curl with FIPS 140-3 wolfSSL

cURL is a popular open-source project that is used to transfer data between client and server with URLs through various protocols. It is widely utilized and often serves as the backbone for data transfer and communication between systems. curl (the command line tool) and libcurl (the library underneath) both provide support for secure communication by leveraging SSL/TLS libraries, the FIPS 140-3 certified wolfSSL library being one of them.

With the wolfCrypt FIPS 140-3 module, wolfSSL provides and makes use of an array of cryptographic algorithms that are rigorously tested and validated under NIST’s CMVP (Cryptographic Module Validation Program). When leveraged with cURL, the result is a FIPS 140-3 compliant build with the full feature set and utility that cURL users have come to expect, in addition to the cryptographic assurance that can help them meet security standards and requirements.

Additionally, there is also the tinycurl library, designed for smaller systems and more embedded use cases. tinycurl has the same capability to utilize FIPS wolfSSL.

Are you interested in curl with FIPS 140-3 wolfSSL? Contact us!

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Achieving WireGuard GO FIPS Compliance with wolfCrypt

Last week we put out a blog post sharing our integration of wolfCrypt into WireGuard. But did you know that we’ve already ported our FIPS 140-3 certified cryptographic engine into WireGuard GO, the official user space implementation of WireGuard in golang?

In cases where WireGuard’s functionality is desired, but a kernel isn’t available or installing a kernel-level VPN isn’t feasible, WireGuard GO offers a flexible solution.

And if you require FIPS compliance in your WireGuard GO deployments, our latest efforts make this possible. Using our golang wrapper go-wolfssl, we replaced WireGuard GO’s standard crypto (ChachaPoly, Curve25519, Blake2s) with our own FIPS certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard GO end-points may only communicate with other FIPS-ified end-points. This is because the same set of algorithms would be required on both sides for interoperability.

Although the usual trade-off of WireGuard vs WireGuard GO is performance vs simplicity and flexibility, wolfCrypt’s ability to utilize hardware acceleration for AES and SHA can let you keep reaping WireGuard GO’s benefits without having to compromise on performance.

See the README here for instructions to get started using WireGuard GO with wolfCrypt.

Are you interested in WireGuard GO with wolfCrypt FIPS 140-3?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

FIPS-Certified WireGuard: Bringing wolfCrypt into the VPN Solution

As WireGuard continues to grow in popularity for its simplicity and efficiency in VPN deployments, security-conscious organizations are increasingly demanding solutions that adhere to stringent security standards, such as the Federal Information Processing Standard (FIPS 140-3). FIPS certification is a key requirement for governmental agencies and industries like healthcare and finance, where secure cryptographic implementations are mandatory. However, WireGuard’s default cryptographic implementations, while highly secure, are not FIPS-certified.

This is where wolfCrypt steps in. wolfCrypt is a lightweight, portable, and highly optimized cryptographic library that offers FIPS 140-3 certification, making it an ideal partner for users seeking FIPS compliance in their WireGuard deployments. With our planned integration, we’ll replace the standard crypto suite that WireGuard offers (ChachaPoly, Curve25519, Blake2s) with our own certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard end-points may only communicate with other FIPS-ified end-points. But this of course is not a bug, but a feature. FIPS can only talk to FIPS.

So by leveraging our incoming integration, users can gain access to a VPN solution that is both secure and FIPS-compliant. This is especially important for industries with strict security requirements. The performance of WireGuard, combined with the certified cryptographic operations of wolfCrypt, ensures that you don’t sacrifice speed or security. In fact, with wolfCrypt’s ability to utilize hardware acceleration for AES and SHA, you might end up with a much faster WireGuard. Additionally, wolfCrypt’s small footprint makes it a practical choice for deployments in constrained environments, including IoT devices, embedded systems, and edge computing setups. You get a robust, certified security layer without bogging down performance.

Are you interested in WireGuard with wolfCrypt?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

FIPS vs FedRAMP Compliance and Requirements

The wolfSSL team has noticed an uptick in questions about FedRAMP requirements. Today, we want to cover the differences between FIPS and FedRAMP.

