RECENT BLOG NEWS

wolfSSL recently gave a presentation on FIPS 140-2 validating wolfCrypt inside a secure enclave at ICMC18 (#CryptoModConf).  Thanks to all those who attended!  For reference, we have put our slide deck up on Slideshare for our users to flip through or reference.

Session Abstract:

“Secure enclaves are becoming a popular way to separate and protect sensitive code and data from other processes running on a system. A FIPS 140-2 validated cryptographic software module is currently required to run power-on self tests when loaded, but security of the module can be taken one step further by validating the module inside a secure enclave, such as Intel SGX.

wolfSSL has been working on FIPS 140-2 validating the wolfCrypt library running inside an Intel SGX enclave. This session will discuss the advantages, challenges, and process of FIPS 140-2 validating a cryptographic software module inside Intel SGX and how the same process could be applied to other secure enclave environments.”

Contact us at facts@wolfssl.com if you have any questions about doing a FIPS validation inside a TEE or secure enclave!

wolfSSL is pleased to announce the following addition to the wolfSSL FIPS certificate!

The wolfCrypt FIPS validated cryptographic module has been validated while running inside an Intel SGX enclave and examples have been setup for both Linux and Windows environments.

Intel ® SGX (Software Guard Extensions) can be thought of as a black-box where no other application running on the same device can see inside regardless of privilege. From a security standpoint this means that even if a malicious actor were to gain complete control of a system including root privileges, that actor, no matter what they tried, would not be able to access data inside of this “black-box”.

An Intel enclave is a form of user-level Trusted Execution Environment (TEE) which can provide both storage and execution. Meaning one can store sensitive information inside and also move sensitive portions of a program or an entire application inside.

While testing, wolfSSL has placed both individual functions and entire applications inside the enclave. One of the wolfSSL examples shows a client inside the enclave with the only entry/exit points being “start_client”, “read”, and “write”. The client is pre-programmed with a peer to connect with and specific functionality. When “start_client” is invoked it connects to the peer using SSL/TLS and executes the pre-programmed tasks where the only data entering and leaving the enclave is the info being sent to and received from the peer. Other examples show placing a single cryptographic operation inside the enclave, passing in plain-text data and receiving back encrypted data masking execution of the cryptographic operations.

If you are working with SGX and need FIPS validated crypto running in an enclave contact us at fips@wolfssl.com or support@wolfssl.com with any questions. We would love the opportunity to field your questions and hear about your project!

Resources:
https://software.intel.com/en-us/blogs/2016/12/20/overview-of-an-intel-software-guard-extensions-enclave-life-cycle

We have created a new repository for hosting the FreeRTOS classic and Amazon FreeRTOS support for wolfSSL located here:
https://github.com/wolfSSL/wolfssl-freertos

There are two pull requests with support for wolfSSL including demos:

FreeRTOS Classic v10.0.1 with wolfSSL/wolfMQTT demos:
https://github.com/wolfSSL/wolfssl-freertos/pull/1

• Added a wolfMQTT FreeRTOS TCP demo. This demo connects to the iot.eclipse.org MQTT broker with TLS on port 8883. It sends a counter publish message every second.
• Updated wolfSSL demo:
• Project built and tested against latest v3.14.4 release.
• Switched to using user_settings.h (WOLFSSL_USER_SETTINGS).
• Updated the certs (expired Jan 31, 2018).
• Stop tracking the .filter project file.
• Add submodule for wolfMQTT v1.0 plus FreeRTOS TCP support.
• Replace wolfSSL sources with submodule wolfSSL v3.14.4 plus some Win VS fixes.
• Initial FreeRTOS v10.0.1

Amazon FreeRTOS v1.2.3 port to use wolfSSL:
https://github.com/wolfSSL/wolfssl-freertos/pull/2

• Port of the Amazon FreeRTOS v1.2.3 to use wolfSSL.
• Added a new solution and project for demo at FreeRTOS-AWS/demos/pc/windows/visual_studio/aws_demo_wolf.sln.
• Added wolfssl as submodule.

Did you know that the wolfSSL embedded SSL/TLS library supports ARMv8 as well as the Cryptography Extensions that it provides?  wolfSSL is more than 10 times faster with AES and SHA256 operations the ARMv8 board we have been testing on (HiKey LeMaker) when using hardware acceleration versus software crypto!

ARMv8 Benchmark Data comparing Software and Hardware Cryptography

If you are interested in using wolfSSL on an ARMv8 platform and want some tips on getting started for optimal performance, contact us at facts@wolfssl.com!  wolfSSL now includes support for TLS 1.3 as well!

