Using Pre-Shared Keys (PSK) with wolfSSL

Ever wondered how to use PSK with the embedded wolfSSL library?  PSK is useful in resource constrained devices where public key operations may not be viable.  It`s also helpful in closed networks where a Certificate Authority structure isn`t in place.  To enable PSK with wolfSSL you can simply do:

$ ./configure --enable-psk

Using PSK on the client side requires one additional function call:

wolfSSL_CTX_set_psk_client_callback()

There`s an example client callback in cyassl/test.h called my_psk_client_cb().  The example sets the client identity which is helpful for the server if there are multiple clients with unique keys and is limited to 128 bytes.  It could also examine the server identity hint in case the client is talking to multiple servers with unique keys.  Then the pre-shared key is returned to the caller, here that is simply 0x1a2b3c4d, but it could be any key up to 64 bytes in length (512 bits).

On the server side two additional calls are required:

wolfSSL_CTX_set_psk_server_callback()
wolfSSL_CTX_use_psk_identity_hint()

The server stores it`s identity hint to help the client with the 2nd call, in our server example that`s “cyassl server”.  An example server psk callback can also be found in my_psk_server_cb() in cyassl/test.h.  It verifies the client identity and then returns the key to the caller, which is again 0x1a2b3c4d, but could be any key up to 64 bytes in length.  If you have any questions about using PSK with TLS please let us know.

wolfSSL at Sensors Expo 2019

wolfSSL at Sensors Expo and Conference

Come visit wolfSSL at the 2019 Sensors Expo & Conference! Sensors Expo & Conference is the premier event for sensors, connectivity and systems, attracting the largest gathering of engineers and professionals of sensing-related technologies. This year the Sensors Expo & Conference will be held in San Jose, CA.

Where Sensors Expo & Conference will be held for 2019:
Venue: McEnery Convention Center, San Jose, CA
Booth #: 1525
When: June 25-27
Directionshttps://www.sensorsexpo.com/show-overview/

Stop by to hear more about the wolfSSL embedded SSL/TLS library, the wolfCrypt encryption engine, or to meet the wolfSSL team! Feel free to say hello!

For more information about wolfSSL, its products, or future events, please contact facts@wolfssl.com.

More information about Sensors Expo & Conference can be found here: https://www.sensorsexpo.com/

wolfCrypt Support for Cryptographic Callbacks

wolfCrypt adds support for cryptographic callbacks that can be registered for replacing stock software calls with your own custom implementations. The goal is to make adding hardware cryptographic support easier.

Currently supported crypto callbacks:

  • RNG and RNG Seed
  • ECC (key gen, sign/verify and shared secret)
  • RSA (key gen, sign/verify, encrypt/decrypt)
  • AES CBC and GCM
  • SHA1 and SHA256
  • HMAC

This feature is enabled using “–enable-cryptocb” or “#define WOLF_CRYPTO_CB”.

To register a cryptographic callback function use the “wc_CryptoCb_RegisterDevice” API. This takes a unique device ID (devId), callback function and optional user context.

typedef int (*CryptoDevCallbackFunc)(int devId, wc_CryptoInfo* info, void* ctx);
WOLFSSL_API int wc_CryptoCb_RegisterDevice(
    int devId,
    CryptoDevCallbackFunc cb,
    void* ctx);

To enable use of the crypto callbacks you must supply the “devId” arguments on initialization.

For TLS use:  

  • wolfSSL_CTX_SetDevId(ctx, devId);
  • wolfSSL_SetDevId(ssl, devId);

For wolfCrypt API’s use the init functions that accept “devId” such as:

  • wc_InitRsaKey_ex
  • wc_ecc_init_ex
  • wc_AesInit
  • wc_InitSha256_ex
  • wc_InitSha_ex
  • wc_HmacInit

Examples:

For questions please email us at facts@wolfssl.com.

wolfBoot adds RISC-V Support

We have added support for RISC-V hardware in our wolfBoot library. The reference example uses the SiFive HiFive1 FE310 board to demonstrate a secure bootloader and firmware upgrade.

