RECENT BLOG NEWS
wolfSSH: Post-Quantum Interoperability? Confirmed!
For people following the development of wolfSSH, they might have noticed something very strange recently. There is a new key exchange method that has a very long name: ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org. This replaces ecdh-sha2-nistp256-kyber-512-sha256 which was similar but had some differences in data formatting.
This name comes from the following IETF draft authored by Panos Kampanakis and Torben Hansen of AWS and Douglas Stebila of the University of Waterloo: https://www.ietf.org/id/draft-kampanakis-curdle-ssh-pq-ke-01.html
The main purpose of this post is to let everyone know that our wolfSSH implementation of ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org passed NIST NCCoE interoperability tests! It was tested against the AWS implementation of SSH and OQS’s fork of openSSH (https://github.com/open-quantum-safe/openssh). Here at wolfSSL, we know that for protocol products such as wolfSSH, interoperability is a key requirement to be an ecosystem player. Our customers can rest easy knowing that they can interoperate with other products seamlessly. Want to try it out? You can download it from https://github.com/wolfSSL/wolfssh.
This is just one hybrid key exchange. If you want other post-quantum key exchanges or signature schemes to be supported in wolfSSH, let us know! We are always interested to hear about what you want us to do! If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfEngine: wolfCrypt as an Engine for OpenSSL
Watch our live wolfEngine webinar, where we introduce one of our newest products wolfEngine, a separate standalone library which links against wolfSSL (libwolfssl) and OpenSSL. wolfEngine implements and exposes an OpenSSL engine implementation which wraps the wolfCrypt native API internally. Algorithm support matches that as listed on the wolfCrypt FIPS 140-2 certificate #3389.
Learn about about what wolfEngine is, why you should care, and why wolfEngine could be the solution to all of your problems. As always bring your questions for the Q&A following the presentation.
Watch it now: wolfEngine : wolfCrypt as an Engine for OpenSSL
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSentry integration with AUTOSAR Intrusion Detection System (IDS)
Hi! We have some of our automotive customers asking for wolfSentry integration with AUTOSAR IDS. Is this something that you need?
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
cURL User Survey 2023
This post has been cross posted from Daniel Stenberg’s blog – originally posted here.
For widely used, widely distributed open source project such as curl, we often have little to no relation at all with our users and therefore it is hard to get feedback and learn what works and what is less good.
Our best and primary way is thus simply to ask users every year how they use curl.
For the tenth consecutive year, we put together a survey and we ask everyone we know and can reach who ever used curl or library within the last year, to donate a few minutes of their precious time and give us their honest opinions.
The survey is anonymous but hosted by Google. We do not care who you are, but we want to know how you think curl works for you.
The survey will remain online for submissions during 14 days. From Thursday May 25 2023 until midnight (CEST) Wednseday June 7 2023. Please tell your friends about it!
Post survey analysis
At June 5 the painstaking work of analyzing the results and putting together a summary and presentation begins. It usually takes me a few weeks to complete. Once that is done, the results will be shared for the entire world to enjoy.
Then we see what the curl project should take home and do as a direct result of what users say. Updating procedures, writing documentation and adding features to the roadmap are among the things that can happen and has happened after previous surveys.
Support
- wolfSSL offers Curl support is available, and part of that support revenue goes into finding and fixing these kinds of vulnerabilities.
- Customers under curl support can get advice on whether or not the advisories apply to them.
- 24×7 support on curl is available, and can include pre-notification of upcoming vulnerability announcements.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
“BUSted” – Everything you need to know on Side-channel attacks to TrustZone-M separation
“BUSted” – Everything you need to know on Side-channel attacks to TrustZone-M separation
Watch the webinar here: “BUSted” – Everything you need to know on Side-channel attacks to TrustZone-M Separation
Join our wolfSSL webinar about BUSted presented by wolfSSL engineer Daniele Lacamera as well as either Dr. Sandro Pinto or Cristiano Rodrigues.
At the Black Hat Asia conference in Singapore, Dr. Sandro Pinto and Cristiano Rodrigues presented their research that introduced a groundbreaking technique that exploits the shared pipeline on the newest Cortex-M CPUs to place a time based, side-channel attack from an application running in non-secure domain to security code running in secure mode. The researchers named this attack “BUSted”. This is sudden and difficult news hitting the new generations of ARMv8 microcontrollers. The attack was demonstrated live using a Cortex-M33 microcontroller as target.
Due to the nature of the attack, targeting specific micro-architectural design issues, this disclosure has already been compared to “Spectre” and “Meltdown”, well known attacks that have affected more sophisticated architectures in the recent past. All the embedded projects that were counting on hardware-assisted privilege separation through TrustZone-M should now take into account the possibility of leaking information from the trusted components running in the secure world.
