RECENT BLOG NEWS

Some of our users have been wondering if we were doing benchmarks of our SSL/TLS and cryptography performance. Here are the results we have gathered so far: wolfSSL / wolfCrypt Benchmarking.  This page includes several reference benchmarks as well as comparisons of software versus hardware cryptography.

Let us know if we should do a different kind of benchmark at facts@wolfssl.com.

• This implementation provides all TPM 2.0 API’s in compliance with the specification.
• This uses the TPM Interface Specification (TIS) to communicate over SPI.
• The design allows for easy portability to different platforms:
  1. Native C code designed for embedded use.
  2. Single IO callback for hardware SPI interface.
  3. No external dependencies.
  4. Compact code size and minimal memory use.
• Examples for the Raspberry Pi and STM32 with CubeMX.
• Includes demo code for the most commonly used API’s.
• Includes wrappers for Key Generation, RSA encrypt/decrypt, ECC sign/verify and ECDH.
• Testing done using the Infineon OPTIGA SLB9670 module.

To the benefit of our end users and customers, wolfSSL completed yet another year of successful growth in our technology advancement, our business, and our personnel. Our build out of the company is on track and we expect another banner year in 2018! Our advancement is outlined in detail below, but particular attention should be paid to some key improvements:

1. TLS 1.3: As we near finalization of the new standard, wolfSSL plans to release our implementation concurrently with the IETF’s release. TLS 1.3 is a game changer in a variety of applications, from heavy load server side consumers, to the smallest devices on networks with high latency. We see particularly interesting design opportunities in automotive and satellite communications. A world of intellect and experience has been poured into TLS 1.3, and it will be widely adopted quickly.
2. Japan: wolfSSL has always been popular with Japanese IoT users. In anticipation of further growth in Japan, we have added additional development staff to support the user base. We have also appointed Yoko Suga as President, wolfSSL Japan, to work with Takashi Kojo-sama and the team.
3. 24×7 Support: Our users demand the best support, and they get it! In 2017, we rolled out 24×7 support. We are the only TLS and Cryptography provider to make 24×7 support available to the market.
4. FIPS: We have continued to accelerate our support of the FIPS 140-2 standard by adding a number of key operating environments to our existing FIPS certificate. For added security, our users can now even benefit by running FIPS certified cryptography within a secure element like Intel’s SGX.

We are fortunate to be able to provide all of the above, and more, to our users! It is with great zeal that we develop and deliver our products, because we think it is important to the market to have a high quality, independent provider of crypto. Thank you all for your trust.

Team wolfSSL
Securing two billion connections and counting

wolfSSL Technical Progress

A total of six releases of the wolfSSL embedded TLS library were delivered in 2017, each with bug fixes, enhancements, and new feature additions. Highlights of these releases included:

1. New Features
   • TLS 1.3 support (Drafts 18, 20, 21, 22) including support for 0RTT
   • DTLS multicast (–enable-mcast)
   • SHA3 Keccak (–enable-sha3)
   • AES-XTS (–enable-xts)
   • AES-CFB (–enable-aescfb)
   • RSA-PSS signature generation and verification
   • ECC Cofactor DH (ECC-CDH)
   • Intel QuickAssist asynchronous support
   • NXP i.MX6 hardware encryption support (CAAM)
   • Expanded OpenSSL compatibility layer
   • PKCS#7 SignedData ECDSA support
   • TLS Supported Point Formats extension (ec_point_formats)
   • ASN Extended Key Usage Support
   • ECC public key generation from private key
   • PKCS#8 key creation functionality
2. Performance Optimization Changes
   • Intel AVX1/2 performance improvements
   • AES-GCM, SHA-2, ChaCha20/Poly1305
   • Improved performance with Intel RDRAND to use full 64-bit output
   • Speedups for AES-GCM with AES-NI
   • Improvements to asynchronous modes for Intel QuickAssist and Cavium Nitrox V
   • SHA-3 size and performance optimizations
   • Ed25519 performance optimizations
   • Math updates with added TFM_MIPS speedup
   • Single Precision math option for RSA, DH and ECC (“–enable-sp”)
   • Added Curve25519 51-bit implementation, increasing performance on systems that have 128-bit types
   • Normal math speed-up to not allocate on mp_int and defer until mp_grow
   • Improve fp_copy performance with ALT_ECC_SIZE
   • Increase performance with ECC_CACHE_CURVE option
3. Substantial Code Changes
   • Disabled TLS 1.0 by default
   • Removed RNG ARC4 support
   • OCSP and OCSP Stapling updates and improvements
   • Refactored struct and hash type names to allow for OpenSSL coexistence
   • Async blocking support for wolfSSL sniffer, Async fixes for GCC 7.1
4. Memory Reduction Changes
   • USE_SLOW_SHA256, reduce SHA-256 code size at expense of performance
   • WOLFMEM_IO_SZ, allow adjusting static I/O buffer size
   • Support use of static memory with PKCS7
   • Reduce heap usage with fastmath when not using ALT_ECC_SIZE
5. Examples and Benchmark Apps
   • Static memory support added to the wolfSSL example client
   • wolfCrypt benchmark option added to benchmark individual algorithms
   • wolfCrypt benchmark option added to display benchmarks in powers of 10
   • Added HMAC benchmark and expanded AES key size benchmarks
   • Added block size argument to wolfCrypt benchmark
   • Expanded SSL/TLS and crypto examples available in wolfssl-examples repo
   • Added TLS by cipher suite benchmark utility
6. Build Updates and New Ports
   • Added simple GCC ARM Makefile example
   • Added new Xilinx port for Zynq UltraScale+
   • Added port for using Intel SGX with Linux
   • Added NXP Hexiwear example
   • Added tenAsys INtime RTOS port
   • Added STM32CubeMX support
   • Added Docker container support
   • Updated Visual Studio for ARM builds
   • Updated Visual Studio DLL projects
   • Updated Texas Instruments TI-RTOS build
   • Updated IAR EWARM project files
   • Updated Apple Xcode projects with new benchmark project
   • Updated MySQL with wolfSSL build support
   • Updated Micrium uC/OS-III Port
   • Updated ARMv8 port with SHA224 and AES key wrap
   • Updated MQX Classic and mmCAU ports
   • Updated STM32F4 and STM32F7 AES-GCM support
   • Updated Arduino build script
   • Updated uT-Kernel port (iTron)
7. Testing
   • Expanded API unit tests, including:
     • MD5, SHA, SHA-224, SHA-256, SHA-384, SHA-512, RIPEMD, HMAC, 3DES, IDEA, ChaCha20, ChaCha20-Poly1305 AEAD, Camellia, Rabbit, ARC4, AES, RSA, HC-128, ECC
   • Extended test code coverage for the wolfCrypt test (test.c)
   • Added wolfCrypt hash tests for empty strings and large data
   • Code updates for warnings reported by Coverity Scan
   • Added scripted PSK interoperability testing
   • Added new fuzzers (libfuzzer, tlsfuzzer, OSS-Fuzz, AFL)
   • Added automated FIPS testing (Windows and Linux)
   • Added lots of horsepower and architectures to our test rig
8. Wrappers
   • Expand wolfSSL Python wrapper to now include a client side implementation
   • Expand wolfSSL C# wrapper
9. Open Source Project Ports
   • Support for Nginx web server
   • Support for HAproxy load balancer
   • Updated WPA Supplicant and Host AP support
   • Update stunnel port for version 5.40
10. Config Changes
    • “–enable-all”, enable all features
    • “–enable-wolfssh”, for building wolfSSL for wolfSSH
    • “–disable-oldnames”, allow for using OpenSSL along-side wolfSSL headers
    • “–enable-lowresource”, memory reduced build
    • “–enable-trackmemory”, new memory tracking feature
    • “–enable-intelrand”, indicate use of RDRAND preference for RNG source
11. Additional Product Enhancements
    • wolfMQTT
      • Two new releases with bug fixes and enhancements.
    • wolfSSH
      • Added ECDH Group Exchange with SHA-2 hashing and NIST curves P-256, P-384, and P-521
      • Added ECDSA signing with SHA-2 hashing and NIST curves P-256, P-384, and P-521
      • Added AES128-GCM encryption compatible with OpenSSH
      • Added a Visual Studio solution
      • Added client protocol support
      • Added example client to talk to the example echoserver
      • Miscellaneous bug fixes and enhancements

