Category: Uncategorized

Cybersecurity in Person! Protect the sky with Daniele Lacamera and wolfSSL at Aerospace TechWeek Europe

Listen to us talk in person!

We will be at Aerospace TechWeek Europe in Munich on 29th-30th March 2023.

Senior Software Engineer Daniele Lacamera will be giving a fantastic presentation in the Tech Workshops, on the expo floor. Titled “Cybersecurity attacks in avionics: countermeasures and mitigations”; listen to Daniele introduce a range of potential risks related to digital and physical attacks targeting avionic systems, and illustrate the best strategies and technical countermeasures to mitigate and/or prevent these attacks.

Feel free to stop by our booth at Stand 815 to talk to our security experts including the man of the hour Daniele Lacamera, as well as our Business Directors Wolfram Kusterer and Martin Engstrom.

If you’re new to wolfSSL, here’s how we can help you secure all of your aerospace assets:

  • wolfSSL new features
  • wolfSSL with TLS 1.3, and DTLS 1.3
  • wolfCrypt with FIPS 140-3 support
  • wolfCrypt as an engine for OpenSSL
  • MISRA-C versions of wolfCrypt
  • DO-178 cert kits for wolfCrypt
  • wolfBoot Secure Bootloader
  • wolfSSL MQTT-SN and the latest version
  • wolfTPM
  • wolfSSH
  • cURL and tinycURL

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Support for Parsing Indefinite Length PKCS#12

wolfSSL’s cryptography engine wolfCrypt is a lightweight crypto library written in ANSI C and known for its speed, small size, and feature set. This feature set now includes the ability to parse BER encoded PKCS#12 certificates.

To test out the implementation, simply configure wolfSSL with --enable-indef and load your indefinite length PKCS#12 cert the same way you would a definite length one.

Are you looking to see any specific additions to wolfCrypt?

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Secure the Skies and Space with wolfSSL at Satellite 2023

Be our guest at Satellite 2023 with a FREE Exhibit Hall Pass!

Come talk to the wolfSSL team at booth #1440, March 13-16 in Washington D.C!

We would love to talk with you about:

  • wolfSSL new features
  • wolfSSL with TLS 1.3, and DTLS 1.3
  • wolfCrypt with FIPS 140-3 support
  • wolfCrypt as an engine for OpenSSL
  • MISRA-C versions of wolfCrypt
  • DO-178 cert kits for wolfCrypt
  • wolfBoot Secure Bootloader
  • wolfSSL MQTT-SN and the latest version
  • wolfTPM
  • wolfSSH
  • cURL and tinycURL

We are also FIPS compatible! Learn more here: https://www.wolfssl.com/wolfssl-fips-ready-8/

The wolfSSL discounted registration code is: WOL1440

This code entitles your guests to a FREE Exhibit Hall Pass or $350 0ff conference passes with the link: https://satellite23.nvytes.co/sat23lp/WOL1440.html

Satellite 2023 will be an amazing opportunity to be a part of the revolutionary introduction of technology and satellites to countless industries. The demand and functionalities of satellites are constantly expanding and this event is an amazing opportunity to explore these possibilities. This event is an amazing way to have personal face-to-face interactions with individuals you may never meet otherwise and provides countless ways to expand your network.

To learn more about the tradeshow, visit: https://www.satshow.com/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Espressif and wolfSSL at Embedded World

Embedded World Nuremberg is this month! We’ll be there talking about security, encryption and everything in between. Stop by and say hello! We’ll be giving away plenty of awesome wolfSSL swag and we’d love to hear about your project.

One of the platforms we fully support is of course the ubiquitous Espressif ESP32. We have dedicated staff focusing exclusively on the ESP32 to make our encryption libraries easy to get started and easy to implement in your project.  

Our recent updates to the Core Espressif Examples are now “no install”: simply clone wolfssl and run the projects in the IDE/Espressif/ESP-IDF examples directory. We also have more examples in the wolfssl-examples repository and some Espressif SSH Server examples, too.

The examples can be used on any platform: Windows, Mac, Linux. For Windows users, we also have VisualGDB project files. For Espressif chipsets without a built-in JTAG, the projects are pre-configured to use the open source Tigard JTAG adapter.

All of the Espressif chipsets are supported. Both Xtensa and RISC-V: including the ESP32 classic, as well as the ESP32-C3, ESP32-S3, and more.

We welcome everyone from the largest corporate environments to the student hobbyists. We’re FIPS certified and ready to provide a serious, commercial grade, open source encryption solution.

wolfSSL will be at booth 4-610, with Business Directors Wolfram Kusterer and Martin Engstrom as well as our Senior Software Engineers David Garske and Juliusz Sosinowicz on the ground to answer all your embedded security questions. Plus, our full sales team will be on standby in the virtual booth to talk to you! Email facts@wolfSSL.com if you’d like to book a meeting ahead of the event. 

