RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news, or sign up to receive weekly email notifications containing the latest news from wolfSSL. wolfSSL also has a support-specific blog page dedicated to answering some of the more commonly received support questions.

wolfBoot Supports the Infineon AURIX TriCore TC3xx

We’re thrilled to announce that wolfBoot now supports Infineon’s AURIX TriCore TC3xx family of microcontrollers, bringing enhanced security and flexibility to your automotive and industrial applications.

Why AURIX TC3xx?

Infineon’s AURIX TriCore TC3xx microcontrollers are renowned for their high performance, safety, and security features, making them ideal for automotive and industrial applications. Adding wolfBoot to your TriCore application means you get a small and performant secure bootloader designed to protect your firmware right from the start.

Why wolfBoot on AURIX TC3xx?

  1. Security: Ensure only authenticated firmware runs on your TriCore device, safeguarding against malicious code and aftermarket tuning modifications. Encrypted application images prevent attackers from reverse engineering your code and data, and rollback protection ensures bugs in your firmware can’t be exploited once fixed. Secure key storage means your cryptographic material remains inaccessible from the outside world, providing your application with a strong root of trust.
  2. Reliability: Combine the TC3xx’s functional safety with wolfBoot’s robust image update procedure, providing your application with resilience to power failures and support for delta/incremental updates.
  3. Flexibility: wolfBoot is OS agnostic, and can interoperate with any RTOS, Linux or bare-metal application, including AUTOSAR stacks. wolfBoot’s tight integration with wolfCrypt, the world’s best-tested cryptography library, provides built-in support for all major cryptographic algorithms, including post-quantum algorithms and Chinese government-mandated SM ciphers. This means your application benefits from exceptional crypto agility, easily adapting to new cryptographic standards and staying secure against evolving threats.

Getting Started

To get started with wolfBoot on the AURIX TC3xx, clone the wolfBoot repository and follow the AURIX build instructions. The example project contains everything you need to load and update images on the AURIX LiteKit-V2 development board, but the steps should be adaptable to any device in the TC3xx family.

wolfBoot TriCore HSM Integration

wolfHSM is a software framework that provides a portable and open-source abstraction to hardware cryptography, non-volatile memory, and isolated secure processing that maximizes security and performance for ECUs. It consists of a client-server library architecture, where the wolfHSM server runs on the secure HSM core, and client applications communicate with the server through the wolfHSM client library. wolfHSM dramatically simplifies client applications by allowing direct use of wolfCrypt APIs, with the library automatically offloading all sensitive cryptographic operations to the HSM core as remote procedure calls with no additional logic required by the client app. The AURIX TC3xx family of devices is fully supported by wolfHSM, and includes HSM hardware crypto acceleration.

With the wolfHSM server running on the AURIX HSM core, wolfBoot can use the wolfHSM client to offload all cryptography and key storage to within the HSM secure environment, providing application images with an HSM-backed root of trust. wolfHSM can also leverage wolfBoot on the HSM core, authenticating both the wolfHSM server application and the TriCore application images before releasing wolfBoot on the application cores.

Using wolfBoot on the Infineon AURIX TC3xx is a big step towards securing your automotive or industrial application with minimal effort, especially when combined with wolfHSM.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

wolfSSL Embraces RISC-V FIPS 140-3 Certifications Now Available

wolfSSL was a proud sponsor and exhibitor at the RISC-V Summit EU earlier this year. Thank you to all the attendees that stopped by; We enjoyed the interesting discussions regarding wolfSSL in your projects.

Some of the most common questions we heard:

Q: Is wolfSSL supported on RISC-V devices?

A: Yes! Absolutely. The wolfSSL libraries run on nearly every device, including RISC-V. For instance, recently we published a blog on the HiFive Unleashed RISC-V Benchmarks.

Q: Does wolfSSL have support for RISC-V Acceleration Extensions?

