Blog – Page 127

How to speed up handshake times when using ECDHE (and/or ECDSA)

September 13, 2018September 13, 2018

We have had some reports of low-end embedded systems taking 10-20 seconds to establish a TLS connection when generating a shared secret using the ECDH algorithm.

We wanted to remind our users of the fixed-point caching mechanism provided by wolfSSL. Users can enable fixed point caching with the configure option --enable-fpecc or by defining FP_ECC in their settings. Users will also need to configure which look up table (FP_LUT) to use and the number of entries (FP_ENTRIES).

FP_LUT: General rule is the larger the table, the more memory is needed but the faster subsequent lookup operations will be.

FP_ENTRIES: The number of entries allowed in the cache.

By default if users are not using the autoconf system (IE ./configure --enable-fpecc) users can start by adding these to either wolfssl/wolfcrypt/settings.h or their own user_settings.h when defining WOLFSSL_USER_SETTINGS globally:

/* Fixed point cache (speeds repeated operations against same private key) */
#undef  FP_ECC
#define FP_ECC
#ifdef FP_ECC
    /* Bits / Entries */
    #undef  FP_ENTRIES
    #define FP_ENTRIES  2
    #undef  FP_LUT
    #define FP_LUT      4  /* NOTE: FP_LUT must be between 2 and 12 inclusively */
#endif

Users can pre-cache fixed points on a curve related to a specific private key prior to establishing a connection to speed up shared secret computation times. Below we have provided some sample code users might use to accomplish this “pre-caching”. Ideally this would be a function you would run on system start-up or initialization of your embedded device prior to establishing a connection:

#include <stdio.h>
#include <string.h>

/* NOTE: ALWAYS include options.h or settings.h before any other wolf headers */
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/asn.h>

/* Build wolfSSL using ./configure --enable-fpecc or by adding #define FP_ECC to your user_settings.h. */

/* Fixed client ECC key */
static const unsigned char ecc_clikey_der_256[] =
{
    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xF8, 0xCF, 0x92,
    0x6B, 0xBD, 0x1E, 0x28, 0xF1, 0xA8, 0xAB, 0xA1, 0x23, 0x4F,
    0x32, 0x74, 0x18, 0x88, 0x50, 0xAD, 0x7E, 0xC7, 0xEC, 0x92,
    0xF8, 0x8F, 0x97, 0x4D, 0xAF, 0x56, 0x89, 0x65, 0xC7, 0xA0,
    0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01,
    0x07, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x55, 0xBF, 0xF4,
    0x0F, 0x44, 0x50, 0x9A, 0x3D, 0xCE, 0x9B, 0xB7, 0xF0, 0xC5,
    0x4D, 0xF5, 0x70, 0x7B, 0xD4, 0xEC, 0x24, 0x8E, 0x19, 0x80,
    0xEC, 0x5A, 0x4C, 0xA2, 0x24, 0x03, 0x62, 0x2C, 0x9B, 0xDA,
    0xEF, 0xA2, 0x35, 0x12, 0x43, 0x84, 0x76, 0x16, 0xC6, 0x56,
    0x95, 0x06, 0xCC, 0x01, 0xA9, 0xBD, 0xF6, 0x75, 0x1A, 0x42,
    0xF7, 0xBD, 0xA9, 0xB2, 0x36, 0x22, 0x5F, 0xC7, 0x5D, 0x7F,
    0xB4
};
static const int sizeof_ecc_clikey_der_256 = sizeof(ecc_clikey_der_256);

int pre_cache_my_priv_key(void)
{
    int ret;
/* If we plan on caching fixed points for ECC operations... */
#ifdef FP_ECC
    word32 idx = 0;
    WC_RNG rng;
    ecc_key dummyPubKey;
    ecc_key myPrivKey;
    word32 x = 32; /* large enough for 256-bit */
    unsigned char exportBuf[x];

    wc_ecc_init(&dummyPubKey);
    wc_InitRng(&rng);

    ret = wc_ecc_make_key(&rng, 32, &dummyPubKey);
    if (ret != 0) {
        printf("Failed to make the public key\n");
        return -1;
    }

