Category: wolfCrypt FIPS

Last week we put out a blog post sharing our integration of wolfCrypt into WireGuard. But did you know that we’ve already ported our FIPS 140-3 certified cryptographic engine into WireGuard GO, the official user space implementation of WireGuard in golang?

In cases where WireGuard’s functionality is desired, but a kernel isn’t available or installing a kernel-level VPN isn’t feasible, WireGuard GO offers a flexible solution.

And if you require FIPS compliance in your WireGuard GO deployments, our latest efforts make this possible. Using our golang wrapper go-wolfssl, we replaced WireGuard GO’s standard crypto (ChachaPoly, Curve25519, Blake2s) with our own FIPS certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard GO end-points may only communicate with other FIPS-ified end-points. This is because the same set of algorithms would be required on both sides for interoperability.

Although the usual trade-off of WireGuard vs WireGuard GO is performance vs simplicity and flexibility, wolfCrypt’s ability to utilize hardware acceleration for AES and SHA can let you keep reaping WireGuard GO’s benefits without having to compromise on performance.

See the README here for instructions to get started using WireGuard GO with wolfCrypt.

Are you interested in WireGuard GO with wolfCrypt FIPS 140-3?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

As WireGuard continues to grow in popularity for its simplicity and efficiency in VPN deployments, security-conscious organizations are increasingly demanding solutions that adhere to stringent security standards, such as the Federal Information Processing Standard (FIPS 140-3). FIPS certification is a key requirement for governmental agencies and industries like healthcare and finance, where secure cryptographic implementations are mandatory. However, WireGuard’s default cryptographic implementations, while highly secure, are not FIPS-certified.

This is where wolfCrypt steps in. wolfCrypt is a lightweight, portable, and highly optimized cryptographic library that offers FIPS 140-3 certification, making it an ideal partner for users seeking FIPS compliance in their WireGuard deployments. With our planned integration, we’ll replace the standard crypto suite that WireGuard offers (ChachaPoly, Curve25519, Blake2s) with our own certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard end-points may only communicate with other FIPS-ified end-points. But this of course is not a bug, but a feature. FIPS can only talk to FIPS.

So by leveraging our incoming integration, users can gain access to a VPN solution that is both secure and FIPS-compliant. This is especially important for industries with strict security requirements. The performance of WireGuard, combined with the certified cryptographic operations of wolfCrypt, ensures that you don’t sacrifice speed or security. In fact, with wolfCrypt’s ability to utilize hardware acceleration for AES and SHA, you might end up with a much faster WireGuard. Additionally, wolfCrypt’s small footprint makes it a practical choice for deployments in constrained environments, including IoT devices, embedded systems, and edge computing setups. You get a robust, certified security layer without bogging down performance.

Are you interested in WireGuard with wolfCrypt?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

The wolfSSL team has noticed an uptick in questions about FedRAMP requirements. Today, we want to cover the differences between FIPS and FedRAMP.

FIPS:

The Federal Information Processing Standards (FIPS) stipulate security requirements for cryptographic modules, which wolfSSL Inc. meets with our wolfCrypt FIPS module. NIST and the CMVP then encourage all federal programs using cryptography to follow these standards. Federal Procurement Officers (at the urging of NIST and the CMVP) then require FIPS compliance for solutions that consume cryptography and are used within the scope of their federal program(s).

FEDRAMP:

The Federal Risk and Authorization Management Program (FedRAMP) focuses on the security assessment, authorization, and continuous monitoring of cloud products and services. A prerequisite for FedRAMP is the proper implementation of a FIPS-validated cryptographic module by the cloud service provider.

Both programs aim to enhance data security but differ in scope. While FIPS focuses on cryptographic module validation and cryptography, FedRAMP ensures the overall security of cloud services, one part of which is proper implementation of FIPS validated cryptography for all cryptography running in the cloud. Beyond checking for proper FIPS implementations, FedRAMP also ensures the cloud service provider is fully compliant with NIST SP 800-53 IE: Security Controls, a NIST Risk Management Framework (RMF), service is monitored continuously, data protection methods are robust, incidents can be detected, responded to and recovered from, and more. For a complete list please refer to SP 800-53 at this [LINK].