If you’re new to wolfSSL, here’s how we can help you win big in the embedded industry and beyond:

  • wolfSSL is up to 20x smaller than OpenSSL 
  • First commercial implementation of TLS 1.3, with TLS 1.3 Sniffer
  • On of the first in FIPS 140-3 
  • Best tested, most secure, fastest crypto on the market with incomparable certifications and highly customizable modularity 
  • Access to 24×7 support from a real team of Engineers 
  • Support for the newest standards (including TLS 1.2, TLS 1.3, DTLS 1.2, and DTLS 1.3) 
  • Multi-platform, dual-licensed, royalty free, with an OpenSSL compatibility API to ease porting into existing applications which have previously used the OpenSSL package 
  • Full product suite including MQTT with support up to v5.0, Secure Boot, wolfSentry IDPS, SSHv2 server, TPM 2.0 portable project, Java wrappers and JSSE support, plus commercial curl support at the enterprise level. 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Love it? Star wolfSSL on GitHub.

Discover Embedded World here.

Follow @wolfSSL on Twitter for daily updates!

wolfSSL ADA/Spark language bindings

Exciting news in wolfSSL language bindings: we are currently exploring the possibility of adding bindings for the Ada and Spark languages!

Ada is a programming language known for its explicitness, strong typing, and abundance of compile-time checks. It is widely used in safety-critical and high-integrity software. Spark, on the other hand, is a smaller subset of Ada that offers the invaluable ability to formally prove the correctness of your software.

We believe that wolfSSL bindings would be immensely valuable to the Ada and Spark communities. These bindings would provide a production-ready, robust, and well-tested TLS stack that supports the latest protocols (TLS1.3/DTLS1.3). Additionally, it would open the door to obtaining FIPS 140-3 and DOI-178C certifications for Ada and Spark applications that use TLS for their encrypted communications, or that want to use our wolfCrypt implementation for their cryptographic operations, such as encrypting data at rest.

As wolfSSL already supports post-quantum TLS 1.3 and DTLS 1.3, these bindings would also naturally allow you to make your Ada and SPARK applications quantum-safe.

Are you interested in an Ada/Spark wrapper? If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSH Coming Attractions: Algorithm Updates

It’s been a while since wolfSSH had any new algorithms. I think it is time we had more. wolfCrypt supports a few algorithms wolfSSH doesn’t take advantage of.

For encryption and message authentication, wolfCrypt has Poly1305 and CHACHA20 available. There is not a published RFC for using “poly-chacha” with the SSH protocol, but OpenSSH has its own implementation of this algorithm. wolfSSH shall be able to interoperate with it.

To sign your user authentication or prove the identity of your server, you will be able to use SHA2-256 and SHA2-512 hashing with your RSA keys. We shall add the algorithms rsa-sha2-256 and rsa-sha2-512 described in RFC 8332.

RFC 8709 describes how to use Ed25519 and Ed448 public key signature algorithms with the SSH protocol. wolfCrypt supports these algorithms. wolfSSH should and will as well.

In the area of key exchange, we are bringing wolfSSH into the present by adding KEX algorithms using SHA2-256 and SHA2-512 per RFC 8268. Oakley group 14 is a set of 2048-bit DH group parameters, and can be used with SHA2-256 hashing. The RFC describes how to use larger groups using SHA2-512.

The key exchange algorithms x25519 and x448 will be available along with a taste of the future using a key exchange hybrid with Kyber, the post-quantum key exchange standard.

What is getting left behind?

Network security is an ever evolving landscape. Things change constantly. While we develop new, faster, better algorithms, some of the existing algorithms get broken or brittle and need to be let go.

The digest algorithm SHA1 has been sunset. Since the SSH protocol pairs SHA1 with other algorithms, they are going to be removed as well. Say good-bye to ssh-rsa signing of the server’s KEX public key message and allowing users to authenticate using SHA1 signatures.

SSH uses ECDHE and DHE for key exchange. While ECDHE uses SHA2-256 or better, DHE uses SHA1 with Oakley groups 1 and 14, and Oakley group 1 is only 1024-bit. In this day and age, 1024-bits isn’t good enough and SHA1 shouldn’t be used anymore. The algorithms diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 will be removed.

wolfSSH is lovingly crafted by wolfSSL Inc in the Pacific Northwest. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSH Coming Attractions: Privilege Separation

Bet you didn’t know that wolfSSH has its own stand-alone server application for use on POSIX systems, wolfSSHd. It’ll load OpenSSH style configuration files and will look up users on the local system. It also uses wolfSSH’s built in SFTP service. It doesn’t have privilege separation.

In 2023 we are planning on adding privilege separation to wolfSSHd when built for POSIX systems. This will not be available in embedded builds as they don’t typically have the concept of multiple users; everything runs in privileged mode.