A: Yes! For example, see the GitHub wolfSSL PR #7569 that implemented the AES ECB / CBC / CTR / GCM / CCM for RISC-V 64-bit in assembly language where we saw a 50x improvement in performance.

Q: Does wolfSSL have support for IP Hardware Acceleration such as OpenTitan?

A: We are currently evaluating Open Titan and various other IP solutions. We added RISC-V hardware acceleration to the Espressif ESP32-C3 and ESP32-C6 devices earlier this year.

Q: Can RISC-V devices be FIPS 140-3 Certified?

A: Yes! Recently we announced that wolfSSL is the First in the World to offer FIPS 140–3 Automated Submission with our NIST Certificate #4718.

See our prior blogs on:

The What is FIPS (short version) blog also applies to RISC-V with regards to how your RISC-V Operating Environment (“OE”) can be certified:

  1. You send us your hardware and toolchain.
  2. We run the initial tests which ensure the cryptography module behaves according to specification given your specific hardware and operating system.
  3. The CMVP certified lab runs and verifies the tests and their documentation.
  4. The test results are submitted to CMVP for review.
  5. Your specific operating environment is added to our certificate.
  6. You are FIPS 140 compliant in 60-90 days.

For more details, see our blog What is FIPS (long version).

Are you interested in RISC-V or FIPS Certification? We want to hear about your project!
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

FIPS 140-3 and KDF’s (Key Derivation Functions)

As our readers know, wolfSSL is currently the leader in embedded FIPS certificates. The wolfCrypt module holds the world’s first SP800-140Br1 FIPS 140-3 Validated Certificate #4718.

One of the things that is critical to our users is Key Derivation Functions.

Key derivation functions are consumed by TLS 1.2, TLS 1.3, and SSH. We will support KDF’s for all three in our new FIPS 140-3 certificate.

If you have questions on FIPS 140-3, please contact us at fips@wolfSSL.com or see our FIPS FAQ. For any other inquiries, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Why wolfSSH is Immune to the regreSSHion

Recently, Qualys found an exploit in OpenSSH’s sshd server application that they named regreSSHion. This exploit lets attackers run arbitrary code by exploiting a race condition in a signal handler.

wolfSSH is not a port or fork of OpenSSH. It is written from scratch by wolfSSL Inc. While wolfSSHd is using the same alarm signal to time out users, our signal handler only sets a flag. OpenSSH’s handler, on the other hand, called unsafe functions.

How wolfSSH Avoids This Vulnerability

wolfSSH’s signal handling is designed to be safer due to:

  1. Minimalist Signal Handling: Our handler only sets a flag, reducing race condition risks.
  2. Async-Signal Safe Operations: We ensure all operations within the signal handler are safe.
  3. Independent Implementation: wolfSSH is a complete rewrite, avoiding inherited vulnerabilities.

Conclusion

The regreSSHion exploit in OpenSSH underscores the need for safe signal handling. wolfSSH’s simple and secure approach to signal handling avoids the vulnerabilities found in OpenSSH, making it a safer choice for SSH server applications.

If you have any questions or want to talk about wolfSSH, please feel free to send us an email at facts@wolfssl.com or sales@wolfssl.com, or call us at +1 425 245 8247.

Download wolfSSL Now

Why Would You Want wolfSSL’s FIPS 140-3 Certificate

As our readers know, wolfSSL is currently the leader in embedded FIPS certificates. The wolfCrypt module holds the world’s first SP800-140Br1 FIPS 140-3 Validated Certificate #4718, valid through July 10th, 2029.

There are a few significant changes coming with FIPS 140-3. Over the years with many specification updates, a few things got a little inconsistent, so these inconsistencies have been brought back in line. wolfSSL is prepared to deliver the first and best implementation of FIPS 140-3, so get ready.