To support wolfSSL customers, wolfSSL Inc. offers a service to fully validate any Operational Environment (OE) (IoT, embedded, FPGA, Digital Signal Processor (DSP), laptop, desktop, server blade, or cloud system). wolfSSL Inc (the vendor) will fully test and validate the OE of choice using a third-party NVLAP accredited FIPS lab (or CSTL) and get the OE listed as a CMVP-validated OE on the wolfCrypt FIPS Certificate. This is a CMVP-backed OE addition which is guaranteed to be acceptable by any federal program with a FIPS requirement, as opposed to vendor affirmation or user affirmation which often fall short of the mark. Additionally, once the primary certificate is updated with the OE of choice, a rebranded cert with the customer’s logo and letterhead can be offered including that new OE.

wolfSSL’s wolfCrypt FIPS module supports the latest FIPS 140-3 standards and holds the world’s first SP800-140Br1 FIPS 140-3 validated certificate (#4718). Our expert support team is available to assist with the proper implementation of the module on your target OE, a critical step for achieving a successful FedRAMP effort.

Beyond getting proper OE’s for FEDRAMP initiatives, wolfSSL can support customers that are either:

1. Using an alternative OS within AWS, Azure, or Oracle cloud, or,
2. If you are standing up your own cloud, support you with meeting the FedRAMP FIPS requirements for the operating system of your choice.

For more information on how wolfSSL can help with your FIPS or FedRAMP compliance needs, shoot us an email at fips@wolfSSL.com today!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Do you need a FIPS 140-3 validated cryptography library for your ARM-based platform? wolfCrypt has been FIPS 140-3 validated (certificate #4718). While full FIPS 140-3 support on ARM isn’t available just yet, it’s on our radar. We’re making strides to bring this capability to you soon.

FIPS validating a crypto library on a resource-constrained device can be more involved than doing a validation on a standard desktop-like platform. Variances in OS, Flash/RAM, filesystem (or lack of), entropy, communication, and more can make things interesting. Going through our past ARM-based validations, we have figured out how to make this process easier with wolfCrypt!

If you are interested in exploring FIPS 140-3 cryptography validations on ARM platforms, reach out to us at either facts@wolfSSL.com or +1 425 245 8247!

To learn more about our FIPS 140-3 certification, check out wolfCrypt FIPS Q&A.

Download wolfSSL Now

wolfSSL fans! Do you like FIPS? Do you like virtual machines? Guess what – wolfSSL’s crypto library, wolfCrypt, has been validated as the world’s first SP800-140Br1 FIPS 140-3 certificate! However, with the recent changes to the FIPS submission process, OE additions are slightly delayed via a manual process until such time as the CMVP can update the automated WebCryptik tool to support OEUP scenarios. wolfSSL Inc. is moving forward with our CSTL hoping to achieve our first OEUP manual submission in the very near future! As the landscape continues to evolve, wolfSSL remains committed to keeping wolfCrypt compliant with the latest FIPS standards. Stay tuned for more updates!

If you’re interested in getting a FIPS 140-3 approved crypto library running in your virtual or any operating environment, or if you have any questions about the process, please don’t hesitate to contact us at fips@wolfSSL.com or facts@wolfSSL.com, or call us at +1 425 245 8247. We look forward to hearing from you.

Download wolfSSL Now

Several years back with the release of wolfSSL 4.0.0, the wolfSSL team decided to also start releasing a new product: the wolfSSL FIPS Ready library. This product features new, state of the art concepts and technology. In a single sentence, wolfSSL FIPS Ready is a testable and free to download open source embedded SSL/TLS library with support for FIPS validation, with FIPS enabled cryptography layer code included in the wolfSSL source tree. To further elaborate on what FIPS Ready really means, you do not get a FIPS certificate and you are not FIPS validated or approved. FIPS Ready means that you have included FIPS code ready to be certified by the CMVP into your build and that you are operating according to the FIPS enforced best practices of default entry point, and Pre-Operational Self Test (POST) plus Conditional Algorithm self test (CAST).

FIPS validation is a government certification for cryptographic modules that states that the module in question has undergone thorough and rigorous testing to be certified. FIPS validation specifies that a software/encryption module is able to be used within or alongside government systems. The most recent FIPS specification is 140-3, with various levels of security offered (1-4). Currently, wolfCrypt has the world’s first SP800-140Br1 FIPS 140-3 validation with Certificate #4718! When trying to get software modules FIPS validated, this is often a costly and time-consuming effort and as such causes the FIPS validated modules to have high price tags.

