RECENT BLOG NEWS
What’s New in wolfSSH 1.4.19
The latest version of wolfSSH, 1.4.19, brings improvements, stability fixes and an additional feature! DH Group 14 with SHA-256 Key Exchange (KEX) support was added in with this release.
Along with this new feature some of the improvements that were added are: CI testing, macro guards around TTY modes, use of wolfSSL kyber implementation, and an update to the Espressif example. Among the fixes there were additions for gracefully handling non-existent directories with SFTP and handling of re-key/window full cases with wolfSSHd. For a full list of changes see the bundled ChangeLog.md
Contact facts@wolfSSL.com for more information regarding wolfSSL and wolfSSH.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
Live Webinar: Ensuring Security in Avionics with DO-178C Conformance
Learn about the critical role of DO-178C in ensuring the safety and security of avionics systems in our upcoming webinar! As the aviation industry continues to evolve, compliance with rigorous safety standards such as DO-178C becomes essential for avionics software development. wolfSSL Software Engineer Tesfa Meal will delve into how DO-178C conformance helps organizations meet stringent requirements and maintain the highest levels of security in their avionics software systems.
Register Now: Ensuring Security in Avionics with DO-178C Conformance
Date: November 6th | 10 AM PT
Discover the key components of DO-178C and its significance in avionics certification. We will explore the guidelines and objectives of DO-178C, focusing on how they ensure software reliability and safety in critical aviation applications. Additionally, attendees will gain insights into the features and benefits of wolfSSL’s DO-178C product certification, emphasizing its role in supporting secure avionics systems. A detailed customer use case will further illustrate how organizations can effectively implement DO-178C practices to enhance their avionics software security and compliance.
This webinar will cover:
- Overview of wolfSSL and its certifications
- Introduction to DO-178C standards and guidelines
- wolfSSL’s DO-178C Product Certification process
- Real-world DO-178C Customer Use Case and implementation strategies
Register now to secure your spot! Don’t miss this chance to deepen your understanding of DO-178C and its importance in the avionics industry. Take the first step towards ensuring security in your avionics systems and staying compliant with the latest safety standards.
As always, our webinars will include Q&A sessions throughout. If you have questions on any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
MAX32666 and MAX32665 Hardware Acceleration added to wolfSSL
wolfSSL now supports using the Trust Protection Unit (TPU), Modular Arithmetic Accelerator (MAA), and TRNG provided by Analog Devices MAX32666 and MAX32665 microcontrollers.
The implementation can be seen in PR #7777 to wolfSSL, and is in wolfSSL starting at 5.7.4!
The port offers various usage options: fully leveraging all hardware features, selectively enabling specific hardware acceleration like SHA acceleration, or utilizing Crypto Callbacks for mixed usage between hardware and software. For a guide on setting up the port please refer to the README.
Currently wolfSSL supports offloading the following algorithms and operations to the respective hardware:
TRNG:
- RNG
TPU:
- AES-CBC – 128/192/256
- AES-GCM – 128/192/256
- AES-ECB – 128/192/256
- SHA-1
- SHA-2 – 224/256/384/512
MAA (HW Accelerated Math Operations up to 2048 bits):
- Modulate (mod)
- Modular Addition (addmod)
- Modular Subtraction (submod)
- Modular Multiplication (mulmod)
- Modular Exponentiation (expmod)
- Modular Squaring (sqrmod)
Benchmarks:
These benchmarks were collected using a Cortex-M4 clocked at 96 Mhz included on the MAX32666 FTHR dev kit, and a bare metal implementation of our benchmark. The timer used for these benchmarks can be enabled with the addition of MAX3266X_RTC to user_settings.h for reproduction.
AES ECB/CBC/GCM:
AES-CBC and AES-ECB Hardware Acceleration provides a hefty 2x uplift in performance when compared to our Arm assembly acceleration and normal software implementations.
AES-GCM does not provide the same uplift due to the hardware not supporting GCM explicitly, but we take advantage of the ECB support of the hardware to still provide a speedup when compared to our standard software implementation.
You can enable this kind of speed up for other AES modes by adding HAVE_AES_ECB to user_settings.h.
All algorithms of SHA provide a consistent boost to performance. With our benchmark tool we see up to a 7x performance for SHA-384/512 when compared to our software implementations. As the algorithm gets simpler we see less of a performance increase, however the consistent throughput is still impressive.
