Author: Kajal Sapkota

wolfSSL exhibited at  Xponential last month in Denver. While there, our team met some very kind and knowledgeable talent from “Dark Wolf Solutions” (Shout out, we love the name!)

We discussed with Dark Wolf personnel how the unmanned drone industry is currently in its wild west days and there are many gaps to fill when it comes to cyber security. Given a want for cyber security, there are steep barriers to entry into military and government applications. Many unmanned vehicles are still broadcasting video and telemetry data unencrypted and  in the clear for any adversary to pull down off the air waves!  We all agree this should be fixed before someone’s drone gets turned against them, or before their expensive drones get bricked by motivated adversaries. 

The Defense Innovation Unit (DIU) is part of the Department of Defense (DoD) and they are helping companies to take that next step turning their commercial technology into useful assets for national defense. One avenue to get from commercial only to defense is called “Blue sUAS” which stands for “small Unmanned Aerial Systems”. One can read more about Blue sUAS here: https://www.diu.mil/blue-uas and other projects available for commercial to DoD in their catalog: https://www.diu.mil/solutions/portfolio/catalog

wolfSSL is now interacting with Dark Wolf who specializes in reviewing drones for submission readiness to the Blue sUAS project. Dark Wolf assists their customers in identifying gaps that need to be addressed before they can pass and be approved for use by the DoD. Disqualifiers are things like “foreign tech” (i.e. chips or other components manufactured outside the US) in addition to insecure comms and data channels. wolfSSL can easily help with the comms and data channels!

wolfSSL is a U.S. based software company that implements NSA Suite B (and soon NSA 2.0 Suite) and NIST approved algorithms in software. Algorithms are all certifiable through the FIPS 140-2 and 140-3 program or NIAP (NSA) for use in CSfC should that be a requirement. The wolfSSL teams’ understanding was that many certifications are not currently a barrier to entry only that the solutions have to be capable of being certified if and when the time comes and that is absolutely the case with all wolfSSL solutions. wolfSSL implements several communication protocols including SSL/TLS up to the latest standards (TLS 1.3 and DTLS 1.3), MQTT (including v5 of the protocol) and SSH (all of these protocols are future-proofed with post-quantum algorithm support!).

wolfSSL offers consulting services and has the engineering-power and know-how to implement any other communication/transport protocols that may be needed or desired for use in UAS. wolfSSL can run on any processor and if a processor is not already supported, the wolfSSL team will add support for it! wolfSSL can encrypt sensitive data at rest in the event a UAS were to be lost on a battlefield and wolfSSL can secure your video, telemetry data, and comms links between the UAS and ground stations!

What is more, wolfSSL will tie into any on-board available hardware cryptography to accelerate performance and security if the software implementations of the algorithms are not yielding the desired performance. A list of existing supported chips is available on our website here: https://www.wolfssl.com/products/wolfcrypt-2/ (just scroll down to “Supported Chipmakers”) Benchmark numbers for various supported chipmakers can be found here: https://www.wolfssl.com/docs/benchmarks/

In summary, if you need Cyber Security solutions as an unmanned drone maker be it a surface maritime, submersible maritime or aerial drone platform,  wolfSSL can help. Also be sure to reach out to Dark Wolf for a review if considering using one of the DIU projects to take your drone from commercial to DoD ready!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

DTLS 1.3 is here! wolfSSL is the first to have DTLS 1.3 implementation and this is your chance to get all your questions answered! wolfSSL engineer, Marco Oliverio, will be hosting a live webinar on June 29th at 10am to share every information you need to know about DTLS 1.3.

If you are looking for enhanced security in your applications and interested in learning how wolfSSL’s cutting-edge technology can enhance your security infrastructure. Marco will give you in depth details about benefits and features of using wolfSSL DTLS 1.3. Join the wolfSSL team to learn how wolfSSL can protect your data and provide seamless integration with your existing systems. 

