Security of our applications

End-to-End Encryption

Overview of how all communications (messages and calls) are encrypted end to end. Real-time media uses WebRTC: DTLS negotiates the session keys between the two endpoints and SRTP protects the media itself. Emphasis on no server access to content: servers relay traffic but never hold the media keys.

Twincodes: Secure Relationships

How twincodes establish and authenticate relationships. ECDSA signatures provide data integrity and origin authentication, so a compromised server can neither forge nor alter relationship data. The SDP is encrypted before it is sent, and the signaling server relays WebRTC signaling it cannot inspect; since the DTLS fingerprint that binds the media session travels inside that signed, encrypted SDP, the server cannot substitute its own.

Compliance with Standards

IETF standards: UDP, RTP, ICE, STUN, TURN, SDP, SRTP, DTLS. ChaCha20-Poly1305 and AES-GCM cipher suites (both AEAD constructions). Interoperability with the WebRTC ecosystem.

Secure Account Creation

No personal information required (no phone number or e-mail address). Accounts are identified by a UUID and authenticated cryptographically: a salted challenge-response mechanism proves knowledge of the password without ever sending the password itself to the server.
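A salted challenge-response login, as an added example written for this page (it is not code from the app or its whitepaper, and the app's actual construction is not described here). It follows the SCRAM shape: the client derives a key from the password with PBKDF2 over the account salt, the server stores only a hash of that key, and each login answers a fresh server challenge with an HMAC-masked proof. The iteration count, salt size and the "Client Key" label are constructed values for the demonstration; PBKDF2 is written out so the example needs only the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Constructed parameters for this example; the page does not state the app's.
const iterations = 100_000

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		// U1 = PRF(P, S || INT(block)); T = U1 xor U2 xor ... xor U_iter
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func sha256Sum(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Record is all the server keeps: a salt and StoredKey = SHA-256(ClientKey).
// StoredKey can verify a proof but cannot produce one, so a leaked database
// does not by itself let the thief log in.
type Record struct {
	Salt      []byte
	StoredKey []byte
}

// clientKey is recomputed from the password on the device for every login.
func clientKey(password string, salt []byte) []byte {
	salted := pbkdf2SHA256([]byte(password), salt, iterations, sha256.Size)
	return hmacSHA256(salted, []byte("Client Key"))
}

// Register runs on the device at account creation; the password never leaves it.
func Register(password string) Record {
	salt := randomBytes(16)
	return Record{Salt: salt, StoredKey: sha256Sum(clientKey(password, salt))}
}

// NewChallenge is the server's fresh nonce; a proof is valid for this one only.
func NewChallenge() []byte { return randomBytes(32) }

// ClientProof = ClientKey xor HMAC(StoredKey, challenge).
func ClientProof(password string, salt, challenge []byte) []byte {
	ck := clientKey(password, salt)
	mask := hmacSHA256(sha256Sum(ck), challenge)
	proof := make([]byte, len(ck))
	for i := range proof {
		proof[i] = ck[i] ^ mask[i]
	}
	return proof
}

// VerifyProof unmasks the proof to recover ClientKey and compares its hash
// with StoredKey in constant time.
func VerifyProof(rec Record, challenge, proof []byte) bool {
	if len(proof) != sha256.Size {
		return false
	}
	mask := hmacSHA256(rec.StoredKey, challenge)
	ck := make([]byte, len(proof))
	for i := range ck {
		ck[i] = proof[i] ^ mask[i]
	}
	return subtle.ConstantTimeCompare(sha256Sum(ck), rec.StoredKey) == 1
}

func main() {
	rec := Register("correct horse battery staple")
	ch := NewChallenge()
	fmt.Println("good password:", VerifyProof(rec, ch, ClientProof("correct horse battery staple", rec.Salt, ch)))
	fmt.Println("wrong password:", VerifyProof(rec, ch, ClientProof("hunter2", rec.Salt, ch)))
}
```

Two things the shape buys: a captured proof is useless against a later challenge, and the server never stores anything from which a proof can be computed directly. Full SCRAM additionally mixes in a client nonce and returns a server proof so the client authenticates the server too; that half is omitted here.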

Device Security

Secure key/value store for credentials (iOS Keychain, Android Keystore). Encrypted local database (SQLCipher with AES-256). Protection against physical device access: data at rest is unreadable without the keys held in the platform store.

Server and Transport Security

TLS 1.2 or 1.3 for all device-to-server communication. Certificate pinning: the client accepts only the expected server key, so a certificate that is otherwise valid but issued by another CA (mis-issued, or installed by an interception proxy) cannot be used for a MITM attack. WebSocket access over TLS (wss) and firewall-protected servers.

Push Notification Security

Push tokens are encrypted to prevent spoofing. Notifications go through the Apple and Google push services with the payload encrypted under AES-256-CBC and the notification content authenticated. Note that CBC on its own gives confidentiality, not integrity: the authentication step is what lets the client reject a forged or modified notification, and it has to be checked before the payload is decrypted.
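One sound way to pair AES-256-CBC with content authentication is encrypt-then-MAC, shown here as an added example for this page (not the app's code; the page does not say which authentication construction the app uses). The receiver verifies an HMAC-SHA256 tag over IV and ciphertext before it decrypts anything, so a forged or modified notification never reaches the CBC decrypter or the padding check. The key pair, the sample payload and the wire layout IV || ciphertext || tag are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PushKeys holds separate encryption and MAC keys; reusing one key for both
// roles is a classic mistake. In practice derive both from a master secret.
type PushKeys struct{ Enc, Mac []byte }

func NewPushKeys() PushKeys {
	k := PushKeys{Enc: make([]byte, 32), Mac: make([]byte, 32)}
	if _, err := rand.Read(k.Enc); err != nil {
		panic(err)
	}
	if _, err := rand.Read(k.Mac); err != nil {
		panic(err)
	}
	return k
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// SealPush returns IV || AES-256-CBC(payload) || HMAC-SHA256(IV || ciphertext).
func SealPush(k PushKeys, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), payload...), aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	msg := append(iv, ct...)
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(msg)
	return mac.Sum(msg), nil // Sum appends the tag to msg
}

// OpenPush checks the tag first; only an authentic box is ever decrypted, which
// also rules out padding-oracle behaviour on the unpad step.
func OpenPush(k PushKeys, box []byte) ([]byte, error) {
	const tagLen = sha256.Size
	if len(box) < 2*aes.BlockSize+tagLen {
		return nil, errors.New("too short")
	}
	msg, tag := box[:len(box)-tagLen], box[len(box)-tagLen:]
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(msg)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed: forged or modified notification")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	keys := NewPushKeys()
	box, _ := SealPush(keys, []byte(`{"type":"message","conversation":"c1"}`)) // constructed payload
	box[len(box)-1] ^= 1 // a relay flips one bit of the tag
	_, err := OpenPush(keys, box)
	fmt.Println("tampered notification:", err)
}
```

With this ordering the only thing an attacker who lacks the MAC key can achieve is a dropped notification; a scheme that decrypts first and authenticates afterwards exposes the padding check, and therefore the plaintext, to a padding-oracle attack.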

Implementation

Secure Storage and Serialization

SQLCipher for encrypted local databases. Avro for schema-based serialization of compound objects: the schema rejects malformed records, while confidentiality comes from the encrypted store, not from Avro itself. Platform-specific secure storage (iOS Keychain, Android Keystore).

Cryptographic Foundations

ECDSA for signatures (ECDSA signs and verifies; it does not itself exchange keys, so session keys come from a separate elliptic-curve key-agreement step). AEAD (AES-256-GCM) for authenticated encryption. PBKDF2 for deriving keys from passwords and HMAC for integrity.
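The signed-and-encrypted signaling exchange from the Twincodes section, built from the ECDSA and AES-256-GCM primitives listed above, as an added example for this page (not the app's code; the app's message format is not described here). Alice signs her SDP with her long-term ECDSA key, encrypts signature and SDP under a pairwise key, and hands the envelope to the relay; Bob decrypts it and verifies the signature against the public key he already trusts for Alice. The relay sees only nonce and ciphertext, a flipped bit fails GCM authentication, and an envelope sealed by anyone else fails signature verification. NewPairKey stands in for the key agreement that the page does not describe, and the SDP text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is a peer's long-term ECDSA signing key; the page ties trust in the
// public half to the twincode exchange, which is not shown here.
type Identity struct{ key *ecdsa.PrivateKey }

func NewIdentity() *Identity {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Identity{key: k}
}

func (id *Identity) Public() *ecdsa.PublicKey { return &id.key.PublicKey }

// NewPairKey stands in for the pairwise session key the peers agree on.
func NewPairKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Envelope is all the signaling server sees: a nonce and AES-256-GCM ciphertext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSignal signs the SDP, then encrypts len(sig) || sig || sdp so the relay
// can neither read nor alter either part.
func SealSignal(sender *Identity, pairKey, sdp []byte) (Envelope, error) {
	digest := sha256.Sum256(sdp)
	sig, err := ecdsa.SignASN1(rand.Reader, sender.key, digest[:])
	if err != nil {
		return Envelope{}, err
	}
	aead, err := newGCM(pairKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	plain := append([]byte{byte(len(sig))}, sig...) // P-256 ASN.1 signatures are <= 72 bytes
	plain = append(plain, sdp...)
	return Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plain, nil)}, nil
}

// OpenSignal rejects the envelope on GCM failure (wrong key or tampering) or
// when the signature was not made by the expected peer.
func OpenSignal(peer *ecdsa.PublicKey, pairKey []byte, env Envelope) ([]byte, error) {
	aead, err := newGCM(pairKey)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope rejected: wrong key or modified in transit")
	}
	if len(plain) < 1 || len(plain) < 1+int(plain[0]) {
		return nil, errors.New("malformed plaintext")
	}
	n := int(plain[0])
	sig, sdp := plain[1:1+n], plain[1+n:]
	digest := sha256.Sum256(sdp)
	if !ecdsa.VerifyASN1(peer, digest[:], sig) {
		return nil, errors.New("signature does not match the expected peer")
	}
	return sdp, nil
}

func main() {
	alice, key := NewIdentity(), NewPairKey()
	env, err := SealSignal(alice, key, []byte("v=0\r\na=fingerprint:sha-256 AB:CD\r\n")) // constructed SDP
	if err != nil {
		panic(err)
	}
	sdp, err := OpenSignal(alice.Public(), key, env)
	fmt.Printf("relay saw %d opaque bytes; peer recovered %q (err=%v)\n", len(env.Ciphertext), sdp, err)
}
```

Signing before encrypting means the signature is itself confidential, so the relay learns nothing about who authored the message from the envelope; verification still runs on every decrypted message, since GCM authentication only proves knowledge of the pairwise key, not which peer sent it.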