wolfSSL Top 10 Blog Posts/Technical Announcements

1. Difference between TLS 1.2 and TLS 1.3
2. TLS 1.3 Reducing Latency
3. wolfSSL Asynchronous Intel QuickAssist Support
4. wolfSSL in Intel SGX
5. Overview of Testing in wolfSSL
6. How to use the 0-RTT rope to climb, without hanging yourself!
7. wolfSSL Xilinx Support
8. Using wolfSSL on the Atmel ATECC508A with TLS 1.3
9. wolfCrypt/wolfSSL Benchmarks with iPhone 8/8 Plus/X(A11)
10. Using Alternative I/0 with wolfSSL Lightweight TLS

You’ll undoubtedly notice one the themes for this year was the early adoption of TLS 1.3 because the smaller footprint, less resource use, reduction of latency, and frankly better security. The other two themes that may not be so obvious is our focus on Hardware Based Security Enclaves or Elements to provide secure key storage, and our work on Asynchronous Crypto which passes off asymmetric operations to network acceleration cards like Cavium Nitrox and Intel QuickAssist.

wolfSSL Organizational Growth

• wolfSSL represents one of the largest teams focused on a single implementation of TLS/Crypto worldwide. If you know of anyone who fits the following description, please let us know.
  https://www.wolfssl.com/job-posting-embedded-systems-engineer/
• We expanded our customer base considerably, now we are securing connections for over 1000 products, have partner relationships with over 30 vendors, and are securing well over 2 Billion connections on any given day.
• wolfSSL Japan is official! We recently opened a new office in Tokyo and expanded the team to 4 local engineers.
• We got the word out, we attended over 32 trade-events (see below). You may ask yourself, why is wolfSSL visiting so many venues? The answer we are trying to save the world from using bad implementations of Crypto and TLS.
  • To see a list of upcoming events, check out our upcoming events page.

wolfSSL Events and Tradeshows

The wolfSSL team participated in a total of 32 events in 2017, which was up from 20 in 2016! As part of these events we were in 22 cities, 10 US states, and 6 countries! The events we participated this last year included:

1. CES (Las Vegas, NV)
2. Cybertech Israel (Tel Aviv, Israel)
3. FOSDEM (Brussels, Belgium)
4. RSA (San Francisco, CA)
5. Industry of Things World (San Diego, CA)
6. Mobile World Congress (Barcelona, Spain)
7. IoT Pro Expo/Cloud fair (Tokyo, Japan)
8. Embedded World 2017 (Nuremberg, Germany)
9. Renesas Japan (Tokyo, Japan)
10. IoT DevCon (Santa Clara, CA)
11. ESC – Boston (Boston, MA)
12. LinuxFest (Bellingham, WA)
13. Internet of Things World (Santa Clara, CA)
14. Embedded Systems-IoT M2M Japan-Japan IT week (Osaka, Japan)
15. ICMC (Washington, DC)
16. NXP FTF Connects (San Jose, CA)
17. Sensor Expo West (San Jose, CA)
18. Black Hat 2017 (Las Vegas, NV)
19. Microchip Masters 2017 (Phoenix, AZ)
20. Fort Meade It & Cyber Day (Fort Meade, MD)
21. ST Developers Conference (Santa Clara, CA)
22. Mobile World Congress Americas (San Francisco, CA)
23. IoT Oil and Gas (Houston, TX)
24. RIOT Summit (Berlin, Germany)
25. Sensors Midwest (Rosemont, IL)
26. Defense Innovation Technology (Tampa, FL)
27. ARM TechCon (Santa Clara, CA)
28. ESC Minneapolis (Minneapolis, MN)
29. Embedded Technology 2017 Yokohama (Yokohama, Japan)
30. IoT Tech Expo (Santa Clara, CA)
31. ESC San Jose (San Jose, CA)
32. ARM Tech Symposia (Tokyo, Japan)

To see upcoming events that wolfSSL will be attending, check out our upcoming events page.