The HiFive1 is a 32-bit E31 RISC-V core capable of running at 320MHz. It includes 4MB of external flash and 16KB of internal RAM.

The wolfBoot library provides:

  • Boot validation of the firmware image using hash and signature
  • Reliable firmware update (power fail safe).
  • Rollback support if application does not report “success”
  • Version checking to prevent downgrade attack
  • Support for external flash on updates

This adds support for:

  • RV32 Hardware Access Layer (HAL) support for:
    • PLL Clock configuration
    • Flash eSPI
    • UART
    • RTC
  • Firmware update example using the serial interface

Full setup and installation instructions can be found in “docs/Targets.md”.

These new features can be found on GitHub here:
https://github.com/wolfSSL/wolfBoot/pull/14

For questions please email us at facts@wolfssl.com.

Differences between TLS 1.2 and TLS 1.3 (#TLS13)

wolfSSL's embedded SSL/TLS library has included support for TLS 1.3 since early releases of the TLS 1.3 draft. Since then, wolfSSL has remained up-to-date with the TLS 1.3 specification. In this post, the major upgrades of TLS 1.3 from TLS 1.2 are outlined below:

TLS 1.3

This protocol is defined in RFC 8446. TLS 1.3 contains improved security and speed. The major differences include:

  • The list of supported symmetric algorithms has been pruned of all legacy algorithms. The remaining algorithms all use Authenticated Encryption with Associated Data (AEAD) algorithms.
  • A zero-RTT (0-RTT) mode was added, saving a round-trip at connection setup for some application data at the cost of certain security properties.
  • Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy.
  • All handshake messages after the ServerHello are now encrypted.
  • Key derivation functions have been re-designed, with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) being used as a primitive.
  • The handshake state machine has been restructured to be more consistent and remove superfluous messages.
  • ECC is now in the base spec  and includes new signature algorithms. Point format negotiation has been removed in favor of single point format for each curve.
  • Compression, custom DHE groups, and DSA have been removed, RSA padding now uses PSS.
  • TLS 1.2 version negotiation verification mechanism was deprecated in favor of a version list in an extension.
  • Session resumption with and without server-side state and the PSK-based ciphersuites of earlier versions of TLS have been replaced by a single new PSK exchange.

More information about the TLS 1.3 protocol can be found here: https://www.wolfssl.com/docs/tls13/. Additionally, please contact facts@wolfssl.com for any questions.

wolfSSL Adds Support for the Arm® TrustZone® CryptoCell-310

Are you a user of MCU with CryptoCell hardware?  If so, you will be happy to know that wolfSSL recently added support for CryptoCell with wolfCrypt and benchmark examples to the wolfSSL embedded SSL/TLS library!

The wolfSSL port supports the following features:

  • SHA-256
  • AES CBC
  • Elliptic Curve Digital Signature Algorithm (ECDSA) – sign and verify
  • Elliptic Curve Diffie Hellman (ECDH) – shared secret
  • ECC key generation support
  • RSA sign and verify
  • RSA key generation support
  • RSA encrypt and decrypt

These features are tested on nRF52840 hardware platform with Nordic nRF5_SDK_15.2.0.

You can use the WOLFSSL_CRYPTOCELL macro to activate the CryptoCell support in wolfSSL. For instructions on how to build and run the examples on your projects, please see the “<wolfssl-root>/IDE/CRYPTOCELL/README” file.  This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL.

wolfSSL provides support for the latest and greatest version of the TLS protocol, TLS 1.3! Using the wolfSSL port will allow your device to connect to the internet in one of the most secure ways possible.

For more information, please contact facts@wolfssl.com.

