RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news, or sign up to receive weekly email notifications containing the latest news from wolfSSL. wolfSSL also has a support-specific blog page dedicated to answering some of the more commonly received support questions.

wolfSSL 5.7.0 Now Available!

Version 5.7.0 of wolfSSL is now available! Many new and exciting features were added in this release. Near the top of that list is the addition of our Kyber implementation along with other post quantum algorithm support. This empowers you to future-proof your security measures, ensuring robust protection against evolving threats. In addition to introducing new features, we’ve addressed three vulnerabilities in this release. Two of these fixes target vulnerabilities related to row hammer attacks, while the other addresses a TLS 1.3 server-side issue. We take security seriously, and you can find more information about these fixes on our vulnerability page (https://www.wolfssl.com/docs/security-vulnerabilities/).

A full list of fixes, additions, and optimizations can be found in the ChangeLog. Here are some of the highlights!

  • Experimental framework for using wolfSSL’s XMSS and LMS implementation. Explore and test advanced cryptographic techniques within the wolfSSL ecosystem. (PR 7161 & PR 7283)
  • Experimental wolfSSL Kyber implementation and assembly optimizations, enabled with --enable-experimental --enable-kyber. Proactively prepare for quantum computing threats with Kyber integration and assembly optimizations. (PR 7318)
  • The Linux kernel module now supports registration of AES-GCM, AES-XTS, AES-CBC, and AES-CFB with the kernel cryptosystem through the new --enable-linuxkm-lkcapi-register option, enabling automatic use of wolfCrypt implementations by the dm-crypt/luks and ESP subsystems. In particular, wolfCrypt AES-XTS with --enable-aesni is faster than the native kernel implementation.
  • BER content streaming support for PKCS7_VerifySignedData and sign/encrypt operations. Handles large data streams more effectively during PKCS7 operations. (PR 6961 & 7184)
  • Microchip PIC24 support and example project expands compatibility, facilitating integration with Microchip’s PIC24 microcontrollers. (PR 7151)
  • AutoSAR shim layer provides a standardized interface for RNG, SHA256, and AES (PR 7296)
  • wolfSSL_CertManagerUnloadIntermediateCerts API to clear intermediate certs added to certificate store (PR 7245)

A small subset of the optimizations and enhancements made in the last release is as follows:

  • Remove obsolete user-crypto functionality and Intel IPP support (PR 7097)
  • Support for RSA-PSS signatures with CRL use (PR 7119)
  • Enhancement for AES-GCM use with Xilsecure on Microblaze (PR 7051)
  • Improve liboqs integration adding locking and init/cleanup functions (PR 7026)
  • Update Arduino example TLS Client/Server and improve support for ESP32 (PR 7304 & 7177)
  • Improvements for Espressif use; SHA HW/SW selection and use on ESP32-C2/ESP8684, wolfSSL_NewThread() type, component cmake fix, and update TLS client example for ESP8266 (PR 7081, 7173, 7077, 7148, 7240)

Visit our download page or wolfSSL GitHub repository to download the latest release. If you have questions about any of the above, feel free to email us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Join Our Live Webinar: wolfHSM Design for Automotive Hardware Security Modules

You are invited to register for our upcoming webinar “wolfHSM Design for Automotive Hardware Security Modules” on May 30th at 10am PT. This webinar is presented by wolfSSL Software Engineer, Bill Phipps.

Register Now: wolfHSM Design for Automotive Hardware Security Modules

Security is paramount in the automotive industry to protect the integrity, confidentiality, and authenticity of data. Automotive HSMs (Hardware Security Modules) play a crucial role: they enhance the security of cryptographic keys and cryptographic processing.

During this webinar, Bill will explore a wide range of topics from the functionality and design of wolfHSM to its application in AUTOSAR/SHE/PKCS11, and provide a demonstration on the Infineon Aurix Tricore TC375.

You can expect to learn:

  • The essentials of Hardware Security Modules
  • Functional design insights of wolfHSM
  • Application of wolfHSM in AUTOSAR, SHE, and PKCS11
  • Hardware porting and support strategies for wolfHSM
  • A demonstration using the Infineon Aurix Tricore TC375
    And much more…

Register now to secure your spot and learn how wolfHSM can boost your security, offering a portable and open-source abstraction to hardware cryptography, non-volatile memory, and isolated secure processing.

As always, our webinars will include Q&A sessions throughout. If you have questions on any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

CNSA 2.0 Update Part 2: NIAP

On April 18th, 2024, the NSA released updates and clarifications to their CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) advisory in the form of an FAQ. This is the second in a multipart series of postings about the questions and answers that we feel are most interesting and our reactions to them.

But first, some clarifications on terms and acronyms:

  • NIST SP 800-208: National Institute of Standards and Technology Special Publication 800-208, titled "Recommendation for Stateful Hash-Based Signature Schemes"
  • NIAP: National Information Assurance Partnership: A United States government organization that oversees evaluations of commercial information technology products for use in national security systems
  • LMS: Leighton-Micali Signatures; a stateful hash-based signature scheme
  • XMSS: eXtended Merkle Signature Scheme; a stateful hash-based signature scheme
  • CAVP: The Cryptographic Algorithm Validation Program; provides guidelines for validation testing which is a pre-requisite for CMVP testing
  • CMVP: Cryptographic Module Validation Program; security accreditation program for cryptographic modules.

Q: As a commercial vendor, how do I know if my NIST SP 800-208 implementation meets CNSA 2.0?

A: NIAP validates products against its published Protection Profiles, which will start including quantum-resistant signatures in line with our published transition timelines. For commercial vendors, we do not anticipate NIAP Protection Profiles will perform signature generation within the Target of Evaluation (TOE) boundary, only signature verification. As signature generation is the component of LMS/XMSS that requires state management, if only signature verification is being performed, only CAVP validation (not CMVP) will be expected for such products.

Anyone who has been following wolfSSL’s progress with post-quantum algorithms knows we have our own implementations of LMS/HSS and XMSS/XMSS^MT and they are integrated into the wolfBoot product! wolfBoot only uses them to verify the signature of the firmware, therefore one only needs to build these algorithms with verification functionalities. Check out sections 17 and 20 of our wolfSSL INSTALL file.

Requiring only CAVP validation is an excellent bonus for our customers. It means that validation will be a simpler and easier process for our team to help you achieve. You can count on fast turnaround times and little if any paperwork.

Preparing for NIAP and need the best cryptography? If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

CNSA 2.0 Update Part 1: Today

On April 18th, 2024, the NSA released updates and clarifications to their CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) advisory. They did it in the form of an FAQ document (list of Frequently Asked Questions with answers). The FAQ document was sent to the PQC Forum. This will be the first in a multipart series of postings about the questions and answers that we feel are most interesting and our reactions to them.

Q: Is there a quantum-resistant public-key algorithm that commercial vendors should adopt today?

A: NSA encourages vendors to use CNSA 2.0 approved hash-based signatures for software- and firmware-signing. NSA does not approve using pre-standardized or non-FIPS-validated CNSA 2.0 algorithms (even in hybrid modes) for NSS missions. However, NSA does recommend limited use of pre-standardized or non-FIPS-validated CNSA 2.0 algorithms and modules in research settings to prepare for the transition. NSA requests vendors begin preparing to implement CNSA 2.0 algorithms so they are primed to provide products soon after NIST completes standardization.

The NSA has spoken and they expect the industries from which they purchase to provide products that support the CNSA 2.0 Algorithm Suite upon standardization. That means DO NOT start when standardization is complete; start now.

You need to be prepared with these algorithms already integrated into your products. Here at wolfSSL we have been saying the same message for years. You need to prepare for and understand the impacts that the larger keys, cipher text and signatures are going to have on your systems. Will these larger cryptographic artifacts require more memory resources? Will they slow down your transmissions? Will the answer to those questions cascade into new requirements and trade-offs? Now is the time to find those answers. Contact us at support@wolfssl.com for benchmarking details.

If you haven’t already, go ahead and get started today. See Appendix G of our wolfSSL manual. If you have further questions about getting started with CNSA 2.0 using wolfSSL, contact us at support@wolfSSL.com.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

wolfEngines for OpenSSL in Yocto

What Is wolfEngine?

Recently added to meta-wolfssl, wolfEngine bridges the gap between OpenSSL 1.x and wolfCrypt’s robust cryptographic functionality. This integration allows OpenSSL 1.x consumers to leverage wolfSSL’s FIPS 140-3 algorithms.

Why Choose wolfEngine?

  • Seamless Integration: Easily combine OpenSSL 1.x with the cryptographic algorithms of wolfCrypt.
  • Enhanced Security: Benefit from advanced, high-performance cryptographic capabilities.
  • FIPS-Ready: Smooth path to FIPS 140-3 compliance, making your project future-proof.

Leveraging wolfEngine

wolfEngine allows wolfCrypt’s FIPS 140-3 cryptography to be seamlessly integrated in your OpenSSL 1.x projects. Take the steps to prepare for FIPS 140-3 certification by using FIPS-Ready wolfSSL with wolfEngine.

Questions?

For further insights into our Standard and Commercial Bundles or if you have any inquiries, feel free to contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Elevate OpenSSL in Yocto with wolfProvider

What Is wolfProvider?

New to meta-wolfssl, wolfProvider marries OpenSSL 3.x with wolfCrypt’s cutting-edge cryptography, empowering Yocto projects to utilize wolfCrypt’s FIPS 140-3 algorithms seamlessly.

Why Choose wolfProvider?

  • Effortless Integration: Fuse OpenSSL 3.x with wolfSSL’s algorithms swiftly.
  • Superior Security: Access wolfSSL’s lightweight, high-performance cryptography and wide range of supported operating environments.
  • FIPS-Ready: Smooth path to FIPS 140-3 compliance, making your project future-proof.

Leveraging wolfProvider

wolfProvider unlocks the potential to incorporate wolfCrypt’s FIPS 140-3 cryptography within your OpenSSL 3.x applications. Kickstart your project now with wolfProvider and our FIPS-Ready bundle, setting the foundation for FIPS 140-3 compliance in your project.

Questions?

If you have questions about any of the above or wish to explore more about FIPS and commercial bundles, contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Join Our Live Webinar: Enhanced Security: SM Ciphers Integrated with wolfSSL

Please join us for our informative webinar titled “Enhanced Security: SM Ciphers Integration with wolfSSL,” scheduled for May 23rd at 2 pm PT. This session, led by wolfSSL Senior Software Engineer Sean Parkinson, will explore the integration of SM Ciphers and their effective employment within the wolfSSL framework. Sean will provide in-depth insights into the ShangMi algorithms, highlighting their benefits and applications in various critical systems.

Save the date: May 23rd | 2pm PT

As mandated by Chinese government regulations, the use of SM2, SM3, and SM4 is now required in critical systems such as automobiles, avionics, power systems, and communication networks. In response to these requirements and the needs of our multinational clients operating in China, we have integrated these algorithms into our wolfSSL products. Our latest release supports SM2, SM3, and SM4, and we plan to introduce the ZUC stream cipher later this year to fully comply with SM9 standards. We are also working towards achieving OSCCA certification, enhancing our appeal in the Chinese market.

For those considering wolfSSL for your security needs, here are 6 benefits of our ShangMi ciphers implementation:

  1. The SM Ciphers are fully supported in wolfSSL’s TLS 1.3 and DTLS 1.3 implementations.
  2. wolfSSH, wolfBoot and our other products will support ShangMi ciphers.
  3. ARM, Intel, and RISC-V assembly is in the works for our SM implementations for maximum performance.
  4. We support bare metal for SM2, SM3, and SM4.
  5. We have maximized performance and minimized size, so the ShangMi algorithms will work well for embedded systems use cases on a wide variety of microcontrollers (MCUs). They will be available for all of the MCU silicon that we currently support, including STM32, NXP i.MX, RISC-V, Renesas RA, RX, and Synergy, Nordic NRF32, Microchip PIC32, Infineon Aurix, TI MSP, and many others.
  6. Our GPLv2 versions of the SM ciphers are available on GitHub and for download.
    Commercial licenses are also available.

Don’t miss this opportunity to discover comprehensive security solutions and compliance strategies during our webinar on SM cipher implementations from wolfSSL. Register now!

As always, the webinar will feature interactive Q&A sessions. If you have any questions about the ShangMi ciphers and algorithms, please contact us at facts@wolfSSL.com, or call us at +1 425 245 8247.

Participate Now | curl User Survey 2024

We are excited to announce the opening of the 11th annual curl user survey 2024. As part of our ongoing commitment to enhance your experience and adapt to community needs, we invite all curl and libcurl users to share their invaluable feedback.

Take the Survey

This survey serves as the primary channel to connect with curl and libcurl users, understanding their views and preferences without any tracking, cookies, or advertisements on our website. Your participation helps us maintain our privacy-focused user feedback tools, ensuring that we respect your digital space while gathering essential insights.

Why Your Feedback Matters

Your feedback is crucial. By dedicating a few minutes of your time to our survey, you not only contribute to our knowledge but directly influence the future development of curl and libcurl. The insights from the curl user survey help us identify trends and understand the broader impact of curl on developers.

Community Insights and Trends

By asking similar questions as in previous years, such as those featured in the curl user survey 2023 analysis, we aim to track changes and emerging trends within our community. This consistency allows us to compare data year-over-year and better understand how our tools are being used.

This survey will be available from May 14th until the end of May 27th, 2024. We aspire to surpass last year’s participation, where 606 people shared their thoughts. If you know friends or colleagues who use curl or libcurl, encourage them to participate as well. Every response adds value and enhances our community-driven project.

Participate in curl User Survey 2024

We appreciate your continued support and honest opinions. Your feedback not only guides us but is integral to the ongoing success and improvement of curl.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

MQTT v5.0 versus v3.1.1

wolfMQTT was updated to support the draft MQTT v5.0 version of the specification in 2018. The specification was finalized in 2019, and wolfSSL has been a proponent of the new version ever since!

  1. Enhanced Session Management:
    • MQTT v5.0 introduces improved session management, allowing clients to resume sessions seamlessly. This feature ensures continuity and reliability, especially in scenarios where connections may be unstable or intermittent.
  2. Extended Message Properties:
    • Version 5.0 introduces extended message properties. These properties offer richer metadata for messages, enabling more sophisticated message routing, filtering, and processing.
  3. Payload Format Indicators:
    • With MQTT v5.0, publishers can indicate the format of the message payload, providing valuable information to subscribers. This feature enhances interoperability and simplifies message handling, especially in heterogeneous IoT environments.
  4. Message Expiry Interval:
    • MQTT v5.0 allows publishers to specify a message expiry interval, ensuring that messages are delivered within a defined timeframe or discarded if they expire. This capability enhances message reliability and resource efficiency, particularly in constrained IoT networks.
  5. Request/Response Model:
    • Version 5.0 introduces a request/response messaging pattern, enabling clients to make requests and receive responses over MQTT. This feature simplifies communication in IoT applications, facilitating interactions between devices and servers.
  6. Flow Control Enhancements:
    • MQTT v5.0 provides improved flow control mechanisms, including the ability to specify maximum packet size and rate limits. These enhancements help prevent network congestion and improve overall system stability and performance.
  7. Topic Alias:
    • In MQTT v5.0, topic aliasing allows clients to use shorter topic identifiers, reducing bandwidth usage and improving efficiency, especially in scenarios with long or complex topic names.
  8. Shared Subscriptions:
    • Shared subscriptions enable multiple clients to share the processing of messages from a single subscription, distributing the workload efficiently across subscribers. This feature enhances scalability and resource utilization in MQTT v5.0 compared to v3.1.1.
  9. Support for Binary Data:
    • MQTT v5.0 introduces native support for binary data transmission, eliminating the need for encoding and decoding payloads, which simplifies application development and improves performance.
  10. Authentication Enhancements:
    • Version 5.0 offers enhanced authentication mechanisms, including support for more robust authentication methods such as OAuth 2.0. These enhancements bolster security and authentication capabilities, addressing evolving IoT security requirements.

wolfMQTT has excellent examples that demonstrate the capabilities of MQTT v5.0:

  • Property handling callback for incoming messages
  • During connect:
    • LWT delay
    • Request problem info
    • Max packet size
  • During subscribe:
    • Subscription identifier
  • During publish:
    • Payload format indicator
    • Topic alias
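
Several of the v5.0 features above (payload format indicator, message expiry interval, topic alias) travel as properties whose lengths are set by the sender. The following is an added example, not wolfMQTT code and not part of the original post: a bounds-checked parser for the property section of a PUBLISH packet, using the property identifiers from section 2.2.2.2 of the MQTT v5.0 specification. The struct, function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct {
    int      seen_format, seen_expiry, seen_alias;
    uint8_t  payload_format;   /* 0 = unspecified bytes, 1 = UTF-8 */
    uint32_t msg_expiry;       /* seconds */
    uint16_t topic_alias;      /* non-zero when present */
} PublishProps;

/* Constructed sample: length 10, then format=1, expiry=60 s, alias=5. */
static const uint8_t SAMPLE_PROPS[] = {
    0x0A, 0x01, 0x01, 0x02, 0x00, 0x00, 0x00, 0x3C, 0x23, 0x00, 0x05
};

/* Variable byte integer: at most 4 bytes, 7 value bits each, low group first.
 * Returns the bytes consumed, or -1 if truncated or longer than 4 bytes. */
static int decode_vbi(const uint8_t *b, size_t len, uint32_t *out)
{
    uint32_t v = 0;
    size_t i;
    for (i = 0; i < 4 && i < len; i++) {
        v |= (uint32_t)(b[i] & 0x7F) << (7 * i);
        if (!(b[i] & 0x80)) { *out = v; return (int)(i + 1); }
    }
    return -1;
}

/* Parse the property section (length, then properties) of a PUBLISH packet.
 * Returns the bytes consumed, or -1 for malformed or out-of-bounds input. */
int parse_publish_props(const uint8_t *b, size_t len, PublishProps *p)
{
    static const PublishProps empty = {0};
    uint32_t plen, sub_id;
    size_t pos, end, flen;
    int k, n = decode_vbi(b, len, &plen);
    *p = empty;
    if (n < 0 || plen > len - (size_t)n) return -1; /* declared length overruns */
    pos = (size_t)n;
    end = pos + plen;
    while (pos < end) {
        uint8_t id = b[pos++];
        switch (id) {
        case 0x01:                          /* payload format indicator */
            if (p->seen_format++ || end - pos < 1 || b[pos] > 1) return -1;
            p->payload_format = b[pos++];
            break;
        case 0x02:                          /* message expiry interval */
            if (p->seen_expiry++ || end - pos < 4) return -1;
            p->msg_expiry = ((uint32_t)b[pos] << 24) | ((uint32_t)b[pos + 1] << 16)
                          | ((uint32_t)b[pos + 2] << 8) | b[pos + 3];
            pos += 4;
            break;
        case 0x23:                          /* topic alias */
            if (p->seen_alias++ || end - pos < 2) return -1;
            p->topic_alias = (uint16_t)((b[pos] << 8) | b[pos + 1]);
            if (p->topic_alias == 0) return -1;   /* alias 0 is not permitted */
            pos += 2;
            break;
        case 0x0B:                          /* subscription identifier */
            n = decode_vbi(b + pos, end - pos, &sub_id);
            if (n < 0 || sub_id == 0) return -1;
            pos += (size_t)n;
            break;
        case 0x03: case 0x08: case 0x09:    /* content type, response topic, correlation data */
        case 0x26:                          /* user property: two strings */
            for (k = (id == 0x26) ? 2 : 1; k > 0; k--) { /* skip each field */
                if (end - pos < 2) return -1;
                flen = ((size_t)b[pos] << 8) | b[pos + 1];
                if (end - pos - 2 < flen) return -1;
                pos += 2 + flen;
            }
            break;
        default: return -1;                 /* not a PUBLISH property */
        }
    }
    return (int)end;
}
```

Every read is checked against the declared property length rather than the buffer length, so a property cannot reach into the payload that follows, and duplicate or zero-valued fields that the specification forbids are rejected.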

As the MQTT specification continues to evolve, wolfSSL will stay on top of the latest improvements. Want to try out MQTT v5.0? You’ll need a broker that supports MQTT v5.0. You can find a list of brokers that we tested.

You can run the wolfMQTT client examples after building the code from here.

While you’re there, show us some love and give the wolfMQTT project a Star!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

wolfSSL now supported on PlatformIO

The best encryption libraries are now available on the PlatformIO environment!

At wolfSSL, we continue to embrace rapid prototyping environments, including Arduino, Visual Studio, and now PlatformIO for VS Code, among other IDE applications.

There are hundreds of boards supported by PlatformIO on numerous frameworks and platforms.

We are providing two different Official wolfSSL libraries: standard and another specifically for Arduino:

There are also two different versions: the stable release versions (above) and these staging updates, with the latest post-release changes.

The stable release versions will generally follow our standard release cycle. The initial 5.7.0 versions include post stable-release updates needed for the initial PlatformIO support.

See the PlatformIO documentation for Getting Started with PlatformIO.

For Windows users using pio from command line:


set PATH=%PATH%;C:\Users\%USERNAME%\.platformio\penv\Scripts\
pio --help
pio account show

Our initial release has full support for Espressif ESP32 boards, but other boards should work with just a few modifications to the wolfSSL user_settings.h file. See the example configs:

https://github.com/wolfSSL/wolfssl/tree/master/examples/configs

Here’s an example platformio.ini file for the ESP32:


[env:esp32dev]
platform = espressif32
board = esp32dev
framework = espidf
upload_port = COM82
monitor_port = COM82
monitor_speed = 115200
build_flags = -DWOLFSSL_USER_SETTINGS, -DWOLFSSL_ESP32
monitor_filters = direct
lib_deps = wolfssl/wolfSSL@^5.7.0-rev.3b

See also: Espressif Systems Leverages PlatformIO Labs Next-Gen Technology for its Software Products.

Is your device working on the PlatformIO environment with wolfSSL? Send us a message and let us help you get started: support@wolfSSL.com or open an issue on GitHub.

Get Started with wolfSSL

Additional information on getting Started with wolfSSL on the Espressif environment is available on the wolfSSL GitHub repository as well as this YouTube recording:

There’s also a must-see 2024 Roadmap to review all the exciting new features:

Find out more

If you have any feedback, questions, or require support, please don’t hesitate to reach out to us via facts@wolfSSL.com, call us at +1 425 245 8247, or open an issue on GitHub.

What is the difference between AES and ECC?

AES (Advanced Encryption Standard) and ECC (Elliptic Curve Cryptography) are both cryptographic algorithms used for securing data, but they operate in different ways and serve different purposes:

AES (Advanced Encryption Standard)

  • AES is a symmetric encryption algorithm, meaning the same key is used for both encryption and decryption.
  • It operates on blocks of data and is commonly used for encrypting large amounts of data, such as files or entire hard drives.
  • AES is widely adopted and considered secure when used with sufficiently long keys (128, 192, or 256 bits).
  • Code Size: The code size for implementing AES depends on factors such as the programming language, optimization techniques used, and the desired features (e.g., support for different key lengths).
    • In optimized implementations, the core AES algorithm (encryption and decryption) can be relatively compact. Implementations in low-level languages like C or assembly language are often more efficient in terms of code size.
    • Additional features such as key expansion, mode of operation (e.g., CBC, ECB), and padding schemes can increase the overall code size.
  • Memory Footprint: The memory footprint of AES implementations can vary depending on factors such as the key length, block size, and the specific operations being performed.
    • Memory requirements typically include space for storing the encryption/decryption keys, the input plaintext/ciphertext blocks, and intermediate values during computation.
    • For embedded systems or devices with limited resources, memory optimization techniques such as minimizing the number of lookup tables or precomputing values can be employed to reduce memory usage.

ECC (Elliptic Curve Cryptography)

  • ECC is an asymmetric encryption algorithm, meaning it uses a pair of keys: a public key used on one end and a private key used on the other. For example, in signing, the signature is generated with the private key and verification is done with the public key.
  • It is based on the mathematics of elliptic curves over finite fields.
  • ECC is particularly well-suited for scenarios where computational resources are limited, such as mobile devices or IoT devices, as it offers equivalent security to RSA but with shorter key lengths, resulting in faster computations and less memory usage. That being said, ECC requires larger keys than AES to provide equivalent encryption strength.
  • ECC is often used for key exchange protocols like Diffie-Hellman key exchange and in digital signatures.
  • Code Size: Implementing ECC requires additional mathematical operations compared to AES, particularly involving elliptic curve arithmetic. However, optimized libraries are available that provide efficient ECC implementations.
    • Code size can vary depending on factors such as the choice of elliptic curve parameters, the underlying arithmetic field, and the desired level of optimization.
    • Libraries such as wolfSSL or OpenSSL provide ECC functionality and can be integrated into applications with relatively modest code size overhead.
  • Memory Footprint: ECC implementations typically require memory for storing various parameters, including public/private keys, intermediate values during computation, and precomputed tables for performance optimization.
    • Memory usage depends on factors such as the key size, the chosen elliptic curve, and the specific operations being performed (e.g., key generation, point multiplication).
    • ECC implementations optimized for memory-constrained environments often utilize techniques such as point compression to reduce memory usage.

In summary, AES is used for symmetric encryption of large amounts of data, while ECC is used for signing/verification and key exchange, particularly in resource-constrained environments.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
