Category: wolfSSH

wolfSSH now has Curve25519 support as of version 1.4.17! Go ahead and download it today. You’ll need both wolfSSL and wolfSSH. Here are instructions to get this up and running to try out yourself.

Compile wolfSSL with support for wolfSSH and Curve25519.

$ cd wolfssl
$ ./configure --enable-wolfssh --enable-curve25519
$ make all
$ sudo make install
$ sudo ldconfig

After building and installing wolfSSL, you can simply configure wolfSSH with no options and build:

$ cd wolfssh
$ ./configure
$ make all

The wolfSSH client and server will automatically negotiate the use of Curve25519 for key exchange.

Run the server:

$ ./examples/echoserver/echoserver -f

In a separate terminal, run the client: 


$ ./examples/client/client -u jill -P upthehill

Congratulations! You’ve just made an SSH connection where the key exchange was done with Curve25519.

Our next natural step is to add support for hybrid Curve25519 and Kyber/ML-KEM at NIST security level 1. Want to see this work at a higher priority and accelerated? Let our management know. Simply send a message saying you support our efforts in developing this implementation to facts@wolfSSL.com.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

The wolfSSH 1.4.15 release includes brand new support for the Zephyr RTOS. wolfSSH is a lightweight SSH library designed for embedded systems. It is a performant and low footprint solution, making it an ideal choice for IoT devices. The Zephyr RTOS is an open-source, scalable, and flexible real-time operating system tailored for resource-constrained devices. Its modular architecture and broad hardware support make it a popular choice for various embedded applications.

wolfSSH is introduced as a new module in the Zephyr ecosystem. Necessary steps to get started include setting up wolfSSH as a Zephyr module, modifying the west manifest, and finally building your project. In-depth instructions to set up wolfSSH with Zephyr can be found at the wolfSSH Github.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Not long ago, we announced preview support for new Espressif Managed Components. This is in addition to the core wolfssl managed component. Today you can add SSH capabilities to your toolbox by visiting this link:

https://components.espressif.com/components/wolfssl/wolfssh

If the ESP Registry page does not fully load with all the text, try holding down the “ctrl” key when pressing the refresh button in your browser. The CDN seems to occasionally cache incomplete web content.

Getting started with wolfSSL and wolfSSH has never been easier! You can add wolfSSH to your project with this command:

idf.py add-dependency “wolfssl/wolfssh”

We’ve also included a complete example project to connect to the AWS IoT MQTT. Just click the little “copy” icon and paste into a command prompt after the ESP-IDF has been installed:

Try it

Here’s an example of how the example can be created, built, and flashed onto your ESP32:

# Setup the ESP-IDF Environment (your actual path may vary)
. ~/esp/esp-idf/export.sh

# Download and create the example
idf.py create-project-from-example “wolfssl/wolfssh:wolfssh_echoserver”
cd wolfssl_echoserver

# Set your SSID and wifi Password in Example Connection Configuration
idf.py menuconfig

# Flash the code to your ESP32

idf.py -p /dev/ttyS9 -b 115200 flash monitor

The full wolfSSL repository for wolfSSH contains even more examples for not only this Echo Server Example, but many other target platforms as well.

Get Started with wolfSSL

Additional information on getting Started with wolfSSL on the Espressif environment is available on the wolfSSL GitHub repository as well as this YouTube recording:

Find out more

If you have any feedback, questions, or require support, please don’t hesitate to reach out to us via facts@wolfSSL.com, call us at +1 425 245 8247, or open an issue on GitHub.

Download wolfSSL Now

About the Compromise

Recently, a team led by Keegan Ryan from UCSD discovered that several implementations of the SSH protocol have been potentially leaking information about their keys and they came up with a way of exploiting it.

Every now and then, an RSA signature is made with a combination of padding and data that doesn’t verify correctly. If one saves billions of SSH signatures they can analyze the broken signatures and work out some keys.

The team released a paper [1] describing the issue and how it can be analyzed to obtain keys.

The wolfSSH Vulnerability

While wolfSSL verifies an RSA signature after producing it, and erroring out if it doesn’t verify, wolfSSH does not do this process. The compromise has not been proven against wolfSSH, the assumption is that it is possible. wolfSSH did not verify the RSA signatures after generation.

The Fix

As of wolfSSH v1.4.15, just released, we have added the verify step for RSA signatures. Luckily the time to verify an RSA signature is short compared to signing so there shouldn’t be a noticeable slowdown during the key exchange process.

References

1. Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger. 2023. Passive SSH Key Compromise via Lattices. Cryptology ePrint Archive, Report 2023/1711. https://eprint.iacr.org/2023/1711.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now