Learn more about wolfSSL at Espressif DevCon 24

Espressif DevCon24 Getting Started with wolfSSL Best-Tested Commercial-Grade Cryptographic Libraries

It’s Expressif DevCon season again, and everyone is excited to attend the free online Espressif Developer Conference September 3-5 2024, 13:00-18:30 CEST (3 AM to 9:30 AM Pacific). For those of you on the West Coast of the USA, the wolfSSL presentation is on Day 2 at 8:30 AM Pacific Time.

Many people have already attended live or viewed another Getting Started webinar already available on YouTube:

Getting Started with wolfSSL on the Espressif ESP32

The wolfSSL presentation at Espressif DevCon24 will cover even more material and dive into a specific coding example of establishing your own TLS connection. We’ll also discuss how to use wolfSSL Managed Components, using various platforms such as Arduino, PlatformIO, VS Code, Visual Studio with VisualGDB, and more.

Tune in and learn more about why wolfSSL is the world’s leader in cryptographic solutions for the ESP32 and many other devices.

Check out our Espressif Examples on Github.

Ready to take your project to the next level? Not only do we have Post Quantum solutions for he ESP32, but we also recently announced that wolfSSL is the First in the World to offer FIPS 140–3 Automated Submission with our NIST Certificate #4718.

See our prior blogs on:

Have a specific request or questions? We’d love to hear from you. Please contact us at support@wolfSSL.com or open an issue on GitHub.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Part 5: 5 Real-World Use Cases and Troubleshooting

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

Here are some places where wolfSSL can be found:

  1. Hex Five And wolfSSL Announce The First Secure IoT Stack For RISC-VHex Five Security, Inc., in collaboration with wolfSSL, has developed the first secure IoT stack for RISC-V, which is a significant advancement for secure embedded systems. This stack integrates Hex Five’s MultiZone™ Security, a trusted execution environment (TEE) that allows for hardware-enforced separation of software components into multiple isolated zones, with wolfSSL’s TLS 1.3 cryptographic library. This combination ensures that any security vulnerabilities in one part of the system are contained, preventing them from compromising the entire IoT device.

    “wolfSSL, a leading provider of TLS cryptography and Hex Five Security, provider of MultiZone™ Security, the first Trusted Execution Environment for RISC-V announce general availability of the industry-first secure IoT stack for RISC-V – a TLS 1.3 reference implementation of freeRTOS with hardware-enforced separation between OS, TCP/IP stack and root of trust”

    This secure IoT stack is particularly valuable for RISC-V developers as it addresses the security challenges inherent in monolithic system designs by enabling fine-grained separation and protection of system functions. The stack is open source and available for developers on GitHub, promoting wider adoption and innovation within the RISC-V community?.

  2. wolfSSL and Synopsys are working together to bring the wolfSSL portfolio of products to the Synopsys ARC® architecture.The Synopsys ARC Access Program is a collaborative initiative that supports a diverse ecosystem of hardware and software vendors in developing optimized solutions for Synopsys DesignWare® ARC® processors. The program provides members with access to essential development tools, such as ARC MetaWare, as well as opportunities for joint marketing and technical collaboration. This ecosystem is designed to accelerate the development and deployment of ARC-based embedded systems across various industries.

    As part of this program, wolfSSL offers its lightweight and embedded security solutions, which are highly optimized for speed, size, and portability, to enhance the security of ARC-based systems. This collaboration helps developers integrate advanced cryptographic features into their designs, ensuring secure communication and data protection in embedded applications.

  3. Microchip Microsemi PolarFire SoCThe Microchip Microsemi Accelerate Ecosystem Partner Program is a collaborative initiative that connects Microsemi with industry leaders in silicon, IP, systems, software, and design services to deliver integrated and pre-validated solutions. This program helps partners accelerate time to market and revenue generation through technology collaboration, joint marketing efforts, and sales acceleration. Notably, wolfSSL, a leading provider of SSL/TLS libraries, is part of this ecosystem, offering secure communication solutions that integrate with Microsemi’s products, enhancing security and performance for end customers?.
  4. Lightway, ExpressVPN’s new protocol for a superior VPN experienceWe at wolfSSL are proud to be partners with the awesome team over at ExpressVPN.

