RECENT BLOG NEWS

What is the difference in modes with wpa_supplicant using wolfSSL FIPS vs non FIPS? Some of the algorithms are restricted when using CONFIG_FIPS=y while building wpa_supplicant. This is not a limitation in wpa_supplicant or in wolfSSL, but is due to restrictions and guidelines put in place for FIPS. To help avoid using algorithms that have not been sanctioned for use with FIPS, the build removes MD5/MD4 along with DES. Removal of these algorithms limits the modes supported.

Another restriction that is seen with FIPS use is that the key passed into HMAC must be 14 bytes or longer, this can cause issues with hunting-and-peck mode unless password sizes can be known to always be large enough. To avoid the limitation on HMAC key size, hash-to-element (sae_pwe=1) can be used instead.

Please do not hesitate to contact us at facts@wolfssl.com with any questions, comments, or suggestions.

wolfSSL and Intel have jointly published a white paper on the advantages of using the wolfBoot secure bootloader together with 11th Gen Intel Core processors.  The white paper has been published on wolfSSL’s White Paper page and can be downloaded today!

This white paper introduces the wolfBoot secure bootloader and 11th Gen Intel Core i7 Processors, talks about potential advantages of replacing the Intel Slim Bootloader with wolfBoot, and shows performance benchmarks of how the wolfCrypt cryptography library benefits from leveraging Intel AES-NI, AVX2, and AVX-512.

11th Gen Intel Core i7 processors include security features out of the box that make them an ideal processor choice for a number of project designs. Some of these include Intel Advanced Encryption Standard New Instructions (Intel AES-NI) , Intel Advanced Vector Extensions (Intel AVX2, Intel AVX-512), and UEFI Secure Boot. Given an excellent set of features offered by Intel processors, some users and Intel-based projects will benefit from extending the boot process using a second stage bootloader subsequent to Intel’s UEFI. This paper will introduce the wolfBoot secure bootloader, 11th Gen Intel® CoreTM i7 processors, and how wolfBoot can replace Intel® Slim Bootloader to provide certified and customized solutions such as securely unlocking a SATA drive using the trusted platform module version 2.0 (TPM 2.0) during boot.

wolfBoot is flexible and customizable in its use of hardware-based cryptography and secure key storage solutions.  It can leverage the wolfCrypt FIPS 140-2 (and upcoming 140-3) module for applications needing validated cryptography, or wolfCrypt DO-178C for secure boot requirements in avionics applications.  For more details, download our white paper today, or email wolfSSL at facts@wolfssl.com with any questions.

One of the primary distinctions between wolfSSL and other security libraries is the availability of commercial support packages (https://www.wolfssl.com/products/support-and-maintenance/).

The Premium Support package includes these benefits:

• Optimization Assistance
• Unlimited Support Incidents
• Contact via email, phone, and shared screen debug session
• Dedicated Support Engineer
• 4 Business Hour Response Time
• Build Config Added to Nightly CI Tests

Having your build configuration tested by our Nightly CI ensures that any changes made to the library will not cause regressions to your project! Having a highly configurable library means having a high level of complexity. We make every effort to test against the most common configurations, and having your project’s wolfSSL configuration added to that matrix removes any uncertainty that you’ll be able to painlessly update to future releases of the library.

Customers with our 24×7 Support package gain the additional advantage of having their target hardware added to our Nightly CI Tests.

wolfSSL wants to help you achieve your project’s security goals! Please contact us (facts@wolfssl.com) with any questions.

A little while ago, we wrote a blog post (https://www.wolfssl.com/nsa-announces-cnsa-suite-2-0/) and did a webinar (https://www.youtube.com/watch?v=IiykMe-pjqo) about the CNSA 2.0 announcement(https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF).  It discusses the need for preparing to use post-quantum algorithms.  For signature schemes, it specifies Dilithium Level 5 as a good general purpose algorithm and LMS and XMSS as being good for signing software and firmware updates.

