Coming Soon: Kyber (ML-KEM) Hybridized with X25519 in wolfSSH
One of our most popular products is wolfSSH and for good reason; the SSH protocol is commonly used by industry, academia and governments. Efforts are underway in the community to bring post-quantum key exchange algorithms to the SSH protocol to protect your communications against “harvest now, decrypt later” attacks. But we can’t just switch over, we also have to consider compliance. That is why we started supporting ECDHE-P256 hybridized with Kyber at NIST Level 1 KEX as specified by the IETF in ‘Post-quantum Hybrid Key Exchange in SSH.’ This allows for both post-quantum protection as well FIPS-140 compliance.
We have just finished integrating X25519 support into wolfSSH. Our next logical step would be to bring in X25519 hybridized with Kyber at NIST Level 1 KEX as specified in the draft above.
Do you have X25519 requirements but are also thinking about post-quantum protection? Excited to see this happen? Want us to raise the priority of this work? Let us know by sending us a message at facts@wolfSSL.com!!
If you have questions about any of the above, please contact us at or call us at +1 425 245 8247.
Download wolfSSL Now
Getting Started with wolfSSL on Arduino
Getting started with wolfSSL has never been easier. We’ve recently updated our library as published on the Arduino libraries site, listed in the “Communications” section:
https://www.arduino.cc/reference/en/libraries/wolfssl/
To use wolfSSL in the Arduino IDE, download the latest IDE version from arduino.cc and follow the installation instructions.
Note that if you used any version of wolfSSL prior to v5.6.6.Arduino.1, those versions have been removed from the Arduino registry as they were not Official wolfSSL Arduino releases.
To install wolfSSL, click on Tools… Manage Libraries:
Type wolfssl in the search box, then press the Install button.
Additional details can be found in the Arduino documentation for installing libraries for V1 or using the Arduino IDE V2 installation method.
When the sketch is opened, click on the “Select Board” dropdown:
In the case of Windows, click on the COM port that has your device, here for COM36:
Enter part of name to more quickly find the desired board selection:
Click on the desired board and click the OK button.
For Arduino brand and compatible boards, the Arduino IDE will prompt if libraries are needed to be installed:
There are two main examples for wolfSSL: a TLS client and a TLS server. The most recent code can be found in the IDE/Arduino directory on GitHub.
To use the examples from the Arduino IDE Library, click on File… Examples. See the wolfSSL sample sketches in the “Examples from Custom Libraries” at the bottom of the list:
Note that both the Client and Server examples need a network connection. Most boards will need to have WiFi parameters set for this. See the beginning of the sketch for setting a file (typically outside the scope of any GitHub repository, to be kept private):
Otherwise if you are not using a private file, the values can be entered directly into the source code, shown here for your_SSID and your_PASSWORD:
Once the sketch is loaded and a board (and serial port) are selected, simply press the upload button as with any other Arduino sketch.
If using the Server example, make note of the IP address assigned. By default a DHCP address is requested, so the value will be specific to the SSID / Access Point.
If using the Arduino Client, not only do the WiFi settings need to be assigned, but also the Server address WOLFSSL_TLS_SERVER_HOST value to connect to, shown here for an example address of 192.168.1.39
Both the Arduino Client and Server sketches can of course be used to communicate with the wolfSSL executables, found in the examples/client and examples/server directories. These are built automatically when running make from the root of the wolfSSL clone:
./configure --enable-all make clean make && make test ./examples/client/client -h 192.168.1.39 -p 11111
Keep in mind that workstation examples may need firewall rules and/or anti-virus adjusted when communicating with external embedded devices such as the Arduino boards. The wolfSSL TLS examples typically use port 11111.
Want to customize the wolfSSL settings? See the user_settings.h file in
C:\Users\%USERNAME%\Documents\Arduino\libraries\wolfssl\src
It’s best to not directly include the wolfSSL user_settings.h file in your code. When including the library, there’s a settings.h file that will automatically include the user_settings.h file as appropriate, along with making some default environment settings.