Math Acceleration (RSA 2048 and ECDSA p256):
Using the Math Acceleration hardware we do see a decrease in performance for RSA 2048 and ECDSA p256 when compared to our software implementations. This is likely due to the setup and preprocessing that needs to happen before sending the operands down to the hardware.
Download:
For our official release please checkout our download page!
Questions?
For information about using MAX32666 or MAX32665 hardware acceleration in your project, or any general inquiries about supporting your project’s hardware, reach out to our support team at support@wolfSSL.com
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
X509 Attribute Certificate support
wolfSSL is adding support for X509 Attribute Certificates (ACERTs, for short), enabled with --enable-acert
. This initial support includes reading, printing, and verifying. Furthermore, it uses our new ASN.1 template implementation, and supports RSA-PSS as well.
But what is an X509 Attribute Certificate, and how does it differ from the more commonly encountered X509 Public Key Certificate? Defined in RFC 5755, an Attribute Certificate is a digitally signed binding between an identity and authorization attributes. In contrast to X509 Public Key Certs, an X509 Attribute Cert does not contain a public key. However, the public key used to verify an Attribute Cert could be found in an X509 Pub Key Cert.
If you’re curious and want to learn more, check out the X509 ACERT pull request and our recently added ACERT example. The latter shows an example of using ACERT support with our openssl compatibility layer.
If you are interested in X509 Attribute Certificates support or have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
LMS in PKCS11
Most people know that wolfSSL supports being a PKCS11 consumer. It is easy to enable this with the --enable-pkcs11
configure time flag and then trying out the examples. Now, what most people don’t realize is that we also have the ability to be a PKCS11 provider!! This is via our library called wolfPKCS11. Check out the source repo on github.
The most interesting thing about PKCS11 is that the post-quantum stateful hash-based signature scheme LMS/HSS has already been added to the PKCS11 standard. If you look at the latest specification, you can already find an example template definition for a private key:
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; CK_KEY_TYPE keyType = CKK_HSS; CK_UTF8CHAR label[] = “An HSS private key object”; CK_ULONG hssLevels = 123; CK_ULONG lmsTypes[] = {123,...}; CK_ULONG lmotsTypes[] = {123,...}; CK_BYTE value[] = {...}; CK_BBOOL true = CK_TRUE; CK_BBOOL false = CK_FALSE; CK_ATTRIBUTE template[] = { {CKA_CLASS, &keyClass, sizeof(keyClass)}, {CKA_KEY_TYPE, &keyType, sizeof(keyType)}, {CKA_TOKEN, &true, sizeof(true)}, {CKA_LABEL, label, sizeof(label)-1}, {CKA_SENSITIVE, &true, sizeof(true)}, {CKA_EXTRACTABLE, &false, sizeof(true)}, {CKA_HSS_LEVELS, &hssLevels, sizeof(hssLevels)}, {CKA_HSS_LMS_TYPES, lmsTypes, sizeof(lmsTypes)}, {CKA_HSS_LMOTS_TYPES, lmotsTypes, sizeof(lmotsTypes)}, {CKA_VALUE, value, sizeof(value)}, {CKA_SIGN, &true, sizeof(true)} };
Are you looking to use wolfSSL to consume LMS/HSS? Our wolfCrypt library already has support for LMS/HSS; want to consume it via a PKCS11 interface? Want to get ahead of the curve and start prototyping ML-KEM (FIPS 203) or ML-DSA (FIPS 204) in PKCS11? Send a message to facts@wolfSSL.com to let us know which of these you want accelerated.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
Repurposing ESP32 Devices for Enhanced Security: Insights from wolfSSL at Hackaday 2024
We’re excited to announce that wolfSSL will be attending the 2024 Hackaday Superconference from November 1st to 3rd in sunny Pasadena, California, as a featured speaker! Don’t miss our insightful talk, “Repurposing ESP32 Based Commercial Products,” where you’ll learn how to secure ESP32 devices and turn them into HomeKit compatible tools by flashing custom software onto existing products.
In this talk, we’ll dive into effective reverse engineering techniques, such as finding JTAG pins, and explore development and debugging using open-source Tigard JTAG hardware with VisualGDB in Visual Studio. We’ll also highlight how to implement secure cryptographic functions—like post-quantum TLS 1.3—using wolfSSL’s commercial-grade solutions. Additionally, we’ll discuss the risks associated with modifying high-voltage devices.