    ret = wc_EccPrivateKeyDecode(ecc_clikey_der_256, &idx,
                                 &myPrivKey, sizeof_ecc_clikey_der_256);
    if (ret != 0) {
        printf("Failed to import private key, ret = %d\n", ret);
        return -1;
    }

    ret = wc_ecc_shared_secret(&myPrivKey, &dummyPubKey, exportBuf, &x);
    wc_ecc_free(&dummyPubKey);
    if (ret != 0) {
        printf("Failed to generate a shared secret\n");
        return -1;
    }

    printf("Successfully pre-cached curve points!\n");
#else
    ret = 0;
#endif

    return ret;
}

int main(void)
{
    int ret;

    wolfSSL_Init();
    ret = pre_cache_my_priv_key();

   /* Do other interesting things, establish a TLS connection, etc. */

   wolfSSL_Cleanup(); /* Calls the wc_ecc_fp_free() function to free cache resources */

   return 0;
}

If you have any questions on the above solution please contact us anytime at support@wolfssl.com! If you have feedback or comments please send a note to facts@wolfssl.com we would love to hear from you!

TLS 1.3 combined with FIPS (#FIPS #TLS13)

September 12, 2018September 12, 2018

wolfSSL is a lightweight TLS/SSL library that is targeted for embedded devices and systems. It has support for the TLS 1.3 protocol, which is a secure protocol for transporting data between devices and across the Internet. In addition, wolfSSL uses the wolfCrypt encryption library to handle its data encryption.

Because there is a FIPS 140-2 validated version of wolfCrypt, this means that wolfSSL not only has support for the most current version of TLS, but it also has the encryption backbone to support your FIPS 140-2 needs if required.

Some key benefits of combining TLS 1.3 with FIPS validated software include:

Software becomes marketable to federal agencies - without FIPS, a federal agency is not able to use cryptographic-based software
Single round trip
0-RTT (a mode that enable zero round trip time)
After Server Hello, all handshake messages are encrypted.

And much more! For more information regarding the benefits of using TLS 1.3 or using the FIPS validated version of wolfCrypt, check out wolfSSL's TLS 1.3 Protocol Support and our wolfCrypt FIPS page.

FIPS 140-2 is a government validation that certifies that an encryption module has successfully passed rigorous testing and meets high encryption standards as specified by NIST. For more information or details on FIPS 140-2, it may be helpful to view this Wikipedia article: https://en.wikipedia.org/wiki/FIPS_140-2

For more details about wolfSSL, TLS 1.3, or if you have any other general inquiries please contact facts@wolfssl.com

To find out more about FIPS, check out the NIST FIPS publications or contact fips@wolfssl.com

Using cURL with wolfSSL and TLS 1.3

September 11, 2018

cURL is an open-source project that provides the command line tool, curl, for transferring data between client and server with URLs, powered by cURL’s library, libcurl. curl and libcurl both provide support for building SSL/TLS libraries, including wolfSSL! The latest version of cURL can be downloaded from https://github.com/curl/curl.

To build curl with wolfSSL, simply configure and install curl with:

$ ./configure --with-wolfssl --without-ssl
$ make && make install

Starting with version 7.52.0, curl provides TLS 1.3 support when built with a TLS library. TLS 1.3 protocol support is also currently available in the wolfSSL library. Since both curl and wolfSSL support TLS 1.3, curl can be compiled with the addition of wolfSSL to select the TLS 1.3 protocol.

Configuring wolfSSL and curl to implement TLS 1.3 is simple. To build curl and libcurl with wolfSSL, wolfSSL must first be configured with TLS 1.3 support.

To enable TLS 1.3 support in wolfSSL, compile and install wolfSSL with the “–enable-tls13” option:

$ ./configure --enable-tls13
$ make && make install

Then, build curl with TLS 1.3-enabled wolfSSL:

$ ./configure --with-wolfssl --without-ssl
$ make && make install

To test a TLS 1.3 connection with curl + wolfSSL, invoke curl with the –tlsv1.3 option on a server that supports TLS 1.3. For example:

$ curl --tlsv1.3 https://enabled.tls13.com/

A successful connection will return the HTML page downloaded from https://enabled.tls13.com/:

<html>
    <head>
        <title>Test</title>
    </head>
    <body>
        <h1>Test</h1>
        <p>Testing</p>
    </body>
</html>

For more information on the cURL project, visit https://curl.haxx.se/

If you would like more information about wolfSSL’s support for TLS 1.3 or help on using it in your application, contact us at facts@wolfssl.com.

wolfSSH Manual Now Available

September 4, 2018

The wolfSSH Manual is now available on the wolfSSL website! It is easily navigable, descriptive, and detailed.