Watch the webinar here: Everything You Need to Know About DTLS 1.3

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Power consumption on IoT devices can be a big concern. Especially when adding in the latest security and using DTLS 1.3 / TLS 1.3 connections to secure communication. Here at wolfSSL we minimize power consumption and work with EEMBC to measure how much power wolfSSL is consuming when adding security to battery powered designs. Benchmarks of wolfSSL power consumption on an STM32L476G device are available here (https://www.eembc.org/viewer/?benchmark_seq=13436). These benchmarks prove that wolfSSL is the perfect security solution for Ultra Low-Power WiFI designs.

ULP WiFI is a great solution for battery connected devices, but cryptography and TLS can be computationally expensive, so we’ve optimized wolfSSL to minimize energy usage. What we have found is that using wolfSSL’s SP (Single Precision) math with assembly speed ups is superior and has a positive impact on both performance and power consumption. More recently, we are exploring additional energy saving optimizations for the Talaria Two ULP and NXP i.MX ULP WiFi parts.  

wolfSSL also supports TLS over BLE for maximum security on sensitive designs. Here is an example of using wolfSSL with Bluetooth Low Energy (BTLE) (https://github.com/wolfSSL/wolfssl-examples/tree/master/btle). In the example directory there is a TLS 1.3 over Bluetooth example too! (https://github.com/wolfSSL/wolfssl-examples/tree/master/btle/tls).

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL release 5.6.3 is available. This is a minor release version that resolves an issue found when building with autoconf in release 5.6.2. Included in this release are 3 other improvements and fixes that increase the quality of code and ease of use of wolfSSL. The following is a list of all 4 items in wolfSSL 5.6.3:

• Fix for setting the atomic macro options introduced in release 5.6.2. This issue affects GNU gcc autoconf builds. The fix resolves a potential mismatch of the generated macros defined in options.h file and the macros used when the wolfSSL library is compiled. In version 5.6.2 this mismatch could result in unstable runtime behavior.
• Fix for invalid suffix error with Windows build using the macro GCM_TABLE_4BIT.
• Improvements to Encrypted Memory support (WC_PROTECT_ENCRYPTED_MEM) implementations for modular exponentiation in SP math-all (sp_int.c) and TFM (tfm.c).
• Improvements to SendAlert for getting the output buffer.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL release 5.6.2 is now available! wolfSSL 5.6.2 brings many new features, exciting enhancements, fixes, and vulnerability fixes. Here at wolfSSL the developers are working diligently to achieve the highest level of security for users. Release 5.6.2 provides quality fixes which we were able to find and address by working quickly with independent researchers who file reports of potential issues.

Some of the notable changes in this release are:
* Adding in support for STM32H5, Renesas TSIP v1.17, Renesas SCE RSA crypto-only support, NXP IMX6Q CAAM port with QNX
* An ASN.1 syntax parsing utility located in ./examples/asn1/ directory
* Memory usage optimizations and code size reduction with lean builds
* Documentation, benchmark app, and unit test app improvements
* Fixes for use with STM32 and code quality improvements including a potential out of buffer access fix

Two vulnerabilities were addressed in this release dealing with TLS 1.3 client side behavior and another with AES side channel issue on RISC-V. More details about the vulnerabilities can be found in the wolfSSL ChangeLog along with special thanks to the researchers who reported them.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

For people following the development of wolfSSH, they might have noticed something very strange recently. There is a new key exchange method that has a very long name: ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org. This replaces ecdh-sha2-nistp256-kyber-512-sha256 which was similar but had some differences in data formatting.

This name comes from the following IETF draft authored by Panos Kampanakis and Torben Hansen of AWS and Douglas Stebila of the University of Waterloo: https://www.ietf.org/id/draft-kampanakis-curdle-ssh-pq-ke-01.html

The main purpose of this post is to let everyone know that our wolfSSH implementation of ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org passed NIST NCCoE interoperability tests!  It was tested against the AWS implementation of SSH and OQS’s fork of openSSH (https://github.com/open-quantum-safe/openssh). Here at wolfSSL, we know that for protocol products such as wolfSSH, interoperability is a key requirement to be an ecosystem player.  Our customers can rest easy knowing that they can interoperate with other products seamlessly.  Want to try it out? You can download it from https://github.com/wolfSSL/wolfssh. 