Conference Program Details:
Title: Repurposing ESP32 Based Commercial Products
Date and Time: November 2nd | 1:00 – 1:40 PM PT
Room: DesignLab
This is a fantastic opportunity to deepen your understanding of IoT security and cryptography, and see firsthand how wolfSSL is leading the way in secure solutions. Whether you’re looking to enhance your home automation setup or strengthen the security of your projects, this talk has something for everyone.
wolfSSL will also be available at the conference to answer your questions and discuss the future of cryptographic solutions. Don’t miss this chance to connect with us and learn more about how wolfSSL is shaping the future of security.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
Live Webinar In the European Time Zone: Everything You Need to Know About FIPS 140-3
Curious about how FIPS 140-3 can elevate your security strategy? Join us on October 30th for an exclusive webinar with Kaleb Himes, Senior Software Engineer at wolfSSL. Kaleb will break down everything you need to know about the latest in cryptographic standards. From key differences between FIPS 140-2 and FIPS 140-3 to wolfCrypt’s industry-leading achievement, this is your chance to gain practical insights that can strengthen your systems.
Register today: Everything You Need to Know about FIPS 140-3 – Tailored for the European Time Zone
Date: October 30th | 7 AM PT / 3 PM CET
This webinar is scheduled to accommodate participants in the European Time Zone.
This webinar will cover:
- Basic & Benefits: Discover why FIPS 140-3 is essential for secure systems and what makes it a must-have.
- Difference Between FIPS 140-2 and FIPS 140-3: Understand the key distinctions and improvements from FIPS 140-2.
- wolfCrypt’s Achievement: Learn about wolfCrypt’s milestone as the first to receive the SP800-140Br1 FIPS 140-3 validated certificate (#4718).
And much more..
Don’t miss out on this chance to deepen your understanding of FIPS 140-3 and its critical role in securing modern systems. Whether you’re new to the standard or looking for expert insights, this webinar offers the knowledge and practical advice you need to stay ahead in cybersecurity.
Register today to secure your spot!
As always, our webinars will include Q&A sessions throughout. If you have questions on any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
wolfSSL 5.7.4 Release
wolfSSL release 5.7.4 is now available, with exciting optimizations for ARM devices and enhancements to post-quantum cryptography algorithms. If you’re using wolfSSL on RISC-V, we’ve also included new performance enhancements specifically for RISC-V devices. Alongside these optimizations and new features, several important fixes were made. One notable fix involves the behavior of X509_STORE_add_cert()
and X509_STORE_load_locations()
functions to better align with OpenSSL when the compatibility layer is enabled.
Below are some of the key changes in this release. For a more comprehensive list, refer to the ChangeLog.
New Features and Additions
- RISC-V 64: Added new assembly optimizations for SHA-256, SHA-512, ChaCha20, Poly1305, and SHA-3 (PRs 7758, 7833, 7818, 7873, 7916).
- DTLS 1.2 Connection ID: Implemented support for Connection ID (CID) (PR 7995).
- DevkitPro Support: Added support for (DevkitPro)libnds (PR 7990).
- Mosquitto: Added a port for Mosquitto OSP (Open Source Project) (PR 6460).
- sssd: Added a port for
init sssd
(PR 7781). - eXosip2: Added support for eXosip2 (PR 7648).
- STM32G4: Added support for STM32G4 (PR 7997).
- MAX32665 and MAX32666: Added support for TPU hardware and ARM ASM crypto callback (PR 7777).
- libspdm: Added support for building wolfSSL to be used in libspdm (PR 7869).
- Nucleus Plus: Added support for use with Nucleus Plus 2.3 (PR 7732).
- RFC5755 Attribute Certificates: Initial support for x509 attribute certificates (acerts) with
--enable-acert
(PR 7926). - PKCS#11 RSA Padding Offload: Allows tokens to perform CKM_RSA_PKCS (sign/encrypt), CKM_RSA_PKCS_PSS (sign), and CKM_RSA_PKCS_OAEP (encrypt) (PR 7750).
- Heap/Pool Allocation: Added “new” and “delete” style functions for heap/pool allocation and freeing of low-level crypto structures (PRs 3166, 8089).
Espressif / Arduino Updates
- Updated
wolfcrypt settings.h
- Updated Espressif SHA, utility, memory, and time helpers (PR 7955).
