ACVP and FIPS 140-3

As many in the FIPS world are aware NIST retired CAVP (Cryptographic Algorithm Validation Protocol) testing on June 30th of 2020, permanently replacing CAVP with ACVP (Automated Cryptographic Validation Protocol), also referred to as ACVTS (Automated Cryptographic Validation Test System).

In order to prepare for this transition NIST offered a “demo server” that Vendors like wolfSSL and FIPS Labs could utilize in standup of the new protocol. Once the transition was completed NIST also setup “production servers” which only FIPS Labs with a trusted certificate issued by NIST can connect to; Production Vectors passing are now the gateway to Algorithm Certification (IE certs like the ones wolfSSL just received!).

Algorithm Certification is a prerequisite to CMVP FIPS 140-3 validations. This design keeps in place the need for a FIPS lab to achieve algorithm certification but it now allows for Vendors such as wolfSSL to pre-test in advance of requesting production vectors for certification! wolfCrypt holds the world’s first SP800-140Br1 FIPS 140-3 Validated Certificate #4718.

wolfSSL also supports the new ACVP, which is the successor to the two decade old CAVP system from NIST. ACVP is intended to alleviate the manual steps of the older CAVP process, creating a more efficient and effective method for cryptographic algorithm testing and validation.

More on ACVP’s

ACVP stands for (Automated Cryptographic Validation Protocol) and it is the upcoming protocol that will be used for FIPS validation. This is going to be a prerequisite certificate for the CMVP(Cryptographic Module Validation Program) and CAVP(Cryptographic Algorithm Validation Program) certificates.

ACVP makes testing cryptographic algorithms and modules more efficient than the current method and more automated. There are three main parts to ACVP – a server, a proxy, and a client.

  • The server side handles requests for test vectors and requests for validation among other requests. This side is operated by a FIPS lab or by NIST themselves.
  • A proxy with ACVP can be used to communicate to offline systems and handle transferring information from the system being tested to the server. Often an ACVP client is used instead.
  • The last part being a client, which is most relevant to users who are wanting to get their cryptography FIPS validated. An ACVP client is directly hooked up to the module to be tested and then communicates with the ACVP server to send requests for test vectors, responses of the results from running those tests, and requests for algorithm validation. There are multiple pieces required to build a ACVP client in order to complete a validation process, some of the large portions of the effort go into
    • JSON parsing / creation for communication with a ACVP server
    • HTTPS GET / POST / PUT / DELETE messages used for securely transporting information
    • 2 factor authentication with TOTP (Time-Based One-Time Password Algorithm)
    • Plugging in the test harness that runs crypto operations

Ultimately an ACVP client communicates with the server to validate cryptographic operations. This includes creating, or referencing meta data such as; vendor, OE, and module information. A simplified message flow for getting an algorithm validated is as follows:

Live Webinar: Medical Device Security

Learn a comprehensive overview of the current medical device landscape, the associated security challenges, and how wolfSSL’s solutions can help you navigate these complexities effectively.

Check it out: Medical Device Security: Key Strategies for Cyber Security and Data Protection

In the rapidly evolving medical device sector, ensuring the security and integrity of devices is paramount. Join our expert, Eric Blankenhorn, as he delves into the intricacies of the medical device landscape, exploring common attack vectors, regulatory requirements, and emerging security trends. Discover how wolfSSL’s suite of solutions can safeguard your devices and ensure compliance with industry standards.

Key topics that will be covered include:

  • Overview and Trends: Introduction to wolfSSL and the latest security trends in medical devices.
  • Regulatory Compliance: Learn about regulatory requirements and how wolfSSL meets them.
  • Solutions and Use Cases: Discover wolfSSL’s solutions and real-world use cases in the medical sector.
  • Key Technologies: Overview of wolfSSL’s SSL/TLS, wolfCrypt FIPS 140-2/3, and wolfBoot.
  • Advanced Features: Explore wolfSentry and wolfSSL robust testing protocols.

Don’t miss out on this opportunity to elevate the security of your medical devices. Watch it now and take a proactive step towards safeguarding your devices against emerging threats.

