RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news, or sign up to receive weekly email notifications containing the latest news from wolfSSL. wolfSSL also has a support-specific blog page dedicated to answering some of the more commonly received support questions.

NXP CAU, mmCAU, and LTC Hardware Cryptography with TLS 1.3

As you may know, wolfSSL includes support for offloading cryptography operations into NXP Coldfire and Kinetis devices that include the CAU, mmCAU, or LTC hardware crypto modules. Taking advantage of these modules improves performance of both the cryptography and the SSL/TLS layer running on top of it.

Here is a quick comparison of performance between software cryptography and the hardware-based cryptography offered by the Kinetis mmCAU on a K60 TWR running at 100MHz:

               Software Crypto     Hardware Crypto
   
AES            0.49 MB/s           2.71 MB/s
DES            0.31 MB/s           3.49 MB/s
3DES           0.12 MB/s           1.74 MB/s
MD5            4.07 MB/s           4.88 MB/s
SHA-1          1.74 MB/s           2.71 MB/s
SHA-256        1.16 MB/s           2.22 MB/s
HMAC-SHA       1.74 MB/s           3.05 MB/s
HMAC-SHA256    1.22 MB/s           2.03 MB/s

And, here are some benchmark comparisons between software and hardware cryptography offered by the LTC module on a NXP FRDM-K82F, Cortex M4 running at 150 MHz:

                                 Software Crypto     Hardware Crypto
   
RNG                              0.136 MB/s          0.939 MB/s
AES enc                          0.247 MB/s          12.207 MB/s
AES dec                          0.239 MB/s          12.207 MB/s
AES-GCM                          0.016 MB/s          12.207 MB/s
AES-CTR                          0.247 MB/s          8.138 MB/s
AES-CCM                          0.121 MB/s          6.104 MB/s
CHACHA                           0.568 MB/s          3.052 MB/s
CHA-POLY                         0.444 MB/s          1.878 MB/s
POLY1305                         2.441 MB/s          8.138 MB/s
SHA                              0.842 MB/s          4.069 MB/s
SHA-256                          0.309 MB/s          2.713 MB/s
SHA-384                          0.224 MB/s          0.763 MB/s
SHA-512                          0.216 MB/s          0.698 MB/s
RSA 2048 public                  147.000 ms         12.000 ms    (over 1 iteration)
RSA 2048 private                 2363.000 ms        135.000 ms   (over 1 iteration
ECC 256 key generation           355.400 ms         17.400 ms    (over 5 iterations)
EC-DHE key agreement             352.400 ms         15.200 ms    (over 5 iterations)
EC-DSA sign time                 362.400 ms         20.200 ms    (over 5 iterations)
EC-DSA verify time               703.400 ms         33.000 ms    (over 5 iterations)
CURVE25519 256 key generation    66.200 ms          14.400 ms    (over 5 iterations)
CURVE25519 key agreement         65.400 ms          14.400 ms    (over 5 iterations)
ED25519 key generation           25.000 ms          14.800 ms    (over 5 iterations)
ED25519 sign time                30.400 ms          16.800 ms    (over 5 iterations)
ED25519 verify time              74.400 ms          30.400 ms    (over 5 iterations)

Did you know that wolfSSL also provides support for TLS 1.3? With TLS 1.3, users also have the ability to use this new protocol version for TLS connections with even better performance!

TLS 1.3 includes many improvements over TLS 1.2, including reducing the number of round trips required to perform a full handshake, repurposing the ticketing system to allow for servers to be stateless, and the removal of insecure algorithms. These changes mean better performance on Freescale/NXP CAU, mmCAU, and LTC-based devices, and lower memory usage on those devices acting as a TLS server.

To learn more about using TLS 1.3 in wolfSSL, visit our TLS 1.3 webpage today! Additionally, please feel free to contact support@wolfssl.com or visit our FAQ page for more information.

New NXP Kinetis K8X LP Trusted Crypto (LTC) support for PKI (RSA/ECC)

NXP has a new LP Trusted Crypto (LTC) core which accelerates RSA/ECC PKI in their Kinetis K8x line.

The LTC hardware accelerator improves:

  • RSA performance by 12-17X
  • ECC performance by 18-23X
  • Ed/Curve25519 performance by 2-3X.

This adds to the existing MMCAU support which accelerates RNG, AES (CBC, CCM, GCM, CTR), DES/3DES, MD5, SHA, SHA256, SHA384/512 and ChaCha20/Poly1305.

The combined LTC/MMCAU hardware acceleration improves performance, reduces power consumption and reduces code size by 40%.