Resources

The most recent version of wolfSSL can be downloaded from our download page, here: https://www.wolfssl.com/download/
wolfSSL GitHub repository: https://github.com/wolfssl/wolfssl.git
wolfSSL support for TLS 1.3: https://www.wolfssl.com/docs/tls13/

wolfSSL at IoT Tech Expo

This year, wolfSSL is at IoT Tech Expo Europe! Europe’s largest and leading IoT event covers the latest innovations within the IoT and how they impact industries such as Manufacturing, Transport, Supply Chain, Insurance, Logistics, Government, Energy and Automotive. This year’s key topics include smart building and facilities management, building the connected supply chain, smart city and transport management, smart grid data management and analytics, delivering smart connected new products, and much more. For 2019, IoT Tech Expo will be held in Amsterdam, Netherlands.

Where IoT Tech Expo will be held for 2019:
Venue: RAI Amsterdam
Booth #: 631
When: June 19-20
Directions: https://www.iottechexpo.com/europe/event-travel-accommodation/

Stop by to hear more about the wolfSSL embedded SSL/TLS library, the wolfCrypt encryption engine, or to meet the wolfSSL team! Feel free to say hello!

For more information about wolfSSL, its products, or future events, please contact facts@wolfssl.com.

More information about IoT Tech Expo can be found here: https://www.iottechexpo.com/europe/.

wolfSSH SSHv2 Server Library

wolfSSL provides many products, services, and support for almost all things TLS and embedded. One of these products provided by wolfSSL is wolfSSH - an SSHv2 server library!

wolfSSH is wolfSSL's own open-source and dual-licensed implementation of the SSHv2 protocol. It's a server library written in ANSI C and targeted for embedded/RTOS/resource-constrained environments. It's fast, has a small code size, and an extensive feature set.  This feature set includes items such as SCP support, SFTP support, PEM and DER certificate support, and also hardware cryptography for supported devices! This comes from wolfSSH's leverage of the wolfCrypt crypto engine for its cryptographic operations.

wolfSSH can be downloaded from the wolfSSL download page (located here: https://www.wolfssl.com/download/), or from a git-clone of the wolfSSH GitHub repository (located here: https://github.com/wolfssl/wolfssh.git).

Additionally, wolfSSL provides support and maintenance for all of its products, wolfSSH included. More information on wolfSSH support and maintenance can be found on the wolfSSL support page, located here: https://www.wolfssl.com/products/support-and-maintenance/.

For more information on wolfSSH or related products, please contact facts@wolfssl.com.

wolfSSL at Embedded Tech West

wolfSSL is at Embedded Tech West this year! ET & IoT Technology West features leading Edge technology and solutions. For 2019, ET West will be held in Osaka, Japan.

Where Embedded Tech West will be held for 2019:
Venue: Grand Front Osaka - KNOWLEDGE CAPITAL Congrès Convention Center
wolfSSL Booth #: H-06
When: June 12-13
Directions: http://www.congre-cc.jp/access/

Stop by our booth to hear more about the wolfSSL embedded SSL/TLS library, the wolfCrypt encryption engine, to meet the wolfSSL team, or to get some free stickers and swag!

For more information about wolfSSL, its products, or future events, please contact facts@wolfssl.com.

More information about Wireless IoT can be found here: http://www.jasa.or.jp/etwest/

Xilinx “Zynq UltraScale+ MPSoC’s” Benchmarking with wolfSSL

Benchmark values of the wolfSSL embedded SSL/TLS library running on Xilinx boards, including the ZCU102, have been collected and are up for viewing. Our friends over at Xilinx have a white paper posted that goes into detail about the benchmark values here https://www.xilinx.com/support/documentation/white_papers/wp512-accel-crypto.pdf. This shows how much faster applications can perform secure operations when incorporating the hardware acceleration available on Xilinx devices. It also gives a demonstration of the performance trade-offs when choosing FreeRTOS versus an embedded Linux OS.

Additionally, Xilinx has also posted their own evaluation of the cryptographic performance gains that can be achieved by using wolfSSL in conjunction with their own hardware. Their post can be viewed here: https://forums.xilinx.com/t5/Adaptable-Advantage-Blog/Increase-your-products-cryptographic-performance-by-using/ba-p/978932

For questions about building wolfSSL to use hardware acceleration or other general inquiries about wolfSSL, please contact us at facts@wolfssl.com.

Posts navigation

1 2