RECENT BLOG NEWS

Microchip recently released an end-to-end security solution for IoT devices that connects to the Amazon Web Services (AWS). The kit, AT88CKECC, allows users to easily and securely connect to AWS out of the box. It includes the ECC508 device which provides secure key generation and storage.

Full details and product links can be found in the Microchip press release, or on the Microchip website.

wolfSSL has partnered with Microchip / Atmel to add support for the ATECC508A module in wolfSSL’s embedded SSL/TLS library. Please visit our ATECC508A webpage for complete details and a link to our downloadable package.

wolfSSL is happy to help answer any questions you may have about using wolfSSL with Microchip or Atmel platforms. Please reach out to us at facts@wolfssl.com to get in touch.

The wolfSSL embedded SSL/TLS library and wolfCrypt embedded crypto engine have been integrated into the Atmel ATECC508A crypto element, adding support for ECC hardware acceleration and protected private key storage on the ATECC508A.

Using wolfSSL, ATECC508A users can benefit from both increased ECC performance and secure key storage, thus hardening their TLS connections.  The wolfCrypt ATECC508A port adds:

+ wolfCrypt support for ECC hardware acceleration using the ATECC508A.  The new defines for this port are WOLFSSL_ATMEL and WOLFSSL_ATECC508A
+ New PK callback for Pre Master Secret

For more info please visit: https://www.wolfssl.com/docs/atmel/

wolfSSL is dual licensed under both the GPLv2 as well as a standard commercial license.  For licensing information, please see the wolfSSL License Page, or contact us facts@wolfssl.com or call us at (425) 245-8247

wolfSSL’s progressive embedded TLS/SSL library has a new release available for download by our community. This new release contains new features, updates to existing code, and bug fixes. Some of the additional features added to wolfSSL version 3.9.8 are the use of custom ECC curves, support for Brainpool curves, and RSA blinding for private key operations. With the addition of RSA binding comes increased protection against timing attacks for users that have static RSA suites on their server. Static RSA cipher suites are not recommended and are turned off by default with wolfSSL.

Some fixes were also made to the IoT wolfSSL library. A few of these fixes were dealing with sanity checks on malformed certificates outside of a TLS connection, revisions to the recent static memory feature, and updated handling of math operations with compressed ECC keys. It is recommended that users update to the most recent wolfSSL release. Users that have server side static RSA cipher suites enabled should update to this version of wolfSSL for RSA blinding, and create new RSA private keys.

Here is a full list of highlighted changes for this release of our embedded SSL library.

– Add support for custom ECC curves. This allows use of non-standard ECC curves.
– Add cipher suite ECDHE-ECDSA-AES128-CCM.
– Add compkey enable option. This option is for enabling and disabling compressed ECC keys.
– Add in the option to use test.h without gettimeofday function using the macro WOLFSSL_USER_CURRTIME. This makes test.h more portable.
– Add RSA blinding for private key operations. Enable option of harden which is on by default. This negates timing attacks.
– Add ECC and TLS support for all SECP, Koblitz and Brainpool curves.
– Add helper functions for static memory option to allow getting optimum buffer sizes. This calculates the size of the needed buffer to have it completely used with no excess unused memory at the end.
– Update wolfSSL for use with MYSQL v5.6.30.
– Update LPCXpresso eclipse project to not include misc.c when not needed.
– Updates to DTLS 1.2.
– Fixes for code in math sections with compressed ECC keys. This includes edge cases for buffer size on allocation and adjustments for compressed curves build.
– Fix function argument mismatch for build with secure renegotiation.
– X.509 bug fixes for reading in malformed certificates, reported by researchers at Columbia University
– Fix GCC version 6 warning about hard tabs in poly1305.c. This was a warning produced by GCC 6 trying to determine the intent of code.
– Fixes for static memory option. These fixes include avoiding potential race conditions with
counters and decrementing handshake counter in the case of a failed client connection attempt.
– Fix for a possible output buffer overrun when using anonymous cipher and Diffie Hellman key exchange on the server side.

For more information contact wolfSSL at facts@wolfssl.com.  Support questions can be directed to support@wolfssl.com.

wolfSSL Inc., makers of the wolfSSL (formerly CyaSSL) and wolfCrypt libraries for embedded applications and the IoT, are proud to announce our new library: wolfSSH. Do you have an embedded device using a serial port for configuration or logging? How would you like a secure tunnel into it to get at the logs and configuration, or even copy new firmware into it? wolfSSH is the solution for you!

wolfSSH keeps a small footprint by using the wolfCrypt cryptography library. If you need FIPS 140-2, wolfCrypt has you covered.

wolfSSH is currently dual licensed. You may download from our website and use it for free, so long as you abide by the GPLv3 licensing terms. Commercial licensing terms are also available. Please contact our sales team for more information.

