Author: Kajal Sapkota

wolfSSL is happy to announce that we’ve recently added support for AES-SIV (synthetic initialization vector). Our implementation is based on the specification in RFC 5297. SIV mode is designed to be resistant to security degradation from accidental nonce reuse. Notably, AES-SIV is a mandatory AEAD algorithm for network time protocol (NTP) servers supporting network time security (NTS), per RFC 8915. We added AES-SIV to support our chrony 4.1 port, which is one of the only major NTP implementations that currently supports NTS.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Significant improvements to the C-only implementation of Single Precision math for P-256 and P-384 have been made in wolfSSL 5.1.1. Previously the Montgomery reduction implementation was performed generically. This function makes up a significant proportion of the time to perform ECC operations. By adding an optimised implementation the performance of the 32-bit C code improved by up to 80%! The 64-bit C code saw similar improvements.

Also the Aarch64 implementation of P-384 got an optimised version of the Montgomery reduction operation too. This improved its performance by up to 150%!

From fuzz testing, it was found that the implementation finding the square root modulo a prime (used in uncompressing a point) was not handling a value of zero correctly and resulted in the function not returning. This corner case will not occur with valid points. Compressed points are not recommended and disabled by default, but the fix was required to protect against potential attacks.

Bug fixes for the SP general math library were made for 5.1.1. These included fixes to sanity check values passed to sp_gcd (used in but not affecting RSA key generation) and better checking of maximum size of numbers when dividing. Also, when compiling for MIPS 32-bit, some compilers didn’t like the register names ‘$lo’ and ‘$hi’. These have been changed to ‘%lo’ and ‘%hi’ respectively.

The Single Precision code was also fixed around modular exponentiation. When the modulus is even or the exponent is 0 then we now error out. These are not use cases that are hit in normal operation.

A couple of bug fixes were made in the TFM implementation of our math library as well. An improved Montgomery reduction for Intel x86_64 was added in 5.0.0 and fixed to work reliably in this release. Also some out of memory error handling was improved around this same function.

A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

This is a quote from a message posted by Dustin Moody of NIST on the NIST PQC Forum at https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fvnhyQ25jUg :

“Yes - the 3rd round will shortly be ending.  NIST is actively writing the 3rd Round report which will 
explain our rationale for which algorithms we will standardize.   We hope to be able to announce the 
results and report not later than the end of March.”

Dustin Moody, Feb. 9, 2022

So, we can expect some news from NIST in a month or so. With this in mind, we thought this might also be a good time to talk about the FALCON Signature Scheme integration in the wolfSSL v5.1.1 release and some of the other work we have done around post-quantum cryptography.

The FALCON Signature Scheme is a post-quantum algorithm that is a finalist of round 3 of the NIST PQC competition. It shows much promise in that while its artifacts are large and key generation and signing are a bit slower than currently standardized algorithms, signature verification times are much faster which bodes well for IoT and constrained devices.  You can compare the speed in our benchmarking data that can be found in Appendix G of our wolfSSL Manual: https://www.wolfssl.com/documentation/wolfSSL-Manual.pdf

The good news for our customers that want to experiment with FALCON is that it couldn’t be easier! All you need to do is build liboqs, rebuild wolfSSL and add the –with-liboqs flag.  If you built your application to statically link with wolfSSL, you will need to rebuild your application.  If you dynamically link, you do not need to rebuild.  All you have to do now is  swap out your certificates with FALCON certificates!  No code changes are required for your application. You can find instructions and a script for generating a  FALCON certificate chain here: https://github.com/wolfSSL/wolfssl-examples/tree/master/pq

For customers who want to see post-quantum algorithms working in a real world use-case, we have instructions for you to build a quantum-safe apache web server and curl web client. All you need to do is follow the instructions here: https://github.com/wolfSSL/osp/blob/master/apache-httpd/README_post_quantum.md

Finally, just a few words regarding motivation.  Most people understand the harvest and decrypt threat model and thus see the urgency for moving to post-quantum key establishment. However, seeing the motivation for signature schemes might be harder. Suppose you are deploying authentication algorithms on devices that have long lifetimes and are hard to update.  A good example of this might be firmware for industrial machinery or cars.  If the lifetime of your deployment exceeds the time to a cryptographically relevant quantum computer, then you should probably consider experimenting to understand the impact of post-quantum algorithms sooner rather than later.

A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Here at wolfSSL, we have been supporting your FIPS needs for several years now with our FIPS Ready, certificate #2425 and certificate #3389 source bundles.  This support is going to continue with the soon to be granted FIPS 140-3 certificate. With the new certificate coming soon, we thought this might be a good time to do a bit of house cleaning.

As certificate #2425 has been added to the NIST sunset list as of June 2021, we will be removing the FIPS v1 feature from wolfSSL.

Customers who still need this feature are encouraged to move to the upcoming FIPS 140-3 certificate if timelines permit.  However, if customers need a solution in the near term, they can move to certificate #3389 which sunsets in 2024.  

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Here at wolfSSL, we strive to support our customers’ needs for customization and finding the right trade-offs. The following table is a list of the top 10 things you can do with wolfSSL’s configuration flags.

