RECENT BLOG NEWS
Using Cryptographic Hashes for Hash Tables
Choosing a good hash function for a hash table is difficult to say the least. Even if you can achieve good distribution and performance for a given hash function it`s still most likely dependent on table size and the type of input. Resizing the table or getting unexpected input can quickly turn an otherwise good choice into a bad one. Using a cryptographic hash function reduces nearly all of the problems. Any and all table sizes are now equally supported. Strings, numbers, and even binary data are all valid input. And since a change in a single bit of input has an avalanche effect on the output, uniform distribution is achieved. Really, the only possible negative is performance. But it`s not nearly as bad as you probably think.
We tested 100 bytes of random data and did the test 1,000,000 times using the hash functions MD5, SHA1, and a typical MULTIPLIER type hash function. Of course the basic hash function was the fastest at 0.66 microseconds per hash. MD5 used 0.78 microseconds per hash while SHA1 consumed 1.02 microseconds per hash. All in all, the small hit in performance seems well worth the gains in being able to use variable table sizes and any type of input without concern. Testing was done using wolfSSL`s cryptography functionality in the CTaoCrypt module.
wolfSSL support for Green Hills INTEGRITY RTOS
Are you interested in using the wolfSSL lightweight SSL library on the Green Hills INTEGRITY RTOS? Although wolfSSL doesn’t currently have INTEGRITY support, we would like to gauge user and community interest to help us plan our schedule for the upcoming year. If you would like to see INTEGRITY support added to wolfSSL, please let us know at info@yassl.com.
From Wikipedia, INTEGRITY “is royalty-free, POSIX-certified, and intended for use in embedded systems needing reliability, availability, and fault tolerance. It is built atop the velOSity microkernel and is intended mainly for modern 32- or 64-bit embedded system designs that support an MMU.” To learn more about INTEGRITY, please visit the Green Hills website, here: http://www.ghs.com/products/rtos/integrity.html.
yaSSL 2012 Annual Report
Business and Company Progress
• We doubled our customer base again this year and dramatically increased revenues, confirming the usefulness of our technology, our open source strategy, and our relevance in the emerging device security and BYOD markets.
• We have further penetrated key vertical markets, including home appliances, smart metering, sensors, M2M, gaming, VoIP, banking, and defense/military.
• We expanded our partnerships with Synopsys, Freescale, Mentor Graphics, Intel, Microchip, ARM, Marvell, FreeRTOS, EBS Net, Cavium, and STMicroelectronicselectronics.
• We successfully participated in the following events: CES, FOSDEM, Design West, OSCON, RSA, Black Hat, Game Developer Conference, Design East, Infosec UK, Intel Developer Forum, Intel Alliance Summit, and ARM TechCon.
• We increased the size of our team, and continue to hire top notch engineering talent.
• We continue to value and support the open source community through our free support offering for open source users.
• We released two new case studies surrounding M2M communication (Cinterion, CCww) and a new white paper with Intel about AES-NI.
• We gave presentations at FOSDEM 2012 (Technical Update), the Kerberos Consortium during RSA (Kerberos/GSS-API Android), DESIGN West (Nucleus Support), Infosecurity UK (What to look for in a SSL/TLS library), and the MySQL Meetup in Seattle (yaSSL in MySQL).
• yaSSL introduced a Japanese version of www.yassl.com to better cater to our Japanese users and customers.