A method for privilege separation was published in the paper “Preventing Privilege Escalation” by Provos et al. The general idea is to separate your server application into two applications. One runs as a privileged user and handles things like signing blobs of data, providing pseudo random numbers, and authenticating users. The other runs as an unprivileged user and runs the shell and monitors the socket. The two applications communicate using IPC of some form, like shared memory and pipes.

wolfSSH is lovingly crafted by wolfSSL Inc in the Pacific Northwest. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

What are the Advantages of wolfTPM?

At wolfSSL, we have been developing a TPM stack with customers for many years called wolfTPM, a portable, open-source TPM 2.0 stack with backward API compatibility, designed for embedded use. It is highly portable, and has native support for Linux and Windows. RTOS and bare metal environments can take advantage of a single IO callback for SPI hardware interface, no external dependencies, and compact code size with low resource usage.

wolfTPM offers API wrappers to help with complex TPM operations like attestation and examples to help with complex cryptographic processes like the generation of Certificate Signing Request (CSR) using a TPM.

Due to wolfTPM’s portability, it is generally very easy to compile on new platforms.

Here are a few reasons to use wolfTPM over other secure elements:

  1. It is based on a widely accepted standard TCG TPM 2.0.
  2. There are many chip vendors options and they are pin compatible.
  3. Support for RSA. All TPM’s support at least RSA 2048 (the STSAFE and ATECC do not).
  4. More NV storage
  5. Measured Boot (PCR’s)
  6. Advanced Policy management
  7. Seal/unseal data based on private key or PCR state.

Join our webinar on Getting Started with wolfTPM with wolfSSL Engineering, David Garske. This webinar describes the steps for getting started on your platform with a TPM 2.0 module including API interfaces, building, best practices and features!
Bring your questions for the Q&A session to follow!

When: Mar 2, 2023 10:00 AM Pacific Time (US and Canada)
Topic: Getting Started with wolfTPM

Watch the webinar today.

 

Contact us at facts@wolfssl.com with any TPM, crypto questions!

Love it? Star wolfSSL on GitHub.

Eeny, Meeny, Miny, Moe…

Do you have a favorite crypto algorithm? …or maybe just one that is important to you? 

Hash Functions: SHA2, SHA-3, RIPEMD-160, Poly1305, Blake2b, Blake2s, SipHash

Block, Stream, and Authenticated Ciphers: AES (CBC, CTR, OFB, XTS, GCM, CCM, GMAC, CMAC), Camellia, ChaCha20 and XChaCha20

Public Key Algorithms: DH, ECDH, ECDSA, RSA, ed448, ed25519, X448, X25519

Could they be running a bit faster for you?  wolfSSL has the knowledge and skills to make any algorithm perform competitively.

And don’t forget Post-Quantum algorithms!  

Post-Quantum KEM: Kyber

Post-Quantum Signature Schemes: Dilithium, FALCON, SPHINCS+

Let us know if there’s a post-quantum algorithm you would like to see supported by wolfSSL.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Deprecation of wolfSSL Normal Math Library

We are establishing a timeline to deprecate our legacy math backend, which is called “normal” or “heap” math.  It will be removed  from the wolfSSL/wolfCrypt library by the end of this year.

Currently, our library includes three different math backends that can be used to support public cryptography:

  1. Normal math (integer.c) which can be enabled with –enable-heapmath or CFLAGS=-DUSE_INTEGER_HEAP_MATH
  2. Fast math (tfm.c) which can be enabled with –enable-fastmath or CFLAGS=-DUSE_FAST_MATH
  3. SP math** (sp_int.c, Default) which can be enabled with –enable-sp-math-all or CFLAGS=-DWOLFSSL_SP_MATH_ALL

** Note: SP math comes with MANY tunable features including combinations of fastmath with sp or sp-math and key size toggles and heap/stack tuning knobs for nearly every use-case!

You can refer to https://www.wolfssl.com/wolfssl-math-library-comparison-matrix/ to see a comparison.

The SP math has been the default configuration math backend since wolfSSL release 5.4.0  (see https://github.com/wolfSSL/wolfssl/pull/4759).

The latest version of our SP math can do everything its predecessor can and then some! It also has constant-time and cache access safe algorithm implementations to prevent side-channels. (see https://www.wolfssl.com/wolfssl-hardened-default/)

Prior to wolfSSL release 5.4.0, if you build with –disable-fastmath (or #undef USE_FAST_MATH), normal math was utilized as a default backend.

Post release 5.4.0, you were required to use  –enable-heapmath ( #define USE_INTEGER_HEAP_MATH) to be able to use the normal math. 

Additionally, we are changing the math library for our FIPS users.

  1. We are moving all of our normal math customers to use Fast math for users of –enable-fips=v2 or HAVE_FIPS_VERSION <= 2
  2. We are moving all of our customers to use SP math for users of –enable-fips=v5 (FIPS 140-3) or HAVE_FIPS_VERSION > 2 (Also includes fips-ready and v5-dev)

If you have not done so already, we recommend migrating to the new SP math backend as early as possible.  It offers far superior performance, security, and longevity.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Posts navigation

1 2 3 52 53 54 55 56 57 58 197 198 199