In summary, we had a great year! 2017 was successful for us on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2018! As always, your feedback is welcome at facts@wolfssl.com!

It has been 4 years since the TLS v1.3 specification came out with Draft 1 and it looks like it has been finalized! With the release of Draft 24 the last of the WG comments have been addressed. Now the IESG will review the document and it is expected that it will soon be ratified as an RFC.

wolfSSL has updated its TLS v1.3 code to include support for Draft 22 and 23. Draft 24 is not significantly different and with the highly anticipated release of the RFC, we are looking forward to finalizing the TLS v1.3 code.

The last time we discussed TLS v1.3 the specification was at Draft 21. Since then a number of changes have been made to deal with middlebox incompatibilities.

Middleboxes are devices that sit between the client and the server that typically inspect, filter or act as a proxy. They are a necessary part of the Internet ecosystem. Inspection middleboxes are used to monitor network traffic and to collect statistics. Filters attempt to detect and remove undesirable network traffic that is malformed or malicious. Proxy-servers are used to terminate TLS connections to better manage the network traffic and spread load.

Middleboxes include embedded devices that are updated by changes to the firmware. Therefore updates are seldom made and the TLS v1.3 specification had to be modified to work with the deployed systems.

Mozilla performed a customer test with their browser connecting to a controlled website supporting Draft 18. The results (https://www.ietf.org/mail-archive/web/tls/current/msg25091.html) were that TLS v1.3 Draft 18 failed 2.91% of the time compared to TLS v1.2 failure rate of 1.58%. This was statistically significant. After some compatibility changes the failure rate fell to 1.63%. It was clear the changes were needed.

The changes required include:

• Changing the ServerHello version and record layer version post ServerHello to 0x0303
• Restoring missing fields from the ServerHello message.
• Merging the HelloRetryRequest into the ServerHello message.
• Ignoring ChangeCipherSpec messages in handshake.

It was first assumed that middleboxes would inspect ClientHello messages and pretty much ignore the responses like ServerHello and HelloRetryRequest messages. This didn’t work out in the real world. Therefore some of the ServerHello changes from TLS v1.2 had to be undone. All required changes are now available in wolfSSL.

Further optional compatibility changes are specified. This includes sending a ChangeCipherSpec before any encrypted data, thus the previous requirement to ignore these messages. wolfSSL has the ability to enable these with the use of the define: WOLFSSL_TLS13_MIDDLEBOX_COMPAT.

A more extensive test was performed by Mozilla after Draft 22 was released. The results (https://www.ietf.org/mail-archive/web/tls/current/msg25179.html) were:

• TLS v1.2 failure rate: 4.85% (3.25% US only)
• TLS v1.3 Draft 22: 5.02% (3.45% US only)
• TLS v1.3 Draft 22 Compat: 4.81% (3.24% US Only)

It is clear that the Draft 22 changes are working.

Draft 23 renumbered the KeyShare extension to allow for compatibility with CANON printers that were based on BSAFE and added a separate extension for negotiating certificate signatures.

wolfSSL by default supports Draft 23 but can be configured to support Draft 22 with: –enable-tls13-draft22. Also, for backwards compatibility for early adopters, Draft 18 support can be configured with: –enable-tls13-draft18.

If you have any questions or issues with wolfSSL’s TLS 1.3 implementation, please email us at facts@wolfssl.com, or our support team at support@wolfssl.com.