Hi!  The IETF TLS Working Group released the next draft of the TLS 1.3 protocol specification on July 12th, 2016. We wanted to update our users with this for those interested in tracking the protocol’s progress with us.

The updated specification can be found on GitHub at:
https://tlswg.github.io/tls13-spec/

We are eager to implement TLS 1.3 as it gets closer to its final specification!  We think this new protocol iteration will add a lot of improvement!  As such, we`re excited to get going and need user feedback.  Please contact us to let us know what parts of the spec are most important to you.  We will consider adding pieces of TLS 1.3  to our current TLS 1.2 implementation, should users of wolfSSL need them.  Let us know your thoughts at facts@wolfssl.com.

wolfSSL Inc has received 3 more FIPS certifications for wolfSSL’s wolfCrypt Implementation on ATMEL’s SAM4L w/ OpenRTOS v9.0.0!! These certificates can be viewed here: SHS (SHA) certificate #3310, HMAC certificate #2617, AES certificate #4012.

wolfSSL Inc is in the process of certifying CMAC, AES, SHS, and HMAC on NXP’s LPC43S20 w/ OpenRTOS v8.2.3.  The lab tests have all passed and we are simply awaiting our CAVP certificates to be given a number and publish on the NIST site!

wolfSSL has successfully tested FIPS on NXP’s LPC43S37 w/ FreeRTOS v8.0.1 and previously wolfSSL received FIPS certifications on STMicro’s STM32F w/ FreeRTOS 7.6: SHS (SHA) certificate #2882, HMAC certificate #2228, AES certificate #3490, Triple DES certificate #1966, RSA certificate #1791, DRBG certificate #863

If you have a need for FIPS on FreeRTOS/OpenRTOS please do not hesitate to contact us.

fips@wolfssl.com
facts@wolfssl.com
support@wolfssl.com

If you are a Keil MDK-ARM user, we’re happy to remind our users that the wolfSSL embedded SSL library is integrated into the Keil MDK5 as an easy-to-use software pack.

This integration means that MDK5 users can easily pull in SSL/TLS support directly to their Keil projects without going out to the web to do a separate download.  In addition to the library itself, several example projects using wolfSSL are also available.

As stated by Reinhard Keil, ARM’s Director of MCU Tools, “The Keil and wolfSSL teams have successfully collaborated to fully integrate wolfSSL Embedded SSL into MDK 5. The result is the most seamless tool combination available for developers wishing to secure their device communications with SSL.”

To read more, the press release can be found here: http://www.prweb.com/releases/2013/10/prweb11215195.htm.  We’re excited to hear user feedback and field any questions that may come up.  Let us know what you think at facts@wolfssl.com.

wolfSSL also supports Keil RTX.  Keil RTX is a Real-Time Operating System (RTOS) that supports ARM and Cortex-M.  It is a royalty free RTOS designed for embedded systems with deterministic behavior.  Read more about Keil RTX here: http://www.keil.com/rl-arm/kernel.asp and http://www.keil.com/rl-arm/rtx_benefits.asp

Documentation for wolfSSL with Keil MDK-ARM can be found here: https://www.wolfssl.com/docs/keil-mdk-arm/

wolfSSL has begun adding support for the Intel Quick Assist 8950 PCIe adapter. By utilizing our new asynchronous support and the quick assist’s cryptography acceleration we should yield performance many times better than what can be achieved in software alone. This adapter retails for about $800 and is capable of 40K RSA 2048-bit operations per second. If you’d like more information please contact facts@wolfssl.com.

Product Brief: http://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/quickassist-adapter-8950-brief.pdf

wolfSSL fans! Do you like FIPS? Do you like virtual machines? Guess what. wolfSSL`s crypto library, wolfCrypt, has been validated for FIPS 140-2 mode running on three different virtual operating environments. We now have wolfCrypt validated for Microsoft® Windows® 7 running on VMware ESXi™ and SUSE® Linux Enterprise Server running on both VMware ESXi™ and Microsoft® Hyper-V®. If you are interested in getting a FIPS 140-2 approved crypto library running in your virtual operating environment, or any operating environment, please don`t hesitate to send us an email at fips@wolfssl.com. We look forward to hearing from you.

Many new additions and updates have been introduced in wolfSSL 3.9.6. For IoT and embedded SSL/TLS there was the addition of embOS and uTasker ports, each of these ports allowing for easily building wolfSSL on the respective environments. Updates were also done to STM32 crypto for using AES-GCM and AES-CCM, and updates were made to the MDK5 projects.

