RECENT BLOG NEWS

As you may know, wolfSSL has integrated our FIPS-certified crypto module (wolfCrypt) with OpenSSL as an OpenSSL engine, a product we call wolfEngine. You may also know that OpenSSL 3.0 has done away with the engines paradigm in favor of a new concept, called providers. wolfSSL has begun work on an OpenSSL 3.0 provider, allowing you to use latest version of OpenSSL backed by our FIPS-certified wolfCrypt library. Like wolfEngine, the wolfSSL provider for OpenSSL is an excellent pathway for users looking to get FIPS compliance fast while still using OpenSSL.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL is excited to announce support for using Silicon Labs Hardware acceleration. The EFR32 family of devices support multiple wireless interfaces with hardware cryptographic operations. wolfSSL can now offload cryptographic operations for dramatically increased performance on the Silicon Labs EFR32 family!

Our new support includes hardware acceleration of the following algorithms:

• RNG
• AES-CBC
• AES-GCM
• AES-CCM
• SHA-1
• SHA-2
• ECDHE
• ECDSA

The new functionality can be enabled by defining WOLFSSL_SILABS_SE_ACCEL. In user_settings.h More details are available in the README.md in wolfcrypt/src/port/silabs of the wolfSSL tree.

Benchmarks

Benchmark was performed on an EFR32 Gecko 2 (Series 1) using the xGM210P022.

The tests use Simplicity Studio v5 with Gecko SDK 3.0 using Micrium OS 5 and Secure Element Manager.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL now supports NXP’s SE050 hardware security chip. This is an external I2C crypto co-processor chip that supports RSA key sizes up to 4096-bit, ECC curves up to 521 bit and ED25519 / Curve25519. You can see the full implementation details in GitHub pull request 4322.

We have also expanded our Kinetis LTC support to accelerate RSA key generation. This made it into our v4.8.1 release of wolfSSL.

NXP Semiconductor is a key member of wolfSSL’s partner network. wolfSSL ships with support for offloading cryptographic operations onto several NXP devices, such as the Coldfire, Kinetis, LPC, S32 and i.MX microprocessors. Additionally we support hardware cryptographic acceleration using NXP’s CAU, MMCAU, LTC, CAAM and SE050 hardware. If your target is missing, tell us!

wolfSSL develops a full suite of products supporting NXP designs. Learn about wolfBoot secure boot and TLS 1.3 firmware update with FreeRTOS and wolfSSL on NXP Freedom Board K64 here. After the release of wolfSSL version 4.2.0, we provide improved support for crypto hardware performance, now on NXP mmCAU. Download the latest wolfSSL version 4.8.1 here!

wolfSSL also provides surviving FIPS certificates that can be leveraged for your i.MX8, i.MX7 and i.MX8 CAAM projects. Stay tuned for upcoming FIPS 140-3 support. 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Love it? Star us on GitHub!

wolfSSL is always adding new ports to our highly portable wolfCrypt library! We’re continuing our series on the latest open source project ports—this week, we’re featuring tcpdump.

We have integrated wolfSSL with tcpdump, a powerful command-line packet analyzer. This update allows for the use of tcpdump with our FIPS-validated crypto library, wolfCrypt. Tcpdump is a versatile tool with many options and filters, and is commonly used to capture or filter TCP/IP packets that are received or transferred over a network on a specific interface. Its long-running history ensures that there are many resources available for learning how to use this tool (See the tcpdump Wikipedia page for more info). 

Through the OpenSSL compatibility layer, tcpdump is able to call into wolfSSL. Visit the GitHub page here: https://github.com/wolfSSL/osp/tree/master/tcpdump/4.9.3

Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!
Love it? Star us on GitHub!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

News to look forward to—wolfSSL plans to integrate wolfTPM, our portable TPM 2.0 library, into U-Boot! This would extend the TPM 2.0 capabilities in U-Boot to include signature verification and measured boot.

For many platforms, we can replace U-Boot such as on the Xilinx UltraScale+ MPSoC.

wolfBoot is a portable secure bootloader solution that offers firmware authentication and firmware update mechanisms. Thanks to its minimalistic design, wolfBoot is completely independent from any OS or bare-metal application. Some of its key features include:

• Partition signature verification using ED25519, RSA and ECC
• Encryption of partitions
• Updating of partitions in the boot loader
• Measured boot with TPM 2.0 PCR registers
• Offloading to crypto coprocessors like the TPM 2.0 modules
• Version checking for updates
• Rollback on failed updates

For information on our wolfBoot TPM integration, visit https://www.wolfssl.com/curious-learn-wolfboot-tpm/.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Connect with wolfSSL!
Twitter
LinkedIn
GitHub

Public key infrastructure or PKI is important term used to define everything that is used to “create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.” (https://en.wikipedia.org/wiki/Public_key_infrastructure) As RSA and ECC are one of the main algorithms used for PKI key generation, we are wondering if anyone is interested in RSA 3k or ECC 384 support in wolfBoot?