Since the majority of wolfSSL products use the wolfCrypt encryption engine, this also means that if wolfSSH, wolfMQTT (with TLS support), wolfBoot, and other wolfSSL products in place can be tested FIPS validated code with their software before committing.

wolfSSL FIPS Ready can be downloaded from the wolfSSL download page.

For more information about wolfSSL and its FIPS Ready initiative, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Hi! This note is to announce that the wolfSSL team will be adding an operational environment for FreeRTOS/OpenRTOS to the wolfCrypt FIPS 140-3 validated certificate #4718. If you need FIPS 140-3 validated crypto on FreeRTOS or OpenRTOS, let us know at facts@wolfSSL.com.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 24 8247.

Download wolfSSL Now

Doing FIPS responsibly since 2014!
The wolfCrypt module now holds the world’s first SP800-140Br1 FIPS 140-3 Validated Certificate #4718.

INTRO (wolfSSL FIPS service(s)):

(skip to next paragraph for “What is FIPS”)

FIPS is rightly viewed as a complex process with a steep entry learning curve. Lucky for customers of wolfSSL Inc. our management and engineering team have taken the time to learn the documentation surrounding the topic and developed all the tooling necessary to complete FIPS validation testing of the wolfCrypt cryptographic module in coordination with an NVLAP accredited FIPS lab. In order to FIPS validate a new product or operating environment (OE), wolfSSL asks for simply a customer’s hardware, compiler/toolchain (IDE etc), and a guide such that one of our FIPS developers can sit down with nothing but a laptop and achieve compiling and running a hello-world.c application on the target product to be FIPS validated. Yes you read that right, wolfSSL does not need your proprietary application software, just a hello-world.c application to get started. The CMVP validates the cryptographic module running on the target, not the applications that are consuming that cryptographic module. The wolfSSL team will standup the wolfCrypt module on your target product using your own tooling (Compiler, Linker, Assembler) and take it through the certification process as quickly as possible leaving your dev team free to focus on preparing the end product while FIPS certification is taking place simultaneously! At the end wolfSSL staff will deliver highly detailed instructions on re-creating the exact same FIPS approved binary from the source code we deliver given all work was completed with your own tooling in keeping with ISO/IEC 19790:2012 B.2.5 as applied to open source software.

HISTORY (What is FIPS):

Since there are so many options for securing information, the U.S. and Canadian governments recognized in the 1990’s a need to standardize those algorithmic methods deemed to be the most secure and enforce use of only those algorithms in critical government systems. To “encourage” adoption of the requirements by the two governments, the organizations NIST (National Institute of Standards and Technology)¹ and the CCCS (Canadian Centre for Cyber Security)² were called upon to fulfill that mission. The two agencies were to collaboratively:

1. Decide which algorithms were the best/strongest
2. Evaluate: If an algorithm had multiple modes or key lengths which modes or key lengths (if any) were considered too weak and should be excluded?
3. Determine if there were other requirements aside from just having the algorithms implemented correctly
   1. Did the algorithms NEED to be re-tested periodically? (IE as the device was powering up)
   2. Did the module need to be checked periodically to see if it had been tampered with since the factory? (IE an integrity check, etc)
4. Finally to enforce/encourage adoption of these standards by federal agencies belonging to either government. (Eventually expanded to include medical and some private entities as well)

These standards were called the “Federal Information Processing Standards” or FIPS. These standards were documented in a series of “Special Publications” (SP’s).

 Out of a need to document which cryptographic modules and vendors were abiding by the standards set forth, a “certification” program was decided as the best approach. Vendors who made cryptographic modules could submit for and be awarded a certificate if their module was found to be compliant with all standards applicable to that module. The certificates would be hosted on the U.S. based NIST website so that federal agencies (or the public) could “browse” the available FIPS certified modules.

 It was a big job for the two agencies to handle alone, so in 1995 NIST and CCCS established two organizations called the “CMVP” (Cryptographic Module Validation Program)³ and CAVP (Cryptographic Algorithm Validation Program)⁴ to handle testing Cryptographic modules for compliance with the standards. These two organizations would also handle issuing the certificates for vendors and products that passed algorithm testing and were found to meet all applicable standards outlined in the SP’s.

 The CAVP issues algorithm certificates (which are a prerequisite to submitting a module for FIPS certification to the CMVP). The CMVP issues FIPS certificates for “tested configurations” or “operating environments” found to pass the CAVP testing and be in compliance with the standards. Both certificate types (CAVP algo certs and CMVP FIPS certs) are hosted on the NIST website. The certificates are public domain and can be searched by anyone.

