RECENT BLOG NEWS

Clavister, one of Europe’s leading cybersecurity vendors, announced that their latest release of OneConnect for macOS, iOS and iPadOS utilizes acceleration from wolfSSL for better performance metrics. 

“We managed to leverage the acceleration in wolfSSL and could see a reduction of cpu usage (which should translate into better battery life),” says Clavister. If you’re not familiar with our performance benchmarks, visit our benchmarks page. 

wolfSSL is constantly expanding our hardware acceleration support portfolio. Check out our website for more information and send us a message to inquire about support for your target.

View Clavister’s announcement here. 

Follow wolfSSL on LinkedIn to stay tuned to more updates and use cases! Want to share how wolfSSL has helped your customers win?

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL version 4.8.1 is available for download!!

This version of wolfSSL includes many new features, ports, and some great fixes. Some of the new features added includes:

• A tie in for use with wolfSentry. 
  • wolfSentry is a universal, dynamic, embedded IDPS (intrusion detection and prevention system)
  • The build option added to enable the code for use with wolfSentry can be compiled using the autotools flag –enable-wolfsentry. wolfSentry is our new product that can be used in a similar fashion as a firewall but unlike many firewall applications available today wolfSentry is designed for deeply embedded IoT devices with resource constraints.
  • Learn more from our webinar: Introducing wolfSentry, an Embeddable IDPS

• A number of API for the compatibility layer 
  • Helps support replacing OpenSSL using wolfSSL along with updating your crypto for FIPS requirements, 
• A QNX CAAM driver for use with NXP’  i.MX devices, 
  • CAAM stands for Cryptographic Accelerator and Assurance Module. When used, it speeds up the cryptographic algorithms such as ECC and AES, as well as increases security by using encrypted keys and secure memory partitions.
• Support for STM32G0, 
• Zephyr project example,
  • The Zephyr Project is a scalable real-time operating system (RTOS) supporting multiple hardware architectures, optimized for resource constrained devices, and built with safety and security in mind.
• An easy-to-use Dolphin emulator test for DEVKITPRO
  • devkitPro is a set of tool chains for compiling to gaming platforms.
• Fixes for PKCS#7 
  • PKCS#7 is used to sign, encrypt, or decrypt messages under Public Key Infrastructure (PKI). It is also used for certificate dissemination, but is most commonly used for single sign-on.
• Better parsing and handling of edge cases along with fixes for existing ports. 
• Fixes that came from testing with Coverity and fsanitizer tools. 
  • Coverity is very efficient in finding issues, and is often used as a metric for good code (based on how many issues are found and fixed)
  •  fsanitizer is a static analysis tool
• Two vulnerabilities announced, 
  • one dealing with OCSP 
    • OCSP or “Online Certificate Status Protocol” is an Internet protocol that is used to obtain the revocation status of an X.509 digital certificate.
  • the other with a previously fixed base64 PEM decoding side channel vulnerability.
    • PEM, or “Privacy Enhanced Mail” is the most common format that certificates are issued in by certificate authorities.

For a full list of changes, check out the updated ChangeLog.md bundled with wolfSSL or view our page on GitHub here (https://github.com/wolfSSL/wolfssl).

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

The summer release of wolfMQTT v1.9.0 is now available! This release has several bug fixes and features including:

• Fixes for Sensor Network client (PR #204, 214, 219)
• Fixes for non-blocking (PR #205)
• Fixes for multithread (PR #207, 209, 211, 218)
• Fix for MQTTv5 publish response handling (PR #224, 220)
• Fix subscribe return code list (PR #210)
• Fix switch statement fallthrough on other toolchains (PR #225)
• Add HiveMQ Cloud capability with SNI feature (PR #222)
• Add ability to publish files from example client, fix chunked publish (PR# 223)

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

https://github.com/wolfSSL/wolfMQTT/blob/master/ChangeLog.md

While you’re there, show us some love and give the wolfMQTT project a Star!
You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfMQTT

We are excited to announce the release of v2.2.0 for wolfTPM. This release adds several new examples such as remote attestation, seal/unseal and GPIO control. There are minor fixes for authenticated sessions. A few coding refactors to improve readability and reliability. We also added endorsement hierarchy support to several examples. If you are using QNX then you will appreciate the built-in HAL SPI driver support.

• Fix for using multiple authenticated sessions.
• Added QNX support.
• Added new examples for remote attestation (make / activate credential).
• Added GPIO support and examples for ST33 and Nuvoton NPCT75x modules.
• Added new example for sealing a secret using TPM key.
• Added Endorsement Hierarchy support to many examples.
• Added missing TPM2_CreateLoaded and wrapper.
• Refactored the reference HAL IO code into separate files.
• Refactor of the TPM IO code to separate files.
• Refactor the assignment of structs to use memcpy to avoid alignment issues.
• Documentation improvements for API’s with Doxygen, QEMU and Windows TBS.

