Adding SHE (Secure Hardware Extension) Support to wolfSSL

    • wolfSSL now includes support for the Secure Hardware Extension (SHE) key management standard (see PR #10009). This new wolfCrypt module provides software-based generation and verification of SHE key update messages (M1–M5), with built-in support for hardware offload via crypto callbacks.

    What is SHE?

    The SHE specification was developed by the Hersteller Initiative Software (HIS) consortium to standardize secure key management in automotive Electronic Control Units (ECUs).

    The Mechanics: M1 through M5

    The SHE update protocol relies on a sequence of five messages to securely deliver a new key to a hardware slot:

    • M1/M2/M3: These messages authorize the update and deliver the encrypted new key.
    • M4/M5: These are returned by the receiver as cryptographic proof of a successful update.

    Why Add SHE to wolfCrypt?

    While our wolfHSM product already provides a full SHE implementation, we recognized a need for a standalone, portable module within wolfCrypt. This adds a new layer of flexibility for automotive developers:

    • Platform Independence: You can now generate SHE update messages M1/M2/M3 and M4/M5 without the need for wolfHSM, keeping your footprint light and your dependencies minimal.
    • Hardware-Agnostic API: It integrates with wolfCrypt’s crypto callback framework. This means your application code remains the same whether you are using the software-only implementation or offloading to a hardware-backed SHE module in production.
    • Lightweight & Portable: No dependencies beyond wolfCrypt’s AES and CMAC modules. This allows the same library and API to run anywhere, from provisioning servers and key management systems down to resource-constrained embedded targets.

    Choosing Between wolfCrypt SHE and wolfHSM

    The wolfCrypt SHE module handles the cryptographic computation of the M1–M5 messages. It does not provide the persistent storage for the keys themselves.

    • Use wolfHSM: if you need an all-encompassing solution that includes a secure vault, slot management, and a full HSM framework.
    • Use the wolfCrypt SHE module: if you need to generate update messages on a provisioning server or if you want to integrate with an existing HSM. By using wolfCrypt as the front-end, you can unify your APIs across different hardware platforms, using the same code to talk to your existing HSM via crypto callbacks.

    Questions?

    If you have questions about using SHE in wolfSSL or wolfHSM, please contact us at facts@wolfssl.com or +1 425 245 8247.

    Download wolfSSL Now