wolfSSL Lightweight SSL in 20 kB with Lean PSK

Are you interested in using the wolfSSL embedded SSL library in an extremely resource constrained environment? If so, you may be interested to hear that we have recently implemented a wolfSSL “Lean PSK” build which enables the wolfSSL library to be built with a footprint size of 20kB!

The “Lean PSK” build requires the use of pre-shared keys with wolfSSL, along with removing several additional features. If you are curious, or would like to learn more, please contact us at info@yassl.com.

CyaSSL Competitive Upgrade Program

One of the services that yaSSL provides is the CyaSSL Competitive Upgrade Program. With this program, yaSSL offers competitive upgrade pricing for those who wish move from an outdated, orphaned, or overpriced SSL library to the CyaSSL embedded SSL library with low cost and minimal disturbance to their code base.

Here’s an outline of the Competitive Upgrade Program:

  1. 1.You need to currently be using a commercial competitor to CyaSSL.

  2. 2.You will receive up to two weeks of on-site consulting to switch out your old SSL library with CyaSSL.  Travel expenses are not included.

  3. 3.Normally, two weeks is the right amount of time for us to make the replacement in your code and do initial testing.  Additional consulting on a replacement is available as needed.

  4. 4.You will receive the standard CyaSSL royalty free license to ship with your product.

The purpose of this program is to enable users who are currently spending too much on their embedded SSL implementation to move to CyaSSL with ease.  If you are interested in learning more, or interested in how CyaSSL compares to what you are currently using, then please contact us at info@yassl.com.

ECC Support Comes to the wolfSSL Embedded SSL Library

Although ECC support for the wolfSSL lightweight SSL library has been available in our GitHub repository for the past several weeks, we wanted to officially announce it to our users and customers. An official download of wolfSSL with ECC will be available on the www.yassl.com website with the next official release of wolfSSL.

wolfSSL’s ECC implementation can be found in the /cyassl/ctaocrypt/ecc.h header file and the /ctaocrypt/src/ecc.c source file. Supported ECC cipher suites include:

/* ECDHE suites */
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

/* ECDH suites */
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

/* AES-GCM suites */
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

To view or download the most recent version of the wolfSSL sources with ECC integrated, please visit our source repository on GitHub (https://github.com/cyassl/cyassl). If you have any questions about ECC support in wolfSSL, please let us know at info@yassl.com

MIT Kerberos GSS-API with wolfSSL Now Available for Android

Support for the MIT GSS-API library is now available for the Android platform – complete with an org.ietf.jgss (RFC 5653) compatible application programming interface, wolfSSL cryptography integration, and NDK sample application.

You may have read our previous blog entry announcing the initial phases of our effort to port the MIT Kerberos libraries and wolfSSL embedded SSL library to the Android platform (see link in Reference section, below). This post described initial availability of the Kerberos libraries to Android through the native NDK framework – enabling Android NDK developers to add Kerberos support to their NDK applications at a native C or C++ programming level. At that time, we also commented on next steps for the project and sought feedback from the community on adding a Java API to make using Kerberos on Android easier and more standardized.

Since that time, we have been hard at work enhancing the project, adding support for a new Java GSS-API wrapper, updating our example code, and adding new features to our sample NDK application.

1. Java GSS-API Wrapper

The addition of a Java wrapper around the native MIT GSS-API took part in two stages – a SWIG-generated (http://www.swig.org/) Java interface, which then in turn was used as a building block for a org.ietf.jgss Java API. The individual layers are visualized in the figure below. Both the SWIG layer and the Java GSS-API layer are able to be used in a Java application to access the underlying MIT Kerberos/GSS-API libraries. The SWIG layer is more tedious to use and less standardized than the Java GSS-API layer, but is closer to the C programming API of the native MIT GSS-API. We suggest that Java developers use the org.ietf.jgss Java interface over using the SWIG layer directly. As the org.ietf.jgss interface followed RFC 5653, Java developers should be able to refer to the standard Java documentation for the org.ietf.jgss package for usage instructions and class descriptions.