• We introduced a new three-tiered support program.
wolfSSL Technical Progress
• AES-GCM – Direct AES Galois Counter Mode support and cipher suites
• CRL – Certificate Revocation List processing with directory monitoring
• OCSP – Online Certificate Status Protocol support built in
• Lean PSK – A low footprint, 24k, PSK TLSv1.2 build
• Reduced Memory use after handshake – Once the TLS handshake is complete, handshake resources are freed
• Lower stack memory use – Use of large static buffers eliminated
• Reliable DTLS, Cookies – DTLS cookies and full reliability now supported, no longer beta
• Unit/Suite Tests – Exposed unit API, hash, and cipher suite tests with valgrind support
• Static ECDH – Now supports several static ECDH cipher suites
• ECC client cert – Authentication with client ECC certificates now supported
• ECC released into open source – Now available on github and downloads
• SHA-384 – Direct use and cipher suites supported
• Subject AltName processing – AltNames easily retrieved from peer certificate for verification
• Sniffer SessionTicket support – Support for modern browsers using session tickets
• Command line example options – Example client and server now have several runtime options
wolfSSL Porting Progress
• FreeRTOS and FreeRTOS Windows Simulator
• SafeRTOS
• Freescale MQX/RTCS/MFS. wolfSSL is now ported to MQX and has been tested on the Kinetis MCU. Example CodeWarrior projects are now available in the wolfSSL download.
• EBSnet RTIP
• Yocto/OpenEmbedded. A new Yocto/OpenEmbedded layer is available for easy integration of wolfSSL into existing Yocto projects.
• Nucleus RTOS
• TinyOS. Several CTaoCrypt algorithms have been ported to TinyOS
yaSSL Embedded Web Server Progress
• Release version 1.0 with bug fixes and feature enhancements
• SafeRTOS port
Community
• MIT Java GSS-API for Android
• wolfSSL is now able to be used as a crypto provider for MIT Kerberos
• wolfSSL now supports ssmtp 2.64
• libscs now has support for wolfSSL
wolfSSL Lightweight SSL in 20 kB with Lean PSK
Are you interested in using the wolfSSL embedded SSL library in an extremely resource constrained environment? If so, you may be interested to hear that we have recently implemented a wolfSSL “Lean PSK” build which enables the wolfSSL library to be built with a footprint size of 20kB!
The “Lean PSK” build requires the use of pre-shared keys with wolfSSL, along with removing several additional features. If you are curious, or would like to learn more, please contact us at info@yassl.com.
CyaSSL Competitive Upgrade Program
One of the services that yaSSL provides is the CyaSSL Competitive Upgrade Program. With this program, yaSSL offers competitive upgrade pricing for those who wish move from an outdated, orphaned, or overpriced SSL library to the CyaSSL embedded SSL library with low cost and minimal disturbance to their code base.
Here’s an outline of the Competitive Upgrade Program:
-
1.You need to currently be using a commercial competitor to CyaSSL.
-
2.You will receive up to two weeks of on-site consulting to switch out your old SSL library with CyaSSL. Travel expenses are not included.
-
3.Normally, two weeks is the right amount of time for us to make the replacement in your code and do initial testing. Additional consulting on a replacement is available as needed.
-
4.You will receive the standard CyaSSL royalty free license to ship with your product.
The purpose of this program is to enable users who are currently spending too much on their embedded SSL implementation to move to CyaSSL with ease. If you are interested in learning more, or interested in how CyaSSL compares to what you are currently using, then please contact us at info@yassl.com.
ECC Support Comes to the wolfSSL Embedded SSL Library
Although ECC support for the wolfSSL lightweight SSL library has been available in our GitHub repository for the past several weeks, we wanted to officially announce it to our users and customers. An official download of wolfSSL with ECC will be available on the www.yassl.com website with the next official release of wolfSSL.
wolfSSL’s ECC implementation can be found in the
/* ECDHE suites */
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
/* ECDH suites */
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
/* AES-GCM suites */
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
To view or download the most recent version of the wolfSSL sources with ECC integrated, please visit our source repository on GitHub (https://github.com/cyassl/cyassl). If you have any questions about ECC support in wolfSSL, please let us know at info@yassl.com
MIT Kerberos GSS-API with wolfSSL Now Available for Android
Support for the MIT GSS-API library is now available for the Android platform – complete with an org.ietf.jgss (RFC 5653) compatible application programming interface, wolfSSL cryptography integration, and NDK sample application.