Here are the benchmarks on a FRDM-K82F Cortex M4 @ 150MHz, showing the improvements offered by the hardware acceleration:

Hardware Accelerated (LTC / MMCAU):
RNG      25 kB took 0.026 seconds,    0.939 MB/s
AES enc  25 kB took 0.002 seconds,   12.207 MB/s
AES dec  25 kB took 0.002 seconds,   12.207 MB/s
AES-GCM  25 kB took 0.002 seconds,   12.207 MB/s
AES-CTR  25 kB took 0.003 seconds,    8.138 MB/s
AES-CCM  25 kB took 0.004 seconds,    6.104 MB/s
CHACHA   25 kB took 0.008 seconds,    3.052 MB/s
CHA-POLY 25 kB took 0.013 seconds,    1.878 MB/s
POLY1305 25 kB took 0.003 seconds,    8.138 MB/s
SHA      25 kB took 0.006 seconds,    4.069 MB/s
SHA-256  25 kB took 0.009 seconds,    2.713 MB/s
SHA-384  25 kB took 0.032 seconds,    0.763 MB/s
SHA-512  25 kB took 0.035 seconds,    0.698 MB/s
RSA 2048 public          12.000 milliseconds, avg over 1 iterations
RSA 2048 private         135.000 milliseconds, avg over 1 iterations
ECC  256 key generation  17.400 milliseconds, avg over 5 iterations
EC-DHE   key agreement   15.200 milliseconds, avg over 5 iterations
EC-DSA   sign   time     20.200 milliseconds, avg over 5 iterations
EC-DSA   verify time     33.000 milliseconds, avg over 5 iterations
CURVE25519 256 key generation 14.400 milliseconds, avg over 5 iterations
CURVE25519 key agreement      14.400 milliseconds, avg over 5 iterations
ED25519  key generation  14.800 milliseconds, avg over 5 iterations
ED25519  sign   time     16.800 milliseconds, avg over 5 iterations
ED25519  verify time     30.400 milliseconds, avg over 5 iterations

Software only:
RNG      25 kB took 0.179 seconds,    0.136 MB/s
AES enc  25 kB took 0.099 seconds,    0.247 MB/s
AES dec  25 kB took 0.102 seconds,    0.239 MB/s
AES-GCM  25 kB took 1.486 seconds,    0.016 MB/s
AES-CTR  25 kB took 0.099 seconds,    0.247 MB/s
AES-CCM  25 kB took 0.201 seconds,    0.121 MB/s
CHACHA   25 kB took 0.043 seconds,    0.568 MB/s
CHA-POLY 25 kB took 0.055 seconds,    0.444 MB/s
POLY1305 25 kB took 0.010 seconds,    2.441 MB/s
SHA      25 kB took 0.029 seconds,    0.842 MB/s
SHA-256  25 kB took 0.079 seconds,    0.309 MB/s
SHA-384  25 kB took 0.109 seconds,    0.224 MB/s
SHA-512  25 kB took 0.113 seconds,    0.216 MB/s
RSA 2048 public          147.000 milliseconds, avg over 1 iterations
RSA 2048 private         2363.000 milliseconds, avg over 1 iterations
ECC  256 key generation  355.400 milliseconds, avg over 5 iterations
EC-DHE   key agreement   352.400 milliseconds, avg over 5 iterations
EC-DSA   sign   time     362.400 milliseconds, avg over 5 iterations
EC-DSA   verify time     703.400 milliseconds, avg over 5 iterations
CURVE25519 256 key generation 66.200 milliseconds, avg over 5 iterations
CURVE25519 key agreement      65.400 milliseconds, avg over 5 iterations
ED25519  key generation  25.000 milliseconds, avg over 5 iterations
ED25519  sign   time     30.400 milliseconds, avg over 5 iterations
ED25519  verify time     74.400 milliseconds, avg over 5 iterations

The code to support the LTC is currently in PR #597 here, soon to be rolled into the wolfSSL embedded SSL/TLS library:
https://github.com/wolfSSL/wolfssl/pull/597

These changes are also included in the KSDK 2.0.

wolfSSL Renesas CS+ Support

Are you a user of Renesas CS+?  If so, you will be happy to know that wolfSSL recently added support and example project files to the wolfSSL embedded SSL/TLS library for CS+!

Renesas CS+ (formerly CubeSuite+) integrated development environment provides simplicity, security, and ease of use in developing software through iterative cycles of editing, building, and debugging.

CS+ IDE project files for building the wolfSSL library, as well as a project file to build and run the wolfCrypt test app have been included in the wolfSSL package, specifically in the “IDE/Renesas/cs+/Projects” directory.