    Also read what you need to know about the OpenSSL bug:

    “Our Lightway VPN protocol uses wolfSSL for all of its cryptographic needs and does not use OpenSSL at all. That means that all Lightway clients and servers are totally unaffected by the OpenSSL bug. If you connect to ExpressVPN using Lightway (which is the default in our apps), you’ll be protected by wolfSSL”

  5. Espressif Managed ComponentsAnother company leveraging wolfSSL for RISC-V is Espressif, specifically in their ESP32-C3 and ESP32-C6 devices. wolfSSL has integrated RISC-V hardware acceleration into these devices, enhancing cryptographic performance. This integration allows Espressif’s RISC-V-based chips to benefit from the high-performance, lightweight SSL/TLS libraries that wolfSSL is known for, providing secure communication capabilities optimized for embedded systems.

    There are more details on Getting Started with Managed Components in our prior blog.

    See also:

Having any questions or problems with wolfSSL? We want to help!

  1. Check out the documentation
  2. Reach out to us on our product forums
  3. Open a GitHub issue
  4. View the wiki
  5. Send us an email at support@wolfSSL.com

Are you interested in RISC-V or FIPS Certification? We want to hear about your project!

If you have questions about any of the above, please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.

Download wolfSSL Now

Part 4: Customization and Advanced wolfSSL Features on RISC-V

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

The RISC-V architecture, known for its open-source and customizable nature, has seen a growing adoption in various embedded systems and IoT applications. As developers continue to push the boundaries of what RISC-V can achieve, the need for robust, secure, and highly optimized cryptographic solutions has become increasingly important. Enter wolfSSL, a lightweight SSL/TLS library that has been tailored for the unique demands of RISC-V environments.

Customization and advanced features of wolfSSL on RISC-V include hardware acceleration optimizations, particularly on platforms like Espressif’s ESP32-C3 and ESP32-C6 (see examples), where wolfSSL enhances performance with RISC-V assembly-level optimizations. These optimizations not only improve the speed of cryptographic operations but also ensure a smaller footprint, making them ideal for resource-constrained environments. Additionally, wolfSSL supports the integration of secure bootloaders, secure communication protocols, and FIPS 140-3 certifications, offering developers the tools needed to build secure, reliable, and high-performance systems on RISC-V.

This customization capability allows developers to tailor security features to their specific needs, leveraging the flexibility of RISC-V to create advanced, secure applications that meet the rigorous demands of modern embedded systems.

How can you make your application [Better | Faster | Smaller | More Secure] ?

The first place to look for customization is our Tuning Guide to get an overview. There are also some sample user setting files as described in a prior blog: Using user_settings.h with wolfSSL.

Wondering where to get started? We have examples that should work on nearly every Windows/Mac/*nix platform (let us know if you find one that doesn’t!). There are also numerous examples for different environments and IDE platforms.

Check out our recent blog: Top 5 Build Options To Improve wolfCrypt/wolfSSL Performance.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Live Webinar: World’s first SP800-140Br1 FIPS 140-3 validated certificate #4718

We’re thrilled to share a major milestone with you: wolfSSL has achieved the world’s first SP800-140Br1 FIPS 140-3 validated certificate (#4718)! This groundbreaking achievement underscores our dedication to delivering unparalleled security solutions. To celebrate, join us for an exclusive webinar hosted by wolfSSL Senior Software Engineer, Kaleb Himes, on August 28th at 10 AM PT!

Register Today: World’s First SP800-140Br1 FIPS 140-3 Validated Certificate #4718
Date: August 28th | 10 AM PT

What You’ll Learn:

  • Breaking New Ground: Discover the significance of our world-first SP800-140Br1 FIPS 140-3 validated certificate.
  • Seamless Integration: Find out how our solutions work with OpenSSL, including Provider and Engine support.
  • Java Security: Explore our FIPS-validated solutions for Java JSSE/JCE frameworks.
  • Commercial Excellence: Learn about the only general-purpose commercial FIPS solution available in the market.
  • Expert Insights: Engage with the wolfSSL team and get expert advice on navigating FIPS certification and implementation.