You may have read our previous blog entry announcing the initial phases of our effort to port the MIT Kerberos libraries and wolfSSL embedded SSL library to the Android platform (see link in Reference section, below). This post described initial availability of the Kerberos libraries to Android through the native NDK framework – enabling Android NDK developers to add Kerberos support to their NDK applications at a native C or C++ programming level. At that time, we also commented on next steps for the project and sought feedback from the community on adding a Java API to make using Kerberos on Android easier and more standardized.
Since that time, we have been hard at work enhancing the project, adding support for a new Java GSS-API wrapper, updating our example code, and adding new features to our sample NDK application.
1. Java GSS-API Wrapper
The addition of a Java wrapper around the native MIT GSS-API took part in two stages – a SWIG-generated (http://www.swig.org/) Java interface, which then in turn was used as a building block for a org.ietf.jgss Java API. The individual layers are visualized in the figure below. Both the SWIG layer and the Java GSS-API layer are able to be used in a Java application to access the underlying MIT Kerberos/GSS-API libraries. The SWIG layer is more tedious to use and less standardized than the Java GSS-API layer, but is closer to the C programming API of the native MIT GSS-API. We suggest that Java developers use the org.ietf.jgss Java interface over using the SWIG layer directly. As the org.ietf.jgss interface followed RFC 5653, Java developers should be able to refer to the standard Java documentation for the org.ietf.jgss package for usage instructions and class descriptions.
Source code for this project has been released under the open source MIT license, and is currently available for download on GitHub. Both the Java Generic Security Services API wrappers (SWIG and Java GSS-API), as well as example client and server applications and build instructions are located in the kerberos-java-gssapi package, at the following GitHub URL:
http://github.com/cconlon/kerberos-java-gssapi
2. Enhanced Example Code
Included in the Java GSS-API package, we have created several example applications to help developers understand how to use this project in their own application. There are two sets of client and server examples provided. The first one is a set of client and server applications which directly use the SWIG-generated Java interface. The second set of applications is a client and server that use the more standardized Java GSS-API interface (org.ietf.jgss).
It is recommended for Java developers to use the Java GSS-API examples, as they demonstrate programming and API usage which is more common in the Java programming language. Before running any of the included examples, the development machine must first have a krb5.conf file and KDC set up correctly to match the principal names used in the examples. For more details about building and running these example applications, please see the README included in the kerberos-java-gssapi package.
3. Sample NDK Application
As one of the main goals of this project was to bring MIT Kerberos/GSS-API support to the Android platform, we have created a sample Android NDK application to serve as an example and reference to Android developers. This sample application provides a GUI wrapper around the MIT Kerberos kinit, klist, kvno, and kdestroy applications. It also provides a sample client using the Java GSS-API interface to connect and communicate with the example server application (from Section 2, above).
This package contains cross-compiled version of the MIT Kerberos libraries, and includes instructions on how to re-compile the Kerberos libraries yourself for the Android platform. For details on how to build and run this example application in the Android emulator, please see the README file located in the NDK application package.
All sources for this sample application are located in the kerberos-android-ndk package, located at the following URL:
http://github.com/cconlon/kerberos-android-ndk
yaSSL and MIT are excited to bring Android developers MIT Kerberos and GSS-API support and look forward to seeing what kinds of applications will use this functionality. If you have any questions, comments, or feedback, we would enjoy to hear it! Please contact us directly at info@yassl.com.
References:
MIT Kerberos: http://web.mit.edu/kerberos/
wolfSSL: http://yassl.com/yaSSL/Products-cyassl.html
kerberos-java-gssapi: http://github.com/cconlon/kerberos-java-gssapi
kerberos-android-ndk: http://github.com/cconlon/kerberos-android-ndk
Initial announcement: https://www.wolfssl.com/android-kerberos-port-using-wolfssl-embedded-ssl/
Thanks,
Team yaSSL
Security on Freescale Kinetis MQX with wolfSSL
Hello Kinetis users!