- Fixed
_thread_local_start
and_thread_local_end
for Espressif (PR 8030). - Enhanced benchmarking for Espressif devices (PR 8037).
- Introduced Espressif common
CONFIG_WOLFSSL_EXAMPLE_NAME
in Kconfig (PR 7866). - Added
wolfSSL esp-tls
- Updated wolfSSL release for Arduino (PR 7775).
Post-Quantum Crypto Updates
- Dilithium: Support for fixed-size arrays in
dilithium_key
(PR 7727). - Dilithium Precalc: Added option to use precalc with small sign (PR 7744).
- Kyber FIPS: Allowed Kyber to be built with FIPS (PR 7788).
- Kyber in Linux Kernel: Enabled Kyber ASM usage in Linux kernel module (PR 7872).
- Dilithium, Kyber: Updated to final specifications (PR 7877).
- Dilithium FIPS: Supported FIPS 204 Draft and Final Draft (PRs 7909, 8016).
ARM Assembly Optimizations
- ARM32: Added assembly optimizations for ChaCha20 and Poly1305 (PR 8020).
- Poly1305 Aarch64: Improved Poly1305 assembly optimizations for Aarch64 (PR 7859).
- Poly1305 Thumb-2: Added Poly1305 optimizations for Thumb-2 (PR 7939).
- STM32CubePack: Added ARM ASM build option to STM32CubePack (PR 7747).
- Visual Studio: Added ARM64 support to the Visual Studio project (PR 8010).
- Kyber ARM Optimizations: Added assembly optimizations for ARM32, Aarch64, ARMv7E-M, and ARMv7-M (PRs 8040, 7998, 7706).
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
wolfBoot: Secure Boot now with support for FIPS 204 ML-DSA post-quantum signature algorithm
NIST recently announced three new standards for post-quantum cryptography (FIPS 203-205), and among them was ML-DSA (FIPS 204, Module-Lattice Digital Signature Algorithm), a lattice-based algorithm derived from the round 3 finalist CRYSTALS-DILITHIUM. As a general purpose digital signature algorithm ML-DSA has attractive features, such as fast key generation, signing, and verifying, as well as a tunable security strength. ML-DSA also supports organizations migrating to CNSA 2.0.
Naturally the wolfSSL team found this quite interesting, and we eagerly set to work on ML-DSA support. We are pleased to announce we have added ML-DSA to wolfBoot, which is achieved by utilizing wolfCrypt’s implementation of dilithium (ML-DSA). This implementation supports all three parameter sets standardized in FIPS 204: ML-DSA-44, ML-DSA-65, and ML-DSA-87. If you’re curious, you can read more about it in our wolfBoot PQ docs, and test out the new ML-DSA config example.
In total, wolfBoot now has support for three NIST approved post-quantum algorithms:
- ML-DSA: NIST FIPS 204
- LMS/HSS: NIST SP 800-208
- XMSS/XMSS^MT: NIST SP 800-208
Conspicuously absent from this list is FIPS 205, Stateless Hash-Based Digital Signature Standard (SLH-DSA, the NIST standard successor of SPHINCS+). Should we amend this absence? Let us know.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
Achieving WireGuard GO FIPS Compliance with wolfCrypt
Last week we put out a blog post sharing our integration of wolfCrypt into WireGuard. But did you know that we’ve already ported our FIPS 140-3 certified cryptographic engine into WireGuard GO, the official user space implementation of WireGuard in golang?
In cases where WireGuard’s functionality is desired, but a kernel isn’t available or installing a kernel-level VPN isn’t feasible, WireGuard GO offers a flexible solution.
And if you require FIPS compliance in your WireGuard GO deployments, our latest efforts make this possible. Using our golang wrapper go-wolfssl, we replaced WireGuard GO’s standard crypto (ChachaPoly, Curve25519, Blake2s) with our own FIPS certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard GO end-points may only communicate with other FIPS-ified end-points. This is because the same set of algorithms would be required on both sides for interoperability.
Although the usual trade-off of WireGuard vs WireGuard GO is performance vs simplicity and flexibility, wolfCrypt’s ability to utilize hardware acceleration for AES and SHA can let you keep reaping WireGuard GO’s benefits without having to compromise on performance.
See the README here for instructions to get started using WireGuard GO with wolfCrypt.
Are you interested in WireGuard GO with wolfCrypt FIPS 140-3?
If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
Weekly updates
Archives
- December 2024 (15)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)