For instructions on how to build the projects, please see the README, located at “IDE/Renesas/cs+/Projects/README”.  This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL as well.  For any questions or help getting wolfSSL up and running on your Renesas environment, please contact us at support@wolfssl.com.  wolfSSL also now supports the most current version of TLS, TLS 1.3!  Learn more here!

OpenSSL Compatibility Layer Expands with 15 New Functions

As many of our readers know, the wolfSSL embedded SSL/TLS library includes an OpenSSL compatibility layer.  This layer makes it easier to replace OpenSSL with wolfSSL in applications that have previously been using OpenSSL.

As wolfSSL is ported into more and more projects that have previously used OpenSSL, our compatibility layer expands.  As part of a recent project, we have added 15 new functions to the OpenSSL compatibility layer, including:

OpenSSL_add_all_algorithms_noconf()
RAND_poll()
d2i_X509_fp()
X509_check_ca()
X509_CRL_free()
X509_STORE_add_crl()
d2i_X509_CRL_fp()
PEM_read_X509_CRL()
ASN1_GENERALIZEDTIME_free()
ASN1_STRING_print_ex()
ASN1_TIME_to_generalizedtime()
d2i_PKCS12_fp()
i2d_RSAPublicKey()
d2i_RSAPublicKey()
i2c_ASN1_INTEGER()

We also added 4 helper functions related to these new compatibility layer functions:

int wolfSSL_ASN1_TIME_get_length(WOLFSSL_ASN1_TIME *t)
  Get length member data of WOLFSSL_ASN1_TIME structure.

unsigned char* wolfSSL_ASN1_TIME_get_data(WOLFSSL_ASN1_TIME *t)
  Get data member data of WOLFLSSL_ASN1_TIME structure and return pointer of ASN1_TIME data.

int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE* store)
  Return number of signer in cert manager of WOLFSSL_X509_STORE.

long wolfSSL_X509_get_version(const WOLFSSL_X509 *x509)
  Return version number of X509.

There are several reasons that users switch from OpenSSL to wolfSSL, including memory usage, portability, algorithm support, CAVP and FIPS 140-2 validations, and the availability of excellent commercial support.  To learn more about the advantages of using wolfSSL, visit our page on “wolfSSL vs. OpenSSL”.  If you have any questions about using wolfSSL in your application, or replacing OpenSSL with wolfSSL, please reach out to our support team at support@wolfssl.com!

Renesas e2studio Support

Are you a user of Renesas e² studio?  If so, you will be happy to know that wolfSSL recently added support and example project files to the wolfSSL embedded SSL/TLS library for e² studio!

Renesas e² studio is a development environment based on the popular Eclipse CDT (C/C++ Development Tooling), covers build (editor, compiler and linker control), as well as debug interface.

e² studio project files for building the wolfSSL library, as well as a project file to build and run the wolfCrypt test app have been included in the wolfSSL package, specifically in the “IDE/Renesas/e2studio” directory.  When working with Renesas e² studio, wolfSSL worked with e² studio version 6.3.0 and the Renesas C compiler.

For instructions on how to build the projects, please see the README, located at “IDE/Renesas/e2studio/Projects/README”.  This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL as well.  For any questions or help getting wolfSSL up and running on your Renesas environment, please contact us at support@wolfssl.com.

TLS 1.3 combined with FIPS (#FIPS #TLS13)

wolfSSL is a lightweight TLS/SSL library that is targeted for embedded devices and systems. It has support for the TLS 1.3 protocol, which is a secure protocol for transporting data between devices and across the Internet. In addition, wolfSSL uses the wolfCrypt encryption library to handle its data encryption.

Because there is a FIPS 140-2 validated version of wolfCrypt, this means that wolfSSL not only has support for the most current version of TLS, but it also has the encryption backbone to support your FIPS 140-2 needs if required.

Some key benefits of combining TLS 1.3 with FIPS validated software include:

  1. Software becomes marketable to federal agencies - without FIPS, a federal agency is not able to use cryptographic-based software
  2. Single round trip
  3. 0-RTT (a mode that enable zero round trip time)
  4. After Server Hello, all handshake messages are encrypted.

And much more! For more information regarding the benefits of using TLS 1.3 or using the FIPS validated version of wolfCrypt, check out wolfSSL's TLS 1.3 Protocol Support and our wolfCrypt FIPS page.

FIPS 140-2 is a government validation that certifies that an encryption module has successfully passed rigorous testing and meets high encryption standards as specified by NIST. For more information or details on FIPS 140-2, it may be helpful to view this Wikipedia article: https://en.wikipedia.org/wiki/FIPS_140-2

For more details about wolfSSL, TLS 1.3, or if you have any other general inquiries please contact facts@wolfssl.com

To find out more about FIPS, check out the NIST FIPS publications or contact fips@wolfssl.com

Lighttpd support for wolfSSL

Lighttpd master now supports wolfSSL with autoconf, meson, CMake, and SCons.