This is your chance to be part of a historic moment in cybersecurity! Kaleb will share invaluable insights, practical knowledge, and answer your questions in a live Q&A session.

Don’t miss out—register now and be part of this exciting event!

As always, our webinars include Q&A sessions. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Part 3: Sample Application: Integrating wolfSSL with a RISC-V

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

The important thing to know: there are no special requirements for wolfSSL to run on your RISC-V device. There are no external dependencies. We can run a TLS stack in the smallest memory footprint. Although not a RISC-V device, [gojimmypi] was able to get a TLS stack working in less than 24KB on the Arduino Nano 33 IoT device with total 32KB RAM + 256KB Flash. Most targets will of course have considerably more memory resources.

There are examples to help you get started. There are also examples for different specific environments and IDE platforms.

One of the important things to remember, particularly on embedded devices, is that a reasonably accurate clock is needed. Otherwise certificate validation will fail if the device time is not within the begin and end dates for the certificates.

This particular example is extracted from the Espressif wolfssl_client example, but applies to all platforms:

For embedded systems, copy or install wolfSSL as needed for your particular environment.

For command-line systems:

  ./configure LDFLAGS="-L/path/to/wolfssl" CPPFLAGS="-I/path/to/includes"

For using a custom user_settings.h file, for instance with CMake, define WOLFSSL_USER_SETTINGS:

    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS")

Include a couple of wolfSSL files.

    /* wolfSSL */
    #include 
    #include 

Note that the settings.h file must be included before any other wolfSSL file, in every source file that uses wolfSSL. Never explicitly include the user_settings.h file, as it is preprocessed and included by the settings.h file.

Create and initialize wolfSSL ctx (context object)

    ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); /* SSL 3.0 - TLS 1.3. */
    /*   options:   */
    /* ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());      only TLS 1.2 */
    /* ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());      only TLS 1.3 */

Open a socket:

    sockfd = socket(AF_INET, SOCK_STREAM, 0)

Optionally set a cipher suite:

    ret = wolfSSL_CTX_set_cipher_list(ctx, WOLFSSL_ESP32_CIPHER_SUITE);

Set client certificate:

    ret = wolfSSL_CTX_use_certificate_chain_buffer_format(ctx,
                                     CTX_CLIENT_CERT,
                                     CTX_CLIENT_CERT_SIZE,
                                     CTX_CLIENT_CERT_TYPE);

Load CA Certificate

        ret = wolfSSL_CTX_load_verify_buffer(ctx,
                                     CTX_CA_CERT,
                                     CTX_CA_CERT_SIZE,
                                     CTX_CA_CERT_TYPE);

Load private key:

    ret_i = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                                     CTX_CLIENT_KEY,
                                     CTX_CLIENT_KEY_SIZE,
                                     CTX_CLIENT_KEY_TYPE);

Create a wolfSSL secure socket layer connection:

    ssl = wolfSSL_new(ctx)

Tell wolfSSL to verify the peer, and no callback:

    wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, 0);

Connect

    ret = connect(sockfd,
                 (struct sockaddr *)&servAddr,
                 sizeof(servAddr))

Once your application is connected, send a message with wolfSSL_write()

        /* Send the message to the server */
        do {
            err = 0; /* reset error */
            ret_i = wolfSSL_write(ssl, buff, len);
            if (ret_i <= 0) {
                err = wolfSSL_get_error(ssl, 0);
            }
        } while (err == WOLFSSL_ERROR_WANT_WRITE ||
                 err == WOLFSSL_ERROR_WANT_READ);

And receive a message with wolfSSL_read()

        do {
            err = 0; /* reset error */
            ret_i = wolfSSL_read(ssl, buff, sizeof(buff));
            if (ret_i <= 0) {
                err = wolfSSL_get_error(ssl, 0);
            }
        } while ((err == WOLFSSL_ERROR_WANT_READ) ||
                 (err == WOLFSSL_ERROR_WANT_WRITE) );

A build command would look something like this:

gcc -o simple_tls_client simple_tls_client.c \
    -I/usr/local/include -L/usr/local/lib -lwolfssl

Have any questions on using wolfSSL in your project? We’d love to help!