Here at wolfSSL, plans are underway to make our wolfBoot product use post-quantum algorithms to sign the image updates.  Whether we start with Dilithium Level 5, LMS or XMSS  is up in the air. On the one hand, the time lines as prescribed in CNSA 2.0 for LMS and XMSS are accelerated. On the other hand, Dilithium is already supported through our integration with liboqs.

Want us to accelerate our plans and get them a higher priority? Have a preference for one of Dilithium, LMS or XMSS? Make yourself heard and reach out to facts@wolfssl.com with your thoughts!!

This past December, NIST announced that the venerable SHA-1 algorithm, introduced in 1995, is at end-of-life.  While wolfSSL does not use or recommend SHA-1 for new designs, we do implement and support it in our products.  With the NIST announcement, that will soon change for new FIPS 140 submissions, as we too will retire SHA-1.

The wolfSSL FIPS 140-3 cryptographic module currently in process at NIST includes SHA-1.  Thus, customers with an existing requirement for SHA-1 will be able to satisfy that requirement under that certificate once it has been issued.

However, and regardless of FIPS status, customers still using SHA-1 in security-critical roles — signatures, authentications, HMAC, KDFs, etc. — should refactor the implicated systems to use a modern hash algorithm such as SHA-2 or SHA-3.  wolfSSL stands ready to help our customers select and implement an appropriate migration path.

All FIPS 140 modules submitted on or after December 31 2025 will exclude SHA-1, to avoid early certificate sunset under the timeline announced by NIST.

In preparation for this transition, wolfSSL has already prepared its FIPS 140-3 codebase to build, run, and pass full ACVP testing, with SHA-1 gated out.  We are also routinely testing our mainline and FIPS codebases to assure correct function with SHA-1 disabled.

For more information on the announcement from NIST, see
https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Celebrate 25 Years of curl with a Zoom Birthday Party on March 20, 2023 at 17:00 UTC. Join fellow curl developers and enthusiasts online for a presentation on the major changes done over the years. Come and contribute to the discussion by asking questions or sharing your own insights. Let’s make this a memorable birthday party for curl!

Follow this link to register for the event: https://us02web.zoom.us/webinar/register/WN_J8VYX7IgRaaAZ1AB-hRKsQ

Follow this link to Daniel Stenberg’s blog providing more detail on the event: https://daniel.haxx.se/blog/2023/03/10/curl-25-years-online-celebration/

Earlier this month, we issued the final beta release of wolfSentry, the wolfSSL
embedded IDPS/firewall. This set the stage for our first production release of
wolfSentry, with increasingly mature and comprehensive facilities for securing
embedded endpoints.

Version 1.0.0 of wolfSentry delivers high-performance thread safety — in
multithreaded builds, all internal structures are protected, with shared locks
allowing for high concurrency on multithreaded/multicore targets. Realtime/TSN
use cases are supported with hard deadlines for return of control to the caller.

We have also improved support for dynamic/stateful rules, including constant
time garbage collection. These capabilites are demonstrated in the updated and
refined examples/notification-demo, our sample implementation of dynamic
defenses and event notifications integrated with an embedded web server.

Configuration of user plugins can now be driven with deep user-defined JSON
trees embedded within the unified JSON configuration package. These trees are
parsed at configuration time, and the pre-parsed contents are then available to
plugins through high performance btree lookups. This highly expressive, high
performance configuration mechanism streamlines configuration of complex
application-specific plugins. Moreover, the pre-parsed JSON trees can be
updated and expanded by plugin logic, using lock upgrades and DOM accessors, as
a supplementary stateful mechanism.

wolfSentry is available now, and is an ideal endpoint security solution for
deeply embedded use cases, with close and easy integration with user
applications, embedded IP stacks, and common libraries like wolfSSL.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training taking place March 15th and 16th. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ

The wolfSSL Python wrapper provides a Python interface to the wolfSSL library, a lightweight and portable SSL/TLS library optimized for performance in embedded and IoT devices.

