wolfSSL with the Atmel Hardware-TLS Platform

wolfSSL has partnered with Atmel to provide users of the wolfSSL embedded SSL/TLS library the ability to take advantage of the Atmel ATECC508A crypto element. From the Atmel page:

“Due to lack of better alternatives, TLS implementations have historically stored private keys and authentication credentials in software where they are more vulnerable to attack. In addition, the mathematics used for authentication and asymmetric key agreement were also done in software which is less feasible in small IoT devices that have limited code space and processing power.

The Atmel Hardware-TLS platform provides an interface between software TLS packages and the ATECC508A cryptographic co-processor. wolfSSL and OpenSSL implementations can now utilize hardware-based secure storage for private keys and authentication data and also allow resource-constrained IoT nodes to implement full elliptic curve authentication and Diffie-Hellman key agreement and session key derivation. With Atmel HW-TLS, TLS communications links can have hardened security even out to the smallest IoT edge node.”

Full details can be found on the Atmel website:
http://www.atmel.com/tools/Atmel-HW-TLS.aspx

Contact us at facts@wolfssl.com with any questions or to inquire about using wolfSSL on the Atmel ATECC508A.

wolfSSL Version 3.9.0 Released

A new release of wolfSSL is now available. Version 3.9.0 of the industry-leading embedded SSL/TLS library has a number of additions, updates, and fixes. With the addition of ports to both Arduino boards and the Nordic nRF51 board, wolfSSL is adding to its ever-increasing IoT use. This release also has an update to the progressive ChaCha20-Poly1305 cipher suites, allowing for use with PSK and increased interoperability.

There are no high-level, urgent fixes, but we always suggest keeping up to date with the most current version of wolfSSL. By default FP_ECC is turned off, but users who have manually enabled this feature should update to wolfSSL 3.9.0 for the fix of a zero hash bug.

– Add new leantls configuration
– Add RSA OAEP padding at wolfCrypt level
– Add Arduino port and example client
– Add fixed point DH operation
– Add CUSTOM_RAND_GENERATE_SEED_OS and CUSTOM_RAND_GENERATE_BLOCK
– Add ECDHE-PSK cipher suites
– Add PSK ChaCha20-Poly1305 cipher suites
– Add option for fail on no peer cert except PSK suites
– Add port for Nordic nRF51
– Add additional ECC NIST test vectors for 256, 384 and 521
– Add more granular ECC, Ed25519/Curve25519 and AES configs
– Update to ChaCha20-Poly1305
– Update support for Freescale KSDK 1.3.0
– Update DER buffer handling code, refactoring and reducing memory
– Fix to AESNI 192 bit key expansion
– Fix to C# wrapper character encoding
– Fix sequence number issue with DTLS epoch 0 messages
– Fix RNGA with K64 build
– Fix ASN.1 X509 V3 certificate policy extension parsing
– Fix potential free of uninitialized RSA key in asn.c
– Fix potential underflow when using ECC build with FP_ECC
– Fixes for warnings in Visual Studio 2015 build

For more information about wolfSSL, contact us at facts@wolfssl.com.

Free Early Warning on Breaches

Hi! Please email us if you want to join our Free Early Warning list. We will put you on our list of people to tell when there is a breach or vulnerability. Email us at facts@wolfssl.com with Free Early Warning in the subject line, and we’ll add you to the list.

wolfSSL and CyaSSL are Not Vulnerable to DROWN Attack

The recently-announced DROWN attack allows attackers to decrypt TLS sessions by taking advantage of servers that support SSLv2 and EXPORT cipher suites. SSL 2.0 was the first version of the SSL/TLS protocol standard released, and has been known to be insecure for many years now.

wolfSSL has never supported SSL 2.0 and has never had support for EXPORT grade cipher suites. As such, users of wolfSSL (formerly CyaSSL) are safe from DROWN.

Please contact us at facts@wolfssl.com if you have further concerns or questions.

References:
DROWN Attack
CVE-2016-0800