See the documentation for more details on settings. For embedded targets such as Arduino, all of the settings are the #define values in the user_settings.h file.
Details on how we publish wolfSSL to Arduino can be found in our wolfSSL/IDE/ARDUINO GitHub directory. If you have a local clone of wolfSSL, you can use the wolfssl-arduino.sh script to install your own latest version of wolfSSL directly to your Arduino libraries directory like this:
./wolfssl-arduino.sh INSTALL
Note that there’s only a Linux bash command. Windows users are encouraged to use WSL. See the README file for more information.
If any problems are encountered with the sketch, sometimes it can be helpful to delete the build cache directories. For Windows users, this is in the AppData directory:
C:\Users\%USERNAME%\AppData\Local\Temp\arduino\sketches
Find out more
If you have any feedback, questions, or require support, please don’t hesitate to reach out to us via facts@wolfSSL.com, call us at +1 425 245 8247, or open an issue on GitHub.
Download wolfSSL Now
Post-Quantum Kyber Benchmarks (Linux)
To continue in our series of wolfSSL’s implementation of Kyber KEM benchmarks, we would like to show you benchmarking statistics for Linux. Some notes about the conditions under which the benchmarks were taken:
- The processor is “11th Gen Intel® Core™ i7-1185G7 @ 3.00GHz × 8”
- Only 1 core is used
- Conventional algorithms are present for comparison purposes
- The wolfSSL configuration used was:
./configure –disable-psk –disable-shared –enable-intelasm –enable-aesni –enable-sp –enable-sp-math –enable-sp-asm –enable-kyber=wolfssl,all ‘CFLAGS=-Os -DECC_USER_CURVES -DHAVE_ECC256 -DHAVE_ECC384’
The benchmarks results follow:
RSA 2048 public 75700 ops took 1.001 sec, avg 0.013 ms, 75632.019 ops/sec RSA 2048 private 2200 ops took 1.024 sec, avg 0.466 ms, 2147.942 ops/sec DH 2048 key gen 4428 ops took 1.000 sec, avg 0.226 ms, 4427.507 ops/sec DH 2048 agree 4700 ops took 1.006 sec, avg 0.214 ms, 4673.614 ops/sec KYBER512 key gen 282300 ops took 1.000 sec, avg 0.004 ms, 282207.889 ops/sec KYBER512 encap 162000 ops took 1.000 sec, avg 0.006 ms, 161981.038 ops/sec KYBER512 decap 164100 ops took 1.000 sec, avg 0.006 ms, 164033.359 ops/sec KYBER768 key gen 150400 ops took 1.000 sec, avg 0.007 ms, 150325.846 ops/sec KYBER768 encap 106200 ops took 1.001 sec, avg 0.009 ms, 106145.438 ops/sec KYBER768 decap 101800 ops took 1.000 sec, avg 0.010 ms, 101757.640 ops/sec KYBER1024 key gen 109200 ops took 1.001 sec, avg 0.009 ms, 109137.057 ops/sec KYBER1024 encap 73900 ops took 1.000 sec, avg 0.014 ms, 73896.212 ops/sec KYBER1024 decap 73900 ops took 1.000 sec, avg 0.014 ms, 73880.096 ops/sec ECC SECP256R1 key gen 93600 ops took 1.000 sec, avg 0.011 ms, 93586.478 ops/sec ECDHE SECP256R1 agree 24200 ops took 1.003 sec, avg 0.041 ms, 24133.422 ops/sec ECC SECP384R1 key gen 30000 ops took 1.002 sec, avg 0.033 ms, 29953.559 ops/sec ECDHE SECP384R1 agree 7100 ops took 1.008 sec, avg 0.142 ms, 7046.050 ops/sec ECC SECP521R1 key gen 17600 ops took 1.000 sec, avg 0.057 ms, 17598.074 ops/sec ECDHE SECP521R1 agree 4500 ops took 1.009 sec, avg 0.224 ms, 4460.319 ops/sec
Once again, the recurring theme holds. Performance is looking great for our implementation of Kyber KEM.
