
From TLS to authentication, “crypto” is used for a lot more than just currencies. In 2018, security should be part of every developer's toolkit and cryptography a fundamental building block for the libraries and tools we use to protect our data and applications. This post will dive into modern cryptography, an overview of how it works, and its everyday use cases ― including how Twilio uses public-key crypto in our Authy application and to secure our API.
Let's start with some context and history.
Meet Alice and Bob
Alice and Bob have a history of illicit dealings. We're not really sure what they're up to, but they don't want us, or the ever-curious Eve, to know. Before the internet, Alice and Bob could pass secret messages by encrypting text with an agreed-upon cipher. Maybe that was through letter substitution or shifting or other sophisticated methods. They agreed on the method in advance and both knew how to encode and decode the end message.

This is known as symmetric-key cryptography ― the same key is used in both directions. This worked well for World War II spies, but what happens when our secret messengers can't agree on the key in advance?
We invented public-key, or asymmetric, cryptography so that two people like Alice and Bob could communicate securely without meeting first to agree on a shared encryption key, and without risking an eavesdropper like Eve intercepting the key over unsecured communication channels. This is an incredibly necessary advancement because of the internet ― we are no longer only transacting and communicating with people we know and trust.
What is Public Key Cryptography?
In asymmetric, or public-key, cryptography, each entity has two keys:
Public Key ― to be shared
Private Key ― to be kept secret
These keys are generated at the same time using an algorithm and are mathematically linked. When using the RSA algorithm, the keys are used together in one of the following ways:
1. Encrypting with a public key
Use case: sending messages you don't want anyone else to read.
Bob encrypts a message with Alice's public key, then Alice decrypts the message with her private key. Since Alice is the only one with access to the private key, the encrypted message cannot be read by anyone besides Alice.
2. Signing with your private key
Use case: verifying that you're the one who sent a message.
Alice encrypts a message with her private key, then sends the message to Bob. Bob decrypts the message with Alice's public key. Since the public key can only be used to decrypt messages signed with Alice's private key, we can trust that Alice was the author of the original message.
These methods can also be combined to both encrypt and sign a message with two different key pairs.
Use Cases of Public-Key Cryptography
Public-key cryptography is used in a lot of scenarios:
SSH
TLS (HTTPS)
Bitcoin
PGP and GPG
Authentication
How Twilio Uses Public-Key Cryptography
Authy Push Authentication
Authy
One of the ways Twilio uses public-key cryptography is in Authy applications for push authentication (seen above). For every site you enable on Authy, your device generates a new RSA key pair and sends only the public key to our servers ― your private key never leaves your device. When you "Approve" or "Deny" a request on your device, the Authy app validates:
That the request comes from the sender who is in control of the private key
That the authorization request has not been modified in transit
PKCV
Twilio also offers Public Key Client Validation (PKCV) as an added layer of security for making API requests. Like Authy, when you send a request with Public Key Client Validation, Twilio validates:
That the request comes from a sender who is in control of the private key
That the message has not been modified in transit
You can read more about PKCV and how to implement it here.
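The two RSA uses described above (encrypting with a public key, signing with a private key) and the two checks Authy and PKCV make on a signed request (the sender holds the private key, the message was not modified in transit) in one added Python example. This is illustrative code written for this post, not Twilio's, Authy's or PKCV's implementation. The primes P and Q, the message strings, and the hash-then-exponentiate signature scheme are assumptions of the example; like the walkthrough later in the post, the numbers are kept small on purpose.

```python
# Added example (not Twilio's code): textbook RSA with small, constructed primes,
# showing encrypt-with-public-key, sign-with-private-key, and the tamper check
# a verifier performs on a signed request.
# Educational only: real systems use 2048-bit+ moduli, padding (OAEP/PSS) and a
# vetted library instead of raw modular exponentiation.
import hashlib
from math import gcd

# Constructed primes: large enough that a 5-byte message fits below n, small
# enough to read. Assumed prime (not checked here).
P = 1000003
Q = 1000033


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): public key and private key, generated together."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)              # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Use case 1: anyone holding the public key can encrypt an integer m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the private-key holder can recover m from the ciphertext c."""
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself, so any size fits in [0, n).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Use case 2: the private-key holder produces a signature over the message."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key checks that the signature matches this exact message:
    a signature made with the wrong private key, or a message altered in transit,
    both make this return False."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo() -> dict:
    """Run both flows and return the intermediate values for inspection."""
    alice_pub, alice_priv = generate_keypair(P, Q)
    # Bob encrypts for Alice with her public key; only Alice can decrypt.
    m = int.from_bytes(b"hello", "big")
    c = encrypt(alice_pub, m)
    recovered = decrypt(alice_priv, c).to_bytes(5, "big")
    # Alice signs an approval; Bob verifies it with her public key and also sees
    # that a request modified in transit no longer verifies.
    request = b"Approve login from device 1"
    sig = sign(alice_priv, request)
    return {
        "ciphertext": c,
        "decrypted": recovered,
        "signature_valid": verify(alice_pub, request, sig),
        "tampered_valid": verify(alice_pub, b"Approve login from device 2", sig),
    }


if __name__ == "__main__":
    print(demo())
```

The signature covers a hash of the request, so changing a single byte of the message changes the expected value and `verify` fails; that single check is what gives both properties the Authy and PKCV sections list.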
Trapdoor Functions for Security
Think about mixing together two paint colors: it's simple to combine them, but challenging to factor back out into the original colors. We see this idea all the time in physical security: things like zip ties, locks, tamper-proof screws, sealed packages, and more. It's possible to undo these things without detection, but it's difficult enough that most people don't take the time or money to try. Cryptography relies on the same principle, using calculations that are easy to do in one direction and really hard to reverse unless you have a key. We call these trapdoor one-way functions.
One way we achieve this in digital security is by using really large prime numbers and multiplying them together. It's easy for a computer to compute the product of two 600-digit prime numbers, but really hard to take the result and find its factors.
Your Challenge: find the two prime factors of 4,757
There are a few ways to do this, including brute force trial and error. For a 4-digit number you could write a script that loops through known prime numbers, but once that target number becomes 1000 digits long that's going to take a long time.
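The brute-force approach just described, as an added Python example (not code from the original post): sieve the primes up to √n and try each as a divisor. The `trials` count it returns is the point of the exercise: the number of candidates grows with the square root of n, so a 4-digit challenge takes a handful of divisions while a 1000-digit modulus is out of reach.

```python
# Added example (not Twilio's code): factoring by trial division over known primes,
# the brute-force approach the text describes. Fine for a 4-digit number; hopeless
# for the 600-digit primes used in real RSA keys.
from math import isqrt


def primes_up_to(limit: int) -> list:
    """Sieve of Eratosthenes: all primes <= limit."""
    if limit < 2:
        return []
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            # Cross out every multiple of i from i*i upward.
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def factor_by_trial_division(n: int):
    """Return (p, q, trials) with p * q == n and p <= q, found after `trials`
    divisions; return None when no prime <= sqrt(n) divides n (n prime, or n < 4)."""
    for trials, p in enumerate(primes_up_to(isqrt(n)), start=1):
        if n % p == 0:
            return p, n // p, trials
    return None


if __name__ == "__main__":
    print(factor_by_trial_division(4757))     # the page's challenge: (67, 71, 19)
    print(factor_by_trial_division(67 * 71))  # multiplying is the easy direction
```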
Your Next Challenge: multiply 67 and 71
Now that is much easier!
Your Final Challenge: let's build a key pair together! Don't worry, we'll walk you through this one. The numbers we use in our example are intentionally small.
Note: this example is for instructional purposes. Please don't roll your own cryptography for your application!
This example uses the RSA algorithm, one of many options for calculating key pairs. You can follow along in python code below or find the