Common questions are answered over on our forums.

If you have a project that you don’t want to share publicly, please email us at support@wolfSSL.com.

We want to hear how you want to use wolfSSL. Please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHUb.

Catch up on ‘Part 1: Ready for Integration: wolfSSL and RISC-V‘ and ‘Part 2: Installing and Configuring wolfSSL on RISC-V.’

Download wolfSSL Now

Part 2: Installing and Configuring wolfSSL on RISC-V

There are no special requirements or prerequisites for using wolfSSL in a RISC-V project. As noted in our prior blog, wolfSSL has been developed in a Clean Room environment and has no external dependencies. Unlike other options, wolfSSL is still maintained with oversight from the original developers. If your current project compiles, you can add wolfSSL.

See the wolfSSL Quick Start Guide.

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

Prerequisites: Hardware and Software Requirements

  • Hardware: nearly any RISC-V board.
  • Software: Ubuntu or another Linux distribution, GNU toolchain for RISC-V, and necessary development tools (e.g., make, gcc).

Downloading wolfSSL

Building wolfSSL for RISC-V

Clone the Repository:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl

Set Up the Build Environment: Ensure the RISC-V GNU toolchain is installed and configured.

Compile wolfSSL:

There’s not much difference between compiling for RISC-V or any other platform, unless perhaps you need to cross-compile. See additional information in the INSTALL file.

./autogen # optional, depending on source. (see docs)
./configure --host=riscv64-unknown-elf
make
make install

Configuring wolfSSL

Custom Build Options: Modify the configure command with options specific to your use case. For example, enabling TLS 1.3:

make install
./configure --host=riscv64-unknown-elf --enable-tls13

By following these steps, you’ll have wolfSSL downloaded, built, and configured on your RISC-V platform, ready for development.

Beyond the basic compilation of wolfSSL, there are a variety of enhancements and optimization options available for the RISC-V CPU. See our upcoming blog: “Customization and Advanced wolfSSL Features on RISC-V”

Want to optimize performance? See Top 5 Build Options To Improve wolfCrypt/wolfSSL Performance.

Want to check performance? Check out our recent blog: How do you benchmark cryptography?

The wolfSSL cryptographic libraries will run anywhere on nearly any RISC-V CPU! Check out our prior blog using the Radiona ULX3S Softcore Hazard3 RISC-VHazard3 by Luke Wren is the same one used in the Raspberry Pi Pico 2.

Are you using RISC-V in your project? We want to hear about it!

If you have questions about any of the above, please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.

Catch up on ‘Part 1: Ready for Integration: wolfSSL and RISC-V‘ then dive into ‘Part 3: Sample Application: Integrating wolfSSL with a RISC-V‘.

Download wolfSSL Now

Part 1: Ready for Integration: wolfSSL and RISC-V

Advantages of Using wolfSSL on RISC-V Platforms

One of the key benefits of using wolfSSL in a RISC-V project is that the library has been developed in a “clean room” environment. In part, this means there’s no inherited code baggage and more importantly: no external dependencies. If there’s an existing RISC-V project, wolfSSL can be easily added. Just plug in the library and it is ready to go.

If there’s an existing RISC-V project that uses OpenSSL, there’s a compatibility layer to help transition the application and ease the migration effort. See Chapter 13 of the documentation and our prior blog on migrating from OpenSSL.

Want to check performance? Check out our recent blog: How do you benchmark cryptography?

Some environments such as the Espressif ESP32 “C” Series, use the RISC-V environment completely transparently to the developer.

If there’s not an existing project yet, check out some of our many examples on GitHub, or contact us for help getting started.

