Technical Safeguards & Infrastructure Security

Data Security Standards

UA LabSign Architecture & Cryptographic Verification Framework | University of Assumption

1. Zero-Trust Security Architecture

UA LabSign operates on a Zero-Trust security model. Every attendance submission is treated as untrusted until mathematically verified through hardware-bound cryptographic signatures, institutional identity checks, time-sensitive room PINs, and physical geofence validation.


2. Device-Bound ECDSA P-256 Cryptography

To guarantee non-repudiation and eliminate proxy check-ins, UA LabSign leverages Elliptic Curve Cryptography (ECC) generated directly on student hardware:

Web Crypto API Key Generation

Private keys are generated locally using Web Crypto API or hardware-backed keystores. They are non-exportable and remain strictly isolated inside the student device.

Digital Payload Verification

Attendance submissions contain a SHA-256 hashed signature combining Student ID, room location, and server timestamps, verified on the backend against the student public key.


3. Database Encryption & Query Parameterization

Institutional records and attendance ledgers are protected using enterprise-grade data persistence standards:

Encrypted Database Storage: All persistence layers reside in a cloud-hosted PostgreSQL database enforcing TLS/SSL encrypted connections in transit and AES-256 encryption at rest.

SQL Injection Immunity: Database queries are executed strictly through an Object-Relational Mapping (ORM) layer utilizing automated query parameterization, completely neutralizing SQL Injection attacks.


4. Password Hashing & Role-Based Access Control (RBAC)

Identity protection and administrative authorization strictly follow industry cryptographic recommendations:

  • Bcrypt Key Derivation: All administrative passwords and student 6-digit Recovery PINs are stored as salted hashes using the Bcrypt algorithm (work factor 10). Plaintext credentials are never written to disk or logs.
  • Google SSO Token Validation: Student authentication requires verifying OAuth 2.0 ID tokens generated by Google Identity Services, restricted to official domain accounts (@ua.edu.ph).
  • Role-Based Access Control (RBAC): Administrative endpoints, audit logs, and teacher session controls are protected via HTTP-only server session cookies and middleware access checks.

5. Rate Limiting & System Audit Trails

To defend against brute-force attacks and maintain system accountability, UA LabSign implements automated perimeter defenses:

API Rate Limiting: High-frequency authentication requests, PIN validations, and check-in endpoints are rate-limited via sliding window memory counters to prevent automated denial of service or credential stuffing.

Immutable Audit Logging: Administrative changes (such as schedule creation, room PIN generations, and manual attendance overrides) record permanent log entries containing timestamp, actor ID, and IP metadata.


6. Security Safeguards Summary

By combining device-bound Web Crypto digital signatures, temporary 4-digit room PINs, instant 65-meter geofence checks, and salted Bcrypt hashing, UA LabSign ensures a tamper-resistant environment for the University of Assumption computer laboratory network.


Security Incident Reporting

If you discover a potential vulnerability or security concern within UA LabSign, please report it immediately to the Information Technology Department or the Laboratory Administrator at the University of Assumption, City of San Fernando, Pampanga.