Home

Awesome

Virgil Pythia .NET/C# SDK

Nuget package GitHub license

Introduction | SDK Features | Install and configure SDK | Usage Examples | Docs | Support

Introduction

<a href="https://developer.virgilsecurity.com/docs"><img width="230px" src="https://cdn.virgilsecurity.com/assets/images/github/logos/virgil-logo-red.png" align="left" hspace="10" vspace="6"></a>Virgil Security provides an SDK which allows you to communicate with Virgil Pythia Service and implement Pythia protocol for the following use cases:

In both cases you get the mechanism which assures you that neither Virgil nor attackers know anything about user's password.

SDK Features

Install and configure SDK

The Virgil .NET Pythia SDK is provided as a package named Virgil.Pythia. The package is distributed via NuGet package management system.

The package is available for .NET Framework 4.5 and newer.

Supported platforms:

Install SDK Package

Installing the package using Package Manager Console:

Run PM> Install-Package Virgil.Pythia -Version 0.2.0

Configure SDK

When you create a Pythia Application on the Virgil Dashboard you will receive Application credentials including: Proof Key and App ID. Specify your Pythia Application and Virgil account credentials in a Pythia SDK class instance. These credentials are used for the following purposes:

Here is an example of how to specify your credentials SDK class instance:

// here set your Virgil Account and Pythia Application credentials
var config = new PythiaProtocolConfig
{
    AppId     = "APP_ID",
    ApiKeyId  = "API_KEY_ID",
    ApiKey    = "API_KEY",
    ProofKeys = new[] {
        "PK.1.PROOF_KEY"
    }
};

var pythia = PythiaProtocol.Initialize(config);

Usage Examples

Breach-proof password

Virgil Pythia SDK lets you easily perform all the necessary operations to create, verify and update user's breach-proof password without requiring any additional actions and use Virgil Crypto library.

First of all, you need to set up your database to store users' breach-proof passwords. Create additional columns in your database for storing the following parameters:

<table class="params"> <thead> <tr> <th>Parameters</th> <th>Type</th> <th>Size (bytes)</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>salt</td> <td>blob</td> <td>32</td> <td> Unique random string that is generated by Pythia SDK for each user</td> </tr> <tr> <td>deblindedPassword</td> <td>blob </td> <td>384 </td> <td>user's breach-proof password</td> </tr> <tr> <td>version</td> <td>int </td> <td>4 </td> <td>Version of your Pythia Application credentials. This parameter has the same value for all users unless you generate new Pythia credentials on Virgil Dashboard</td> </tr> </tbody> </table>

Now we can start creating breach-proof passwords for users. Depending on the situation, you will use one of the following Pythia SDK functions:

Create Breach-Proof Password

Use this flow to create a new breach-proof password for a user.

Remember, if you already have a database with user passwords, you don't have to wait until a user logs in into your system to implement Pythia. You can go through your database and create breach-proof user passwords at any time.

So, in order to create a user's breach-proof password for a new database or available one, go through the following operations:

// create a new Breach-proof password using user's password or its hash
var pwd = await pythia.CreateBreachProofPasswordAsync("USER_PASSWORD");

// save Breach-proof password parameters into your users DB

After performing CreateBreachProofPassword function you get previously mentioned parameters (Salt, deblindedPassword, version), save these parameters into corresponding columns in your database.

Check that you updated all database records and delete the now unnecessary column where user passwords were previously stored.

Verify Breach-Proof Password

Use this flow when a user already has his or her own breach-proof password in your database. You will have to pass his or her password into an VerifyBreachProofPassword function:

// get user's Breach-proof password parameters from your users DB

...
// calculate user's Breach-proof password parameters
// compare these parameters with parameters from your DB
var isValid = pythia.VerifyBreachProofPasswordAsync("USER_PASSWORD", pwd);

if (!isValid) 
{
    throw new Exception("Authentication failed");
}

The difference between the VerifyBreachProofPassword and CreateBreachProofPassword functions is that the verification of Pythia Service is optional in VerifyBreachProofPassword function, which allows you to achieve maximum performance when processing data. You can turn on a proof step in VerifyBreachProofPassword function if you have any suspicions that a user or Pythia Service were compromised.

Update breach-proof passwords

This step will allow you to use an updateToken in order to update users' breach-proof passwords in your database.

Use this flow only if your database was COMPROMISED.

How it works:

Here is an example of using the UpdateBreachProofPassword function:

// get previous user's VerifyBreachProofPassword parameters from a compromised DB

...

// set up an updateToken that you got on the Virgil Dashboard
// update previous user's Breach-proof password, and save new one into your DB

var updatedPwd = pythia.UpdateBreachProofPassword("UT.1.2.UPDATE_TOKEN", pwd);

BrainKey

PYTHIA Service can be used directly as a means to generate strong cryptographic keys based on user's password. We call these keys the BrainKeys. Thus when you need to restore a Private Key you use only user's Password and Pythia Service.

Generate BrainKey

Use this flow to generate a new BrainKey for a user.

In order to create a user's BrainKey, go through the following operations:

// Define a callback that obtains an Access Token from 
// your application backend service.
Func<TokenContext, Task<string>> tokenCallback = async (ctx) =>
{
    // Getting an Access Token may look like this:
    
    HttpClient client = new HttpClient();
    var responseMessage = await client.GetAsync("https://yourapplication.net/get-virgil-access-token");
    var accessToken = await responseMessage.Content.ReadAsStringAsync();

    return accessToken;
};

// Initialize and create an instace of BrainKey class.
var brainKey = BrainKey.Initialize(tokenCallback);

// Generate default public/private key pair which is Curve ED25519
var keyPair = brainKey.GenerateKeyPair("some password");

Docs

Virgil Security has a powerful set of APIs, and the documentation below can get you started today.

License

This library is released under the 3-clause BSD License.

Support

Our developer support team is here to help you. Find out more information on our Help Center.

You can find us on Twitter or send us email support@VirgilSecurity.com.

Also, get extra help from our support team on Slack.