As always, our webinars include Q&A sessions. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Changes to Maximum Alternative Names Macro in wolfSSL

In the 5.7.2 release, a new macro WOLFSSL_MAX_ALT_NAMES was introduced to limit the maximum number of allowed subject alternative names to a default value of 128 to prevent a possible denial of service attack. Unfortunately, after the release, some commonly used certificates were brought to our attention that have more than 128 subject alternative names. If you started using 5.7.2 and hit error -161 on certificate handling this may be your problem. This issue can be immediately mitigated by building with WOLFSSL_MAX_ALT_NAMES at a number larger, say 512 or 1024. The wolfSSL master branch already has an increased default of 1024 which should be sufficient for all real world certificates and will be included in the 5.7.3 release.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

FIPS 140-3 and SHA-1 Retirement

In December 2022, NIST announced that the venerable SHA-1 algorithm, introduced in 1995, is at end-of-life. While wolfSSL does not use or recommend SHA-1 for new designs, we implement and support it in our products. With the NIST announcement, that will soon change for new FIPS 140 submissions, as we too will retire SHA-1.

The wolfCrypt module holds the world’s first SP800-140Br1 FIPS 140-3 validated certificate #4718 includes SHA-1. Thus, customers with an existing requirement for SHA-1 will be able to satisfy that requirement with wolfCrypt FIPS 140-3.

However, and regardless of FIPS status, customers still using SHA-1 in security-critical roles — signatures, authentications, HMAC, KDFs, etc. — should refactor the implicated systems to use a modern hash algorithm such as SHA-2 or SHA-3. wolfSSL stands ready to help our customers select and implement an appropriate migration path.

All FIPS 140 modules submitted on or after December 31 2025 will exclude SHA-1, to avoid early certificate sunset under the timeline announced by NIST.

In preparation for this transition, wolfSSL has already prepared its FIPS 140-3 codebase to build, run, and pass full ACVP testing, with SHA-1 gated out. We are also routinely testing our mainline and FIPS codebases to assure correct function with SHA-1 disabled.

For more information on the announcement from NIST, check here.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfProvider Release 1.0.0

wolfSSL is proud to announce the release of wolfProvider 1.0.0. This release is the first official support for being a Provider for OpenSSL 3.x. Intended for use by customers who want to have a FIPS validated module, but are already invested in using OpenSSL. The provider gives drop-in replacements for the cryptographic algorithms used by OpenSSL. The wolfProvider uses the wolfCrypt engine underneath which is FIPS 140-3 certified.

Refer to the README.md found in the release for usage instructions. We also maintain a ChangeLog.md for a list of changes in each release.

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSL secures the world’s first SP800-140Br1 compliant FIPS 140-3 Validation Certificate

FIPS 140-3

In case you missed the news, wolfSSL Inc., a globally renowned leader in cryptography and network security solutions, is thrilled to announce the world’s first SP800 140Br1 compliant FIPS 140-3 Validation Certificate #4718 for wolfSSL’s wolfCrypt module.

EDMONDS, Wash., July 16, 2024 /PRNewswire-PRWeb/ — wolfSSL, INC., has partnered with AEGISOLVE, INC., on this unprecedented automated pilot program. Aegisolve is accredited by the National Voluntary Laboratory Accreditation Program (NVLAP Lab Code: 200802-0) for Cryptographic and Security Testing to assess and validate cryptographic based security systems and telecommunications infrastructure.

“As we move forward, wolfSSL remains focused on enhancing our technologies and expanding our capabilities. We are dedicated to continuous innovation in security. The advancements in our FIPS 140-3 module highlight our commitment to delivering state-of-the-art cryptographic solutions that meet the rigorous demands of today’s cybersecurity landscape.” Stated wolfSSL’s CTO, Todd Ouska. “Our collaboration with AEGISOLVE is just the beginning of a new era in cryptographic security, paving the way for future innovations and industry standards.”

“As a first of its kind, this is a tremendous achievement and a huge step forward for the next generation of FIPS 140-3 Validated Cryptographic Modules.” Reported Travis Spann, Founder and President of AEGISOLVE (NVLAP Lab Code: 200802-0). “AEGISOLVE is proud to have collaborated with the high-caliber wolfSSL team in the NIST SP800-140Br1 Pilot Project to achieve this groundbreaking milestone and we are eager to assist others to achieve the same goal.”

