wolfSSH Coming Attractions: Privilege Separation

Bet you didn’t know that wolfSSH has its own stand-alone server application for use on POSIX systems, wolfSSHd. It’ll load OpenSSH style configuration files and will look up users on the local system. It also uses wolfSSH’s built in SFTP service. It doesn’t have privilege separation.

In 2023 we are planning on adding privilege separation to wolfSSHd when built for POSIX systems. This will not be available in embedded builds as they don’t typically have the concept of multiple users; everything runs in privileged mode.

A method for privilege separation was published in the paper “Preventing Privilege Escalation” by Provos et al. The general idea is to separate your server application into two applications. One runs as a privileged user and handles things like signing blobs of data, providing pseudo random numbers, and authenticating users. The other runs as an unprivileged user and runs the shell and monitors the socket. The two applications communicate using IPC of some form, like shared memory and pipes.

wolfSSH is lovingly crafted by wolfSSL Inc in the Pacific Northwest. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

What are the Advantages of wolfTPM?

At wolfSSL, we have been developing a TPM stack with customers for many years called wolfTPM, a portable, open-source TPM 2.0 stack with backward API compatibility, designed for embedded use. It is highly portable, and has native support for Linux and Windows. RTOS and bare metal environments can take advantage of a single IO callback for SPI hardware interface, no external dependencies, and compact code size with low resource usage.

wolfTPM offers API wrappers to help with complex TPM operations like attestation and examples to help with complex cryptographic processes like the generation of Certificate Signing Request (CSR) using a TPM.

Due to wolfTPM’s portability, it is generally very easy to compile on new platforms.

Here are a few reasons to use wolfTPM over other secure elements:

  1. It is based on a widely accepted standard TCG TPM 2.0.
  2. There are many chip vendors options and they are pin compatible.
  3. Support for RSA. All TPM’s support at least RSA 2048 (the STSAFE and ATECC do not).
  4. More NV storage
  5. Measured Boot (PCR’s)
  6. Advanced Policy management
  7. Seal/unseal data based on private key or PCR state.

Join our webinar on Getting Started with wolfTPM with wolfSSL Engineering, David Garske. This webinar describes the steps for getting started on your platform with a TPM 2.0 module including API interfaces, building, best practices and features!
Bring your questions for the Q&A session to follow!

When: Mar 2, 2023 10:00 AM Pacific Time (US and Canada)
Topic: Getting Started with wolfTPM

Watch the webinar today.

 

Contact us at facts@wolfssl.com with any TPM, crypto questions!

Love it? Star wolfSSL on GitHub.

Eeny, Meeny, Miny, Moe…

Do you have a favorite crypto algorithm? …or maybe just one that is important to you? 

Hash Functions: SHA2, SHA-3, RIPEMD-160, Poly1305, Blake2b, Blake2s, SipHash

Block, Stream, and Authenticated Ciphers: AES (CBC, CTR, OFB, XTS, GCM, CCM, GMAC, CMAC), Camellia, ChaCha20 and XChaCha20

Public Key Algorithms: DH, ECDH, ECDSA, RSA, ed448, ed25519, X448, X25519

Could they be running a bit faster for you?  wolfSSL has the knowledge and skills to make any algorithm perform competitively.

And don’t forget Post-Quantum algorithms!  

Post-Quantum KEM: Kyber

Post-Quantum Signature Schemes: Dilithium, FALCON, SPHINCS+

Let us know if there’s a post-quantum algorithm you would like to see supported by wolfSSL.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Posts navigation

1 2 3