For a detailed list of changes see our ChangeLog.md here:
https://github.com/wolfSSL/wolfTPM/blob/master/ChangeLog.md#wolftpm-release-22-07132021

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Pseudo Random Number Generator (PRNG)

Software-generated random numbers only are pseudorandom. They are not truly random because the computer uses an algorithm based on a distribution, and are not secure because they rely on deterministic, predictable algorithms. Since a seed number can be set to replicate the “random” numbers generated, it is possible to predict the numbers if the seed is known. Pseudorandom number generation in everyday tools such as Python and Excel are based on the Mersenne Twister algorithm. 

An example use of PRNGs is in key stream generation. Stream ciphers, such as Chacha, encrypt plaintext messages by applying an encryption algorithm with a pseudorandom cipher digit stream (keystream). Keystreams of some block cipher modes, such as AES CTR (counter) mode, act as a stream cipher and can also be regarded as pseudorandom number generation.

True Random Number Generator (TRNG)

For truly random numbers, the computer must use some external physical variable that is unpredictable, such as radioactive decay of isotopes or airwave static, rather than by an algorithm. At the quantum level, subatomic particles have completely random behavior, making them ideal variables of an unpredictable system. Most higher end microcontrollers have TRNG sources, which wolfSSL can use as a direct random source or as a seed for our PRNG. Intel RDRAND, a silicon-based TRNG, is supported by wolfSSL.

Additionally, wolfSSL supports the following hardware systems involving TRNGs:

• Espressif ESP32-WROOM-32
• Intel SGX
• Microchip ATECC608
• Microchip PIC32MZ
• Nordic nRF5x
• NXP i.MX6 CAAM
• NXP i.MX RT1060
• NXP Kinetis and KSDK
• Renesas TSIP
• Silicon Labs SE
• STM32
• Telit M2MB
• Whitewood Quantum RNG
• Windows CryptGenRandom

You can find the full list of all hardware acceleration/cryptography platforms currently supported by wolfSSL here: Hardware Cryptography Support

RNGs in cryptography

However, true RNGs on their own are often not cost efficient, and can be subject to gradual decline. Thus, there is still some reliance on post-processing algorithms (that are deterministic and vulnerable) to further improve randomness, as the quality of their entropy source is not consistent. The combination of a TRNG and a PRNG can limit the negative effects of this decline. For example, in NXP i.MX RT1060, the TRNG present in the core can be used as an entropy source to determine the seed of a Deterministic Random Bit Generator (DRBG), which on its own is a PRNG, but in combination with the TRNG results in a good approximation of randomness, without weakness over time. 

wolfSSL uses the SHA2-256 (Secure Hash Algorithm) Hash_DRBG described in NIST’s SP 800-90A (the specification for three allegedly cryptographically secure pseudorandom number generators for use in cryptography). Additionally, wolfRand, wolfSSL’s FIPS module which includes a hardware entropy source, is conformant to NIST’s SP 800-90B (the design principles and requirements for the entropy sources used by random-bit generators, and the tests for the validation of entropy sources).

For cryptographic purposes, a more secure approximation of a true random number can be achieved with a combination of algorithms, rather than just relying on one. In the update from TLS 1.1 to TLS 1.2, the MD5/SHA-1 combination in the pseudorandom function (PRF) was replaced with cipher-suite-specified PRFs, which continue to be used in TLS 1.3 with SHA2-256 and SHA2-384. 

MD5/SHA-1 (Message Digest/Secure Hash Algorithm) combined two Message Authentication Code (MAC) algorithms to provide a balance between speed and security. Meanwhile, a cipher suite is a set of cryptographic instructions or algorithms that helps secure network connections through Transport Layer Security(TLS)/Secure Socket Layer (SSL). During the SSL handshake between the web server and the client, the two parties agree on a cipher suite, which is then used to secure the HTTPS connection. A typical cipher suite contains 1 key exchange, 1 bulk encryption, 1 authentication, and 1 MAC algorithm. 

For more information on cipher suites and their uses, visit “What is a Cipher Suite?”

Conclusion

Truly random numbers are difficult to generate because they are not cost-efficient and subject to decline over time. However, random number generation can be made more effective by using multiple random processes in combination, either with a TRNG/PRNG combination, or an ensemble of algorithms in a cipher suite.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfTPM is the leading TPM library for embedded and baremetal applications. It is widely used in aerospace, military, and medical systems because the wolfSSL TPM 2.0 library is designed specifically for embedded systems. wolfTPM offers a low memory footprint and supports all of the TPM 2.0 commands and operations; as well as provids examples of: attestation, NVRAM usage, secure storage, and sealing.

Today, we have expanded on the new  TPM 2.0 feature called Extra GPIO, by adding support for the newest variant of NPCT75x modules by Nuvoton.

It is now possible to protect and control GPIO by using TPM 2.0 authorization. This way, extra GPIO on the TPM chip becomes a great tool for signaling of critical events across subsystems.