According to the researchers, software based countermeasures and mitigations are possible to counter the effects of this micro-architectural design fault. The most important aspect to take into account when dealing with time-based attacks is to avoid as much as possible secret-dependent code in the implementation of security operations. In other words, the time required for a security procedure to run must not depend on the success of the operation or on any secret involved in the operation.
Tune in to this webinar to learn more about the attack from the researchers themselves as well as from cybersecurity experts how wolfSSL has been proactive and already studying the necessary workarounds for our users and customers.
As always we will have a Q&A Session following the webinar
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSSL support for STM32 hardware
We’ve expanded our STM32 support for wolfSSL to include the STM32H5 and G0. The STM32WL is also coming soon.
Using STM32 hardware and development boards are easy with our wolfSSL, wolfSSH and wolfMQTT (soon) Cube packs. These packs integrate with the STM32CubeIDE and STM32CubeMX tools for generating a project and code with support for our libraries.
The documentation for using the Cube packs is here:
https://github.com/wolfSSL/wolfssl/tree/master/IDE/STM32Cube
The new wolfSSL build options are:
- H5: WOLFSSL_STM32H5
- G0: WOLFSSL_STM32G0
wolfCrypt benchmarks for the H5 and G0 have been posted here:
https://github.com/wolfSSL/wolfssl/blob/master/IDE/STM32Cube/STM32_Benchmarks.md
We’ve also added wolfBoot support for the STM32G0. The wolfBoot STM32H5 support is coming soon. For details on wolfBoot G0 support see: https://github.com/wolfSSL/wolfBoot/pull/286
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
STM32Cube Expansion Packs for more wolfSSL Products
The wolfSSL embedded TLS library has support for most of the STM32 microcontrollers and for their hardware-based cryptography (AES/HASH/PKA) and random number generator (TRNG). Here are the STM32 processors we currently support:
- STM32F2
- STM32F4
- STM32F7
- STM32F1
- STM32L4
- STM32L5
- STM32WB
- STM32H7
- STM32G0
- STM32U5
- STM32H5
wolfSSL offers STM32Cube Expansion Packages for the STM32 toolset, letting users pull wolfSSL and wolfSSH directly into STM32CubeMX and STM32CubeIDE projects.
We currently support STM32Cube Expansion packs for wolfSSL and wolfSSH (our lightweight SSHv2/SCP/SFTP library). Soon we will be adding packs for wolfMQTT (our MQTT client implementation) and wolfTPM (our TPM 2.0 library).
For information on our wolfSSL Cube pack see:
https://github.com/wolfSSL/wolfssl/blob/master/IDE/STM32Cube/README.md
For information on our wolfSSH Cube pack see:
https://github.com/wolfSSL/wolfssh/blob/master/ide/STM32CUBE/README.md
Are you looking to improve our STM32 support within wolfSSL products? If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSentry: A turnkey dynamic firewall for lwIP
wolfSentry, wolfSSL’s embedded firewall and IDPS, now supports out-of-the-box integration with lwIP!
After simple initialization calls at application startup, all network traffic is evaluated and subject to filtration by the wolfSentry engine. Prefiltering by network layer, protocol, and event type, allows zero-overhead transparency for selected traffic. For example, TCP connection requests, inbound and/or outbound, can be fully evaluated by the wolfSentry engine, while traffic within established TCP connections passes freely.
lwIP integration also facilitates stateful and ephemeral rules for safe use of connectionless protocols such as DNS over UDP. These protections are configuration-driven, automatically managed by wolfSentry-with-lwIP, and are completely transparent to the application and other libraries.
Integration with lwIP is achieved with a simple patchset to the lwIP 2.1.3+ core, bundled with wolfSentry and documented in the lwip/ subdirectory. lwIP integration also facilitates deep packet inspection by application-installed plugins, which receive pointers to the lwIP connection context and raw packet contents.
The wolfSentry configuration system has also grown with the addition of route table export to reingestable JSON. A persistent baseline (“factory”) JSON configuration can be supplemented with a separate, mutable rule configuration, for convenient, efficient, and safe checkpointing of rules for reload at next system startup.
wolfSentry on FreeRTOS has further matured, with full support for native heap, timer, and threading facilities. Portability improvements also prepare wolfSentry for use with QNX, GH integrity, VxWorks, and other embedded realtime OSs. Portability is further assured with optional strict compliance with C89, now available with the WOLFSENTRY_C89 build option.
All of these new capabilities, and much more, are featured in wolfSentry 1.3. For more details, clone wolfSentry from https://github.com/wolfSSL/wolfsentry, review ChangeLog.md and README.md, and “make test”.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Using wolfSSL on BlackBerry QNX
One of the earliest posts on our blog is this one: https://www.wolfssl.com/wolfssl-supports-the-rim-playbook/
In 2010 it was announced that wolfSSL supported (Research In Motion) RIM’s BlackBerry Playbook and mentions QNX support ever since the first source release of wolfSSL. That has been close to 20 years of support.
