
                        </table>
                  </div>
            </div>
            <div id="tertiaryContent">
                  <h3>Helpful Links<span></span></h3>
                  <ul>
                        <li><a href="http://www.scu.edu/">Santa Clara
University</a></li>
                        <li><a
href="http://portal.acm.org/citation.cfm?id=1344232.1344247&coll=&dl=">
Swiss E-Voting Article</a></li>
                        <li><a
href="http://unpan1.un.org/intradoc/groups/public/documents/Other/UNPAN
022422.pdf">Geneva Internet voting system</a></li>
                        <li><a
href="http://www.geneve.ch/evoting/english/welcome.asp">REPUBLIQUE ET
CANTON DE GENEVE</a></li>
                  </ul>
                  <h3>Resources<span></span></h3>
                  <ul>
                        <li><a
href="http://www.activestate.com/Products/activeperl/">ActivePerl
5.10.0</a></li>
                        <li><a href="http://www.mysql.com/">MySQL
5</a></li>
                        <li><a href="http://httpd.apache.org/">Apache
2.2</a></li>
                        <li><a href="http://notepad-
plus.sourceforge.net/">NOTEPAD++</a></li>
                  </ul>
            </div>
            <div id="secondaryContent">
                  <h3>Reason for Design<span></span></h3>
                  <blockquote>
                        <p>To provide students with an easy to use,
safe and secure online way of performing teaching evaluations in the
new world of the Web 2.0.
                        I hope to also help with pushing more
functionality through the internet and relieve part of the mundane,
costly, and tedious jobs of
                        gathering and calculating evaluation results.
This project's objective is to safely and securely provide an online
service to
                        evaluate a professor's performance in the
classroom, to the academic community.</p>
                  </blockquote>


            </div>
            <div class="clear"></div>
      </div>
      <div id="footer">
            <p>Copyright &copy; 2008 www.OnlineTeachingEvaluations.com.
Designed by Aaron M. Ramirez</p>
      </div>
</div>
</body>
</html>



Login.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Teaching Evaluations | Login</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="outer">
      <div id="header">
            <h1><a href="http://localhost/index.html">Online Teaching
Evaluations</a></h1>
            <h2>Santa Clara University 2008 Senior Design Project</h2>
      </div>
      <div id="menu">
            <ul>
                  <li class="first"><a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Home</a></li>
                  <li><a href="http://localhost/login.html"
accesskey="2" title="localhost/login">Login</a></li>
                  <li><a href="http://localhost/aboutus.html"
accesskey="2" title="localhost/index">About Us</a></li>
                  <li><a href="http://localhost/contact.html"
accesskey="5" title="localhost/index">Contact Us</a></li>
            </ul>
            <div class="clear"></div>
      </div>
      <div id="content">
            <div id="primaryContentContainer">
                  <div id="primaryContent">
                         <h2>Online Teaching Evaluations
Login<span></span></h2>

                        <h3>Please enter your login information below
in order to login to the Token Distribution Center:</h3><BR>
                        <FORM ACTION="/cgi-bin/welcome.cgi"
METHOD="POST">
                        First Name:       <INPUT TYPE="text"
NAME="first" SIZE=15 MAXLENGTH=15><BR>


                        Last Name:        <INPUT TYPE="text"
NAME="last" SIZE=20 MAXLENGTH=20><BR>
                        Student ID:       <INPUT TYPE="text"
NAME="student_id" SIZE=11 MAXLENGTH=11><BR>
                        Password:         <INPUT TYPE="password"
NAME="password" SIZE=20 MAXLENGTH=20><BR>
                        <BR>
                        <INPUT TYPE="submit" VALUE="Submit">
                        <INPUT TYPE="reset" VALUE="Clear all fields">
                        </FORM>
                        <BR>
                  </div>
            </div>
            <div id="tertiaryContent">
                  <h3>Helpful Links<span></span></h3>
                  <ul>
                        <li><a href="http://www.scu.edu/">Santa Clara
University</a></li>
                        <li><a
href="http://portal.acm.org/citation.cfm?id=1344232.1344247&coll=&dl=">
Swiss E-Voting Article</a></li>
                        <li><a
href="http://unpan1.un.org/intradoc/groups/public/documents/Other/UNPAN
022422.pdf">Geneva Internet voting system</a></li>
                        <li><a
href="http://www.geneve.ch/evoting/english/welcome.asp">REPUBLIQUE ET
CANTON DE GENEVE</a></li>

                  </ul>
                  <h3>Resources<span></span></h3>
                  <ul>
                        <li><a
href="http://www.activestate.com/Products/activeperl/">ActivePerl
5.10.0</a></li>
                        <li><a href="http://www.mysql.com/">MySQL
5</a></li>
                        <li><a href="http://httpd.apache.org/">Apache
2.2</a></li>
                        <li><a href="http://notepad-
plus.sourceforge.net/">NOTEPAD++</a></li>
                  </ul>
            </div>
            <div id="secondaryContent">

            </div>
            <div class="clear"></div>
      </div>
      <div id="footer">
            <p>Copyright &copy; 2008 www.OnlineTeachingEvaluations.com.
Designed by Aaron M. Ramirez</p>
      </div>
</div>
</body>
</html>




Contact.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Teaching Evaluations | Welcome</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="outer">
      <div id="header">
            <h1><a href="http://localhost/index.html">Online Teaching
Evaluations</a></h1>
            <h2>Santa Clara University 2008 Senior Design Project</h2>
      </div>
      <div id="menu">
            <ul>
                  <li class="first"><a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Home</a></li>
                  <li><a href="http://localhost/login.html"
accesskey="2" title="localhost/index">Login</a></li>
                  <li><a href="http://localhost/aboutus.html"
accesskey="2" title="localhost/index">About Us</a></li>
                  <li><a href="http://localhost/contact.html"
accesskey="5" title="localhost/index">Contact Us</a></li>
            </ul>
            <div class="clear"></div>
      </div>
      <div id="content">
            <div id="primaryContentContainer">
                  <div id="primaryContent">
                         <h2>Contact Us<span></span></h2>
                         <p><strong>If you have any questions or
concerns about this design project developed for
                         <a href="http://www.scu.edu/">Santa Clara
University</a>, please feel free to use the contact information
below.</strong></p>
                         <br>
                         <p><strong>Email:</strong>
                         <br>Aaron Ramirez at
                         <br>ARamirez@scu.edu</p>
                         <p><strong>Phone Number:</strong>
                         <br>408 527 8821</p>
                         <p><strong>Address:</strong>
                         <br><a href="http://www.scu.edu/">Santa Clara
University</a>
                         <br>500 El Camino Real
                         <br>Santa Clara, CA 95053
                         <br><a
href="http://maps.google.com/maps?f=q&hl=en&geocode=&q=500+el+camino+re
al,+santa+clara,+CA+95053&sll=37.0625,-
95.677068&sspn=33.160552,63.28125&ie=UTF8&ll=37.350458,-
121.93511&spn=0.008119,0.01545&t=h&z=16">Map it!</a></p>


                        <br>
                  </div>
            </div>
            <div id="tertiaryContent">
                  <h3>Helpful Links<span></span></h3>
                  <ul>
                        <li><a href="http://www.scu.edu/">Santa Clara
University</a></li>
                        <li><a
href="http://portal.acm.org/citation.cfm?id=1344232.1344247&coll=&dl=">
Swiss E-Voting Article</a></li>
                        <li><a
href="http://unpan1.un.org/intradoc/groups/public/documents/Other/UNPAN
022422.pdf">Geneva Internet voting system</a></li>
                        <li><a
href="http://www.geneve.ch/evoting/english/welcome.asp">REPUBLIQUE ET
CANTON DE GENEVE</a></li>

                  </ul>
                  <h3>Resources<span></span></h3>
                  <ul>
                        <li><a
href="http://www.activestate.com/Products/activeperl/">ActivePerl
5.10.0</a></li>
                        <li><a href="http://www.mysql.com/">MySQL
5</a></li>
                        <li><a href="http://httpd.apache.org/">Apache
2.2</a></li>
                        <li><a href="http://notepad-
plus.sourceforge.net/">NOTEPAD++</a></li>
                  </ul>
            </div>
            <div id="secondaryContent">

            </div>
            <div class="clear"></div>
      </div>
      <div id="footer">
            <p>Copyright &copy; 2008 www.OnlineTeachingEvaluations.com.
Designed by Aaron M. Ramirez</p>
      </div>
</div>
</body>
</html>



AboutUs.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Teaching Evaluations | About Us</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="default.css" rel="stylesheet" type="text/css" />


</head>
<body>
<div id="outer">
      <div id="header">
            <h1><a href="http://localhost/index.html">Online Teaching
Evaluations</a></h1>
            <h2>Santa Clara University 2008 Senior Design Project</h2>
      </div>
      <div id="menu">
            <ul>
                  <li class="first"><a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Home</a></li>
                  <li><a href="http://localhost/login.html"
accesskey="2" title="localhost/index">Login</a></li>
                  <li><a href="http://localhost/aboutus.html"
accesskey="2" title="localhost/index">About Us</a></li>
                  <li><a href="http://localhost/contact.html"
accesskey="5" title="localhost/index">Contact Us</a></li>
            </ul>
            <div class="clear"></div>
      </div>
      <div id="content">
            <div id="primaryContentContainer">
                  <div id="primaryContent">
                         <h2>About Us<span></span></h2>
                         <p><strong>This project, as mentioned on the
home page, is a senior design project by Aaron M. Ramirez, in
accordance with requirements set by Santa Clara University's Engineering
Department.</strong></p>
                         <BR>
                         <p>My name is Aaron Ramirez, and I am a senior
graduating June 2008, with a Bachelor's degree in Computer Engineering
from Santa Clara University.
                         This is my senior design project that I have
been working on from concept and development to its current
implementation status.</p>
                  </div>
            </div>
            <div id="tertiaryContent">
                  <h3>Helpful Links<span></span></h3>
                  <ul>
                         <li><a href="http://www.scu.edu/">Santa Clara
University</a></li>
                         <li><a
href="http://portal.acm.org/citation.cfm?id=1344232.1344247&coll=&dl=">
Swiss E-Voting Article</a></li>
                         <li><a
href="http://unpan1.un.org/intradoc/groups/public/documents/Other/UNPAN
022422.pdf">Geneva Internet voting system</a></li>
                         <li><a
href="http://www.geneve.ch/evoting/english/welcome.asp">REPUBLIQUE ET
CANTON DE GENEVE</a></li>

                  </ul>
                  <h3>Resources<span></span></h3>
                  <ul>


                        <li><a
href="http://www.activestate.com/Products/activeperl/">ActivePerl
5.10.0</a></li>
                        <li><a href="http://www.mysql.com/">MySQL
5</a></li>
                        <li><a href="http://httpd.apache.org/">Apache
2.2</a></li>
                        <li><a href="http://notepad-
plus.sourceforge.net/">NOTEPAD++</a></li>
                  </ul>
            </div>
            <div id="secondaryContent">

            </div>
            <div class="clear"></div>
      </div>
      <div id="footer">
            <p>Copyright &copy; 2008 www.OnlineTeachingEvaluations.com.
Designed by Aaron M. Ramirez</p>
      </div>
</div>
</body>
</html>



LogOut.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Teaching Evaluations | Login</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="outer">
      <div id="header">
            <h1><a href="http://localhost/index.html">Online Teaching
Evaluations</a></h1>
            <h2>Santa Clara University 2008 Senior Design Project</h2>
      </div>
      <div id="menu">
            <ul>
                  <li class="first"><a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Home</a></li>
                  <li><a href="http://localhost/login.html"
accesskey="2" title="localhost/login">Login</a></li>
                  <li><a href="http://localhost/aboutus.html"
accesskey="2" title="localhost/index">About Us</a></li>
                  <li><a href="http://localhost/contact.html"
accesskey="5" title="localhost/index">Contact Us</a></li>
            </ul>
            <div class="clear"></div>


      </div>
      <div id="content">
            <div id="primaryContentContainer">
                  <div id="primaryContent">
                         <h2>Online Teaching Evaluations
Login<span></span></h2>

                        <p><strong>Thank you for visiting <a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Online Teaching Evaluations.</a></strong><BR></p>
                        <h3>Please enter your login information below
in order to login to the Token Distribution Center:</h3><BR>
                        <FORM ACTION="/cgi-bin/welcome.cgi"
METHOD="POST">
                        First Name:       <INPUT TYPE="text"
NAME="first" SIZE=15 MAXLENGTH=15><BR>
                        Last Name:        <INPUT TYPE="text"
NAME="last" SIZE=20 MAXLENGTH=20><BR>
                        Student ID:       <INPUT TYPE="text"
NAME="student_id" SIZE=11 MAXLENGTH=11><BR>
                        Password:         <INPUT TYPE="password"
NAME="password" SIZE=20 MAXLENGTH=20><BR>
                        <BR>
                        <INPUT TYPE="submit" VALUE="Submit">
                        <INPUT TYPE="reset" VALUE="Clear all fields">
                        </FORM>
                        <BR>
                  </div>
            </div>
            <div id="tertiaryContent">
                  <h3>Helpful Links<span></span></h3>
                  <ul>
                        <li><a href="http://www.scu.edu/">Santa Clara
University</a></li>
                        <li><a
href="http://portal.acm.org/citation.cfm?id=1344232.1344247&coll=&dl=">
Swiss E-Voting Article</a></li>
                        <li><a
href="http://unpan1.un.org/intradoc/groups/public/documents/Other/UNPAN
022422.pdf">Geneva Internet voting system</a></li>
                        <li><a
href="http://www.geneve.ch/evoting/english/welcome.asp">REPUBLIQUE ET
CANTON DE GENEVE</a></li>

                  </ul>
                  <h3>Resources<span></span></h3>
                  <ul>
                        <li><a
href="http://www.activestate.com/Products/activeperl/">ActivePerl
5.10.0</a></li>
                        <li><a href="http://www.mysql.com/">MySQL
5</a></li>
                        <li><a href="http://httpd.apache.org/">Apache
2.2</a></li>
                        <li><a href="http://notepad-
plus.sourceforge.net/">NOTEPAD++</a></li>
                  </ul>


            </div>
            <div id="secondaryContent">

            </div>
            <div class="clear"></div>
      </div>
      <div id="footer">
            <p>Copyright &copy; 2008 www.OnlineTeachingEvaluations.com.
Designed by Aaron M. Ramirez</p>
      </div>
</div>
</body>
</html>



TDC.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Teaching Evaluations | TDC</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="outer">
      <div id="header">
            <h1><a href="http://localhost/index.html">Online Teaching
Evaluations</a></h1>
            <h2>Santa Clara University 2008 Senior Design Project</h2>
      </div>
      <div id="menu">
            <ul>
                  <li class="first"><a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Home</a></li>
                  <li><a href="http://localhost/logout.html"
accesskey="2" title="localhost/login">Log Out</a></li>
                  <li><a href="http://localhost/aboutus.html"
accesskey="2" title="localhost/index">About Us</a></li>
                  <li><a href="http://localhost/contact.html"
accesskey="5" title="localhost/index">Contact Us</a></li>
            </ul>
            <div class="clear"></div>
      </div>
      <div id="content">
            <div id="primaryContentContainer">
                  <div id="primaryContent">
                         <h2>Token Distribution Center<span></span></h2>

                        <p><strong>You now will need to further verify
your identity in order to access the evaluation center with a security
token that we will provide to you.</strong></p>
                        <p>Thank you for your patience...</p>


                        <h3>Please enter your login information below
in order to gain access to a Security Token:</h3><BR>
                        <FORM ACTION="/cgi-bin/tdc.cgi" METHOD="POST">
                        SCU email address:            <INPUT
TYPE="text" NAME="email" SIZE=20><BR>
                        eCampus ID:       <INPUT TYPE="text"
NAME="ecampus_id" SIZE=11 MAXLENGTH=11><BR>
                        eCampus password:       <INPUT TYPE="password"
NAME="ecampus_psswrd" SIZE=11 MAXLENGTH=11><BR>
                        <BR>
                        <INPUT TYPE="submit" VALUE="Submit">
                        <INPUT TYPE="reset" VALUE="Clear all fields">
                        </FORM>
                        <BR>
                  </div>
            </div>
            <div id="tertiaryContent">
                  <h3>Helpful Links<span></span></h3>
                  <ul>
                        <li><a href="http://www.scu.edu/">Santa Clara
University</a></li>
                        <li><a
href="http://portal.acm.org/citation.cfm?id=1344232.1344247&coll=&dl=">
Swiss E-Voting Article</a></li>
                        <li><a
href="http://unpan1.un.org/intradoc/groups/public/documents/Other/UNPAN
022422.pdf">Geneva Internet voting system</a></li>
                        <li><a
href="http://www.geneve.ch/evoting/english/welcome.asp">REPUBLIQUE ET
CANTON DE GENEVE</a></li>

                  </ul>
                  <h3>Resources<span></span></h3>
                  <ul>
                        <li><a
href="http://www.activestate.com/Products/activeperl/">ActivePerl
5.10.0</a></li>
                        <li><a href="http://www.mysql.com/">MySQL
5</a></li>
                        <li><a href="http://httpd.apache.org/">Apache
2.2</a></li>
                        <li><a href="http://notepad-
plus.sourceforge.net/">NOTEPAD++</a></li>
                  </ul>
            </div>
            <div id="secondaryContent">

            </div>
            <div class="clear"></div>
      </div>
      <div id="footer">
            <p>Copyright &copy; 2008 www.OnlineTeachingEvaluations.com.
Designed by Aaron M. Ramirez</p>
      </div>
</div>
</body>


</html>



TDC2.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Teaching Evaluations | TDC</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="outer">
      <div id="header">
            <h1><a href="http://localhost/index.html">Online Teaching
Evaluations</a></h1>
            <h2>Santa Clara University 2008 Senior Design Project</h2>
      </div>
      <div id="menu">
            <ul>
                  <li class="first"><a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Home</a></li>
                  <li><a href="http://localhost/logout.html"
accesskey="2" title="localhost/login">Log Out</a></li>
                  <li><a href="http://localhost/aboutus.html"
accesskey="2" title="localhost/index">About Us</a></li>
                  <li><a href="http://localhost/contact.html"
accesskey="5" title="localhost/index">Contact Us</a></li>
            </ul>
            <div class="clear"></div>
      </div>
      <div id="content">
            <div id="primaryContentContainer">
                  <div id="primaryContent">
                         <h2>Token Distribution Center<span></span></h2>

                        <p><strong>Thank you for logging
in!</strong></p>
                        <p>Now please click the link below to access
the Courses Database to choose a course to evaluate: </p>
                        <strong><a href="http://localhost/cgi-bin/course.cgi"
accesskey="2" title="localhost/cgi">Courses Database</a></strong>
                        <BR>

                  </div>
            </div>
            <div id="tertiaryContent">
                  <h3>Helpful Links<span></span></h3>
                  <ul>
                        <li><a href="http://www.scu.edu/">Santa Clara
University</a></li>


                        <li><a
href="http://portal.acm.org/citation.cfm?id=1344232.1344247&coll=&dl=">
Swiss E-Voting Article</a></li>
                        <li><a
href="http://unpan1.un.org/intradoc/groups/public/documents/Other/UNPAN
022422.pdf">Geneva Internet voting system</a></li>
                        <li><a
href="http://www.geneve.ch/evoting/english/welcome.asp">REPUBLIQUE ET
CANTON DE GENEVE</a></li>

                  </ul>
                  <h3>Resources<span></span></h3>
                  <ul>
                        <li><a
href="http://www.activestate.com/Products/activeperl/">ActivePerl
5.10.0</a></li>
                        <li><a href="http://www.mysql.com/">MySQL
5</a></li>
                        <li><a href="http://httpd.apache.org/">Apache
2.2</a></li>
                        <li><a href="http://notepad-
plus.sourceforge.net/">NOTEPAD++</a></li>
                  </ul>
            </div>
            <div id="secondaryContent">

            </div>
            <div class="clear"></div>
      </div>
      <div id="footer">
            <p>Copyright &copy; 2008 www.OnlineTeachingEvaluations.com.
Designed by Aaron M. Ramirez</p>
      </div>
</div>
</body>
</html>



EVC.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Teaching Evaluations | TDC</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="outer">
      <div id="header">
            <h1><a href="http://localhost/index.html">Online Teaching
Evaluations</a></h1>
            <h2>Santa Clara University 2008 Senior Design Project</h2>
      </div>


      <div id="menu">
            <ul>
                  <li class="first"><a
href="http://localhost/index.html" accesskey="1"
title="localhost/index">Home</a></li>
                  <li><a href="http://localhost/logout.html"
accesskey="2" title="localhost/login">Log Out</a></li>
                  <li><a href="http://localhost/aboutus.html"
accesskey="2" title="localhost/index">About Us</a></li>
                  <li><a href="http://localhost/contact.html"
accesskey="5" title="localhost/index">Contact Us</a></li>
            </ul>
            <div class="clear"></div>
      </div>
      <div id="content">
            <div id="primaryContentContainer">
                  <div id="primaryContent">
                         <h2>Evaluation Center<span></span></h2>

                        <p><strong>In order to perform an online
evaluation, you will need to login with your provided security token.
Thank you for your patience...</strong></p>

                        <h3>Please enter your Security Token below in
order to login to the Evaluation Center:</h3><BR>
                        <FORM ACTION="/cgi-bin/decrypt.cgi"
METHOD="POST">
                        Security Token:   <INPUT NAME="sec_token"
SIZE=20><BR>
                        <BR>
                        <INPUT TYPE="submit" VALUE="Submit">
                        <INPUT TYPE="reset" VALUE="Clear field">
                        </FORM>
                        <BR>
                  </div>
            </div>
            <div id="tertiaryContent">
                  <h3>Helpful Links<span></span></h3>
                  <ul>
                        <li><a href="http://www.scu.edu/">Santa Clara
University</a></li>
                        <li><a
href="http://portal.acm.org/citation.cfm?id=1344232.1344247&coll=&dl=">
Swiss E-Voting Article</a></li>
                        <li><a
href="http://unpan1.un.org/intradoc/groups/public/documents/Other/UNPAN
022422.pdf">Geneva Internet voting system</a></li>
                        <li><a
href="http://www.geneve.ch/evoting/english/welcome.asp">REPUBLIQUE ET
CANTON DE GENEVE</a></li>

                  </ul>
                  <h3>Resources<span></span></h3>
                  <ul>
                        <li><a
href="http://www.activestate.com/Products/activeperl/">ActivePerl
5.10.0</a></li>


                          <li><a href="http://www.mysql.com/">MySQL
5</a></li>
                          <li><a href="http://httpd.apache.org/">Apache
2.2</a></li>
                        <li><a href="http://notepad-
plus.sourceforge.net/">NOTEPAD++</a></li>
                  </ul>
            </div>
            <div id="secondaryContent">

            </div>
            <div class="clear"></div>
      </div>
      <div id="footer">
            <p>Copyright &copy; 2008 www.OnlineTeachingEvaluations.com.
Designed by Aaron M. Ramirez</p>
      </div>
</div>
</body>
</html>



WELCOME.cgi
#!c:/Perl/bin/perl.exe -wT
use strict;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use CGI qw(:standard);
use CGI qw/:standard :html3/;
use CGI qw(:standard Vars);
use DBI;

my   $tdc = "http://localhost/tdc.html";
my   $login = "http://localhost/login.html";
my   $login_missing = "http://localhost/login_missing.html";
my   $login_incorrect = "http://localhost/login_incorrect.html";

my   %FORM = Vars();
my   $first = param('first');
my   $last = param('last');
my   $s_id = param('student_id');
my   $psswrd = param('password');
my   ($first_name, $last_name, $student_id, $password);

if ($first && $last && $s_id && $psswrd) {

      my $dbh = DBI->connect(
"DBI:mysql:host=localhost;database=tdc","root","Sessions",
{PrintError=>0,RaiseError=>1}) or die "error";

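      # Bind the form values through placeholders so user input is passed
      # to MySQL as data and never becomes part of the SQL statement text.
      my $query = "SELECT * FROM student_info WHERE first_name = ? &&
            last_name = ? && student_id = ? && password = ?";
      my $dbs = $dbh->prepare ($query);
      $dbs->execute($first, $last, $s_id, $psswrd);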


      # BIND TABLE COLUMNS TO VARIABLES
      $dbs->bind_columns(\$student_id, \$first_name, \$last_name,
\$password);

      # LOOP THROUGH RESULTS
      if($dbs->fetch()) {

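            # Compare as strings: == is numeric and numifies non-numeric
            # strings to 0, so any two names would compare equal.
            if (($student_id eq $s_id) || ($first_name eq $first) ||
($last_name eq $last)) {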

                     print   redirect ($tdc);
                     print   header;
                     print   start_html("TDC");
                     print   h1("Welcome to Token Distribution Center");

                     print "<p> hello $first_name $last_name, your id is:
$student_id <br>";
                     print "<p>You are in the database.<br>";
                     $dbh->disconnect;
                     print "<br>";
                     print "Thank you ", $first, " ", $last, "!";
                     print "<br>";

            }
      } else {

                  print redirect ($login_incorrect);
                  print header;
                  print start_html("TDC");
                  print h1("Welcome to Token Distribution Center");
                  print "<p>You are not in the database!";
                  print "<p>Please contact the system administrator to
request an account at aramirez.scu.edu.";
                  print "<p>Thank you.";

      }
} else {

      print redirect ($login_missing);
      print header;
      print start_html("TDC");
      print "<br>";
      print "You did not enter your name or student id.", "<br>";
      print "You cannot perform an evaluation without your name and
student id!", "<br>";
      print "Please visit the Online Teaching Evaluations login form
again.", "<br>";

}
exit (0);




TDC.cgi
#!c:/Perl/bin/perl.exe -wT

use   strict;
use   CGI;
use   CGI::Carp qw(fatalsToBrowser);
use   CGI qw(:standard);
use   CGI qw/:standard :html3/;
use   CGI qw(:standard Vars);
use   DBI;

my $tdc2 = "http://localhost/tdc2.html";
my $tdc_missing = "http://localhost/tdc_missing.html";
my $tdc_incorrect = "http://localhost/tdc_incorrect.html";

my   %FORM = Vars();
my   $e_mail = param('email');
my   $ec_id = param('ecampus_id');
my   $ec_psswrd = param('ecampus_psswrd');
my   ($student_id, $email, $ecampus_psswrd, $ecampus_id);

if ($e_mail && $ec_id && $ec_psswrd) {

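      # NOTE: connects as the MySQL root user with a hard-coded password
      my $dbh = DBI->connect(
            "DBI:mysql:host=localhost;database=tdc", "root", "Sessions",
            {PrintError=>0, RaiseError=>1}) or die "error";

      # Form values are bound as placeholders instead of being interpolated
      # into the SQL text, so quotes in user input cannot change the query.
      my $query = "SELECT * FROM ecampus_info WHERE email = ? AND " .
                  "ecampus_id = ? AND ecampus_psswrd = ?";
      my $dbs = $dbh->prepare ($query);
      $dbs->execute($e_mail, $ec_id, $ec_psswrd);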

      # BIND TABLE COLUMNS TO VARIABLES
      $dbs->bind_columns(\$student_id, \$email, \$ecampus_psswrd,
\$ecampus_id);

        # LOOP THROUGH RESULTS
        if($dbs->fetch()) {

            # Compare strings with eq; == is a numeric comparison in Perl
            if (($email eq $e_mail) || ($ecampus_id eq $ec_id) ||
                ($ecampus_psswrd eq $ec_psswrd)) {

                    print   redirect ($tdc2);
                    print   header;
                    print   start_html("TDC");
                    print   h1("Now to choose a course to evaluate");

                    print "<p>You are in the database.<br>";
                    $dbh->disconnect;
                    print "<br>";
                    print "Thank you!";
                    print "<br>";

              }
        } else {



                  print redirect ($tdc_incorrect);
                  print header;
                  print start_html("TDC");
                  print h1("Welcome to Token Distribution Center");
                  $dbh->disconnect;
                  print "<p>Your information is incorrect!";
                  print "<p>Please contact the system administrator to request an account at aramirez.scu.edu.";
                  print "<p>Thank you.";

      }
} else {

      print redirect ($tdc_missing);
      print header;
      print start_html("TDC");
      print "<br>";
      print "You did not enter correct information", "<br>";
      print "You cannot perform an evaluation without the correct login information!", "<br>";
      print "Please visit the Online Teaching Evaluations login form again.", "<br>";

}
exit (0);



Course.cgi
#!c:/Perl/bin/perl.exe -wT

use   strict;
use   CGI;
use   CGI::Carp qw(fatalsToBrowser);
use   CGI qw(:standard);
use   CGI qw/:standard :html3/;
use   CGI qw(:standard Vars);
use   DBI;
use   MIME::Base64::URLSafe;

if (param()) {

        my $s_id = param('student_id') || '';

        if (param('Submit')) {

              print header;
              print start_html("TDC");
              print h1("Now to choose a course to evaluate");

            my $dbh = DBI->connect(
                  "DBI:mysql:host=localhost;database=tdc", "root", "Sessions",
                  {PrintError=>0, RaiseError=>1}) or die "error";

            # The student ID is bound as a placeholder rather than
            # interpolated into the SQL text.
            my $query = "SELECT student_course.course_number, " .
                        "student_course.course_title " .
                        "FROM student_course, course_detail " .
                        "WHERE student_course.course_number = course_detail.course_number " .
                        "AND course_detail.student_id = ?";
            my $dbs = $dbh->prepare ($query);
            $dbs->execute($s_id);

            print   "Please select a Course Title from the list below to evaluate...";
            print   "<br>";
            print   "<br>";
            print   "Course Information: ";
            print   "<BR>";
            print   "Course Code . Course Title";
            print   "<br>";

            print start_form();

            my @title = ();
            my $course = "";
            while (@title = $dbs->fetchrow()){
                  $course = $title[0]."%".$title[1];
                  print qq{<input type=radio name="course" value="$course">$title[0] . $title[1]<br>};
                  print "<BR>";
            }
            print "<BR>";
            print submit('Get Token');
            print end_form();
            print "<br>",
                  end_html;

      } elsif (param('Get Token')) {

            my $c_title = param('course') || '';

            print
                    header(),
                    start_html('TDC'),
                    h2('Here is your Security Token:'),
                    "<BR>";

            # Encode the course string with URL-safe Base64 (an encoding,
            # not encryption) and send it to the user's screen...
            my $crypt_txt = urlsafe_b64encode($c_title);
            print "<P>",
                  "Security Token / Encrypted Course Title: ",
                  "<BR>",
                  "$crypt_txt";

            print "<P>",
                  "Please highlight and copy the Security Token above before visiting the Evaluation Center.",
                  "<BR>",
                  "Thank you for visiting the Token Distribution Center.",
                  "<BR>",
                  "<BR>",
                  "Now please visit the evaluation center at: ",


                      "<p>",
                      "http://localhost/evc.html/",
                      "<br>",
                      "Course Number:",
                      "<BR>",
                      "$c_title",
                      end_html;

                my $decrypt_txt = urlsafe_b64decode($crypt_txt);
                print "<P>",
                      "Decrypted Token:",
                      "<BR>",
                      "$decrypt_txt";
        }

} else {

      print
        header(),
        start_html('TDC'),
        h1('Please enter your student ID again for verification in the form below:'),
        start_form(),
            h2('Student ID: '),
            "<INPUT NAME=\"student_id\" SIZE=5 MAXLENGTH=4><BR>";

        print
                "<BR>",
                submit ('Submit'),
                end_form,
                end_html;

}



Decrypt.cgi
#!c:/Perl/bin/perl.exe -wT

use   strict;
use   CGI;
use   CGI::Carp qw(fatalsToBrowser);
use   CGI qw(:standard);
use   CGI qw/:standard :html3/;
use   CGI qw(:standard Vars);
use   MIME::Base64::URLSafe;

my %FORM = Vars();

if (param()) {

        my $crypt_txt = param('sec_token');

        my $decrypt_txt = urlsafe_b64decode($crypt_txt);

        print
                header(),


             start_html('TDC'),
             h2('This is the course ID you will evaluate:'),
             "<BR>";

     substr($decrypt_txt,6,1,"-");

     print "<p>",
           "Decrypted Course Information: ",
           "<BR>",
           "<BR>",
           "Course Number - Title",
           "<BR>",
           $decrypt_txt,
           "<br>",
           end_html;

} else {

     print
       header(),
       start_html('TDC'),
       h1('Please enter your Security Token in the form below:'),
       start_form(),
           h2('Security Token: '),
           "<INPUT NAME=\"sec_token\" SIZE=70><BR>";

     print
             "<BR>",
             submit ('Submit'),
             end_form,
             end_html;

}




                                       APPENDIX B
Low-Level Design Specifications


Student CD
File with CD-Number and Student Key pair

Perl TDC-GUI:
   • Mediates between student and TDC
         o Details of interaction in Section ...
         o Relevant GUI elements:
                   Submit student id
                   Submit password
   • Displays tokens
         o Student requests token by providing course number
         o Perl TDC-GUI opens token and decrypts token file
         o Perl TDC-GUI displays token in field that can be pasted
   • Start web browser with http connection to Evaluation Center




TDC: Token Distribution Center
Database Tables
Master Student-Course:
string 5 char: course number
string 2 char: number of students
string 7 char: course
string 20 char: course title
string 20 char: professor_name

Course-Detail:
string 5 char: course number
string 11 char: enrolled Student ID

Log of Interaction:
Time/Date: timestamps
string 11 char: Student ID
string 2 char: description (read, write, update)

Student-Key:
string 20 char: CD-Number
string 20 char: CD-key
string 11 char: Student ID

Student-ecampus password:
string 11 char: Student ID
string 20 char: student SCU email address
string 20 char: hashed e-campus password

Student-Info:
string 11 char: Student ID
string 15 char: First_name
string 20 char: Last_name
string 20 char: crypt_password

Session:
string 20 char: session id
string 20 char: CD-Number
big integer: random number

Tokens Issued:
string 50 char: token (course #, RGUID, timestamp, integrity check)
string 30 char: RGUID
Time/Date: timestamp (14)
string 1 char: integrity check
string 11 char: student ID


Administrative Tasks:
Populating Student-Key database:
   •   Create a large list of student-keys and CD-Numbers.
   •   Print CDs with a student-key-CD-Number pair


Manage Token Issued database:
   •   Track tokens issued and the expiration dates, and timestamps.
   •   Manage link of tokens issued to students




EVC: Evaluation Center
Database Tables

Master Student-Course:
string 6 char: course number
string 2 char: number of students
string 7 char: course
string 20 char: course title
string 20 char: professor name

Log of Interaction:
Date/Time: timestamps
string 11 char: Student ID
string 2 char: description (read, write, update)

Evaluations:
string 6 char: course number
number 2 int: question number
string 256 char: question
number 1 int: integer response
text 500 char: text response

Tokens Used:
string ?? char: token
string 6 char: RGUID
string 6 char: timestamp
string 1 char: integrity check


Administrative Tasks:
Manage Evaluation database:
   •   Store a large list of evaluations and tokens.
   •   Verify student submission of evaluations to students
   •   Post results of evaluations with hidden evaluation-token pairing.




Student – TDC Communication


Generating tokens:

   1. Student starts Perl TDC-GUI.
   2. Perl TDC-GUI sends http request start session to TDC:
           a. CD-ROM identifies CD-Number to TDC
           b. TDC checks whether CD-Number exists and has been used before
                   i. if CD-Number doesn’t exist, closes connection
   3. TDC generates session identifier and binds session identifier to CD-ROM
   4. TDC authenticates CD:
           a. TDC generates random number/session identifier pair
           b. TDC encrypts random number with master key from Student-Key
              database
           c. TDC sends result to Perl TDC-GUI
           d. Perl TDC-GUI decrypts
           e. Perl TDC-GUI adds 3 to random number
           f. Perl TDC-GUI sends answer to TDC
                   i. Session identifier
                  ii. Encrypted changed random number
           g. TDC decrypts answer and compares with random number.
   5. TDC looks up Student-Key database to obtain CD-Number, CD-key, student ID
   6. TDC asks Perl TDC-GUI for student ID.
   7. Perl TDC-GUI displays request to student
   8. Student answers request
   9. Perl TDC-GUI encrypts and sends answer to TDC
   10. TDC matches result: If student ID from input matches the one from the database,
       then proceed, otherwise, send abort with error message: “CD already used”.
   11. Student authenticates with e-campus password:
           a. TDC requests password
           b. Perl TDC-GUI requests password from student
           c. Student types in password
           d. Perl TDC-GUI calculates hash password
           e. Perl TDC-GUI encrypts hashed password with CD-key
           f. Perl TDC-GUI sends result to TDC
           g. TDC decrypts
           h. TDC compares
           i. TDC either authenticates or closes connection
   12. TDC looks up courses that student can evaluate with 5 possible list numbers and
       sends results to Perl TDC-GUI
   13. Perl TDC-GUI receives and presents results to student
   14. Student selects list numbers in courses
   15. Perl TDC-GUI sends selection to TDC
   16. TDC generates tokens
           a. TDC concatenates the following into the token
                   i. Course number
                  ii. List number chosen by the student
                 iii. RGUID (Randomly Generated Unique ID)
                  iv. Issue date of token (make sure to address clock drift)
                   v. Integrity check for security purposes
           b. TDC then encrypts the token with a secret key shared with EVC
           c. Using 64 encoding, breaks token into 6-byte chunks
   17. TDC sends tokens to Perl TDC-GUI
   18. Perl TDC-GUI stores tokens in a file at a well-known location.
   19. Perl TDC-GUI displays tokens ready for pasting.

Message Format: (Packed as http requests in body)


Generic:
Message ID (1 Byte)
Version Number (1Byte)
Session key (4 Bytes or empty)
Body of Message

Start session request:
Message ID: 0
Version Number: 0
Session key: 0
CD Number: 20B

CD authentication request:
Message ID: 1
Version Number: 0
Session key: session key
big number: Encrypted Random Number

CD authentication answer:
Message ID: 2
Version Number: 0
Session key: session key
big number: Encrypted Random Number

Student ID authentication request:
Message ID: 3
Version Number: 0
Session key: session key
Student ID: 11B

Student ID authentication answer:
Message ID: 4
Version Number: 0
Session key: session key
Student ID: 11B

ecampus authentication request:
Message ID: 5
Version Number: 0
Session key: session key
ecampus password: 20B

ecampus authentication answer:
Message ID: 6
Version Number: 0
Session key: session key
Encrypted hashed ecampus password: 20B

Course list request:
Message ID: 7
Version Number: 0
Session key: session key
???


Course list answer:
Message ID: 8
Version Number: 0
Session key: session key
???

Token issued:
Message ID: 9
Version Number: 0
Session key: session key
???
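
The message layout above, written out as a codec; this is an added example in Python, not code from the thesis. The field widths come from the list above, while big-endian integers, NUL padding of fixed fields and a 4-byte zero session key on the start-session request are assumptions, because the page does not specify the wire encoding.

```python
import struct

# Header: Message ID (1 byte), Version Number (1 byte), Session key (4 bytes).
# Assumption: big-endian, and the session key is always present (zero on ID 0).
HEADER = struct.Struct(">BBI")
FIXED_BODY = {0: 20, 3: 11, 4: 11, 5: 20, 6: 20}   # message ID -> body bytes
BIGNUM_BODY = {1, 2}                # encrypted random number, variable length
UNSPECIFIED_BODY = {7, 8, 9}        # shown as "???" on the page: kept opaque
SUPPORTED_VERSION = 0


class MessageError(ValueError):
    """Raised for any message that does not match the layout."""


def pack_message(msg_id, session_key, body, version=SUPPORTED_VERSION):
    if msg_id in FIXED_BODY:
        width = FIXED_BODY[msg_id]
        if len(body) > width:
            raise MessageError("body longer than fixed field")
        body = body.ljust(width, b"\x00")      # assumption: NUL padding
    elif msg_id not in BIGNUM_BODY | UNSPECIFIED_BODY:
        raise MessageError("unknown message ID")
    return HEADER.pack(msg_id, version, session_key) + body


def parse_message(raw):
    if len(raw) < HEADER.size:
        raise MessageError("truncated header")
    msg_id, version, session_key = HEADER.unpack_from(raw)
    body = raw[HEADER.size:]
    if version != SUPPORTED_VERSION:
        raise MessageError("unsupported version")
    if msg_id in FIXED_BODY:
        if len(body) != FIXED_BODY[msg_id]:
            raise MessageError("wrong body length for message ID")
        body = body.rstrip(b"\x00")
    elif msg_id in BIGNUM_BODY:
        if not body:
            raise MessageError("missing encrypted number")
    elif msg_id not in UNSPECIFIED_BODY:
        raise MessageError("unknown message ID")
    # Only the start-session request may arrive without a session key.
    if msg_id == 0 and session_key != 0:
        raise MessageError("start session must not carry a session key")
    if msg_id != 0 and session_key == 0:
        raise MessageError("session key required after session start")
    return {"id": msg_id, "version": version,
            "session_key": session_key, "body": body}


# Constructed sample: a start-session request for a made-up CD number.
SAMPLE = pack_message(0, 0, b"CD-0001")
```

Rejecting wrong lengths, unknown IDs and a missing session key before any decryption keeps malformed requests out of the authentication steps.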




Student – EVC Communication
Submitting Evaluations:
Note: The “production version” of the project would use https instead of http

   1. Student starts browser and enters EVC location.
   2. Student browser sends request start session to EVC:
         a. Browser sends http request to EVC
         b. ? EVC responds and creates secure connection to user…
   3. EVC requests security token received from TDC
   4. Browser posts request from EVC for token to be pasted or typed into form
   5. Student pastes or types token received from TDC and submits
   6. EVC receives token
   7. EVC decrypts and marks token as used and adds to list if valid, otherwise, send
       error message (with time delay) and log interaction:
           a. EVC decrypts token.
           b. EVC checks integrity of token. If no, send error message
           c. EVC checks whether token is expired. If yes, send error message.
           d. EVC checks whether token has been used.
           e. EVC stores token into a database, so that tokens cannot be reused
           f. (Database entries are purged periodically to remove old tokens)
           g. EVC logs interaction
   8. EVC parses the token for information
           a. EVC pulls the course and list number from the token
   9. EVC posts evaluation for course to web browser for student to fill out
   10. Student fills in evaluation
   11. Student then submits evaluation form to EVC
   12. EVC receives response from student’s web browser with evaluation
   13. EVC responds to Student with confirmation of evaluation, posting their
       evaluation back to them
   14. EVC requests Student confirmation of evaluation to be submitted
   15. Student responds with either acceptance or denial of confirmation:
           a. if the evaluation is accepted as the correct evaluation submitted, the
              student will confirm and submit
           b. if the evaluation is not accepted as the evaluation filled out, then the
              student is asked to re-evaluate the course and re-submit
   16. Student submits the confirmed evaluation to the EVC
   17. EVC posts evaluation to the database
           a. CGI script will post the evaluation directly to the evaluation tables in the
              database
           b. the evaluation results are calculated from new user input
   18. EVC posts results of submitted evaluation to student’s web browser for their
       confirmation of effects of evaluation to professor
   19. EVC logs the student out and closes connection
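
Token generation at the TDC (step 16 of "Generating tokens") and the EVC checks in step 7 above, as an added example in Python that is not code from the thesis. It assumes HMAC-SHA-256 as the integrity check, a "|" field separator, a 14-day lifetime and an in-memory set in place of the Tokens Used table; the encryption step is left out because the Python standard library has no cipher, so only integrity, expiry and reuse are shown.

```python
import base64
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key"   # assumption: secret shared by TDC and EVC
MAX_AGE = 14 * 24 * 3600               # assumption: token lifetime in seconds
CLOCK_DRIFT = 300                      # assumption: tolerated TDC/EVC clock skew
TAG_LEN = hashlib.sha256().digest_size


def issue_token(course, list_no, now=None):
    """TDC side: concatenate the fields, append the integrity check, encode."""
    issued = int(time.time() if now is None else now)
    rguid = secrets.token_hex(8)       # randomly generated unique ID
    payload = "|".join([course, str(list_no), rguid, str(issued)]).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


class EvaluationCenter:
    def __init__(self):
        self.used = set()              # stands in for the Tokens Used table

    def accept(self, token, now=None):
        """EVC side: return (course, list_no) or raise ValueError."""
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:
            raise ValueError("malformed token") from None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
        # Integrity first: nothing in the payload is parsed until it verifies.
        if len(raw) <= TAG_LEN or not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        course, list_no, rguid, issued = payload.decode().split("|")
        if not int(issued) - CLOCK_DRIFT <= now <= int(issued) + MAX_AGE:
            raise ValueError("token expired or not yet valid")
        if rguid in self.used:
            raise ValueError("token already used")
        self.used.add(rguid)           # record it so the token cannot be reused
        return course, int(list_no)
```

A plain Base64 string such as the one Course.cgi prints fails the integrity check here, because it carries no tag computed with the shared key.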

Checking evaluations:
During evaluation period:
(Token required)

After grades are posted:

All evaluations are visible to everyone. Evaluations will contain list number:

Create Teaching report:

Give summary statistics and list of free form comments





				