This is just one hybrid key exchange. If you want other post-quantum key exchanges or signature schemes to be supported in wolfSSH, let us know!  We are always interested to hear about what you want us to do! If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Watch our live wolfEngine webinar, where we introduce one of our newest products wolfEngine, a separate standalone library which links against wolfSSL (libwolfssl) and OpenSSL. wolfEngine implements and exposes an OpenSSL engine implementation which wraps the wolfCrypt native API internally. Algorithm support matches that as listed on the wolfCrypt FIPS 140-2 certificate #3389.

Learn about about what wolfEngine is, why you should care, and why wolfEngine could be the solution to all of your problems. As always bring your questions for the Q&A following the presentation.

Watch it now: wolfEngine : wolfCrypt as an Engine for OpenSSL
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Hi!  We have some of our automotive customers asking for wolfSentry integration with AUTOSAR IDS.  Is this something that you need?

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

This post has been cross posted from Daniel Stenberg’s blog – originally posted here.

For widely used, widely distributed open source project such as curl, we often have little to no relation at all with our users and therefore it is hard to get feedback and learn what works and what is less good.

Our best and primary way is thus simply to ask users every year how they use curl.

user survey

For the tenth consecutive year, we put together a survey and we ask everyone we know and can reach who ever used curl or library within the last year, to donate a few minutes of their precious time and give us their honest opinions.

The survey is anonymous but hosted by Google. We do not care who you are, but we want to know how you think curl works for you.

The survey will remain online for submissions during 14 days. From Thursday May 25 2023 until midnight (CEST) Wednseday June 7 2023. Please tell your friends about it!

user survey

Post survey analysis

At June 5 the painstaking work of analyzing the results and putting together a summary and presentation begins. It usually takes me a few weeks to complete. Once that is done, the results will be shared for the entire world to enjoy.

Then we see what the curl project should take home and do as a direct result of what users say. Updating procedures, writing documentation and adding features to the roadmap are among the things that can happen and has happened after previous surveys.

Support

• wolfSSL offers Curl support is available, and part of that support revenue goes into finding and fixing these kinds of vulnerabilities.
•  Customers under curl support can get advice on whether or not the advisories apply to them.
•  24×7 support on curl is available, and can include pre-notification of upcoming vulnerability announcements.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

“BUSted” – Everything you need to know on Side-channel attacks to TrustZone-M separation
Watch the webinar here:  “BUSted” – Everything you need to know on Side-channel attacks to TrustZone-M Separation

Join our wolfSSL webinar about BUSted presented by wolfSSL engineer Daniele Lacamera as well as either Dr. Sandro Pinto or Cristiano Rodrigues.

At the Black Hat Asia conference in Singapore, Dr. Sandro Pinto and Cristiano Rodrigues presented their research that introduced a groundbreaking technique that exploits the shared pipeline on the newest Cortex-M CPUs to place a time based, side-channel attack from an application running in non-secure domain to security code running in secure mode. The researchers named this attack “BUSted”. This is sudden and difficult news hitting the new generations of ARMv8 microcontrollers. The attack was demonstrated live using a Cortex-M33 microcontroller as target.

Due to the nature of the attack, targeting specific micro-architectural design issues, this disclosure has already been compared to “Spectre” and “Meltdown”, well known attacks that have affected more sophisticated architectures in the recent past. All the embedded projects that were counting on hardware-assisted privilege separation through TrustZone-M should now take into account the possibility of leaking information from the trusted components running in the secure world.

According to the researchers, software based countermeasures and mitigations are possible to counter the effects of this micro-architectural design fault. The most important aspect to take into account when dealing with time-based attacks is to avoid as much as possible secret-dependent code in the implementation of security operations. In other words, the time required for a security procedure to run must not depend on the success of the operation or on any secret involved in the operation.

Tune in to this webinar to learn more about the attack from the researchers themselves as well as from cybersecurity experts how wolfSSL has been proactive and already studying the necessary workarounds for our users and customers.

As always we will have a Q&A Session following the webinar

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.