Month: January 2021

Version 1.7.0 of wolfSSL JNI and JSSE is now available for download! wolfSSL JNI and JSSE provides Java applications with a convenient Java API to the widely-used wolfSSL embedded SSL/TLS library, including support for TLS 1.3!  This package provides both a Java JSSE Provider as well as a thin JNI wrapper around native wolfSSL.

Release 1.7.0 has bug fixes and new features including:

• Fixes for Infer analysis warnings
• Throw exception in DEFAULT_Context creation if engineInit() fails
• Defer creating DEFAULT WolfSSLContext until first use
• Check if Socket is open before doing TLS shutdown in WolfSSLSocket.close()
• Only load X509TrustStore issuers when needed by native wolfSSL verification
• Fix compiler warnings when used with older versions of native wolfSSL
• Verify and load intermediate CA certs in WolfSSLTrustX509.certManagerVerify()
• Add support for setSoTimeout() in WolfSSLSocket
• Fix suites length check in WolfSSLEngineHelper.setLocalCiphers()
• Check for connection closed before completing handshake in SSLSocket.read/write

wolfSSL JNI and JSSE 1.7.0 can be downloaded from the wolfSSL download page and the wolfSSL JNI Manual can be found here.

For any questions, or to get help using wolfSSL in your product or project, contact us at facts@wolfssl.com.

We would like to personally invite you to a webinar presented by wolfSSL.

In this webinar, we will talk about using hardware-based security with wolfTPM to protect your software and embedded systems. By using a TPM you can add secure storage for cryptographic keys and other secrets. More advance use is to protect the firmware and system settings of your IoT/Edge devices in the field.

When: Jan 20, 2021 08:00 AM Pacific Time (US and Canada)
Topic: Webinar: wolfTPM Roadmap and Best Differentiators

Register in advance for this webinar:
https://us02web.zoom.us/webinar/register/WN_9X8sstS0STaZqS4o_f2Jcg

After registering, you will receive a confirmation email containing information about joining the webinar.

See you there!

Additional Resources

Please contact us at facts@wolfssl.com with any questions about the webinar. For technical support, please contact support@wolfssl.com or view our FAQ page.

In the meanwhile, check out the wolfSSL embedded SSL/TLS library, star us on Github, and learn more about the latest TLS 1.3 is available in wolfSSL.

The wolfSSL embedded SSL/TLS library includes three different math libraries which can be used to support wolfCrypt’s cryptographic operations – the Normal Math library, the fastmath library, and SP math.  To help our users decide which math library is right for them, we have put together a helpful comparison matrix!

The wolfSSL Math Library Comparison Matrix, included below, shows the strengths and weaknesses of the 3 math options offered by wolfSSL. If you have any commentary or feedback please reach out to our team at facts@wolfssl.com or support@wolfssl.com!

A major release for wolfTPM came out at the end of 2020 and is now available for download from our website. This release brings many new features:

• Native support for using TPM2.0 hardware with wolfTPM under Microsoft Windows
• TPM simulator support for even easier development with wolfTPM and MacOS users
• Protection from MITM (man-in-the-middle) attacks using TPM2.0 Parameter Encryption. wolfTPM supports both TPM2.0 options for MITM protection, XOR encryption and AES CFB.
• HMAC Session support for verification of peer authenticity and integrity.

This release also adds multiple new examples: TPM key generation and key loading examples with options to store the key to disk and use parameter encryption to protect from MITM. Added is support for importing external private keys and easy re-loading. And for those who use the internal TPM clock for reference, there is now a TPM clock increment example.

Among the other enhancements of our portable TPM2.0 library are the use of HMAC sessions and new wolfTPM wrappers for easier work with TPM sessions and authorization of TPM objects.

Please contact us at facts@wolfssl.com for more information and help for taking advantage of the new wolfTPM features to better protect your systems.

Back in January of 2018 wolfSSL added support for use with the Open Whisper Systems Signal Protocol C Library! This means that you can now develop Signal applications using wolfCrypt as the underlying cryptography provider.

For those unfamiliar with the Signal Protocol, it is described on their GitHub page as “A ratcheting forward secrecy protocol that works in synchronous and asynchronous messaging environments.”

wolfSSL also has a JSSE provider that can be used with Android. This can seamlessly replace the default provider, giving all the benefits that come with using wolfSSL. Such as; extra performance boosts, access to our stellar support, and FIPS certifications to name a few items. Instructions on using the wolfSSL JSSE with Android can be found here https://www.wolfssl.com/docs/installing-a-jsse-provider-in-android-osp/.

wolfCrypt Signal Protocol Integration

By design, the Signal Protocol C Library does not depend on any SSL/TLS or cryptography library.  Instead, Signal allows the application to register a crypto provider at runtime.  We recently ported the wolfCrypt cryptography library into the “libsignal-protocol-c” test code and added a CMake configuration to build the libsignal-protocol-c test programs using cryptography from wolfSSL.