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

Some of the aspects to consider:

  1. Resource Efficiency:
    • Reduced Footprint: wolfSSL’s small memory footprint and minimal code size are ideal for resource-constrained RISC-V environments.
    • Low Power Consumption: Efficient design leads to lower power consumption, perfect for embedded systems and IoT devices.
  2. Performance Optimization:
    • Hardware Acceleration: Leverage RISC-V’s custom instructions for accelerated cryptographic operations with wolfSSL.
    • Scalability: Tailor wolfSSL’s modular design for optimized performance in various RISC-V applications.
  3. Security:
    • Robust Features: Comprehensive support for modern cryptographic algorithms and TLS 1.3 ensures secure communication.
    • Compliance: FIPS 140-3 validation meets stringent security standards for various industries.
  4. Flexibility and Customization:
    • Open Source: Modify and tailor wolfSSL to specific needs with its open-source nature.
    • Rich Feature Set: Access a wide range of cryptographic algorithms and protocols without additional libraries.
  5. Community and Support:
    • Active Community: Benefit from a wealth of resources and community support for both wolfSSL and RISC-V. Visit our forums or browse our repositories on GitHub.
    • Professional Support: Commercial support from wolfSSL ensures quick resolution of critical issues.
  6. Future-Proofing:
    • Evolving Standards: Stay compatible with the latest RISC-V advancements and features.
    • Longevity: Invest in sustainable and forward-compatible technologies with wolfSSL and RISC-V.

Combining wolfSSL with RISC-V allows for the creation of secure, efficient, and scalable applications across various computing environments.

Are you interested in RISC-V or FIPS Certification? We want to hear about your project!

If you have questions about any of the above, please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.

Continue to ‘Part 2: Installing and Configuring wolfSSL on RISC-V.’

Download wolfSSL Now

What is FIPS? (Quick Overview)

Doing FIPS responsibly since 2014! The wolfCrypt module now holds the world’s first SP800-140Br1 FIPS 140-3 Validated Certificate #4718.

FIPS is a set of standards, detailed in Special Publications, that need to be met in order to be awarded a FIPS validation/certification published on the NIST website.

A FIPS certificate, with the product listed in the certificate, is required to sell product(s) to medical, federal or military agencies and often required by some private sector entities as well.

The typical FIPS certification process is as follows:

  1. You send us your hardware and toolchain
  2. We run the initial tests which ensure the cryptography module behaves according to specification given your specific hardware and OS
  3. The CMVP certified lab runs and verifies the tests and their documentation
  4. The test results are submitted to NIST for review
  5. Your specific operating environment is added to our certificate
  6. You are FIPS 140 compliant in 60-90 days

For more information, please see the ‘What is FIPS (In-Depth Overview)‘.

If you have any questions about FIPS or the process of being awarded a FIPS validation/certificate, please contact us at fips@wolfSSL.com or facts@wolfSSL.com, or + 1 425 245 8247. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!

Download wolfSSL Now

Live Webinar: Reasons to migrate from OpenSSL to wolfSSL

If you’re looking for a superior alternative to OpenSSL that offers better support and a smoother workflow, wolfSSL is the solution you need. It not only addresses the gaps you may encounter with OpenSSL but also boasts the world’s first SP800 140Br1 FIPS 140-3 validated certificate (#4718) for its wolfCrypt module. Join our upcoming webinar, where wolfSSL senior software developer Anthony will highlight the benefits of transitioning to wolfSSL and show how choosing wolfSSL over OpenSSL can transform your projects.

Register Today: Reasons to migrate from OpenSSL to wolfSSL

Date: August 21st | 10 AM PT

During this webinar, Anthony will cover…

  • Certified FIPS 140-3 Provider: wolfSSL is now FIPS 140-3 certified, ensuring the highest security standards.
  • Support for the QUIC Protocol: Enhance your network performance with QUIC support (–enable-quic).
  • Post-Quantum Integration: Stay ahead with post-quantum cryptography capabilities.
  • Exceptional Support Services: Experience top-notch customer support and service.

Anthony will delve into what sets wolfSSL apart from OpenSSL, offering a comprehensive overview of the potential benefits for your projects. Don’t miss this opportunity to discover solutions that best fit your needs!

Seats are limited. Register now for this informative webinar!

As always, our webinars will include Q&A sessions throughout. If you have questions on any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

What is FIPS? (In-Depth Overview)

Doing FIPS responsibly since 2014!
The wolfCrypt module now holds the world’s first SP800-140Br1 FIPS 140-3 Validated Certificate #4718.