FIPS:

The Federal Information Processing Standards (FIPS) stipulate security requirements for cryptographic modules, which wolfSSL Inc. meets with our wolfCrypt FIPS module. NIST and the CMVP then encourage all federal programs using cryptography to follow these standards. Federal Procurement Officers (at the urging of NIST and the CMVP) then require FIPS compliance for solutions that consume cryptography and are used within the scope of their federal program(s).

FEDRAMP:

The Federal Risk and Authorization Management Program (FedRAMP) focuses on the security assessment, authorization, and continuous monitoring of cloud products and services. A prerequisite for FedRAMP is the proper implementation of a FIPS-validated cryptographic module by the cloud service provider.

Both programs aim to enhance data security but differ in scope. While FIPS focuses on cryptographic module validation and cryptography, FedRAMP ensures the overall security of cloud services, one part of which is proper implementation of FIPS validated cryptography for all cryptography running in the cloud. Beyond checking for proper FIPS implementations, FedRAMP also ensures the cloud service provider is fully compliant with NIST SP 800-53 IE: Security Controls, a NIST Risk Management Framework (RMF), service is monitored continuously, data protection methods are robust, incidents can be detected, responded to and recovered from, and more. For a complete list please refer to SP 800-53 at this [LINK].

To support wolfSSL customers, wolfSSL Inc. offers a service to fully validate any Operational Environment (OE) (IoT, embedded, FPGA, Digital Signal Processor (DSP), laptop, desktop, server blade, or cloud system). wolfSSL Inc (the vendor) will fully test and validate the OE of choice using a third-party NVLAP accredited FIPS lab (or CSTL) and get the OE listed as a CMVP-validated OE on the wolfCrypt FIPS Certificate. This is a CMVP-backed OE addition which is guaranteed to be acceptable by any federal program with a FIPS requirement, as opposed to vendor affirmation or user affirmation which often fall short of the mark. Additionally, once the primary certificate is updated with the OE of choice, a rebranded cert with the customer’s logo and letterhead can be offered including that new OE.

wolfSSL’s wolfCrypt FIPS module supports the latest FIPS 140-3 standards and holds the world’s first SP800-140Br1 FIPS 140-3 validated certificate (#4718). Our expert support team is available to assist with the proper implementation of the module on your target OE, a critical step for achieving a successful FedRAMP effort.

Beyond getting proper OE’s for FEDRAMP initiatives, wolfSSL can support customers that are either:

  1. Using an alternative OS within AWS, Azure, or Oracle cloud, or,
  2. If you are standing up your own cloud, support you with meeting the FedRAMP FIPS requirements for the operating system of your choice.

For more information on how wolfSSL can help with your FIPS or FedRAMP compliance needs, shoot us an email at fips@wolfSSL.com today!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfCrypt FIPS 140-3 on ARM

Do you need a FIPS 140-3 validated cryptography library for your ARM-based platform? wolfCrypt has been FIPS 140-3 validated (certificate #4718). While full FIPS 140-3 support on ARM isn’t available just yet, it’s on our radar. We’re making strides to bring this capability to you soon.

FIPS validating a crypto library on a resource-constrained device can be more involved than doing a validation on a standard desktop-like platform. Variances in OS, Flash/RAM, filesystem (or lack of), entropy, communication, and more can make things interesting. Going through our past ARM-based validations, we have figured out how to make this process easier with wolfCrypt!

If you are interested in exploring FIPS 140-3 cryptography validations on ARM platforms, reach out to us at either facts@wolfSSL.com or +1 425 245 8247!

To learn more about our FIPS 140-3 certification, check out wolfCrypt FIPS Q&A.

Download wolfSSL Now

New FIPS Operating Environments

wolfSSL fans! Do you like FIPS? Do you like virtual machines? Guess what – wolfSSL’s crypto library, wolfCrypt, has been validated as the world’s first SP800-140Br1 FIPS 140-3 certificate! However, with the recent changes to the FIPS submission process, OE additions are slightly delayed via a manual process until such time as the CMVP can update the automated WebCryptik tool to support OEUP scenarios. wolfSSL Inc. is moving forward with our CSTL hoping to achieve our first OEUP manual submission in the very near future! As the landscape continues to evolve, wolfSSL remains committed to keeping wolfCrypt compliant with the latest FIPS standards. Stay tuned for more updates!