AES-NI saw an update for AES-CBC decrypt with wolfSSL version 3.9.6. This update decrypts 6 or 8 blocks at a time, greatly speeding up decryption times while using AES-NI. Additions that overlap both IoT and desktop platforms were also added like the addition of static memory. Compiling wolfSSL with –enable-staticmemory allows for using no dynamic memory while creating a SSL/TLS connection. This is useful for applications that wish to have a fixed amount of memory ahead of time and want more control over memory management. In addition to using static memory, compiling with –enable-sessionexport allows for serializing and exporting DTLS session information after the handshake is completed – giving the option of performing DTLS handshakes on one device and then sending that connection over to another device to handle throughput.

wolfSSL`s wrapper and OpenSSL compatibility layer were both expanded with the recent release. Version 3.9.6 introduced Python wrappers for crypto operations, allowing for integrating wolfSSL in Python projects. This easy to build wrapper is found in the directory “wolfssl-3.9.6/wrapper/python” along with a set of instructions for building it. Expansion to the OpenSSL compatibility layer was made with the introduction of dynamic session tickets. This makes it even easier for plug and replace when switching to use wolfSSL.

Furthering the progressiveness of wolfSSL, there was the addition of using the netRandom quantum random number generator from Whitewood. Now a quantum resistant cipher suite using NTRU can also be using a quantum random number generator. Making wolfSSL an excellent choice for quantum resistant security.

If looking to gain more speed with SSL/TLS connections operating in parallel to each other, check out the asynchronous operations addition to wolfSSL with this version. This keeps wolfSSL from blocking on SSL/TLS operations, such as RSA for example, in addition to non blocking on socket read/writes. If interested in using the new asynchronous features of wolfSSL please contact facts@wolfssl.com.

Along with all the additions and updates, some fixes were made to wolfSSL code with release 3.9.6. One fix was some edge case bugs with ECC when using ALT_ECC_SIZE and with key sizes over 256 bits. Additional code and comments on these ECC fixes can be found on our github page with pull requests #411, #416, and #428. The following list shows highlighted feature additions, updates and fixes.

Expanded list of release 3.9.6 for wolfSSL including new features and bug fixes:

– Add staticmemory feature, for using no dynamic memory allocation with wolfSSL
– Add public wc_GetTime API with base64encode feature
– Add AES CMAC algorithm, enabled using –enable-cmac
– Add DTLS sessionexport feature to serialize and send connection information. This allows for another system to take up the connection after the DTLS handshake has been performed
– Add python wolfCrypt wrapper. Located in directory wolfssl-3.9.6/wrapper/python.
– Add ECC encrypt/decrypt benchmarks. Can be ran with “./configure –enable-eccencrypt –enable-hkdf && make && ./wolfcrypt/benchmark/benchmark”
– Add dynamic session tickets to be used with openSSL compatibility
– Add eccshamir to configure.ac giving the option to compile without using ECC_SHAMIR. Can be used with ./configure –disable-eccshamir
– Add quantum RNG support with Whitewood netRandom, –with-wnr
– Add embOS port. Located in the directory wolfssl-3.9.6/IDE/IAR-EWARM/embOS
– Add minimum key size checks for RSA and ECC during TLS connection
– Add STARTTLS support to example client with ‘-M’ argument
– Add uTasker port. Macro define for uTasker can be found in wolfssl-3.9.6/wolfssl/wolfcrypt/settings.h
– Add asynchronous crypto and wolf event support
– Add compile check for misc.c with inline, this helps developers working in IDEs to not compile misc.c when not needed
– Add RNG benchmark to wolfcrypt/benchmark/benchmark.c
– Add reduction to stack usage with hash-based RNG
– Update STM32F2_CRYPTO port with additional algorithms supported, AES-GCM and AES-CCM
– Update MDK5 projects
– Update AES-NI to allow decrypting AES-CBC by 6 and 8 blocks at a time
– Fix for STM32 missing wc_ShaUdate return code with STM32F2_HASH defined
– Fix for function visibility warnings when building with MinGw
– Fix ECC math bugs with ALT_ECC_SIZE and key sizes over 256 bit. Code changes for ECC fix can be found at pull requests #411, #416, and #428
– Fix mismatch of certificate buffers to certificate files, github issue #422
– Fix decrypt max size with RSA OAEP. Previously in the case that the max message size allowed was being decrypted a bad padding error was returned
– Fix DTLS sanity check with DTLS timeout notification
– Fix free of WOLFSSL_METHOD on failure to create CTX
– Fix potential memory leak in failure case with wc_RsaFunction. Builds using RSA with using normal math and not RSA_LOW_MEM should update

Note: the tag v3.9.6w is for a simple port value fix with the echo server on a windows OS. This is with using Visual Studio as a development and testing environment.

For more information about any of the items on this list or information in general about wolfSSL contact us at facts@wolfssl.com