As FIPS 140-3 is the replacement for FIPS 140-2 it is always a good idea to switch over to it as soon as possible. You will also want wolfSSL’s FIPS 140-3 Certificate for many additional reasons that include:

  • Merging the FIPS + ISO Standard
  • CAST Testing Streamlined – just testing the algos they are actually using.
  • Addition of TLS KDF in FIPS Boundary
  • Addition of SSH KDF in FIPS Boundary
  • Addition of RSA 4096
  • Addition of ECDSA + SHA-3
  • Removal of insecure algorithms: example Triple DES

Check out the wolfSSL embedded SSL/TLS library, star us on Github, and learn more about the latest TLS 1.3 is available in wolfSSL.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Eclipse Mosquitto Broker with wolfSSL

The wolfSSL team has expanded our Open Source Projects repository with a port for Mosquitto, an open source MQTT broker. Mosquitto users can benefit from wolfSSL’s lightweight SSL/TLS library.

Why should you use wolfSSL with Mosquitto?

  • Portability across platforms and OS/RTOS environments
  • Low/optimized memory use (runtime and footprint)
  • Best-tested SSL/TLS/crypto implementation available, reducing vulnerabilities
  • Current protocol support, up to TLS 1.3
  • Progressive algorithm support (ChaCha20, Poly1305, Curve/Ed25519, etc)
  • Commercial support available direct from wolfSSL engineers
  • Commercial licenses available (in addition to standard GPLv2)

To use the Mosquitto port, follow the instructions in the patch file.

Set up wolfSSL

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-mosquitto
make
make install

Set up Eclipse Mosquitto

git clone https://github.com/eclipse/mosquitto.git
cd mosquitto
git checkout v2.0.18
patch -p1 < 
make WITH_TLS=wolfssl
make WITH_TLS=wolfssl test

Let us know what you think! We plan to add support for CMake builds. If you are interested or have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

ACVP and FIPS 140-3

As many in the FIPS world are aware NIST retired CAVP (Cryptographic Algorithm Validation Protocol) testing on June 30th of 2020, permanently replacing CAVP with ACVP (Automated Cryptographic Validation Protocol), also referred to as ACVTS (Automated Cryptographic Validation Test System).

In order to prepare for this transition NIST offered a “demo server” that Vendors like wolfSSL and FIPS Labs could utilize in standup of the new protocol. Once the transition was completed NIST also setup “production servers” which only FIPS Labs with a trusted certificate issued by NIST can connect to; Production Vectors passing are now the gateway to Algorithm Certification (IE certs like the ones wolfSSL just received!).

Algorithm Certification is a prerequisite to CMVP FIPS 140-3 validations. This design keeps in place the need for a FIPS lab to achieve algorithm certification but it now allows for Vendors such as wolfSSL to pre-test in advance of requesting production vectors for certification! wolfCrypt holds the world’s first SP800-140Br1 FIPS 140-3 Validated Certificate #4718.

wolfSSL also supports the new ACVP, which is the successor to the two decade old CAVP system from NIST. ACVP is intended to alleviate the manual steps of the older CAVP process, creating a more efficient and effective method for cryptographic algorithm testing and validation.

More on ACVP’s

ACVP stands for (Automated Cryptographic Validation Protocol) and it is the upcoming protocol that will be used for FIPS validation. This is going to be a prerequisite certificate for the CMVP(Cryptographic Module Validation Program) and CAVP(Cryptographic Algorithm Validation Program) certificates.

ACVP makes testing cryptographic algorithms and modules more efficient than the current method and more automated. There are three main parts to ACVP – a server, a proxy, and a client.