INTRO (wolfSSL FIPS service(s)):

(skip to next paragraph for “What is FIPS”)

FIPS is rightly viewed as a complex process with a steep entry learning curve. Lucky for customers of wolfSSL Inc. our management and engineering team have taken the time to learn the documentation surrounding the topic and developed all the tooling necessary to complete FIPS validation testing of the wolfCrypt cryptographic module in coordination with an NVLAP accredited FIPS lab. In order to FIPS validate a new product or operating environment (OE), wolfSSL asks for simply a customer’s hardware, compiler/toolchain (IDE etc), and a guide such that one of our FIPS developers can sit down with nothing but a laptop and achieve compiling and running a hello-world.c application on the target product to be FIPS validated. Yes you read that right, wolfSSL does not need your proprietary application software, just a hello-world.c application to get started. The CMVP validates the cryptographic module running on the target, not the applications that are consuming that cryptographic module. The wolfSSL team will standup the wolfCrypt module on your target product using your own tooling (Compiler, Linker, Assembler) and take it through the certification process as quickly as possible leaving your dev team free to focus on preparing the end product while FIPS certification is taking place simultaneously! At the end wolfSSL staff will deliver highly detailed instructions on re-creating the exact same FIPS approved binary from the source code we deliver given all work was completed with your own tooling in keeping with ISO/IEC 19790:2012 B.2.5 as applied to open source software.

HISTORY (What is FIPS):

Since there are so many options for securing information, the U.S. and Canadian governments recognized in the 1990’s a need to standardize those algorithmic methods deemed to be the most secure and enforce use of only those algorithms in critical government systems. To “encourage” adoption of the requirements by the two governments, the organizations NIST (National Institute of Standards and Technology)¹ and the CCCS (Canadian Centre for Cyber Security)² were called upon to fulfill that mission. The two agencies were to collaboratively:

  1. Decide which algorithms were the best/strongest
  2. Evaluate: If an algorithm had multiple modes or key lengths which modes or key lengths (if any) were considered too weak and should be excluded?
  3. Determine if there were other requirements aside from just having the algorithms implemented correctly
    1. Did the algorithms NEED to be re-tested periodically? (IE as the device was powering up)
    2. Did the module need to be checked periodically to see if it had been tampered with since the factory? (IE an integrity check, etc)
  4. Finally to enforce/encourage adoption of these standards by federal agencies belonging to either government. (Eventually expanded to include medical and some private entities as well)

These standards were called the “Federal Information Processing Standards” or FIPS. These standards were documented in a series of “Special Publications” (SP’s).

 Out of a need to document which cryptographic modules and vendors were abiding by the standards set forth, a “certification” program was decided as the best approach. Vendors who made cryptographic modules could submit for and be awarded a certificate if their module was found to be compliant with all standards applicable to that module. The certificates would be hosted on the U.S. based NIST website so that federal agencies (or the public) could “browse” the available FIPS certified modules.

 It was a big job for the two agencies to handle alone, so in 1995 NIST and CCCS established two organizations called the “CMVP” (Cryptographic Module Validation Program)³ and CAVP (Cryptographic Algorithm Validation Program)4 to handle testing Cryptographic modules for compliance with the standards. These two organizations would also handle issuing the certificates for vendors and products that passed algorithm testing and were found to meet all applicable standards outlined in the SP’s.

 The CAVP issues algorithm certificates (which are a prerequisite to submitting a module for FIPS certification to the CMVP). The CMVP issues FIPS certificates for “tested configurations” or “operating environments” found to pass the CAVP testing and be in compliance with the standards. Both certificate types (CAVP algo certs and CMVP FIPS certs) are hosted on the NIST website. The certificates are public domain and can be searched by anyone.

 Once established, the CMVP and CAVP needed to establish a way to “test” the modules. To that end they called upon the NVLAP (National Voluntary Laboratory Accreditation Program)5 to accredit “third-party” testing laboratories that would serve as an intermediary between the vendors seeking FIPS certification and the CAVP/CMVP bodies.

