Introducing Virgil Security

Introducing Virgil Security

Dmytro Matviiv — August 30th, 2017

Security. A topic that most software developers approach with curiosity and fear. At Virgil Security, we believe that every product should have seamless security (including end-to-end encryption (E2EE), authentication without passwords, and verification of all data). Without the developer first having to read hundreds of RFCs, compile 50 piles of incoherent code, or read endless ruminations from people whose idea of “secure” is carrier pigeons delivering hand-written public keys (or meeting in person in a darkened garage).

Like flying cars and jetpacks, the idea of secure communications has been kicked around for decades and yet, like flying cars and jetpacks, security implementations have been severely lacking (and have occasionally fallen out of the sky). Virgil has a solution. Start securing your product now!

Virgil makes every developer an applied cryptologist. Regardless of whether they code in C, C++, C#, Objective-C, Swift, JavaScript, asm.js, Node.js, Go, PHP, Python, Ruby, Java/Android, etc. Regardless of whether they’re targeting desktop applications, mobile applications, cloud applications, or embedded devices / IoT. Regardless of whether they’re hosting on Android, iOS, Linux, Mac OS X, Windows or no OS at all. Every developer can now add E2EE or passwordless authentication with just a few lines of code in as little as a few minutes of time and Virgil makes it happen.

Why has not this been done before?

In short:

  1. Unusable, unsupported crypto implementations (Using PGP in 2016 is simply horrible)
  2. Lack of infrastructure to deploy crypto worldwide (not everyone uses NIST curves or Curve25519 or AES but apps and devices must be sold and used globally)
  3. Lack of interoperability on the platforms we actually run things on
  4. Lack of flexible key management

First: Historically cryptologists haven’t been developers and developers haven’t been cryptologists. As a result, crypto implementations have seldom served the needs of software developers well. There are even a sizable number of cryptologists who believe this is a solved problem, that there are no technical problems left, that no algorithms or crypto systems need to be developed, and that all the necessary tools already exist. There are countless tools available; however, they are simply not usable by the roughly 20 million developers worldwide. At Virgil we concentrated on reducing the APIs so that the most important functions could be deployed in a few lines of code in just a few minutes, made it a point to support a single interoperable API across the vast majority of programming languages and platforms, and released the resulting code under the BSD-3 clause open source license.

Second: Building a system that uses one particular algorithm or one particular way of doing things is simply repeating the mistakes of the last 20+ years. We’ve built infrastructure capable of using modern cryptography as well as have everything necessary to keep it continuously up to date. Moreover, what is “modern” in one part of the world may be “outdated” or “outlawed” in others — this is not something most developers care to know about — they just want to ship secure products and Virgil helps them do that in just a few lines of code. And for those with requirements of layered security — you are in luck. Cryptographic Agility allows you to switch which algorithms are used even on a per message basis. You no longer have to pick between RSA or Elliptic Curve (EC) (or a particular “trusted” EC curve). Switch to your hearts content — Virgil gives you access to most modern curves and you can decide how or when to use them. Is it going to be per packet? Per message? Per file? Per minute/hour/day? Anything is possible. And you can even easily build layered RSA+EC implementations. All with just a few lines of code. A single build of your product can operate under European, United States, Russian, or Chinese regulatory regimes.

Third: Interoperability. While most programming languages and platforms have some kind of crypto built-in, few of them actually work well together. If you build and secure IoT device with Python (Raspberry Pi) — configuring it and consuming sensor data from it may not be so simple from the iOS or Android devices. With Virgil this worry of cross-platform interoperability is erased. Whichever platform you need to support — from PIC24 to nRF52 to Xeon to browser JavaScript — you get one API that works everywhere.

Fourth: Key Management. Consumers cannot be asked to “manage” keys. In fact, they should not even be aware that keys exist. At Virgil we let you build applications that make E2EE transparent to the end users. You have both public key infrastructure (PKI) (your own personal PKI, one shareable across your apps, or one globally available for use cases such as email) and private key sync (think iCloud Keychain). As a developer you have the power to implement sophisticated crypto systems with… you got it — just a few lines of code.

So, what are you waiting for? Secure your app today! Get started at one of our GitHub repositories or our quick start guides!