Why Would you Want wolfSSL’s FIPS 140-3 Certificate

Hi! As our readers know, wolfSSL produces the first embedded TLS library that has begun testing for the new FIPS 140-3 standard, as listed here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list

There are a few significant changes coming with FIPS 140-3. Over the years with many specification updates, a few things got a little inconsistent, so these inconsistencies have been brought back in line. wolfSSL is prepared to deliver the first and best implementation of FIPS 140-3, so get ready.

As FIPS 140-3 is the replacement for FIPS 140-2, it is always a good idea to switch over to it as soon as possible. You will also want wolfSSL’s FIPS 140-3 Certificate for many additional reasons, including:
– Merging the FIPS + ISO Standard (see https://www.corsec.com/fips-140-3/)
– CAST Testing Streamlined – just testing the algorithms actually in use.
– Addition of TLS KDF in FIPS Boundary
– Addition of SSH KDF in FIPS Boundary
– Addition of RSA 4096
– Addition of ECDSA + SHA-3
– Removal of insecure algorithms, for example Triple DES

Additional Resources

Please visit our website at https://www.wolfssl.com or contact us at facts@wolfssl.com!

Check out the wolfSSL embedded SSL/TLS library, star us on GitHub, and learn more about the latest TLS 1.3 support available in wolfSSL.

Please join us for our upcoming ISRG Partner Webinar!

wolfSSL’s Daniel Stenberg will be joined by Josh Aas and Sean McArthur for this ISRG Partner Webinar. They will cover what the project is about, how it will improve curl and Hyper, how it was done, lessons to be learned, and what to expect in the future.

When: Feb 11, 2021 10:00 AM Pacific Time (US and Canada)
Topic: ISRG Partner Webinar: Let’s Encrypt- “curl, Hyper and Rust”
Register in advance for this webinar:
https://us02web.zoom.us/webinar/register/WN_600BA4tlRH6np-tBBcGgTw

After registering, you will receive a confirmation email containing information about joining the webinar.

Bring any questions you may have, and we look forward to seeing you there!

wolfSSH version 1.4.6 is available!

wolfSSH version 1.4.6 is now available for download!  Some of the notable changes in this version of wolfSSH are fixes for issues that came about from additional fuzz testing using OSS-Fuzz, improved modularity in the build to assist with resource constrained environments, updates for use with MQX, and expansion of the bundled examples. A full list of the changes can be seen in the ChangeLog.md file bundled with wolfSSH.

For questions about wolfSSH contact us at facts@wolfssl.com.

Small TLS 1.3 with PSK Only

wolfSSL supports embedded customers achieving secure communications in the tightest constraints. For TLS 1.3, this means avoiding certificates and large code size algorithms like RSA and ECC and using Pre-Shared Keys (PSK) with no key exchange.

wolfSSL 4.6.0 has been optimized to be compiled for this configuration only with minimal code and memory usage. This has been achieved by careful exclusion of code across the TLS implementation to only include the parts that are necessary. In fact, the library code can be compiled to less than 50 kB!

If you have any commentary or feedback please reach out to our team at facts@wolfssl.com or support@wolfssl.com!

wolfSSL and Intel CPU ID Flags

With the newest release of wolfSSL, you can now set the Intel CPU ID flags rather than let them be discovered. The CPU ID flags indicate which instructions are implemented in the CPU. wolfSSL uses this information to decide which is the fastest optimized implementation that will execute!

wolfSSL’s normal discovery works just fine when running on physical CPUs, but emulation in virtual environments does not always report the true state. In these cases, users can call cpuid_set_flag() to enable the flag that is needed. Bugs do occur in CPU implementations; in these cases, turning off a flag with cpuid_clear_flag() switches to different implementations, potentially across a number of different cryptographic algorithms. Alternatively, the exact list of flags that you want can be selected with cpuid_select_flags().
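The discover-then-override flow described above, as an added self-contained model (not wolfSSL's code): the flag names, their values and the helper functions here are assumptions that only mirror the roles of the calls named in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h> /* GCC/Clang wrappers around the CPUID instruction */
#endif

/* Model flag bits: names and values are assumptions, not wolfSSL's. */
enum { F_AVX1 = 1u << 0, F_AVX2 = 1u << 1, F_AESNI = 1u << 2 };

static uint32_t g_flags; /* what the dispatcher believes the CPU supports */
static int g_ready;      /* nonzero once discovered or overridden */

/* Discovery: trust whatever the (possibly emulated) CPU reports.
 * Real code must also confirm OS support for AVX state; omitted here. */
static uint32_t discover_flags(void)
{
    uint32_t f = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d)) {
        if (c & (1u << 28)) f |= F_AVX1;  /* leaf 1, ECX bit 28 */
        if (c & (1u << 25)) f |= F_AESNI; /* leaf 1, ECX bit 25 */
    }
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d) && (b & (1u << 5)))
        f |= F_AVX2;                      /* leaf 7, EBX bit 5 */
#endif
    return f;
}

static uint32_t get_flags(void)
{
    if (!g_ready) { g_flags = discover_flags(); g_ready = 1; }
    return g_flags;
}
static void set_flag(uint32_t f)     { g_flags = get_flags() | f; }
static void clear_flag(uint32_t f)   { g_flags = get_flags() & ~f; }
static void select_flags(uint32_t f) { g_flags = f; g_ready = 1; }

/* Dispatch: fastest SHA-256 variant whose instructions are flagged present. */
static const char *pick_sha256_impl(void)
{
    uint32_t f = get_flags();
    return (f & F_AVX2) ? "avx2" : (f & F_AVX1) ? "avx1" : "portable-c";
}

int main(void)
{
    printf("discovered:          %s\n", pick_sha256_impl());
    select_flags(F_AVX1); set_flag(F_AVX2); /* hypervisor under-reported */
    printf("after forcing AVX2:  %s\n", pick_sha256_impl());
    clear_flag(F_AVX2);                     /* work around a faulty AVX2 path */
    printf("after clearing AVX2: %s\n", pick_sha256_impl());
    return 0;
}
```

Forcing a flag for an instruction set the CPU does not actually implement makes the dispatcher choose code that faults with an illegal-instruction exception, so only set flags you have verified on the target.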

If you have any commentary or feedback please reach out to our team at facts@wolfssl.com or support@wolfssl.com!

wolfSSL Support for LwIP

The wolfSSL embedded SSL/TLS library supports LwIP, the light weight internet protocol implementation, out of the box!  Users should define WOLFSSL_LWIP when compiling wolfSSL, or uncomment the line /* #define WOLFSSL_LWIP */ in wolfssl/wolfcrypt/settings.h to use wolfSSL with LwIP.  This will enable wolfSSL’s LwIP port, which uses LwIP’s BSD socket API.  LwIP users who are using the native LwIP API can also use wolfSSL by defining HAVE_LWIP_NATIVE, then writing and registering their own Input/Output callbacks.

The focus of LwIP is to reduce RAM usage while still providing a full TCP stack.  That focus makes LwIP great for use in embedded systems, the same area where wolfSSL is an ideal match for SSL/TLS needs.  An active community exists with contributor ports for many systems.

In addition to LwIP, wolfSSL also supports TLS 1.3, FIPS 140-2/140-3, DO-178C, and more! For help getting started using wolfSSL in your project, contact wolfSSL at facts@wolfssl.com

wolfSSL SP Math All and OpenSSL

In this blog series, we are giving our users more details about wolfSSL’s new SP Math All math library. So far, we have introduced SP Math All and provided comparisons to both wolfSSL’s normal Big Integer library and wolfSSL’s TFM library. Up next, what about OpenSSL? Is SP Math All better than OpenSSL?

When compiling OpenSSL, you will get the highly optimized and large implementations by default. wolfSSL already has the Single Precision code that is as good or better! If you choose to compile OpenSSL without assembly then wolfSSL wins again.

Compiling both with no assembly and the SP Math All fast variation (the smaller of the two fast builds) has the following results:

| Architecture: x64 | Percent Faster (wolfSSL vs. OpenSSL) |
|---|---|
| RSA 2048 Sign | 8.27% |
| RSA 2048 Verify | 29.75% |
| ECC P-256 Agree | 20.56% |
| ECC P-256 Sign | 25.31% |
| ECC P-256 Verify | 24.13% |

Better across the board! And the size? It is difficult to obtain an accurate number for OpenSSL without writing a custom application. But looking at the size of the BN symbols indicates to us that OpenSSL would be as much as twice the size.

So you can see, the new SP Math All implementation is perfect for all your needs regardless of whether you are developing a memory limited embedded application, other embedded application or a mobile app. And don’t forget that Single Precision implements RSA and ECC algorithms at specific sizes to run blindingly fast in your mobile, desktop or server app and co-exists with SP Math All.

If you have any commentary or feedback please reach out to our team at facts@wolfssl.com or support@wolfssl.com!

Upcoming Webinar: Navigating Vehicle and IoT Security: Your Questions Answered by Crypto Experts

Don’t miss this exclusive opportunity, Feb 10 10:00 am Pacific, to gain access to the top thought leaders in the digital space, Ellen Boehm, VP of IoT Strategy at Keyfactor, and Chris Conlon, Engineering Manager at wolfSSL.

Register for the Q&A now to get your questions answered on how to navigate the fast paced world of IoT, and to gain insights on how to embed strong cryptography into vehicles and other connected devices with topics like:

– Unique security challenges that engineers face when securing connected devices
– The role that cryptography plays in securing vehicles
– Practical advice on how these principles can improve security for other connected IoT devices

Register here: (https://hubs.ly/H0Fv3pG0)

See you there!

Additional Resources

Please contact us at facts@wolfssl.com with any questions about the webinar. For technical support, please contact support@wolfssl.com or view our FAQ page.

In the meantime, check out the wolfSSL embedded SSL/TLS library, star us on GitHub, and learn more about the latest TLS 1.3 support available in wolfSSL.

Post Quantum Algorithms in SSH

New year new projects!

We are super excited to announce that we are expanding our post-quantum cryptography work into SSH.

At wolfSSL we try to be progressive with our support of new cryptography technology. Quantum computers present a threat to public key primitives because of their ability to solve hard cryptographic problems in polynomial time. To prepare for a post-quantum world, the National Institute of Standards and Technology (NIST) is currently working on the new generation of quantum-resistant key encapsulation and authentication schemes, especially to address this threat to critical Internet security protocols like Transport Layer Security (TLS) and Secure Shell (SSH).

In preparation for the future, we are getting ready for the transition to post-quantum cryptography by planning to add post-quantum algorithms to SSH.

The future of the cryptography landscape is scary and exciting. We at wolfSSL Inc want to help you navigate these dangers with cutting-edge technologies and quantum-safe algorithms.

Please visit our website at https://www.wolfssl.com or contact us at facts@wolfssl.com!