 Once established, the CMVP and CAVP needed to establish a way to “test” the modules. To that end they called upon the NVLAP (National Voluntary Laboratory Accreditation Program)⁵ to accredit “third-party” testing laboratories that would serve as an intermediary between the vendors seeking FIPS certification and the CAVP/CMVP bodies.

 A last step in the history of FIPS was adoption of software modules. Originally when the standards were written, only dedicated hardware could perform the heavy lifting necessary for cryptographic mathematical operations so the standards were designed with ONLY hardware modules in mind. Doing cryptography in software at the time was impractical and therefore not considered in the original standards. As general purpose CPUs advanced, eventually it became feasible to implement algorithms in software and have those expensive math operations executed by a general purpose CPU in a reasonable amount of time. Once this reality arrived the standards were “adapted” to allow for both hardware and software modules. To this day there are “some scenarios” in the standards that only seem to make sense for hardware (See our blog post on vendor affirmation and how some software vendors are exploiting a loophole in the standards that was intended for hardware). NIST, the CMVP and CAVP have done a lot of work in the past few years bringing about the latest 140-3 standards. wolfSSL Inc. is thrilled to be the world’s first SP800-140Br1 FIPS 140-3 Validated, Certificate #4718, and one of the first software modules with a commercial FIPS 140-3 offering!

The Process (validating a module):

 Today a hardware or software vendor will work in coordination with an NVLAP accredited lab to complete algorithm testing and receive algorithms certificates.

(Milestone 1 of a FIPS certification effort)

 Once the vendor receives the prerequisite CAVP certificates they will perform operational testing with the same NVLAP accredited lab. Once all testing evidence has been captured and everything reviewed and approved by the NVLAP quality assurance department, the lab is ready to submit everything to the CMVP.

(Milestone 2 of a FIPS certification effort)

 The CMVP will coordinate with the vendor via the NVLAP accredited lab and once all requirements have been satisfied the CMVP will either issue a new FIPS certificate or update an existing certificate if the vendor is adding an operating environment to an existing certificate.

(Milestone 3 of a FIPS certification effort)

Submission Scenario(s) supported by wolfSSL Inc:

• New cert (draw a new module boundary around specific algorithms and certify from scratch resulting in a new certificate)
• OE addition (Add an OE to an existing certificate)
• Revalidation (redraw the module boundary of an existing validated module to include new or remove existing algorithms from the boundary description)
• Vendor Affirmation – wolfSSL is a software module vendor. As a responsible FIPS vendor wolfSSL feels that software vendors are generally incapable of determining how a change to the CPU or OS will affect the cryptography (especially if the CPU or OS changes completely). As such wolfSSL Inc does not currently offer Vendor Affirmation as a path to FIPS. Special circumstances MAY exist but would need to be evaluated on a case-by-case basis.

Timeline estimates for the various scenarios change over time. If you would like an up-to-date estimate for a given submission scenario please contact support@wolfssl.com for the latest.

Summary:

• wolfSSL Inc can make the process of certifying your product painless and hands-free once we have the product and basic instructions for getting a hello-world app up and running on the target!
• FIPS is a set of standards, detailed in Special Publications, that need to be met in order to be awarded a FIPS validation/certification published on the NIST website. A FIPS certificate, with the product listed in the certificate, is required to sell product(s) to medical, federal or military agencies and often required by some private sector entities as well.
• The process can take time so please plan accordingly!

If you have any other questions about FIPS or the process or wolfSSL Inc please contact either fips@wolfSSL.com or support@wolfSSL.com anytime. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!

¹ The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories. To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. – https://www.nist.gov/about-nist

² The Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public. – https://www.cyber.gc.ca/en/about-cyber-centre

³ The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment. The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. – https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program

⁴ The CAVP was established in July 1995 by NIST and the Government of Canada’s CCCS. CSD’s Security Testing, Validation, and Measurement Group (STVMG) manages the validation testing of cryptographic modules and their underlying cryptographic algorithms through the CAVP and CMVP. – https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program

⁵ The National Voluntary Laboratory Accreditation Program (NVLAP) provides third-party accreditation to testing and calibration laboratories in response to legislative actions or requests from government agencies or private-sector organizations. NVLAP-accredited laboratories are assessed against the management and technical requirements published in the International Standard, ISO/IEC 17025:2017. – https://www.nist.gov/nvlap

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now