If you’re looking for different benchmarking data or have any questions, please reach out to us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Live Webinar: Getting Started with wolfTPM
We are excited to invite you to the 4th episode of our Getting Started series: “Getting Started with wolfTPM”! This informative webinar, led by wolfSSL’s Senior Embedded Software Engineer, David Garske, is scheduled for March 21st at 10 am PT.
Watch the webinar here: Getting Started with wolfTPM
David will delve into how you can start to leverage wolfTPM to elevate the security of your systems. He will guide you through steps for getting started on your platform with wolfTPM.
During the webinar, you will:
- Gain basic knowledge of TPM 2.0
- Explore build options for wolfTPM
- Learn how to use wolfTPM API
- Engage in a comprehensive API comparison of wolfTPM
- Delve into real-life wolfTPM use case examples
And much more!
Don’t miss this opportunity to gain a deeper understanding of TPM technology and discover how wolfTPM can shield your systems against emerging threats. Watch now.
As always, our webinars will include Q&A sessions throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfSSL gRPC Support
wolfSSL is adding support for the gRPC (https://grpc.io/) project. gRPC is an open source high performance Remote Procedure Call (RPC) framework that can run in any environment. RPC is commonly used to execute procedures or subroutines in other computers on a network. This networking requires security and this is where wolfSSL comes in.
wolfSSL is a lightweight TLS library with a focus on embedded systems. wolfSSL implements protocols up to the latest TLS 1.3 and DTLS 1.3 standards and can run on any architecture or operating system. gRPC uses TLS to provide authentication and confidentiality when executing calls on remote computers.
Work on wolfSSL support in gRPC is currently in progress. If you are interested in using gRPC with wolfSSL or have any questions, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Securing Satellite Communications: Insights from Eric Blankenhorn and wolfSSL at Satellite 2024
wolfSSL returns to Satellite 2024 this year, with Senior Software Engineer Eric Blankenhorn taking the spotlight as a featured speaker for the conference program, “Fortifying the Skies: Space Defenders on the Frontlines of Cybersecurity”. Scheduled for March 21st at 9:30 am ET in room 146C, this program is a pivotal opportunity to delve into the evolving landscape of the space domain and address the critical need for securing satellite networks.
As the space domain continues to evolve and expand, ensuring the security and resilience of satellite networks is crucial. This conference program offers a unique platform to engage with industry leaders, gain invaluable insights, and collectively work towards a more secure future in space.
Eric, alongside other industry experts, will explore various topics including emerging threats in satellites and space, the development of standards and best practice for satellite cybersecurity, the convergence of IT & OT security, and strategies for securing the space supply chain.
Conference Program Details:
- Title: Fortifying the Skies: Space Defenders on the Frontlines of Cybersecurity
- Date: March 21st | 9:30 am ET
- Location: Room 146C
Make sure to mark your calendar and seize this opportunity to learn about securing satellite networks from cyber attacks and enhancing their resilience against evolving threats.
The wolfSSL will be available at booth 1445 during Satellite 2024 to address any inquiries. Don’t forget to swing by. Let’s safeguard satellite communication together.
If you have questions about any of the above or would like to schedule a one-on-one meeting with wolfSSL at Satellite 2024, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
How to Build wolfSSL for Android
Here at wolfSSL we provide best in class support by using our past experience to know what you will ask and then having examples, documentation and instructions already prepared before you even open a support ticket with us.
A great example of this is the recent uptick in questions about building our wolfSSL library for Android. If you’re building an Android app and have FIPS 140 needs then you’ve come to the right place!
Want to see an Android NDK Gradle example?
How about just a standalone toolchain example?