Some of the topics covered in the manual are listed below:

How to build wolfSSH
How to run the example applications
Library design
wolfSSH User Authentication Callback
Callback Function Setup API
wolfSSH SFTP Beta Introduction
wolfSSH API reference
And more!

The wolfSSH Manual can be viewed as HTML here: https://www.wolfssl.com/docs/wolfssh-manual/
Or downloaded as a PDF here: https://www.wolfssl.com/documentation/wolfSSH-Manual.pdf

wolfSSL Intel SGX (#SGX) + FIPS 140-2 (#FIPS140)!

September 4, 2018May 25, 2018

wolfSSL is pleased to announce the following addition to the wolfSSL FIPS certificate!

Debian 8.7.0	Intel ® Xeon® E3 Family with SGX support	Intel®x64 Server System R1304SP
Windows 10 Pro	Intel ® Core TM i5 with SGX support	Dell LatitudeTM 7480

The wolfCrypt FIPS validated cryptographic module has been validated while running inside an Intel SGX enclave and examples have been setup for both Linux and Windows environments.

Intel ® SGX (Software Guard Extensions) can be thought of as a black-box where no other application running on the same device can see inside regardless of privilege. From a security standpoint this means that even if a malicious actor were to gain complete control of a system including root privileges, that actor, no matter what they tried, would not be able to access data inside of this “black-box”.

An Intel enclave is a form of user-level Trusted Execution Environment (TEE) which can provide both storage and execution. Meaning one can store sensitive information inside and also move sensitive portions of a program or an entire application inside.

While testing, wolfSSL has placed both individual functions and entire applications inside the enclave. One of the wolfSSL examples shows a client inside the enclave with the only entry/exit points being “start_client”, “read”, and “write”. The client is pre-programmed with a peer to connect with and specific functionality. When “start_client” is invoked it connects to the peer using SSL/TLS and executes the pre-programmed tasks where the only data entering and leaving the enclave is the info being sent to and received from the peer. Other examples show placing a single cryptographic operation inside the enclave, passing in plain-text data and receiving back encrypted data masking execution of the cryptographic operations.

If you are working with SGX and need FIPS validated crypto running in an enclave contact us at fips@wolfssl.com or support@wolfssl.com with any questions. We would love the opportunity to field your questions and hear about your project!

Resources:
https://software.intel.com/en-us/blogs/2016/12/20/overview-of-an-intel-software-guard-extensions-enclave-life-cycle

wolfSSL FAQ page

September 1, 2018February 6, 2025

The wolfSSL FAQ page can be useful for information or general questions that need need answers immediately. It covers some of the most common questions that the support team receives, along with the support team's responses. It's a great resource for questions about wolfSSL, embedded TLS, and for solutions to problems getting started with wolfSSL.

To view this page for yourself, please follow this link here.

Here is a sample list of 5 questions that the FAQ page covers:

How do I build wolfSSL on ... (*NIX, Windows, Embedded device) ?
How do I manage the build configuration of wolfSSL?
How much Flash/RAM does wolfSSL use?
How do I extract a public key from a X.509 certificate?
Is it possible to use no dynamic memory with wolfSSL and/or wolfCrypt?

Have a question that isn't on the FAQ? Feel free to email us at support@wolfssl.com.

stunnel support for TLS 1.3 using wolfSSL

August 20, 2018

Did you know that wolfSSL maintains a port of stunnel which includes wolfSSL support, and now supports TLS 1.3?

What is stunnel?

stunnel is a lightweight TLS proxy, designed to add SSL/TLS encryption to unsecured applications without changes to the program’s source code. Licensed under GNU GPLv2 and with an alternative commercial option, stunnel can be utilized to secure a host of different applications, including: mail exchange (SMTP, IMAP, POP3), web hosting (HTTP), remote shell, and virtually any other unprotected protocol desired.