With this build option and wolfCrypt integration, Signal application developers can choose to use cryptography from wolfSSL instead of OpenSSL.  Thanks to wolfSSL’s small footprint size, low memory usage, and broad platform support, application developers can more easily use the Signal Protocol C Library on small resource-constrained platforms and embedded systems.

For more information on using wolfCrypt with Signal, contact us at facts@wolfssl.com!

The team here at wolfSSL is putting together a Sparkplug example that we’d like to share with you! The Sparkplug specification is useful for Industrial IoT system developers building on top of MQTT. Sparkplug defines a set of device states, adds topic naming structures, and defines payload formats. The wolfMQTT client library is perfectly suited to help secure your IIoT project since it is already integrated with wolfSSL!

For more information send a quick note to facts@wolfssl.com

You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfMQTT
While you’re there, show us some love and give the wolfMQTT project a Star!

Last year wolfSSL fixed 8 vulnerabilities and documented them in the wolfSSL embedded SSL/TLS library release notes. Thanks to all of the researcher reports, and to the dedicated wolfSSL team, the fixes were identified and resolved rapidly. How rapidly you may ask? The average time to get a fix submitted for review on the vulnerabilities listed in 2020 was just over 26 hours.

Thanks to the researchers that submitted reports!

• Gerald Doussot from NCC group
• Lenny Wang of Tencent Security Xuanwu LAB
• Ida Bruhns from Universität zu Lübeck and Samira Briongos from NEC Laboratories Europe
• Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from the Network and Information Security Group (NISEC) at Tampere University
• Paul Fiterau of Uppsala University and Robert Merget of Ruhr-University Bochum
• Pietro Borrello at Sapienza University of Rome

If you have a vulnerability to report or would like more information, contact us at facts@wolfssl.com, the wolfSSL development team takes vulnerabilities seriously.

wolfSSL is developing a library to handle the location of where crypto operations run amongst multiple cores. For large systems that have many sign/verify operations happening at once this library would be able to distribute those sign/verify requests based on a user’s input. In addition to managing where the operation runs it can be used to plug in hardware acceleration for handling requests that come in. An example use case would be having 3 cores for generic lower priority operations and saving 1 core that has hardware acceleration for fast, real time responses, that would run high priority operations.

Contact us at facts@wolfssl.com with any questions, or for more details!  The wolfSSL embedded SSL/TLS library also supports TLS 1.3, FIPS 140-2/3, and DO-178.

We would like to personally invite you to a webinar presented by wolfSSL Partner Microchip!

If you are developing IoT systems, this webinar will help you learn how to use TLS/MQTT to ensure secure endpoint-to-cloud communication and employ hardware roots of trust to enable strong security. We will also explain how to use wolfSSL, with its secure software suite integrated within our MPLAB® Harmony Framework, to secure endpoint communication.

Title: SHIELDS UP! Webinar #29: Securing the IoT from the Endpoint to the Cloud
Date: Wednesday, January 13, 2021
Time: 08:00 AM Pacific Standard Time
Duration: 45 minutes

Register for the webinar here: https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&referrer=&eventid=2862875&sessionid=1&key=0AE813D5055E821C7E8E12C6546B44F2®Tag=&V2=false&sourcepage=register

Learn more about Microchip’s webinar series here:
https://www.microchip.com/training/webinars/security/shields-up-webinar-series

We hope to see you there!

Additional Resources

Please contact us at facts@wolfssl.com with any questions about the webinar. For technical support, please contact support@wolfssl.com or view our FAQ page.

In the meanwhile, check out the wolfSSL embedded SSL/TLS library, star us on Github, and learn more about the latest TLS 1.3 is available in wolfSSL.

The wolfSSL library includes a useful tool for sniffing TLS traffic. This can be used to capture and decrypt live or recorded PCAP traces when at least one of the keys is known. Typically a static RSA ciphersuite would be used, however with TLS v1.3 only Perfect Forward Secrecy (PFS) ciphers are allowed. For TLS v1.3 all cipher suites use a new ephemeral key for each new session.

In order to solve this we added a “static ephemeral” feature, which allows setting a known key that is used for deriving a shared secret. The key can be rolled periodically and synchronized with the sniffer tool to decrypt traffic. This feature is disabled by default and is only recommended for internal or test environments.

As a proof of concept we added this support to Apache httpd to demonstrate real-time decryption of web traffic. We are also working on a key manager to assist with key rolling and synchronization.

A use case that might be interesting is a company internal web server that requires auditing.

The TLS v1.3 sniffer support was added in PR 3044 and officially supported in v4.6.0.
The Apache httpd branch with sniffer and FIPS ready support is here.

Contact us at facts@wolfssl.com to learn more!