FIPS 140-3 validation testing is a rigorous and extensive process including detailed source code reviews, design reviews, documentation reviews, finite state machine verifications, CVE threat analysis, error injection, port sniffing, configuration management verifications, operational testing and test evidence auditing to the applicable requirements of the FIPS 140-3 Derived Test Requirements and FIPS 140-3 Implementation Guidance.

The National Institute of Standards and Technology (NIST) under the Cryptographic Module Validation Program (CMVP) issues the 140 Publication Series to coordinate the requirements and standards for cryptographic modules for use by departments and agencies of the United States federal government.

Highlights: Under wolfCrypt FIPS 140-2, power on times in standard and embedded targets could be slower due to power on self test requirements of the module. With the wolfCrypt FIPS 140-3 module self-tests are now only required the first time an algorithm is used or when the application decides is an ideal time to run the test during a slower event cycle and ahead of first algorithm use. This means much faster boot times and optimal power and resource consumption with careful planning!**

Differences between wolfCrypt FIPS 140-2 and wolfCrypt FIPS 140-3:
– 3DES removed from the module, 3DES no longer available
+ CAST (conditional algo self tests)
+ KDF-TLS, TLS v1.2 KDF and TLSv1.3 KDF
+ SSH KDF
+ AES-OFB mode
+ RSA 3072, 4096 and PSS
+ New Degraded mode of operation, which means that in the event of a CAST failure other algorithm services will remain available.

* FIPS 140-3: Federal Information Processing Standard Publication 140-3. For more about what FIPS is please checkout these blogs:

** For information on transitioning from 140-2 to 140-3 please checkout our blog: What is the difference between FIPS 140-2 and FIPS 140-3?

If you have questions about any of the above, please contact us at fips@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSH 1.4.18 Now Available!

It is Christmas in July! The summer release of wolfSSH is here, version 1.4.18!

Version 1.4.18 brings with it bug fixes, new features, and some enhancements as well! New features in this release include new algorithms and a memory configuration option.

We also have a nice round of enhancements which range from channel setup callbacks, better testing, improved portability, and more!

New Features

  • wolfSSL style static memory pool allocation support.
  • Ed25519 public key support.
  • Banner option for wolfSSHd configuration.
  • Non-blocking socket support to the example SCP client.

Improvements

  • Documentation updates.
  • Update the Zephyr test action.
  • Add a no-filesystem build to the Zephyr port.
  • Update the macOS test action.
  • Refactor certificate processing. Only verify certificates when a signature is present.
  • Update the Kyber test action.
  • Refactor the Curve25519 Key Agreement support.
  • Update the STM32Cube Pack.
  • Increase the memory that Zephyr uses for a heap for testing.
  • Add a macro wrapper to replace the ReadDir function.
  • Add callback hook for keying completion.
  • Add function to return strings for the names of algorithms.
  • Add asynchronous server side user authentication.
  • Add ssh-rsa (SHA-1) to the default user auth algorithm list when sha1-soft-disable is disabled.
  • Update Espressif examples using Managed Components.
  • Add SCP test case.
  • Refactor RSA sign and verify.
  • Refresh the example echoserver with updates from wolfSSHd.
  • Add callback hooks for most channel messages including open, close, success, fail, and requests.
  • Reduce the number of memory allocations SCP makes.
  • Improve wolfSSHd’s behavior on closing a connection. It closes channels and waits for the peer to close the channels.

Fixes

  • Refactor wolfSSHd service support for Windows to fix PowerShell Write-Progress.
  • Fix partial success case with public key user authentication.
  • Fix the build guards with respect to cannedKeyAlgoNames.
  • Error if unable to open the local file when doing a SCP send.
  • Fix some IPv6 related build issues.
  • Add better checks for SCP error returns for closed channels.
  • In the example SCP client, move the public key check context after the WOLFSSH object is created.
  • Fix error reporting for wolfSSH_SFTP_STAT.
  • In the example SCP client, fix error code checking on shutdown.
  • Change return from wolfSSH_shutdown() to WS_CHANNEL_CLOSED.
  • Fix SFTP symlink handling.
  • Fix variable initialization warnings for Zephyr builds.
  • Fix wolfSSHd case of non-console output handles.
  • Fix testsuite for single threaded builds. Add single threaded test action.
  • Fix wolfSSHd shutting down on fcntl() failure.
  • Fix wolfSSHd on Windows handling virtual terminal sequences using exec commands.
  • Fix possible null dereference when matching MAC algos during key exchange.