There is also the ability to replace BoringSSL. Have a look at
https://github.com/wolfSSL/wolfssl/tree/master/IDE/Android
Another thing you might be thinking of is wolfSSL JNI and JSSE! You’ll want to have a look at
https://github.com/wolfSSL/wolfssljni?tab=readme-ov-file#building-for-android
Perhaps you’re using OpenSSL on Android and you have FIPS 140 requirements. Have a look at https://github.com/wolfSSL/wolfProvider/tree/master/IDE/Android
When it comes to Android, we’ve got you covered. And if you need further details or clarifications, we are always happy to help you. Please reach out to facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Partner Webinar: wolfSSL and Cesium RTOS Integration
Get Excited! wolfSSL is partnering with Weston Embedded Solutions to host an exclusive webinar, wolfSSL and Cesium RTOS Integration. We will explore the intricate world of secure communication in an RTOS environment. Led by wolfSSL’s Senior Software Developer, Anthony Hu, and Weston Embedded’s President and co-founder, Janos Magasrevy, along with Senior Software Engineer and co-founder at Weston Embedded, Yanko Sosa.
Weston Embedded Solutions is a leading provider of embedded software and engineering services, specializing in the Micrium µC/OS and Cesium RTOS family of products. This webinar presents a unique opportunity to delve into the fundamentals of Transport Layer Security (TLS) and its pivotal role in securing data transmission. Discover the capabilities of Cs/NET and its seamless integration with wolfSSL’s cutting-edge security solutions.
Watch the webinar here: wolfSSL and Cesium RTOS Integration (Partner Webinar with Weston Embedded)
You are expecting to learn:
- Learn fundamental of wolfSSL TLS
- Dive into Weston Embedded’s Cs/NET integration with wolfSSL
- Live Demonstration of Cs/NET’s HTTP Client in Action Using TLS v1.3
And much more!
Learn from industry experts as they share valuable insights and best practices in secure communication protocols, Watch it now.
As always, our webinars will include Q&A sessions throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfSSL’s Kyber ML-KEM Implementation Now Included Free of Charge for Commercial Customers; Future Proofing is here today
We are now including commercial Kyber/ML-KEM in our wolfSSL/wolfCrypt commercial packages. At this point, you need to ask our support organization for a delivery if you want to start testing it. If you are willing to wait, then you will find it included in the next commercial bundle that we release. In summary, there will be no additional charge if you are a supported customer of wolfSSL/wolfCrypt.
Please note all of the advantages of our Kyber implementation from the previous blog posting here.
This begs the question, what about customers who have let their support plan lapse? Our answer is “What are you waiting for?!?”. Get started by reviewing our support packages. The next step is to get in contact with your wolfSSL business director and get signed up. You can do that by sending a message to facts@wolfssl.com.
To get an idea of the kind of performance you will get, see our benchmarks here:
Start your future proofing today and get started with post-quantum algorithms! Want wolfSSL’s implementation of Dilithium? Interested in LMS and XMSS? Let’s talk! CNSA 2.0 requirements? We can help. Contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
Support for wolfBoot on Renesas RZ/N2L
We are excited to announce wolfBoot support for the Renesas RZ/N2L evaluation board. The Renesas RZ/N2L uses the high-performance Arm Cortex-R52 core to easily add network functionality onto industrial equipment and machines. The RZ/N2L is supported by an open and flexible ecosystem concept – the Flexible Software Package (FSP), built on FreeRTOS – and is expandable to use other RTOS and middleware.
wolfBoot is a portable secure bootloader solution that offers firmware authentication and firmware update mechanisms. Due to its minimalistic design and tiny HAL API, wolfBoot is completely independent from any OS or bare-metal application.
By adding wolfBoot support for the evaluation board, it demonstrates simple secure firmware boot from external flash memory by wolfBoot. The example uses SPI boot with external flash memory on the evaluation board. On this boot mode, wolfBoot is copied to the internal RAM(B-TCM). wolfBoot copies the application program from external flash memory to RAM(System RAM). As a final step of wolfBoot the entry point of the copied application program is called if the integrity and authenticity of the image are valid. More detailed steps can be found here.
If interested in wolfBoot support on the RZ/N2L, or if you have questions about any of the above, please contact facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now