If you’re interested in getting a FIPS 140-3 approved crypto library running in your virtual or any operating environment, or if you have any questions about the process, please don’t hesitate to contact us at fips@wolfSSL.com or facts@wolfSSL.com, or call us at +1 425 245 8247. We look forward to hearing from you.

Download wolfSSL Now

wolfSSL FIPS-Ready

Several years back with the release of wolfSSL 4.0.0, the wolfSSL team decided to also start releasing a new product: the wolfSSL FIPS Ready library. This product features new, state of the art concepts and technology. In a single sentence, wolfSSL FIPS Ready is a testable and free to download open source embedded SSL/TLS library with support for FIPS validation, with FIPS enabled cryptography layer code included in the wolfSSL source tree. To further elaborate on what FIPS Ready really means, you do not get a FIPS certificate and you are not FIPS validated or approved. FIPS Ready means that you have included FIPS code ready to be certified by the CMVP into your build and that you are operating according to the FIPS enforced best practices of default entry point, and Pre-Operational Self Test (POST) plus Conditional Algorithm self test (CAST).

FIPS validation is a government certification for cryptographic modules that states that the module in question has undergone thorough and rigorous testing to be certified. FIPS validation specifies that a software/encryption module is able to be used within or alongside government systems. The most recent FIPS specification is 140-3, with various levels of security offered (1-4). Currently, wolfCrypt has the world’s first SP800-140Br1 FIPS 140-3 validation with Certificate #4718! When trying to get software modules FIPS validated, this is often a costly and time-consuming effort and as such causes the FIPS validated modules to have high price tags.

Since the majority of wolfSSL products use the wolfCrypt encryption engine, this also means that if wolfSSH, wolfMQTT (with TLS support), wolfBoot, and other wolfSSL products in place can be tested FIPS validated code with their software before committing.

wolfSSL FIPS Ready can be downloaded from the wolfSSL download page.

For more information about wolfSSL and its FIPS Ready initiative, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

FIPS 140-3 and CNSA 2.0 with a Single TLS Connection

Can you believe it? With wolfSSL you can now have a TLS 1.3 connection that is compliant with both FIPS 140-3 and the CNSA 2.0! Want to know how?

For key establishment, we can use the new ML-KEM-1024 (also known as Kyber-1024 which is at security level 5 as defined by NIST) hybridized with ECDH on curve P-521.

In terms of authentication, we can use our dual algorithm certificates where the conventional algorithm is ECDSA on curve P-521 and the alternative algorithm is ML-DSA-87 (also known as Dilithium 5 which is at security level 5 as defined by NIST). The server would then also have conventional and alternative private keys so they would both be used to sign the transcript.

For the cipher suite, We can use AES-256-GCM-SHA384; this is approved by both FIPS 140-3 and CNSA 2.0.

And just like that, we have dual compliance! Want more details and a demo with steps to do it yourself? Not to worry, we’ll have a webinar soon to explain how you can achieve this yourself as well! Please stay tuned.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSH VxWorks FIPS 140-3

Do you need SSH support for an embedded device running VxWorks and do you have a FIPS 140-3 requirement? wolfSSL has what you need: wolfSSH, an embedded SSH library running on top of our wolfCrypt FIPS library, and the wolfCrypt module holds the world’s first SP800-140Br1 FIPS 140-3 Validated, Certificate #4718.

While full FIPS 140-3 support on VxWorks isn’t here yet, stay tuned! Exciting developments are on the horizon. We’re working hard to bring this capability to you in the very near future!

Interested in learning more or preparing for what’s ahead? Email us at fips@wolfSSL.com, and let’s discuss how we can help you integrate wolfSSH into your VxWorks application and guide you through the FIPS process when the time comes.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3