Security. A topic that most software developers approach with curiosity and fear. At Virgil Security, we believe that every product should have seamless security (including end-to-end encryption (E2EE), authentication without passwords, and verification of all data). Without the developer first having to read hundreds of RFCs, compile 50 piles of incoherent code, or read endless ruminations from people whose idea of “secure” is carrier pigeons delivering hand-written public keys (or meeting in person in a darkened garage).
Like flying cars and jetpacks, the idea of secure communications has been kicked around for decades and yet, like flying cars and jetpacks, security implementations have been severely lacking (and have occasionally fallen out of the sky). Virgil has a solution. Start securing your product now!
Why has not this been done before?
- Unusable, unsupported crypto implementations (Using PGP in 2016 is simply horrible)
- Lack of infrastructure to deploy crypto worldwide (not everyone uses NIST curves or Curve25519 or AES but apps and devices must be sold and used globally)
- Lack of interoperability on the platforms we actually run things on
- Lack of flexible key management
First: Historically cryptologists haven’t been developers and developers haven’t been cryptologists. As a result, crypto implementations have seldom served the needs of software developers well. There are even a sizable number of cryptologists who believe this is a solved problem, that there are no technical problems left, that no algorithms or crypto systems need to be developed, and that all the necessary tools already exist. There are countless tools available; however, they are simply not usable by the roughly 20 million developers worldwide. At Virgil we concentrated on reducing the APIs so that the most important functions could be deployed in a few lines of code in just a few minutes, made it a point to support a single interoperable API across the vast majority of programming languages and platforms, and released the resulting code under the BSD-3 clause open source license.
Second: Building a system that uses one particular algorithm or one particular way of doing things is simply repeating the mistakes of the last 20+ years. We’ve built infrastructure capable of using modern cryptography as well as have everything necessary to keep it continuously up to date. Moreover, what is “modern” in one part of the world may be “outdated” or “outlawed” in others — this is not something most developers care to know about — they just want to ship secure products and Virgil helps them do that in just a few lines of code. And for those with requirements of layered security — you are in luck. Cryptographic Agility allows you to switch which algorithms are used even on a per message basis. You no longer have to pick between RSA or Elliptic Curve (EC) (or a particular “trusted” EC curve). Switch to your hearts content — Virgil gives you access to most modern curves and you can decide how or when to use them. Is it going to be per packet? Per message? Per file? Per minute/hour/day? Anything is possible. And you can even easily build layered RSA+EC implementations. All with just a few lines of code. A single build of your product can operate under European, United States, Russian, or Chinese regulatory regimes.
Fourth: Key Management. Consumers cannot be asked to “manage” keys. In fact, they should not even be aware that keys exist. At Virgil we let you build applications that make E2EE transparent to the end users. You have both public key infrastructure (PKI) (your own personal PKI, one shareable across your apps, or one globally available for use cases such as email) and private key sync (think iCloud Keychain). As a developer you have the power to implement sophisticated crypto systems with… you got it — just a few lines of code.