Our team has now ported and released wolfSSL lightweight SSL for Freescale Kinetis. The newest work is for MQX/RTCS/MFS on Kinetis tower systems. Check our Github repository for the most recent source code:
https://github.com/cyassl/cyassl
If you are a Kinetis user, you will also be pleased to know that we support FreeRTOS, Micrium, and bare metal or operating systemless (NO_OS) configurations as well. You will find wolfSSL is optimal for connected home and Smart Grid security applications on Kinetis.
In addition to MQX/RTCS/MFS support, Kinetis onboard Random Number Generator Accelerator (RNGA) support is also available for wolfSSL. If you have a demanding performance requirement for your crypto, then let us know. We can work with you to optimize the following hardware supported algorithms: DES, 3DES, AES, MD5, SHA-1, SHA-256. We are also available to help with SHA-3.
We have bundled several example CodeWarrior projects with wolfSSL for MQX/RTCS/MFS, including a wolfSSL library project, CTaoCrypt test app, and wolfSSL example client. When building wolfSSL for MQX, define FREESCALE_MQX in cyassl/ctaocrypt/settings.h. This in turn defines FREESCALE_K70_RNGA which enables support for the Kinetis H/W RNGA.
You are welcome to contact us with any support or configuration questions at support@yassl.com.
Team yaSSL, from Montana, Idaho, Iowa, Washington, and Oregon. All American Crypto you can Trust.
yaSSL Embedded Web Server SafeRTOS Port
Have you been searching for a web server that runs on SafeRTOS? We recently ported the yaSSL Embedded Web Server and wolfSSL embedded SSL library to the SafeRTOS operating system. This means that you can easily serve up HTTPS content from your SafeRTOS-enabled project. The yaSSL Embedded Web Server offers a very small footprint, with build sizes of 100kB with SSL enabled (or 40kB without SSL). It also offers a full list of features including SSI, aliases, digest authorization, IP restrictions, and more.
From the SafeRTOS website, “SAFERTOS® is a unique real-time, deterministic operating system especially designed for critical applications. It is available pre-certified according to key standards in markets including Industrial and Medical. First certified by TÜV SÜD in 2007, SAFERTOS was developed in compliance with IEC61508 SIL3, and it continues to set the pace as the first pre-certified real-time operating system available in the ROM of a micro-controller.”
If you are interested in learning more about our port, or would like to try out either of these products on a SafeRTOS platform, please contact us at info@yassl.com for details.
yaSSL Embedded Web Server: http://yassl.com/yaSSL/Products-yassl-embedded-web-server.html
wolfSSL embedded SSL library: http://yassl.com/yaSSL/Products-cyassl.html
SafeRTOS: http://www.highintegritysystems.com/safertos/
Good article on potential SHA-3 (aka Keccak) use in embedded systems
Here`s a good article if you`re wondering how SHA-3 will be used: http://community.embeddedswstore.com/t5/Embedded-Connection/Why-Does-Embedded-Security-Get-Overlooked/ba-p/286
From the article:
“What then will SHA-3 be good for? While Polk says it may take years to identify all the possibilities for Keccak, it immediately provides an essential insurance policy in case SHA-2 is ever broken. He also speculates that the relatively compact nature of Keccak may make it useful for so-called “embedded” or smart devices that connect to electronic networks but are not themselves full-fledged computers. Examples include sensors in a building-wide security system and home appliances that can be controlled remotely.
‘The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network,’ Polk says. ‘SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before.’”
yaSSL is considering implementing a beta of SHA-3 in our wolfSSL embedded SSL product. Our current timeline will have code available sometime around Christmas this year. If you`re interested in taking a look at our implementation, then email us at info@yassl.com.
Weekly updates
Archives
- December 2024 (19)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)