VeriTender is a secure web application designed to manage government tender submissions with high standards of confidentiality, integrity, and non-repudiation. It implements core cybersecurity concepts including Hybrid Encryption, Digital Signatures, and Role-Based Access Control (RBAC) to ensure a tamper-proof bidding process.
Features:

- Multi-Factor Authentication (MFA): Login requires a password plus a one-time password (OTP) delivered by email. The OTP is short-lived and single-use, so a captured code cannot be replayed after it has been consumed or has expired.
- Role-Based Access Control (RBAC): Strict separation of duties between Contractors, Officials, and Auditors; each role sees only the views and actions it needs.
- Hybrid Encryption: Each bid is encrypted under a fresh symmetric key (AES-256 for the data), and that key is wrapped with the server's RSA-2048 public key, so only an official holding the matching private key can reveal bid amounts. Caveat: the Fernet recipe listed under Cryptography below is AES-128-CBC with an HMAC-SHA256 tag; if Fernet is the symmetric layer, the effective symmetric key size is 128 bits, not 256.
- Digital Signatures & Receipts: Every submission produces a SHA-256 hash of the bid, which is signed to form a digital signature, and the contractor receives a Base64-encoded receipt. Together these give integrity and non-repudiation; the hash on its own is not a signature.
- Immutable Audit Logs: All critical actions (login, submission, decryption) are recorded in a log that the application exposes read-only for compliance. Read-only at the application layer does not by itself make the log tamper-evident: the server process can still write the SQLite file, so chaining entries by hash or shipping them to a separate store is what makes alteration detectable.
- Session Security: Anti-caching headers, signed session cookies, and automatic session timeouts.
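The MFA step above (password + emailed OTP) is the one a practitioner most often gets subtly wrong: codes stored in plaintext, compared with `==`, accepted forever, or accepted twice. The following is an added example of how the OTP half can be issued and checked; it is not VeriTender's own login code. The in-memory `store`, the five-minute window, the five-attempt limit, and the user-bound HMAC are all assumptions made for the example.

```python
"""Email-OTP second factor: issue a one-time code, store only a keyed hash of it,
and verify with expiry, single use, an attempt limit and constant-time comparison.
Added example, not VeriTender's own login code; the in-memory store and the
constants below are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses invalidate the challenge


@dataclass
class OtpChallenge:
    digest: bytes        # HMAC-SHA256 of the code; the code itself is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(secret_key: bytes, user: str, code: str) -> bytes:
    # Keyed with the application secret and bound to the user, so a leaked store
    # does not allow an offline brute force of the 10^6 code space, and a digest
    # for one account cannot be reused for another.
    return hmac.new(secret_key, f"{user}:{code}".encode(), hashlib.sha256).digest()


def issue_otp(store: Dict[str, OtpChallenge], secret_key: bytes, user: str,
              now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    # CSPRNG, zero-padded so "000123" is as likely as any other code
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    store[user] = OtpChallenge(_digest(secret_key, user, code), now + OTP_TTL_SECONDS)
    return code   # hand this to the mailer; the return value is the only copy


def verify_otp(store: Dict[str, OtpChallenge], secret_key: bytes, user: str,
               submitted: str, now: Optional[float] = None) -> Tuple[bool, str]:
    now = time.time() if now is None else now
    ch = store.get(user)
    if ch is None:
        return False, "no challenge"
    if ch.used:
        return False, "already used"
    if now > ch.expires_at:
        del store[user]
        return False, "expired"
    if ch.attempts >= MAX_ATTEMPTS:
        del store[user]
        return False, "locked"
    ch.attempts += 1
    # Constant-time comparison of digests: no early exit that leaks how many
    # leading characters of the guess were right.
    if not hmac.compare_digest(ch.digest, _digest(secret_key, user, submitted)):
        return False, "wrong code"
    ch.used = True   # keep the record so a replay of the same code is refused
    return True, "ok"
```

The attempt counter is incremented before the comparison, so a guess that times out mid-request still counts; the `now` parameter exists only so the expiry and lockout paths can be exercised deterministically.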
Tech Stack:

- Backend: Python 3.10+, FastAPI
- Database: SQLite (with normalized schema)
- Frontend: HTML5, Jinja2 Templates, Bootstrap 5
- Cryptography: cryptography library (Fernet, RSA, SHA-256)
- Email: SMTP (Gmail TLS)
Installation:

Clone the repository:

```bash
git clone https://github.com/Destroyer795/VeriTender.git
cd veritender
```

Create and activate a virtual environment:

```bash
# Windows
python -m venv venv
venv\Scripts\activate

# Mac/Linux
python3 -m venv venv
source venv/bin/activate
```

Install the dependencies:

```bash
pip install -r requirements.txt
```

Create a `.env` file in the root directory with the email credentials used for MFA and the secret that signs session cookies:

```
EMAIL_USER=your_email@gmail.com
EMAIL_PASS=your_app_password
SECRET_KEY=your_random_secret_string
```

`SECRET_KEY` should be a long random value from a CSPRNG rather than a memorable string, since anyone who knows it can forge session cookies; keep `.env` out of version control.

Run the seed script to create the database and populate it with the initial users:

```bash
python seed.py
```

Note: if you need to reset the database (clear all data and start fresh), use:

```bash
python reset_db.py
```

This deletes the existing database and reinitializes it with the default users.

Start the application:

```bash
python main.py
```

Access the application at: http://127.0.0.1:8000
Roles:

- Contractor
  - Responsibilities: View active tenders and submit sealed bids.
  - Security: Bids are encrypted at submission time, before storage, so the database holds only ciphertext, the wrapped key and the signature. The contractor receives a Base64 digital receipt as proof of submission.
- Official
  - Responsibilities: Open sealed tenders after the deadline.
  - Security: Holds the RSA private key that unwraps each bid's AES key; the digital signature is verified when a bid is opened. That private key (under `keys/`) is the single secret whose compromise exposes every sealed bid, so restrict its file permissions and never commit it.
- Auditor
  - Responsibilities: Monitor system activity for suspicious behavior.
  - Security: Read-only access to the audit logs. Cannot view bid details or submit tenders.
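The Auditor's value depends on the log being trustworthy, and "read-only" enforced by the web application does not stop an attacker with database access from editing or deleting rows. The following added example, which goes beyond the page's read-only log and is not VeriTender's `utils/logger.py`, shows one way to make such a log tamper-evident: each entry commits to the hash of the previous one, so an edit, deletion or reordering anywhere breaks the chain from that point on. The event fields are assumptions, and the sample events are constructed.

```python
"""Hash-chained audit log: each entry commits to the previous entry's hash, so
editing, deleting or reordering any entry breaks every link after it.  Added
example that goes beyond the page's read-only log; the event fields are
assumptions and the sample events are constructed."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # prev-hash of the first entry


def entry_hash(prev_hash: str, fields: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same fields always
    # produce the same digest regardless of insertion order.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{payload}".encode()).hexdigest()


def append_event(log: List[Dict], ts: int, actor: str, action: str, detail: str) -> Dict:
    prev = log[-1]["hash"] if log else GENESIS
    fields = {"ts": ts, "actor": actor, "action": action, "detail": detail, "prev": prev}
    record = dict(fields, hash=entry_hash(prev, fields))
    log.append(record)
    return record


def verify_chain(log: List[Dict]) -> Optional[int]:
    """Return the index of the first entry whose back-link or hash is wrong,
    or None if the whole chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        fields = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or rec.get("hash") != entry_hash(prev, fields):
            return i
        prev = rec["hash"]
    return None


def sample_log() -> List[Dict]:
    # Constructed events mirroring the actions the page says are logged.
    log: List[Dict] = []
    append_event(log, 1700000000, "alice@contractor", "login", "password + email OTP ok")
    append_event(log, 1700000060, "alice@contractor", "submission", "sealed bid stored for tender 1")
    append_event(log, 1700090000, "bob@official", "decryption", "tender 1 bid opened")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log) is None)
    log[1]["detail"] = "sealed bid stored for tender 2"
    print("first broken entry:", verify_chain(log))
```

Chaining only detects tampering; it does not prevent it. Anchoring the latest hash somewhere the server cannot rewrite (a separate log host, a periodically signed checkpoint) is what stops an attacker from simply recomputing the whole chain.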
Workflow:

- Submission Phase:
  - Contractor inputs the bid amount ($X).
  - System generates a random AES key and encrypts $X with it.
  - System encrypts (wraps) the AES key with the server's RSA public key.
  - System hashes $X (SHA-256) and signs the hash to create a digital signature.
  - Encrypted data + encrypted key + signature are stored in veritender.db.
- Verification Phase:
  - Official initiates decryption.
  - System decrypts the AES key with the server's RSA private key.
  - System decrypts the bid with the AES key to reveal $X.
  - System recomputes the SHA-256 hash of the revealed $X and verifies the stored signature against that fresh hash (a signature is checked with the signer's public key, not compared byte-for-byte with a hash).
  - Result: Integrity Confirmed (signature verifies) or Warning (mismatch: the stored bid or signature was altered after submission).

The check binds the bid to whoever holds the signing key. A signature made with a server-held key proves the record was not altered in storage; non-repudiation toward the contractor additionally requires a signing key that only the contractor controls.
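The two phases above, end to end, as an added example with the `cryptography` library the page lists; this is not VeriTender's `utils/crypto.py`. It uses Fernet for the symmetric layer (so the cipher is the AES-128-CBC + HMAC-SHA256 recipe the tech stack names), RSA-2048 OAEP to wrap the Fernet key, and RSA-PSS over a precomputed SHA-256 digest for the signature. The separate signing key, the `SealedBid` record layout and the receipt format are assumptions; it also shows a substitution attack the page does not describe, where one contractor's ciphertext and wrapped key are swapped into another's record, which the signature check catches.

```python
"""Hybrid seal/open of a tender bid: Fernet for the amount, RSA-2048 OAEP to wrap
the Fernet key, SHA-256 + RSA-PSS for the integrity signature.  Added example,
not VeriTender's utils/crypto.py; key handling, record layout and receipt
format are assumptions."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

from cryptography.exceptions import InvalidSignature
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# RSA-OAEP for key wrapping; RSA-PSS over an already-computed SHA-256 digest
# for signing, matching the page's "hash, then sign" order.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
PREHASHED = utils.Prehashed(hashes.SHA256())


@dataclass(frozen=True)
class SealedBid:
    """What would be stored for one bid (assumed layout)."""
    ciphertext: bytes    # Fernet token over the bid amount
    wrapped_key: bytes   # Fernet key encrypted with the server's RSA public key
    signature: bytes     # RSA-PSS signature over SHA-256(amount)


def generate_keypair():
    # RSA-2048 as on the page; the project keeps its keys under keys/.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal_bid(amount: str, server_public_key, signing_private_key) -> SealedBid:
    data = amount.encode()
    fkey = Fernet.generate_key()                 # fresh symmetric key per bid
    ciphertext = Fernet(fkey).encrypt(data)      # AES-128-CBC + HMAC-SHA256
    wrapped_key = server_public_key.encrypt(fkey, OAEP)
    digest = hashlib.sha256(data).digest()
    signature = signing_private_key.sign(digest, PSS, PREHASHED)
    return SealedBid(ciphertext, wrapped_key, signature)


def receipt(bid: SealedBid) -> str:
    # Base64 receipt returned to the contractor (assumed format): the signature
    # alone lets them later show which sealed record they submitted.
    return base64.b64encode(bid.signature).decode()


def open_bid(bid: SealedBid, server_private_key, verifying_public_key) -> Tuple[Optional[str], str]:
    fkey = server_private_key.decrypt(bid.wrapped_key, OAEP)
    try:
        data = Fernet(fkey).decrypt(bid.ciphertext)
    except InvalidToken:
        # Fernet's own HMAC rejected a modified token before any plaintext came out.
        return None, "Warning: ciphertext rejected"
    fresh_digest = hashlib.sha256(data).digest()
    try:
        verifying_public_key.verify(bid.signature, fresh_digest, PSS, PREHASHED)
    except InvalidSignature:
        return data.decode(), "Warning: signature mismatch"
    return data.decode(), "Integrity Confirmed"


if __name__ == "__main__":
    server = generate_keypair()
    signer = generate_keypair()   # assumption: a signing key separate from the wrapping key
    sealed = seal_bid("1250000", server.public_key(), signer)
    print("receipt:", receipt(sealed))
    print(open_bid(sealed, server, signer.public_key()))
```

Whoever holds `signer` is the party the signature binds: if it is the server, the check proves the stored record was not altered; only a key held by the contractor gives non-repudiation against the contractor.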
Project Structure:

```
VeriTender/
├── keys/                 # RSA keys (auto-generated, do not commit)
├── static/               # Static assets (if any)
├── templates/            # HTML Jinja2 templates
│   ├── base.html         # Main layout
│   ├── dashboard.html    # Role-based landing page
│   ├── login.html        # Auth pages
│   └── ...
├── utils/
│   ├── auth.py           # Password hashing logic
│   ├── crypto.py         # Encryption & signing logic
│   ├── email_service.py  # SMTP logic
│   └── logger.py         # Auditing logic
├── database.py           # SQLite connection
├── main.py               # FastAPI application entry point
├── seed.py               # Database initialization script
├── reset_db.py           # Database reset utility
└── requirements.txt      # Python dependencies
```