The wolfSSL Python wrapper allows Python developers to use the wolfSSL library, simplifying the development process and reducing time-to-market. Furthermore, The wolfSSL port allows you to use Python with our FIPS 140-2/3 certified wolfCrypt library, ensuring that it meets strict security standards for developers working with sensitive data.

To use the wolfSSL Python wrapper, developers can follow the instructions provided in the wolfSSL open source projects repository on GitHub. Once installed, developers can easily integrate wolfSSL into their Python applications, from IoT devices to embedded systems.

wolfSSL also has a very simple Golang wrapper. While GO has its own tls/crypto library, wolfSSL is a proven and optimized solution that is a viable option for GO projects. For some insight on how it would work, follow the instructions in this README to view/build a simple server/client example secured by wolfSSL TLS.

Are you interested in extensions to our Golang wrapper?  Let us know at facts@wolfssl.com.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training taking place March 15th and 16th. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ

WolfSSL will attend two major tradeshows from March 14 to 16: Embedded World 2023 in Nuremberg, Germany, and Satellite 2023 in Washington D.C. At Embedded World, attendees will explore the latest trends in embedded systems, IoT, and edge computing. At Satellite 2023, the focus is on new developments in satellite technology, ground stations, and launch services.

WolfSSL offers highly optimized TLS and cryptography libraries that secure IoT devices and embedded systems against cyber attacks. At both tradeshows, the wolfSSL team will meet with attendees and discuss how their products can support their projects. They have the expertise and experience to help you achieve your security goals and enhance system performance.

By scheduling a meeting with the wolfSSL team at Embedded World 2023 or Satellite 2023, attendees can gain valuable insights into the latest trends and technologies in embedded and satellite systems security. . Don’t miss out on this opportunity to meet with wolfSSL and explore the latest advancements in embedded and satellite systems security.

Email facts@wolfssl.com to schedule a meeting with the wolfSSL team at either tradeshow.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ

Under UN Regulations 155 and 156, auto makers and their contractors take on the daunting responsibility for security across the entire lifecycle of the vehicle.  To meet this challenge, designers must consider security from the start of product planning, and at every stage thereafter, designing in sustainable, best-in-class solutions.

The two crucial approaches to secure the endpoint are access controls and cryptographic encapsulation.  wolfSSL offers best-in-class enabling technology for both.  wolfCrypt, wolfSSL, wolfSSH, and wolfBoot are turnkey embedded solutions to secure software and messaging in the embedded endpoint with best-in-class cryptography.  The wolfSentry embedded IDPS, in turn, secures the embedded endpoint with a flexible, field-configurable policy engine, and facilitates integration into central cybersecurity monitoring solutions.

wolfSentry, and the rest of the wolf suite, align with the specific mitigations directed by R155:

• “Measures to detect and recover from a denial of service attack shall be employed”
• “Security controls shall be applied to systems that have remote access”
• “Access control techniques and designs shall be applied to protect system data/code.”
• “Measures to prevent and detect unauthorized access shall be employed”
• “Measures to detect malicious internal messages or activity should be considered”
• “The vehicle shall verify the authenticity and integrity of messages it receives”
• “Security controls shall be implemented for storing cryptographic keys (e.g. use of Hardware Security Modules)”

wolfSentry, in concert with other wolf suite components and application-specific plugin logic, implements these mitigations in a fully embeddable, easily integrated, highly portable form.  And the foundational requirements of R156, which relates to software update management systems for vehicles, are fully met by the wolf suite.

By adopting the wolf suite of solutions as key components of a comprehensive security architecture, designers can assure the sustainability of their engineering investment, with all major algorithms, target silicon, and runtime environments supported.

Further reading:

Full text of R155 (30 pages): https://unece.org/sites/default/files/2021-03/R155e.pdf

R156 (16 pages): https://unece.org/sites/default/files/2021-03/R156e.pdf