TLS 1.3 Support!

Porting stunnel to use wolfSSL’s embedded SSL/TLS library means taking advantage of wolfSSL’s minimal footprint and high speed crypto implementation to increase performance and decrease required resources when compared to other SSL/TLS libraries. Not only that, but using wolfSSL with stunnel combines these benefits with the peace of mind that your application is secured by a progressive, transparent, and stable SSL/TLS library – known for its quality, integrity and efficiency.

The wolfSSL embedded SSL/TLS now includes support for TLS 1.3, which gives stunnel+wolfSSL users access to TLS 1.3! TLS 1.3 improves upon the SSL/TLS protocol by removing old insecure algorithms and changing the TLS handshake to increase security and reduce round trips.

To build wolfSSL for use with stunnel and TLS 1.3 support, simply configure wolfSSL with:

$ ./configure --enable-stunnel --enable-tls13

from wolfSSL`s main directory, then make and make install.

For a version of stunnel that links to the wolfSSL library, and for more information, contact us at facts@wolfssl.com.

wolfCrypt v4.0 FIPS 140-2 Certificate News

August 17, 2018

Good news from wolfSSL Inc! The upcoming update to our cryptography library, wolfCrypt v4.0, is on the NIST CMVP Modules in Process list and is in the Coordination phase. Our FIPS 140-2 revalidation certificate is just around the corner. Included on the new certificate will be key generation of RSA, ECC, DH keys; SHA-3 and HMAC with SHA-3; CMAC; AES-GCM with internally generated IVs and externally supplied IVs; and use of RDSEED, AES-NI, and AVX1/2 with Intel processors. All the algorithms from our original certificate #2425 are also included. For more information about our new FIPS 140-2 certificate, please contact us at fips@wolfssl.com.

wolfSSH v1.3.0 Released

August 15, 2018August 15, 2018

wolfSSL has released wolfSSH v1.3.0 to the public! Included in this release are two major features, SCP and SFTP. wolfSSH can now act as a server for copying files with SCP. We can also act like a client or server for SFTP connections! Now you can copy new firmware or configuration files to your embedded device with the ease of a file copy.

Also included are several small bug fixes and improvements.

wolfSSH was developed to with work with our wolfCrypt cryptography library. If you want FIPS 140-2, wolfSSH will seamlessly work with the FIPS version of wolfCrypt.

For more information about wolfSSH, wolfSSL, or wolfCrypt, please email facts@wolfssl.com or contact sales@wolfssl.com. If you want to know more about wolfSSH with wolfCrypt FIPS, contact fips@wolfssl.com. You can download wolfSSH 1.3.0 today from our download page!

wolfSSL Intel SGX (#SGX) + FIPS 140-2 (#FIPS140)!

August 4, 2018May 25, 2018

wolfSSL is pleased to announce the following addition to the wolfSSL FIPS certificate!

Debian 8.7.0	Intel ® Xeon® E3 Family with SGX support	Intel®x64 Server System R1304SP
Windows 10 Pro	Intel ® Core TM i5 with SGX support	Dell LatitudeTM 7480

The wolfCrypt FIPS validated cryptographic module has been validated while running inside an Intel SGX enclave and examples have been setup for both Linux and Windows environments.

Resources:
https://software.intel.com/en-us/blogs/2016/12/20/overview-of-an-intel-software-guard-extensions-enclave-life-cycle

1 2 3 … 124 125 126 127 128 129 130 … 194 195 196

RECENT BLOG NEWS

How to speed up handshake times when using ECDHE (and/or ECDSA)

TLS 1.3 combined with FIPS (#FIPS #TLS13)

Using cURL with wolfSSL and TLS 1.3

wolfSSH Manual Now Available

wolfSSL Intel SGX (#SGX) + FIPS 140-2 (#FIPS140)!

wolfSSL FAQ page

stunnel support for TLS 1.3 using wolfSSL

wolfCrypt v4.0 FIPS 140-2 Certificate News

wolfSSH v1.3.0 Released

wolfSSL Intel SGX (#SGX) + FIPS 140-2 (#FIPS140)!

Weekly updates

Archives

RECENT BLOG NEWS

Posts navigation

Weekly updates

Archives