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfBoot
While you’re there, show us some love and give the wolfBoot project a Star!

wolfSSL has long been aware of the quantum threat to modern cryptography. Though quantum computing currently exists on small scales, research has determined enough to know that once full-scale quantum computing is available, all modern cryptography (RSA, ECC, etc.) will no longer be secure. Furthermore, the proven usage model of Quantum Computing as a Service (QCaaS) via the Cloud means that quantum capabilities will be more widely available, posing a greater security threat. This risk is why wolfSSL provides support for integration with the NTRU cryptosystem and an implementation of the QSH TLS extension. 

With NIST already having announced the Round 3 finalists of the Post-Quantum Cryptography Competition, we thought it was time to update our quantum-safe offerings. WolfSSL will soon support integration with the Open Quantum-Safe project’s libOQS. Initial support will be for Key Exchange only using all parameter sets of Crystals-Kyber, NTRU, and SABER for TLS 1.3. With perfect forward secrecy, these algorithms can protect you from the “Harvest and Decrypt” threat model.

“Harvest and Decrypt”

If encrypted sensitive data is stolen (harvested) today, it will be accessible (decrypted) once a sufficiently-powered quantum computer is available. If the sensitive information has a secrecy requirement that extends beyond the time it will take to develop large-scale quantum computing, then that data should be considered at risk today. The quantum threat to current confidential data demonstrates the importance of migrating to quantum-safe solutions as soon as possible. For more details, you can look up “Mosca’s Inequality”.

Next Steps

To continue future-proofing encrypted data streams, wolfSSL plans to hybridize key construction algorithms with NIST-standardized ECDSA components. These hybridized algorithms will continue to be FIPS compliant under the current NIST standards. In addition, wolfSSL is developing a test for post-quantum cURL, coming in the next 4 to 6 weeks.

wolfSSL is attending ICMC (International Cryptographic Module Conference) this week, where we will be talking more about post-quantum computing—come visit us there! 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

One of the highlights of our wolfCrypt library is its exceptional portability, which allows wolfSSL’s team of engineers to frequently add new ports! Stay tuned for the rest of our blog series on the latest open source project ports over the next few weeks.

This week, we’re showcasing libssh2! We have integrated wolfSSL with the libssh2 project, which allows for the use of libssh2 with our FIPS-validated crypto library, wolfCrypt. Libssh2 is a client-side C library designed to implement the SSH2 protocol for embedding specific SSH (Secure Shell) capabilities into other tools. The project includes hundreds of functions that allow specific activities and components to be selected and added to an application, while still remaining small in size.

We’ve enabled libssh2 to be able to call into wolfSSL through the OpenSSL compatibility layer. You can access the GitHub page here: https://github.com/wolfSSL/osp/tree/master/libssh2/1.9.0

Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!
Love it? Star us on GitHub!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

lighttpd has added support for wolfSSL in version 1.4.51! lighttpd is a fast and lightweight web server designed with a very low memory footprint. These design goals make wolfSSL an excellent choice as the SSL/TLS implementation, as it’s built to be lightweight, portable, and very fast. wolfSSL targets embedded and IoT devices but works just as well on desktop, enterprise, and cloud environments. Configuring wolfSSL as the SSL/TLS backend for lighttpd is simple and can provide you with the immediate benefit of a lower memory footprint and faster cryptography!

Compile wolfSSL with:

./configure --enable-lighty
make
make install

Compile lighttpd with:

./configure --with-wolfssl
make 
make install

To learn about how to setup your lighttpd instance to use wolfSSL, please visit https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Love it? Star us on GitHub!

Because of the exceptional portability of our wolfCrypt library, plus our fantastic team of engineers, we’re able to frequently add new ports. We’ll be showcasing a few of the latest open source project ports over the next ten weeks, so tune in!

First, we just integrated wolfSSL with the NTP (Network Time Protocol) project. This port allows for the use of NTP with our FIPS-validated crypto library, wolfCrypt. NTP is designed to synchronize the clocks of computers over packet-switched, variable-latency data networks. For more information on NTP, you can also visit the project’s website at ntp.org.

We’ve enabled NTP to be able to call into wolfSSL through the OpenSSL compatibility layer. You can access the GitHub page here: https://github.com/wolfSSL/osp/tree/master/ntp/4.2.8p15

Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!
Love it? Star us on GitHub!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.