Since, wolfTPM already offers support for extra GPIO for ST33 modules from STMicroelectronics. Here is a brief comparison of the GPIO capabilities between ST33 and NPCT75x :

In safety-critical systems, extra GPIO control through the TPM 2.0 module provides signaling for security events and important changes of the system state. Such use cases are observed in the rising railway IoT automation and in modern automotive systems.

We want to thank the team at Nuvoton led by Mr. Oren and the amazing field application engineer Ms. Dana for collaborating on this project.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

The wolfMQTT client library “mqttclient” example demonstrates securely connecting over TLS provided by wolfSSL.

We set up a HiveMQ Cloud cluster that can be used for testing. The HiveMQ Cloud broker uses the Server Name Indicator (SNI) extension for TLS client authentication, which is specified using the `-S ` option. The example is located in `/examples/mqttclient/`. You can test with our HiveMQ Cloud cluster using:

./examples/mqttclient/mqttclient -h 833f87e253304692bd2b911f0c18dba1.s1.eu.hivemq.cloud -t -S -u wolf1 -w NEZjcm7i8eRjFKF -p 8883

Everyone deserves to have their IoT data secure, and wolfSSL provides the best libraries to accomplish that! Secure-IoT-Love from the wolfSSL team!

You can download the latest release here: https://www.wolfssl.com/download/

Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfMQTT

Don’t forget to add a star while you’re there!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

We are adding hardware security to wolfSSH to meet the rising security requirements for connected systems.

Thanks to the widely available Trusted Platform Module (TPM) and our portable wolfTPM library, wolfSSH can have the user’s private SSH key stored and used directly from a hardware security module. This way the private key material is never exposed in raw form and the system has physical tamper-proof protection of its important secrets.

wolfSSH is a portable SSH v2.0 client and server. It also supports the SCP and SFTP protocols. This makes wolfSSH a preferred choice for embedded systems and applications. 

wolfTPM is a portable TPM 2.0 library, designed for baremetal and embedded systems. wolfTPM has its own TPM Interface Layer (TIS) developed in accordance with the Trusted Computing Group Group (TCG). This allows wolfTPM to operate in every operating environment, because it does not require a TPM driver.

For information on our wolfSSH capabilities see https://www.wolfssl.com/products/wolfssh/.

Do you want to use SSH with hardware protected keys?

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

The QSslSocket class in Qt makes it easy to add encryption to your application. wolfSSL makes it secure!

The wolfSSL embedded SSL/TLS library is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments – primarily because of its small size, speed, and feature set.  It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross-platform support. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.2 levels, is up to 20 times smaller than OpenSSL, supports FIPS, and has critical interfaces like TPM 2.0 and  PKCS#11.

Qt has traditionally used OpenSSL as the provider for SSL/TLS in Qt Network for secure network communications. wolfSSL 4.4.0 adds support for building Qt 5.12 and 5.13 against the wolfSSL embedded SSL/TLS library instead of the default OpenSSL backend! The wolfSSL integration with Qt provides a performance-minded alternative, ideal for Qt developers who are looking for a lightweight, progressive, and well-tested SSL/TLS implementation.  

Using wolfSSL as a TLS provider in Qt can have many advantages, depending on application and industry.  Some of these may include:

• Progressive SSL/TLS protocol support (up to TLS 1.3)
• Smaller footprint size (up to 20 times smaller than OpenSSL)
• Extensive testing to reduce bugs and vulnerabilities (currently the best-tested SSL/TLS implementation available)
• Certifications (FIPS 140-2, DO-178C)
• Portability (supports over 30 operating systems)
• Hardware cryptography support
• Commercial support
• Consulting services and training available

To learn more about the advantages of using wolfSSL, visit our page on “wolfSSL vs. OpenSSL”. For more insight into building Qt with wolfSSL, the advantages it brings to Qt developers when used in place of OpenSSL, and the current state of SSL/TLS and the cryptography algorithms used, watch this recorded talk by our Engineering Manager, Chris Conlon. 

For instructions on how to compile Qt with the wolfSSL patch, please visit Building Qt with wolfSSL. 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

The 200th curl release found 3 major security advisories from the curl bug-bounty program. These are the advisories:

• CVE-2021-22901: TLS session caching disaster

This is a Use-After-Free in the OpenSSL backend code that in the absolutely worst case can lead to an RCE, a Remote Code Execution. The flaw is reasonably recently added and it’s very hard to exploit but you should upgrade or patch immediately.

The issue occurs when TLS session related info is sent from the TLS server when the transfer that previously used it is already done and gone.

• CVE-2021-22898: TELNET stack contents disclosure

When libcurl accepts custom TELNET options to send to the server, it the input parser was flawed which could be exploited to have libcurl instead send contents from the stack.

• CVE-2021-22897: schannel cipher selection surprise

In the Schannel backend code, the selected cipher for a transfer done with was stored in a static variable. This caused one transfer’s choice to weaken the choice for a single set transfer could unknowingly affect other connections to a lower security grade than intended.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.