Our wolfMQTT project includes an example for secure firmware update. This example uses the wolfSSL embedded SSL/TLS library to hash/sign the binary image and send it over MQTT. The example has two applications. One is called fwpush, which hashes, signs and publishes the firmware image over TLS to an MQTT broker. The second is called fwclient, which subscribes to the example firmware update topic, receives the firmware image and validates the signature of it. This example is located in examples/firmware.

The latest wolfMQTT releases can be downloaded at:
https://wolfssl.com/download

Documentation for wolfMQTT can be found here:
https://www.wolfssl.com/docs/wolfmqtt-manual/

The latest source code can be found on our GitHub repo at:
https://github.com/wolfSSL/wolfMQTT

For questions please contact support at support@wolfssl.com.

At wolfSSL our favorite way to stay up-to-date on everything IoT is by subscribing to Stacey Higginbotham’s weekly newsletter that explains the latest in IoT. You can sign up for the newsletter at https://staceyoniot.com/newsletter/. If you like podcasts, check out her podcast at IoTPodcast.com.

We’ve advertised in the newsletter a couple of times and it’s a good way to reach an audience of people making connected products and services. You can learn more about advertising at https://staceyoniot.com/advertise/

We have released an update to our asynchronous version of wolfSSL v3.14.4.

Using our wolfSSL asynchronous library with hardware acceleration increases performance on server platforms requiring high connection rates and throughput. We support hardware acceleration using the Intel QuickAssist and Cavium Nitrox III/V adapters. We also support crypto offloading to dedicated asynchronous worker threads using our simulator.

This release includes fixes and features including:

Cavium Nitrox III/V:
* Added Nitrox V ECC.
* Added Nitrox V SHA-224 and SHA-3
* Added Nitrox V AES-GCM
* Added Nitrox III SHA2 384/512 support for HMAC.
* Added error code handling for signature check failure.
* Added error translate for `ERR_PKCS_DECRYPT_INCORRECT`
* Added useful `WOLFSSL_NITROX_DEBUG` and show count for pending checks.
* Cleanup of Nitrox symmetric processing to use single while loops.
* Cleanup to only include some headers in cavium_nitrox.c port.
* Fixes for building against Nitrox III and V SDK.
* Updates to README.md with required CFLAGS/LDFLAGS when building without ./configure.

Intel QuickAssist:
* Fix for Intel QuickAssist HMAC to use software for unsupported hash algorithms.

If interested in evaluating our asynchronous versions of wolfSSL or wolfCrypt please email us at facts@wolfssl.com.  wolfSSL also now includes support for TLS 1.3!  Learn more here!

Download wolfSSL’s Asynchronous Flyer

wolfSSL is a growing company looking to add a top notch embedded systems software engineer to our organization. wolfSSL develops, markets and sells the leading Open Source embedded SSL/TLS protocol implementation, wolfSSL. Our users are primarily building devices or applications that need security. Other products include wolfCrypt embedded cryptography engine, wolfMQTT client library, and wolfSSH.

Job Description:

Currently, we are seeking to add a senior level C software engineer with 5-10 years experience interested in a fun company with tremendous upside. Backgrounds that are useful to our team include networking, security, and hardware optimizations. Assembly experience is a plus. Experience with encryption software is a plus. RTOS experience is a plus.  Experience with hardware-based cryptography is a plus.

Operating environments of particular interest to us include Linux, Windows, Embedded Linux and RTOS varieties (VxWorks, QNX, ThreadX, uC/OS, MQX, FreeRTOS, etc). Experience with mobile environments such as Android and iOS is also a plus, but not required.

Location is flexible. For the right candidate, we’re open to this individual working from virtually any location.

How To Apply

To apply or discuss, please send your resume and cover letter to facts@wolfssl.com.

wolfSSL recently exhibited at Embedded World in Germany, where we did a quick video interview with ST.  The video highlights the STM32 platform support we have in the wolfSSL embedded TLS library and the demo that we were showing off during the exhibition.  wolfSSL engineer David Garske talks about wolfSSL’s hardware crypto support on the STM32F7 as demonstrated by a wolfCrypt benchmark demo.  Watch our interview on YouTube, here:

The demo mentioned in the video is available on GitHub, here.

If you are interested in securing your STM32-based IoT, RTOS, or embedded project with wolfSSL, contact us at facts@wolfssl.com for some tips!  wolfSSL also supports TLS 1.3!