In this post we’d like to mention that it is not just the wolfSSL library that supports QNX; all of our products do!
- wolfSSL and wolfCrypt with FIPS, DO-178 DAL A or without are all fully supported
- Running QNX on a board with a TPM on it? Then wolfTPM which supports the TPM 2.0 protocol is something you must use.
- Need a light-weight SSH implementation on your QNX project? Then wolfSSH is your solution.
- Want to guarantee the integrity of your QNX firmware image or do over the air updates? Then the wolfBoot bootloader is perfect for you.
- Looking for an (Intrusion Detection and Prevention System) IDPS to secure your QNX-based deployment? Then wolfSentry is what you’re looking for.
- Have a need for lightweight data transfer? Try curl or even tiny-curl for those low-resource platforms that QNX is known to run on.
Please reach out to us to learn more about how we can help you secure your QNX deployments! If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
WolfBoot vs Das U-Boot
With the myriad of options available for a bootloader today many integrators try and fail to find the most secure and flexible bootloader with the smallest footprint. To help put an end to this search we will be going over wolfBoot’s many advantages compared to its competitors to make clear why wolfBoot is the best fit for your application.
Supported Signature Verification Algorithms
Signature verification in secure boot is the process of verifying and authenticating a boot image using a signature and public key provided by a signing authority. Out of the box Das U-Boot supports RSA image signature verification using SHA-1 or SHA-256 digests. U-Boot can be extended to include any algorithm you wish but that requires the additional effort of including or writing an external crypto library that will inflate code size and increase the time it takes to get a working product.
WolfBoot was built using wolfCrypt, our small embeddable crypto library that powers all of our products, and leverages it to support a wide range of signature verification options including ED25519, ECC and RSA. It does not support the outdated SHA-1 but instead supports the modern SHA-256, SHA-384 and SHA3 hashing algorithms and because its free software can also be extended as you wish.
Encrypted Boot Partition
Both wolfBoot and U-Boot support encrypted images but wolfBoot supports both AES and CHACHA encryption while U-Boot only supports AES.
Beauty and the Bloat
U-Boot has many unnecessary features for a secure bootloader, including a command line interface and a full TCP/IP networking stack. These features increase the amount of code, which increases the number of potential bugs, the size of the image and creates a larger attack surface to compromise your system.
WolfBoot was built by security experts and thus was designed to boot into the application image as fast and securely as possible. By constraining wolfBoot to the essentials we are able to keep code size down leading to less bugs in the first place and less attack vectors open to compromise your system. Keeping code size down leaves more room for such features in the application image where they belong.
Portability
Porting U-Boot to a new system is a complicated process as U-Boot takes responsibility for bringing up the system’s peripherals ahead of the OS being loaded. WolfBoot takes a hands off approach and leaves those tasks to the application image, making it system and OS agnostic. Getting wolfBoot running on a new target only requires adding a new Hardware Abstraction Layer (HAL) file for setting the clock up and reading and writing flash. HALs are straightforward to write with the right documentation and usually come in under 600 lines of code.
Interruptible Update Process
While both U-Boot and wolfBoot support image updates, only wolfBoot has an interruptible update process that allows it to complete an update even in the event of a power failure during the update. In this event of an unfortunately timed power failure this makes the difference between a working board and a paperweight.
Delta Updates
In addition to being interrupt safe, wolfBoot also has the additional feature of delta updates, which chunks and strips an updated image down to only the parts that differ from the last image. WolfBoot will then apply this new image to the old one as a patch, which leads to significantly smaller update images that save space in environments where flash memory is scarce.
FIPS Support
FIPS (Federal Information Processing Standards) is a cryptography standard that firms who deal with the United States government are often required to comply with in order to sell to them. WolfCrypt is FIPS compliant (when built with the correct options) and therefore wolfBoot is FIPS compliant without any additional work required, saving a lot of time on compliance. U-Boot on the other hand uses a standalone cryptography library that would need to be manually replaced with a fips compliant library, which is a costly and time consuming process.
DO-178 Certification
In addition to FIPS, wolfCrypt, and by extension wolfBoot, is DO-178 Certifiable. DO-178 is a strict aviation standard that the FAA (Federal Aviation Administration) and EASA (European Union Aviation Safety Agency) require for software components that run inside aircraft approved to fly in their airspace. WolfSSL itself is DO-178 DAL A certified on numerous operating environments and our expert DO-178 engineers are available for consulting to help get your operating environment certified. U-Boot’s standalone cryptography library would need to be brought through the certification process from scratch or an external library would need to be swapped out for a certifiable one.
If you need need a secure and flexible bootloader, with the smallest footprint, wolfSSL can help. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Weekly updates
Archives
- December 2024 (17)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)