Task	Configure Flag(s)	Details
Get Ready for Your First FIPS Customer	–enable-fips=ready	You will need to have a fips-ready bundle which is available as both an open source code bundle or under a proprietary license.
Become DO-178 Compliant	–enable-sp-math	We have taken ECC in sp_c32.c in the SP-Math Library through DO-178C certification.
Make Your Application Secure from Side-Channel Attacks	–enable-sp-math –enable-sp-math-all CFLAGS=”WOLFSSL_SP_CACHE_RESISTANT” or –enable-fastmath –enable-harden	Our SP-Math Library is always timing resistant and runs private key operations in constant time.  Our Fast Math Library can be made timing resistant by enabling the hardened build.
Reduce Your Stack Usage	–enable-smallstack and –enable-smallstackcache	Allocating memory on the heap will be favored over the stack.
Reduce Your Heap Usage	–enable-static-memory	All memory that wolfSSL LIbrary allocates will be on the stack as local variables.
Reduce Your Code Size	–enable-sha3=small –enable-aesgcm=small –enable-lowresource CFLAGS=”-DNO_ERROR_STRINGS -DNO_INLINE -DCURVED25519_SMALL -DUSE_SLOW_SHA” -DUSE_SLOW_SHA256 -DUSE_SLOW_SHA612”	This will come at a cost of algorithm speed and memory usage.
Make a Really Small PSK-Only wolfSSL Library	–enable-leanpsk	PSK stands for pre-shared key. Approximate build size for wolfSSL on an embedded system with this enabled is 21kB.
Make a Really Small Client-Only wolfSSL Library	–enable-leantls	This produces a small footprint TLS client that supports TLS 1.2 client only, ECC256, AES128 and SHA256.
Use Only wolfCrypt	–enable-cryptonly	This enables a wolfCrypt-only build, greatly reducing the size. No TLS, no SSL.
Figure Out What is Going on Under the Hood	–enable-debug	This will build the wolfSSL Library with debug symbols so you can use your debugger to step through the code as it executes.  Also, if you call wolfSSL_Debugging_ON() lots of debugging messages will be printed to stderr.

 

Note that some of these flags can be combined while others are mutually exclusive. Please feel free to experiment with different combinations.

Want more? You can see a full list of our configuration flags by downloading our latest release and executing the following command:  ./configure –help

Still hungry? You can get detailed documentation about our configuration flags from “Chapter 2: Building wolfSSL” in the wolfSSL  Manual which can be found here: https://www.wolfssl.com/documentation/wolfSSL-Manual.pdf.  Need some expert advice? 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

We now support wolfCrypt as a PKCS11 provider for applications to consume. The new wolfPKCS11 library adds a PKCS11 layer on top of the wolfCrypt API’s to enable customers who wish to standardize on an API interface or may already have developed code against PKCS #11.

PKCS #11 is an OASIS standard for “Cryptographic Token Interface Base Specification” (A.K.A Cryptoki). It defines an API interface for communicating with Hardware Security Modules (HSM) to provide cryptography support such as RSA and ECC. It allows enumeration of devices and features using a shared or static library.

A good introduction to PKCS #11 can be found here: 

http://wiki.ncryptoki.com/introduction-to-pkcs-11-specifications.ashx

The source code is in a new GitHub repository here:

https://github.com/wolfSSL/wolfPKCS11

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfCLU (wolfSSL command line utility) has seen many feature additions! One of the features added was support for the command ‘ca’. This command now can handle basic conf. files for use with signing certificates. It is useful in projects to make a quick certificate with a given CA while avoiding having to write the code and create an application. This feature was one of many that has recently been added. Check out the repository here for the current bleeding edge of wolfCLU (https://github.com/wolfSSL/wolfclu).

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

A new version of wolfBoot (1.10) has been recently released and can be downloaded from our website, or cloned from our github repository. A full list of features can be found in our Changelog.

As we recently announced, we have ported wolfBoot to run as an EFI application to verify the subsequent stages in the boot chain of a x86_64 PC. We have improved the configuration for some of the supported platforms and targets. Finally, because of improved support for delta updates and one new signature verification algorithm (Ed448), this new version adds even more unique characteristics that you won’t find in any other existing secure boot solutions.

Here is a summary of our users’ favorite unique features, now fully supported in wolfBoot 1.10:

Secure, compact, fast, FIPS-compliant cryptographic library

wolfBoot’s main task is to ensure that only a trusted firmware image can run on the target device, as indicated by RFC9019. It uses signature verification on the  firmware image every time the device starts or when a firmware update is received, OTA or through any custom transport.

wolfBoot relies on wolfCrypt cryptographic engine to support the widest range of options for signature verification algorithms, including: ECC-256, RSA up to 4096 bit, Ed25519 and Ed448. 

Thanks to a wide choice of hardware security modules and crypto co-processors supported by wolfCrypt; wolfBoot can offload all cryptographic operations to dedicated hardware components when available, cutting down boot time and run-time resources.