Build wolfSSL using:

./configure --enable-lighty
make
sudo make install

Build Lighttpd using:

./configure --with-wolfssl=yes

or

cmake -DWITH_WOLFSSL=ON ..

This work was submitted via: https://github.com/lighttpd/lighttpd1.4/pull/92

Current documentation can be found here:
https://github.com/dgarske/lighttpd1.4/tree/lighttpd_wolfssl/doc/wolfssl (document is currently being migrated to lighttpd master)

For more questions please email us at facts@wolfssl.com.

Securing MySQL (#mysql) with wolfSSL SSL/TLS

MySQL logo             wolfSSL logo

MySQL (#mysql) currently comes bundled with yaSSL to provide an option for SSL/TLS connections when using a database. A patch for securing MySQL with the wolfSSL embedded SSL/TLS library is available for MySQL version 8.0.0 here https://github.com/wolfSSL/mysql-patch.

Along with an increased level of security comes the potential to use progressive features offered by wolfSSL – such as TLS 1.3 and ChaCha20 / Poly1305 AEAD cipher suites (ex: ECDHE-RSA-CHACHA20-POLY1305). Another great feature is that wolfSSL cryptography is FIPS 140-2 validated! Additionally, these features of wolfSSL are not mutually exclusive. For example, the FIPS 140-2 validation can be combined with wolfSSL’s support for TLS 1.3 for a lethal combination of security. The change from yaSSL to wolfSSL will fit nicely into both Open Source and commercial applications, as it is dual licensed under both GPLv2 and standard commercial license terms.

For more information about the port, or to provide us feedback, contact us at facts@wolfssl.com!

wolfSSL Intel SGX (#SGX) + FIPS 140-2 (#FIPS140)!

wolfSSL is pleased to announce the following addition to the wolfSSL FIPS certificate!

Debian 8.7.0 Intel ® Xeon® E3 Family with SGX support Intel®x64 Server System R1304SP
Windows 10 Pro Intel ® Core TM i5 with SGX support Dell LatitudeTM 7480

The wolfCrypt FIPS validated cryptographic module has been validated while running inside an Intel SGX enclave and examples have been setup for both Linux and Windows environments.

Intel ® SGX (Software Guard Extensions) can be thought of as a black-box where no other application running on the same device can see inside regardless of privilege. From a security standpoint this means that even if a malicious actor were to gain complete control of a system including root privileges, that actor, no matter what they tried, would not be able to access data inside of this “black-box”.

An Intel enclave is a form of user-level Trusted Execution Environment (TEE) which can provide both storage and execution. Meaning one can store sensitive information inside and also move sensitive portions of a program or an entire application inside.

While testing, wolfSSL has placed both individual functions and entire applications inside the enclave. One of the wolfSSL examples shows a client inside the enclave with the only entry/exit points being “start_client”, “read”, and “write”. The client is pre-programmed with a peer to connect with and specific functionality. When “start_client” is invoked it connects to the peer using SSL/TLS and executes the pre-programmed tasks where the only data entering and leaving the enclave is the info being sent to and received from the peer. Other examples show placing a single cryptographic operation inside the enclave, passing in plain-text data and receiving back encrypted data masking execution of the cryptographic operations.

If you are working with SGX and need FIPS validated crypto running in an enclave contact us at fips@wolfssl.com or support@wolfssl.com with any questions. We would love the opportunity to field your questions and hear about your project!

Resources:
https://software.intel.com/en-us/blogs/2016/12/20/overview-of-an-intel-software-guard-extensions-enclave-life-cycle

wolfSSL FAQ page

The wolfSSL FAQ page can be useful for information or general questions that need need answers immediately. It covers some of the most common questions that the support team receives, along with the support team's responses. It's a great resource for questions about wolfSSL, embedded TLS, and for solutions to problems getting started with wolfSSL.

To view this page for yourself, please follow this link here.

Here is a sample list of 5 questions that the FAQ page covers:

  1. How do I build wolfSSL on ... (*NIX, Windows, Embedded device) ?
  2. How do I manage the build configuration of wolfSSL?
  3. How much Flash/RAM does wolfSSL use?
  4. How do I extract a public key from a X.509 certificate?
  5. Is it possible to use no dynamic memory with wolfSSL and/or wolfCrypt?

Have a  question that isn't on the FAQ? Feel free to email us at support@wolfssl.com.

Posts navigation

1 2 3 122 123 124 125 126 127 128 194 195 196

Weekly updates

Archives