RECENT BLOG NEWS
wolfCrypt now supports AES EAX
We are excited to announce that wolfCrypt now supports the EAX mode of operation for AES!
AES EAX is a two-pass authenticated encryption scheme that is optimized for simplicity and efficiency. More details about the algorithm can be found in EAX: A Conventional Authenticated-Encryption Mode, by M. Bellare, P. Rogaway, and D. Wagner.
To enable AES EAX in your wolfSSL build, simply pass the –enable-aeseax flag to configure. If you are building without autotools, you must define the WOLFSSL_AES_EAX preprocessor macro, as well as enable support for the AES CTR and CMAC algorithms by defining WOLFSSL_AES_COUNTER, WOLFSSL_AES_DIRECT, and WOLFSSL_CMAC.
The AES EAX API and a brief usage example can be found in the wolfCrypt AES API documentation. For a complete example, please refer to the aes_eax_test() function in wolfcrypt/test/test.c.
Please contact us at facts@wolfSSL.com or call us at +1 425 245 8247 with any questions, comments, or suggestions.
Download wolfSSL Now
Exploring wolfSSL Integration with OpenSC for smart cards
Are you interested in integrating wolfSSL into OpenSC for smart card support?
We’ve been pondering this idea as well, especially after hearing from a few customers. But, we’re eager to know if there’s a broader interest out there and would greatly appreciate your feedback.
If the prospect of using wolfSSL within OpenSC intrigues you, we’d love to hear from you! Please don’t hesitate to reach out to us at facts@wolfssl.com. Your insights and input can play a crucial role in making this integration a reality. Let’s explore the potential together!
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Live Webinar: FIPS Training
The FIPS Training Webinar returns on October 12th at 10 AM PT, presented by wolfSSL Senior Software Engineer Kaleb. Join us for an exciting opportunity to enhance your understanding of FIPS and gain valuable insights into its implementation from wolfSSL as the current leader in embedded FIPS certificates.
Watch the webinar here: FIPS Training Webinar
Sneak peek of the webinar:
- Public resources for the FIPS module
- The Security Policy
- Locating and using the User Guide or Cryptographic Officer Manual
- Quick recap of the material
- Best Security Practices at the application level
Kaleb will provide in-depth insights of FIPS. This is your exclusive opportunity to expand your knowledge and familiarity with FIPS. Bring all your FIPS-related questions; Kaleb is ready to answer them all.
As always, our webinars will include Q&A sessions throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com, or call us at +1 425 245 8247.
Download wolfSSL Now
Some Differences Between TLS and SSH
TLS provides end-to-end encryption on one connection. You are routing data in and out from one application. (Note, this application can be a tunneling utility, see Stunnel.) It authenticates the server with a certificate chain of trust going back to a root CA that you implicitly trust to sign identities. It can authenticate the client to the server the same way, or can keep the client anonymous. Many protocols used over TLS provide authentication, like putting up a webpage to sign in on for your bank.
SSH provides an end-to-end encryption for a collection of data channels on one connection. Each channel can be a shell, a pseudo-terminal, an application, port forwarding, etc. It is routing STDIN and STDOUT (and STDERR) over the channel for a command. (SFTP is just a command run in a channel over the connection. SCP is as well, but these days SCP is implemented in SFTP commands.) You may be connected to a shell and not realize you are running multiple channels over your connection. (You might have an ssh-agent channel over your connection. With the “-Y” option you’d have X11 forwarding in a channel or multiple channels.) It authenticates the server to the client by showing the human at the terminal a hash of the server’s key and asking them if they recognize it as being correct. (And we all just hit Y without looking. Ha ha. Just kidding.) The client user is authenticated (or not) by using a password, public key, or something else. (You can set up an SSH server to allow anonymous client access. A friend of mine did this on his text BBS; the connections were port forwarding to a telnet port where you’d then log in with a password.)
If you have questions about any of the above, please contact to facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11
We have notified the distros mailing list allowing the member distributions to prepare patches. (No one else gets details about these problems before October 11 without a support contract and a good reason.)
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time.
The new version and details about the two CVEs will be published around 06:00 UTC on the release day.
- CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
- CVE-2023-38546: severity LOW (affects libcurl only, not the tool)
There is no API nor ABI change in the coming curl release.
I cannot disclose any information about which version range that is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time. The “last several years” of versions is as specific as I can get.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfTPM Policy PCR Sealing
When it comes to edge computing devices, keeping secrets such as encryption keys or identifiable metadata from being tampered with or stolen is of the utmost importance and the TPM is an ideal facility for keeping such secrets.
WolfTPM already has facilities for storing secrets to the TPM, but we’ve recently added convenience functions for sealing secrets to the TPM using policy authorization tied to PCR values, wolfTPM2_SealWithAuthSig, wolfTPM2_SealWithAuthKey and wolfTPM2_UnsealWithAuthSig. These functions also have NV versions for keeping persistent secrets. wolfTPM2_SealWithAuthSig uses a premade signature to seal the secret instead of a signing key so that the signing key can be kept externally.