Simplicity and portability

wolfBoot does not depend on any specific libraries, except for wolfCrypt. It does not rely on any operating system environment, driver, platform or toolchains.

wolfBoot can secure the boot process of any standalone applications as well as complex operating systems, from small class-I microcontrollers up to Rich Execution Environments, on a wide range of microcontrollers and processors architectures (ARM, x86, PowerPc, RISC-V, and more). It can manage the initialization of Trusted execution environments (TEE) (e.g. TrustZone-M in ARM Cortex-M33).

The build-time configuration is concentrated in a single configuration file, and a command-line wizard is made available to ensure a quick and painless integration.

The key command line tools, ‘sign’ and ‘keygen’ (for Windows, Linux, MacOS), distributed along with wolfBoot, follow the development of all the features supported by the bootloader to the latest version. They are easy to use, widely documented, and simple to  integrate with any deploy mechanism and back-end update services.

Roll-back: the bootloader “rescue” mode

wolfBoot stores a copy of the old firmware that gets replaced during the update. Mistakes can happen when building or transmitting a firmware update; even if the firmware is trusted and authenticated through wolfBoot it might still introduce bugs and issues in the field that may prevent the device from being reachable again. For this reason, wolfBoot implements a mechanism that requires the firmware to confirm that the system is working as expected after the update. In absence of this confirmation, at the next reboot wolfBoot considers the update as failed, and restores the original image from the backup taken during the update.

Use any external storage, with confidentiality

Some microcontrollers may not have enough flash space to accommodate two versions of the firmware in the internal FLASH. The only requirement on these system is normally that only the current executing firmware image should be stored in FLASH, where it can be eXecuted in Place (XiP). Most systems don’t support XiP on external storage supports, but that space can still be allocated to store updates and host the swap space required by wolfBoot to perform the update.

Thanks to a transparent, generic external flash interface, wolfBoot can use any external non-volatile memory support to host update and swap partitions, maximizing the space available in the internal FLASH for the running software.

Neighbor systems can host a virtual partition for the wolfBoot target, using any communication bus to implement remote, emulated memory access.

Encryption and decryption is done at runtime by wolfBoot when accessing these external storage devices for writing and reading, respectively. This mechanism prevents wiretapping or intercepting the firmware images when they are transferred on the BUS (SPI, CAN, Uart,…) that connects to the storage device.

Examples distributed with wolfBoot showcase this feature, with common SPI FLASH targets, and emulated remote storage, on a neighbor system via UART.

Self-update: can a secure bootloader update itself?

wolfBoot offers the possibility to authenticate and install a newer version of itself. A special update package can be created with the key tools, containing an update for the bootloader itself. wolfBoot will parse, authenticate and install the update by temporarily executing a copy of itself in RAM.

Incremental updates: faster OTA transfers with “delta updates”

wolfBoot supports incremental updates, based on a specific older version. Thesign tool can create a small “patch” that only contains the binary difference between the version currently running on target and the update package, a ‘delta update’ package. This package is processed by wolfBoot to reconstruct a complete image of the resulting update. The authenticity of the update is verified twice: first when the package is received before applying the patch, and then after the patch is applied, every time the new firmware is staged for boot.

What feature would you like to see in the next release of wolfBoot? Contact us at facts@wolfssl.com with any comments or questions!
Check out our GitHub page for the full documentation, and to stay up to date with our latest developments. And while you are there, consider giving the wolfBoot project a star!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

At wolfSSL, we have been developing a TPM stack with customers for many years called wolfTPM, a portable, open-source TPM stack with backward API compatibility, designed for embedded use. It is highly portable, and has native support for Linux and Windows. RTOS and bare metal environments can take advantage of a single IO callback for SPI hardware interface, no external dependencies, and compact code size with low resource usage.

wolfTPM offers API wrappers to help with complex TPM operations like attestation and examples to help with complex cryptographic processes like the generation of Certificate Signing Request (CSR) using a TPM.

Due to wolfTPM’s portability, it is generally very easy to compile on new platforms.

Here are a few reasons to use wolfTPM over other secure elements:

1) It is based on a widely accepted standard TCG TPM 2.0.

2) There are many chip vendors options and they are pin compatible.

3) Support for RSA. All TPM’s support at least RSA 2048 (the STSAFE and ATECC do not).

4) More NV storage

5) Measured Boot (PCR’s)

6) Advanced Policy management

7) Seal/unseal data based on private key or PCR state.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Love it? Star wolfSSL on GitHub.

There has been a little turmoil between the CAVP and the FIPS community regarding the TLS KDF. The CAVP deprecated testing of the kdf-component-tls-1.0 at the beginning of the year. The community wasn’t ready and it was temporarily un-deprecated. wolfSSL and our wolfCrypt cryptography library are ready for the transition to the RFC7627 TLS KDF.

The kdf-component-tls-1.0 KDF is the standard TLSv1.2 KDF described in RFC5246. The preferred algorithm is the KDF described in RFC7627, also know as Extended Master Secret. This uses the TLSv1.2 KDF and replaces the client and master random values with hashes of the handshake messages up to the key exchange. This cryptographically ties the TLS master secret to the handshake. wolfSSL has enabled Extended Master Secret as a default since 2016.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.