wolfSSL has supported FreeRTOS for over a decade but you can now run wolfSSL’s command-line tool, wolfCLU, on FreeRTOS as well! The wolfSSL embedded TLS library is a lightweight, portable, C-based SSL/TLS library known for its low footprint, speed, and feature set and wolfCLU makes use of this portable library to offer a portable, low overhead cert/crypto command-line tool alternative.
As of right now, all wolfCLU commands that do not require a filesystem can be run on FreeRTOS including commands for generating certificates, certificate requests, DSA/DH/ECC parameters, and random data.
Are you interested to have more wolfCLU functionality supported on FreeRTOS?
Contact us at email@example.com with any questions, comments, or suggestions.
Join us Wednesday, June 29th at 9AM Pacific Time.
Story time with wolfSSL! Join us for a comprehensive presentation on how to leverage wolfSSL for all of your Automotive Security needs as we go through a variety of different use cases and example with the specific engineering details for each story.
As always bring your questions for the Q&A following the presentation.
We’ve had some recent interest in adding resistance for detection of encrypt issues due to glitching. A recent report for ESP32 AES HW showed it was possible to skip the encrypt operation with some timed glitching. The attack requires physical access to the hardware. The attack results in the HW encrypt operation being skipped and the data being sent unencrypted over the TLS transport.
As a result we’ve added a new build option WOLFSSL_CIPHER_TEXT_CHECK to enable checking of the encrypt to ensure the data changed (i.e. is not the same). It defaults to checking 64-bits of the buffer, but this can be enlarged by overriding the WOLFSSL_CIPHER_CHECK_SZ macro.
We enable this feature by default with our “max strength” build option `–enable-maxstrength`.
For details see PR https://github.com/wolfSSL/wolfssl/pull/5231 “Added sanity check on TLS encrypt to trap against glitching”.
If you have any questions please email firstname.lastname@example.org
wolfSSL has easy options for using FreeRTOS with LwIP on Xilinx boards! The Xilinx SDK has support for FreeRTOS and LwIP with embedded projects, which wolfSSL has been ported to use both for some time! The directory containing some Xilinx IDE projects and information for a quick start when working with the Xilinx SDK is located here (https://github.com/wolfSSL/wolfssl/tree/master/IDE/XilinxSDK).
With Xilinx FreeRTOS there are also calls to hardware acceleration using the Xilinx hardened crypto which greatly speeds up AES-GCM, SHA3, and RSA operations (https://docs.xilinx.com/v/u/en-US/wp512-accel-crypto). Stay tuned for updated benchmark numbers and status on the hardware acceleration with the new Versal board.
For questions about using wolfSSL with Xilinx contact email@example.com
While GO has its own tls/crypto library, wolfSSL is a proven and optimized solution that could soon be a viable option for GO projects. For some insight on how it would work, follow the instructions in this README to view/build a simple server/client example secured by wolfSSL TLS.
Are you interested in a more complete Golang wrapper?
Contact us at firstname.lastname@example.org with any questions, comments, or suggestions!
wolfSSL’s DTLS 1.3 implementation is not ready for commercial use, but it’s fully functional and ready for being beta-tested! As usual, you can find the code at our GitHub repo or you can download the beta version here.
Since its first version, DTLS aims to bring the same security guarantees as TLS, but without requiring a reliable and order-preserving underlying protocol. This means that it’s much more suitable for latency-sensitive applications that can suffer from the overhead of TCP or similar protocols. The specifications of DTLSv1.3 were published just last April (RFC 9147) and DTLSv1.3 brings all the improvements of TLS v1.3 to DTLS: faster and more secure handshake, 0-RTT resumption, modern crypto algorithms, better downgrade protection and so on. We are the first to release a working implementation. If you are working on DTLS, or if you just have questions, don’t hesitate to contact us at email@example.com. We’re more than happy to hear from you!
Want to talk to us face to face about DTLS 1.3 at Embedded World? Come by Hall 4, Booth 4-135!
We are in the process of developing an SSHD server with wolfSSH. This will be a fully featured application that can take in a typical OpenSSH style sshd_config file and handle incoming SSH connections. It’s backed by the progressive and well tested wolfCrypt library for all crypto operations. It is also developed with embedded devices in mind, having a reduced footprint size!
For early access to the SSHD server or questions contact us at firstname.lastname@example.org.
Here at wolfSSL, we pride ourselves on keeping up to date with the various post-quantum developments related to the protocols we support. wolfMQTT is a client side library that supports the MQTT publish and subscribe protocol that is a very good fit for IoT applications.
Recently, the OpenQuantumSafe project got a pull request for a new demo which featured the mosquito MQTT broker operating on top of TLS 1.3 with post-quantum cryptographic algorithms. Naturally, we were very excited to try and run some interoperability tests against it!
This blog post is to announce that wolfMQTT now supports KYBER_LEVEL1 KEM group and P256_KYBER_LEVEL1 hybrid group for key exchange along with FALCON_LEVEL1 for signature authentication over TLS 1.3. Our implementation has been successfully tested for inter-operability with the OpenQuantumSafe project’s mosquito MQTT broker demo. If you would like to try it out, please follow the instructions athttps://github.com/wolfSSL/wolfmqtt#post-quantum-mqtt-support
Want different post-quantum groups for KEM key exchange? Want other post-quantum signature schemes? Want to see the wolfSSL team make a post-quantum MQTT broker? Want to see this setup working on STM32 devices? Contact your wolfSSL regional business director or e-mail us at email@example.com to discuss these possibilities!
McKinsey and Company have release the following report “When – and how – to prepare for post-quantum cryptography” https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/when-and-how-to-prepare-for-post-quantum-cryptography
In it they outline some options regarding how you can handle the coming migration to post-quantum cryptography. Here is a brief summary of their options our response:
Option 1: Adopt post-quantum cryptography solutions today
While adopting one of these solutions might seem to be the best path for any company that needs to act today, there are trade-offs and drawbacks to consider…
The wolfSSL library already has post-quantum algorithms integrated. Let us help you understand these new trade-offs. Don’t worry, speed and performance won’t be a major factor. Please see our benchmarks: https://www.wolfssl.com/docs/benchmarks/
Option 2: Retrofit systems with post-quantum cryptography solutions later
Finally, organizations should begin building long-term relationships with relevant suppliers, regulators, and peers within and outside of their industries as soon as possible. These relationships will be critical for staying up to date on emerging standards and solutions for PQC. … collectively developing solutions, for example, could cost less than if an organization devised solutions on its own.
The wolfSSL Team has a long and stable history of providing quality open-source software for security protocols and we are here to stay. We are here to help you find the right solution that will help you comply with industry standards and interoperate with your peers.
Option 3: Focus only on enhancing traditional encryption protocols
Decision makers should also begin planning for future updates to long-lasting systems by, for instance, evaluating the modularity of their technological architecture.
The wolfSSL Team also provides various consulting services. We can help you update to the latest standards while becoming more flexible and agile to prepare for the coming post-quantum migration.
Please reach out to your regional business director or e-mail us at firstname.lastname@example.org .