Sealing secrets using policy this way not only keeps the secret stored safely within the TPM, but also restricts internal access to the secret, requiring a valid signature of the policyDigest used to seal it and that the PCR value matches the value it had at the time of sealing. This means that an attacker would need the key used to seal the secret and would need to gain access to the system without modifying the PCR values, so tying the PCR values to things like expected log output or the firmware image would lock an attacker out of the secret if those elements were modified.
Try these new functions for yourself with wolfTPM, for examples on how to use these new policy sealing function check out https://github.com/wolfSSL/wolfTPM/tree/master/examples/seal and https://github.com/wolfSSL/wolfTPM/tree/master/examples/nvram.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Quick start to wolfCLU
Newly created container for wolfCLU (wolfSSL’s Command Line Utility) was added to wolfSSL’s repo: https://github.com/wolfSSL/wolfssl/tree/master/Docker/wolfCLU The idea is to be able to quickly get set up and start using the latest wolfCLU in your projects. You can get a prebuilt container from https://hub.docker.com/repository/docker/wolfssl/wolfclu/general or by simply running:
docker run -it –rm -v $(pwd):/ws -w /ws wolfssl/wolfclu
This command will run inside your current directory so you can create certificates or verify existing files using wolfCLU.
If you have questions about any of the above, please contacts us at facts@wolfSSL.com or call us at +1 425 245 8247
Download wolfSSL Now
OFTP? Yes, We can Help!
Are you part of the Odette automotive networking platform community? Are you already using OFTP? Then we are here to help! As you might know, OFTP requires identity verification via specialized X.509 certificates issued by Odette, but the OFTP protocol depends on the underlying TLS protocol to handle the authentication, encryption and security aspects of the file transfer protocol. The overarching OFTP implementation is usually a separate library from the library that implements TLS. Have you considered using wolfSSL for your TLS and cryptography implementation?
Is your implementation of TLS out of date? Is it even maintained and supported? Do you know if it has any active CVEs against it? Do you need further certifications for your cryptographic implementations such as AUTOSAR? Come talk to us here at wolfSSL; we can help you get your software stack in order!
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us as +1 425 245 8247.
Download wolfSSL Now.
Live Webinar: wolfSSL Training
We are thrilled to announce that wolfSSL training webinar is returning on October 5th at 10 AM CET presented by wolfSSL Engineer Daniele. If you are wanting to dive into the insight of wolfSSL embedded SSL/ TLS and expand your knowledge, this is the perfect opportunity.
Watch the training today!
Part 1
Part 2
Daniele will cover topics including library design, the process of building and starting with wolfSSL. He will feature portability, customizability, certificates and keys, SSL debugging and troubleshooting, wolfSSL best practices, and in-depth insights into the wolfCrypt cryptography library.
It is your chance to gain a deep understanding of SSL/ TLS protocols and enhance your knowledge of wolfSSL embedded SSL/ TLS library. Don’t miss this opportunity to gain the crucial knowledge of SSL/ TLS and wolfSSL.
As always, our webinar includes Q&A sessions throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL
wolfBoot: support for post-quantum secure-boot with LMS/HSS signatures
Do you have a post-quantum secure-boot requirement from the looming CNSA 2.0 timeline? The timeline has stated that post-quantum signature schemes should be used exclusively by 2030, and adoption should begin immediately. To this end, a few months ago we hinted that plans were underway for post-quantum wolfBoot support, and just recently we added post-quantum LMS/HSS signatures to wolfCrypt.
Building on this, we are excited to announce we have added support for LMS/HSS post-quantum signatures to wolfBoot. LMS wolfBoot support includes keygen, signing, verifying, and importing public keys generated from e.g. an HSM. In fact, to demonstrate HSM interoperability, we recently tested an LMS firmware signature verification integration with Crypto4A’s QxEdge HSM, and showed a live demo at ICMC 2023! If you’re curious, you can read more about our support in our recently added wolfBoot PQ docs, and LMS example config. It describes the LMS/HSS parameters we support from RFC 8554, and the performance tuning and space/time tradeoffs they enable.
LMS/HSS is an example of a post-quantum stateful hash-based signature (HBS) scheme. The security of these signature schemes is based simply on their underlying hash functions and Merkle trees, and does not rely on the assumed mathematical hardness of, for example, prime factorization. This feature gives stateful HBS schemes time tested, tried and true post-quantum security, which is why they have been recommended by NIST SP 800-208 and the NSA’s CNSA 2.0 suite.
An astute reader might notice that both LMS/HSS and XMSS/XMSS^MT were recommended in NIST SP 800-208 and the NSA’s CNSA 2.0 suite. Should we add XMSS/XMSS^MT to wolfBoot as well? Let us know what you think.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
Weekly updates
Archives
- December 2024 (16)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)