MySQL (#mysql) currently comes bundled with yaSSL to provide an option for SSL/TLS connections when using a database. A patch for securing MySQL with the wolfSSL embedded SSL/TLS library is available for MySQL version 8.0.0 here https://github.com/wolfSSL/mysql-patch.

Along with an increased level of security comes the potential to use progressive features offered by wolfSSL – such as TLS 1.3 and ChaCha20 / Poly1305 AEAD cipher suites (ex: ECDHE-RSA-CHACHA20-POLY1305). Another great feature is that wolfSSL cryptography is FIPS 140-2 validated! The change from yaSSL to wolfSSL will fit nicely into both Open Source and commercial applications, as it is dual licensed under both GPLv2 and standard commercial license terms.

For more information about the port, or to provide us feedback, contact us at facts@wolfssl.com!

wolfSSL is a growing company looking to add a top notch embedded systems software engineer to our organization. wolfSSL develops, markets and sells the leading Open Source embedded SSL/TLS protocol implementation, wolfSSL. Our users are primarily building devices or applications that need security. Other products include wolfCrypt embedded cryptography engine, wolfMQTT client library, and wolfSSH.

Job Description:

Currently, we are seeking to add a senior level C software engineer with 5-10 years experience interested in a fun company with tremendous upside. Backgrounds that are useful to our team include networking, security, and hardware optimizations. Assembly experience is a plus. Experience with encryption software is a plus. RTOS experience is a plus.  Experience with hardware-based cryptography is a plus.

Operating environments of particular interest to us include Linux, Windows, Embedded Linux and RTOS varieties (VxWorks, QNX, ThreadX, uC/OS, MQX, FreeRTOS, etc). Experience with mobile environments such as Android and iOS is also a plus, but not required.

Location is flexible. For the right candidate, we’re open to this individual working from virtually any location.

How To Apply

To apply or discuss, please send your resume and cover letter to facts@wolfssl.com.

We are working on adding MQTT v5.0 support to wolfMQTT.

Some of the new MQTT 5 features include:

• AUTH packet type to submit authentication method/data information after connect.
• CONNACK packets now include a reason code to better describe connect failures.
• DISCONNECT now supports server to client.
• Packets can include optional key/value properties.
• New data type for UTF-8 string pairs.
• No retry for QoS 1 and 2 packets (let assumed TCP handle retry).
• Passwords can be provided without a username

The new specification can be found here:
http://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html

Support for these new features will be release in the next few weeks as wolfMQTT v1.0.

We’re excited that wolfSSL embedded SSL/TLS library now includes support for TLS 1.3 and think that there are many advantages to using TLS 1.3 in applications, projects and devices.  Here are the top 5 advantages to using TLS 1.3 with wolfSSL:

1. More secure than older TLS protocol versions by eliminating risky crypto
2. Reduces latency through fewer roundtrips in the TLS handshake
3. The server can be stateless when resuming a session
4. We are the first and only commercial license supplier of TLS 1.3 library for embedded devices today
5. We are the only company to support its own TLS 1.3 stack

If you would like to talk in more detail about using TLS 1.3, contact us at facts@wolfssl.com!

We are excited to announce that wolfCrypt v4.0 is currently in process for CMVP validation for FIPS 140-2. We are adding more algorithms to our security boundary including ECDSA, ECDHE, AES-GCM, AES-CCM, SHA-3, and RSA-PSS. Also included is FIPS 186-4 compliant key generation for RSA and ECC. We will be able to offer TLSv1.3 with FIPS validated cryptography for embedded devices. For more information, please email fips@wolfssl.com.

wolfSSL has supported the ThreadX/NetX RTOS with the TLS protocol. Recently we added the ability to use DTLS with NetX. Out of the box, wolfSSL has the I/O callback functions for handling UDP packets for DTLS. As an extension to DTLS, wolfSSL also supports Multicast DTLS. If you would like to know more please contact our sales team via email, sales@wolfssl.com