 A last step in the history of FIPS was adoption of software modules. Originally when the standards were written, only dedicated hardware could perform the heavy lifting necessary for cryptographic mathematical operations so the standards were designed with ONLY hardware modules in mind. Doing cryptography in software at the time was impractical and therefore not considered in the original standards. As general purpose CPUs advanced, eventually it became feasible to implement algorithms in software and have those expensive math operations executed by a general purpose CPU in a reasonable amount of time. Once this reality arrived the standards were “adapted” to allow for both hardware and software modules. To this day there are “some scenarios” in the standards that only seem to make sense for hardware (See our blog post on vendor affirmation and how some software vendors are exploiting a loophole in the standards that was intended for hardware). NIST, the CMVP and CAVP have done a lot of work in the past few years bringing about the latest 140-3 standards. wolfSSL Inc. is thrilled to be the world’s first SP800-140Br1 FIPS 140-3 Validated, Certificate #4718, and one of the first software modules with a commercial FIPS 140-3 offering!

The Process (validating a module):

 Today a hardware or software vendor will work in coordination with an NVLAP accredited lab to complete algorithm testing and receive algorithms certificates.

(Milestone 1 of a FIPS certification effort)

 Once the vendor receives the prerequisite CAVP certificates they will perform operational testing with the same NVLAP accredited lab. Once all testing evidence has been captured and everything reviewed and approved by the NVLAP quality assurance department, the lab is ready to submit everything to the CMVP.

(Milestone 2 of a FIPS certification effort)

 The CMVP will coordinate with the vendor via the NVLAP accredited lab and once all requirements have been satisfied the CMVP will either issue a new FIPS certificate or update an existing certificate if the vendor is adding an operating environment to an existing certificate.

(Milestone 3 of a FIPS certification effort)

Submission Scenario(s) supported by wolfSSL Inc:

  • New cert (draw a new module boundary around specific algorithms and certify from scratch resulting in a new certificate)
  • OE addition (Add an OE to an existing certificate)
  • Revalidation (redraw the module boundary of an existing validated module to include new or remove existing algorithms from the boundary description)
  • Vendor Affirmation – wolfSSL is a software module vendor. As a responsible FIPS vendor wolfSSL feels that software vendors are generally incapable of determining how a change to the CPU or OS will affect the cryptography (especially if the CPU or OS changes completely). As such wolfSSL Inc does not currently offer Vendor Affirmation as a path to FIPS. Special circumstances MAY exist but would need to be evaluated on a case-by-case basis.

Timeline estimates for the various scenarios change over time. If you would like an up-to-date estimate for a given submission scenario please contact support@wolfssl.com for the latest.

Summary:

  • wolfSSL Inc can make the process of certifying your product painless and hands-free once we have the product and basic instructions for getting a hello-world app up and running on the target!
  • FIPS is a set of standards, detailed in Special Publications, that need to be met in order to be awarded a FIPS validation/certification published on the NIST website. A FIPS certificate, with the product listed in the certificate, is required to sell product(s) to medical, federal or military agencies and often required by some private sector entities as well.
  • The process can take time so please plan accordingly!

If you have any other questions about FIPS or the process or wolfSSL Inc please contact either fips@wolfSSL.com or support@wolfSSL.com anytime. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!

¹ The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories. To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. – https://www.nist.gov/about-nist

² The Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public. – https://www.cyber.gc.ca/en/about-cyber-centre

³ The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment. The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. – https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program

4 The CAVP was established in July 1995 by NIST and the Government of Canada’s CCCS. CSD’s Security Testing, Validation, and Measurement Group (STVMG) manages the validation testing of cryptographic modules and their underlying cryptographic algorithms through the CAVP and CMVP. – https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program

5 The National Voluntary Laboratory Accreditation Program (NVLAP) provides third-party accreditation to testing and calibration laboratories in response to legislative actions or requests from government agencies or private-sector organizations. NVLAP-accredited laboratories are assessed against the management and technical requirements published in the International Standard, ISO/IEC 17025:2017. – https://www.nist.gov/nvlap

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3 6 7 8 9 10 11 12 188 189 190