  • The server side handles requests for test vectors and requests for validation among other requests. This side is operated by a FIPS lab or by NIST themselves.
  • A proxy with ACVP can be used to communicate to offline systems and handle transferring information from the system being tested to the server. Often an ACVP client is used instead.
  • The last part being a client, which is most relevant to users who are wanting to get their cryptography FIPS validated. An ACVP client is directly hooked up to the module to be tested and then communicates with the ACVP server to send requests for test vectors, responses of the results from running those tests, and requests for algorithm validation. There are multiple pieces required to build a ACVP client in order to complete a validation process, some of the large portions of the effort go into
    • JSON parsing / creation for communication with a ACVP server
    • HTTPS GET / POST / PUT / DELETE messages used for securely transporting information
    • 2 factor authentication with TOTP (Time-Based One-Time Password Algorithm)
    • Plugging in the test harness that runs crypto operations

Ultimately an ACVP client communicates with the server to validate cryptographic operations. This includes creating, or referencing meta data such as; vendor, OE, and module information. A simplified message flow for getting an algorithm validated is as follows:

Live Webinar: Medical Device Security

Learn a comprehensive overview of the current medical device landscape, the associated security challenges, and how wolfSSL’s solutions can help you navigate these complexities effectively.

Check it out: Medical Device Security: Key Strategies for Cyber Security and Data Protection

In the rapidly evolving medical device sector, ensuring the security and integrity of devices is paramount. Join our expert, Eric Blankenhorn, as he delves into the intricacies of the medical device landscape, exploring common attack vectors, regulatory requirements, and emerging security trends. Discover how wolfSSL’s suite of solutions can safeguard your devices and ensure compliance with industry standards.

Key topics that will be covered include:

  • Overview and Trends: Introduction to wolfSSL and the latest security trends in medical devices.
  • Regulatory Compliance: Learn about regulatory requirements and how wolfSSL meets them.
  • Solutions and Use Cases: Discover wolfSSL’s solutions and real-world use cases in the medical sector.
  • Key Technologies: Overview of wolfSSL’s SSL/TLS, wolfCrypt FIPS 140-2/3, and wolfBoot.
  • Advanced Features: Explore wolfSentry and wolfSSL robust testing protocols.

Don’t miss out on this opportunity to elevate the security of your medical devices. Watch it now and take a proactive step towards safeguarding your devices against emerging threats.

As always, our webinars include Q&A sessions. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Changes to Maximum Alternative Names Macro in wolfSSL

In the 5.7.2 release, a new macro WOLFSSL_MAX_ALT_NAMES was introduced to limit the maximum number of allowed subject alternative names to a default value of 128 to prevent a possible denial of service attack. Unfortunately, after the release, some commonly used certificates were brought to our attention that have more than 128 subject alternative names. If you started using 5.7.2 and hit error -161 on certificate handling this may be your problem. This issue can be immediately mitigated by building with WOLFSSL_MAX_ALT_NAMES at a number larger, say 512 or 1024. The wolfSSL master branch already has an increased default of 1024 which should be sufficient for all real world certificates and will be included in the 5.7.3 release.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

FIPS 140-3 and SHA-1 Retirement

In December 2022, NIST announced that the venerable SHA-1 algorithm, introduced in 1995, is at end-of-life. While wolfSSL does not use or recommend SHA-1 for new designs, we implement and support it in our products. With the NIST announcement, that will soon change for new FIPS 140 submissions, as we too will retire SHA-1.

The wolfCrypt module holds the world’s first SP800-140Br1 FIPS 140-3 validated certificate #4718 includes SHA-1. Thus, customers with an existing requirement for SHA-1 will be able to satisfy that requirement with wolfCrypt FIPS 140-3.

However, and regardless of FIPS status, customers still using SHA-1 in security-critical roles — signatures, authentications, HMAC, KDFs, etc. — should refactor the implicated systems to use a modern hash algorithm such as SHA-2 or SHA-3. wolfSSL stands ready to help our customers select and implement an appropriate migration path.

All FIPS 140 modules submitted on or after December 31 2025 will exclude SHA-1, to avoid early certificate sunset under the timeline announced by NIST.

In preparation for this transition, wolfSSL has already prepared its FIPS 140-3 codebase to build, run, and pass full ACVP testing, with SHA-1 gated out. We are also routinely testing our mainline and FIPS codebases to assure correct function with SHA-1 disabled.

For more information on the announcement from NIST, check here.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3 14 15 16 17 18 19 20 194 195 196

Weekly updates

Archives