Source code for this project has been released under the open source MIT license, and is currently available for download on GitHub. Both the Java Generic Security Services API wrappers (SWIG and Java GSS-API), as well as example client and server applications and build instructions are located in the kerberos-java-gssapi package, at the following GitHub URL:

http://github.com/cconlon/kerberos-java-gssapi

2. Enhanced Example Code

Included in the Java GSS-API package, we have created several example applications to help developers understand how to use this project in their own application. There are two sets of client and server examples provided. The first one is a set of client and server applications which directly use the SWIG-generated Java interface. The second set of applications is a client and server that use the more standardized Java GSS-API interface (org.ietf.jgss).

It is recommended for Java developers to use the Java GSS-API examples, as they demonstrate programming and API usage which is more common in the Java programming language. Before running any of the included examples, the development machine must first have a krb5.conf file and KDC set up correctly to match the principal names used in the examples. For more details about building and running these example applications, please see the README included in the kerberos-java-gssapi package.

3. Sample NDK Application

As one of the main goals of this project was to bring MIT Kerberos/GSS-API support to the Android platform, we have created a sample Android NDK application to serve as an example and reference to Android developers. This sample application provides a GUI wrapper around the MIT Kerberos kinit, klist, kvno, and kdestroy applications. It also provides a sample client using the Java GSS-API interface to connect and communicate with the example server application (from Section 2, above).

This package contains cross-compiled version of the MIT Kerberos libraries, and includes instructions on how to re-compile the Kerberos libraries yourself for the Android platform. For details on how to build and run this example application in the Android emulator, please see the README file located in the NDK application package.

All sources for this sample application are located in the kerberos-android-ndk package, located at the following URL:

http://github.com/cconlon/kerberos-android-ndk

yaSSL and MIT are excited to bring Android developers MIT Kerberos and GSS-API support and look forward to seeing what kinds of applications will use this functionality. If you have any questions, comments, or feedback, we would enjoy to hear it! Please contact us directly at info@yassl.com.

References:

MIT Kerberos: http://web.mit.edu/kerberos/
wolfSSL: http://yassl.com/yaSSL/Products-cyassl.html
kerberos-java-gssapi: http://github.com/cconlon/kerberos-java-gssapi
kerberos-android-ndk: http://github.com/cconlon/kerberos-android-ndk
Initial announcement: https://www.wolfssl.com/android-kerberos-port-using-wolfssl-embedded-ssl/

Thanks,
Team yaSSL

Security on Freescale Kinetis MQX with wolfSSL

Hello Kinetis users!  

Our team has now ported and released wolfSSL lightweight SSL for Freescale Kinetis.  The newest work is for MQX/RTCS/MFS on Kinetis tower systems.  Check our Github repository for the most recent source code:

https://github.com/cyassl/cyassl

If you are a Kinetis user, you will also be pleased to know that we support FreeRTOS, Micrium, and bare metal or operating systemless (NO_OS) configurations as well.  You will find wolfSSL is optimal for connected home and Smart Grid security applications on Kinetis.

In addition to MQX/RTCS/MFS support, Kinetis onboard Random Number Generator Accelerator (RNGA) support is also available for wolfSSL.  If you have a demanding performance requirement for your crypto, then let us know.  We can work with you to optimize the following hardware supported algorithms:  DES, 3DES, AES, MD5, SHA-1, SHA-256.  We are also available to help with SHA-3.

We have bundled several example CodeWarrior projects with wolfSSL for MQX/RTCS/MFS, including a wolfSSL library project, CTaoCrypt test app, and wolfSSL example client. When building wolfSSL for MQX, define FREESCALE_MQX in cyassl/ctaocrypt/settings.h. This in turn defines FREESCALE_K70_RNGA which enables support for the Kinetis H/W RNGA.

You are welcome to contact us with any support or configuration questions at support@yassl.com.

Team yaSSL, from Montana, Idaho, Iowa, Washington, and Oregon.  All American Crypto you can Trust.