Visit our download page to download the release bundle, or clone it from GitHub. Feel free to email us at facts@wolfssl.com or support@wolfssl.com or call us at +1 425 245 8247 with any questions about the wolfSSH embedded SSH library or other products.

Download wolfSSL Now

Live Webinar: Secure and Reliable Firmware Updates with wolfBoot

Learn the intricacies of connected embedded systems and the challenges they face, particularly focusing on the pivotal role of secure boot mechanisms in enhancing security.

Watch it today for “Secure and Reliable Firmware Updates with wolfBoot.”

In today’s interconnected world, the ability to remotely update various artifacts within embedded systems is crucial. However, this convenience brings about significant security risks that must be meticulously addressed. Join our expert, Daniele, as he provides an in-depth guide on securing embedded systems, highlighting the importance of secure boot mechanisms and introducing wolfBoot as a premier solution in firmware security.

Key topics that will be covered include:

  • Explore IoT security challenges impacting device integrity and data protection.
  • Learn how a secure bootloader ensures trusted firmware updates.
  • Discover wolfBoot’s capabilities in secure firmware updates and device reliability.
  • Understand the importance of trust anchors for system integrity.
  • Dive into cryptographic algorithms for firmware authentication and update management.
  • Learn about new wolfBoot features enhancing security and functionality.

Don’t miss out on this chance to fortify your knowledge and skills in securing embedded systems. Check it out today and take a step towards securing your IoT devices against emerging threats.

As always, our webinars include Q&A sessions. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Everything You Need To Know About FIPS 140-3

wolfSSL is currently the leader in embedded FIPS certificates. With current FIPS 140-3 validated certificate #4718 for the wolfCrypt Cryptographic Module, wolfSSL is thrilled to hold the world’s first SP800-140Br1-compliant FIPS 140-3 Validation Certificate. Join the wolfSSL team as we cover all things FIPS 140-3. We will cover the current transition to FIPS 140-3, its importance for cybersecurity, as well as how wolfSSL is implementing it in our products.

Watch the video: Everything You Need to Know about FIPS 140-3

FIPS 140-3 is the third revision of the Federal Information Processing Standard (FIPS) for cryptographic modules. The new revision of the standard includes an increased focus on algorithm agility, updated requirements for testing and validation, including changes to the testing methodology. wolfSSL is at the forefront of this important transition, and is working to ensure that its products continue to meet the highest standards of security and compliance.

FIPS 140-3 establishes the security requirements for cryptographic modules used by the U.S. government, as well as other organizations in the public and private sectors. By complying with the FIPS 140-3 standard, organizations can have greater confidence in the security of their cryptographic solutions, which is particularly important in today’s world where data breaches and cyber attacks are becoming more frequent and sophisticated.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

What is FIPS (short version)

Doing FIPS responsibly since 2014!

FIPS is a set of standards, detailed in Special Publications, that need to be met to be awarded a FIPS validation/certification published on the NIST website.

A FIPS certificate, with the product listed in the certificate, is required to sell product(s) to medical, federal, or military agencies and is often required by some private sector entities as well.

The typical FIPS certification process is as follows:

  1. You send us your hardware and toolchain
  2. We run the initial tests which ensure the cryptography module behaves according to specification given your specific hardware and OS
  3. The CMVP certified lab runs and verifies the tests and their documentation
  4. The test results are submitted to NIST for review
  5. Your specific operating environment is added to our certificate
  6. You are FIPS 140 compliant in 60-90 days

For more info please see the long version of this post.

If you have any questions about FIPS or the process of being awarded a FIPS validation/certifcation please contact us at fips@wolfssl.com, support@wolfssl.com or +1 425 245 8247 anytime. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!

Download wolfSSL Now

Posts navigation

1 2 3 9 10 11 12 13 14 15 189 190 191