RECENT BLOG NEWS

Hi!  Would you be interested in wolfSSL ported into Dropbear? We have been thinking about putting wolfSSL into Dropbear SSH, and would like your feedback.  Contact us at info@yassl.com if you think wolfSSL should be ported into Dropbear.

Many of our users are curious about how the wolfSSL embedded SSL library will perform on a specific hardware device or in a specific environment. Because of the wide variety of different platforms and compilers used today in embedded, enterprise, and cloud-based environments, it is hard for us to give generic performance calculations across the board.

To help our users and customers in determining SSL performance for wolfSSL / CTaoCrypt, we provide a benchmark application which is bundled with wolfSSL. wolfSSL uses the CTaoCrypt cryptography library for all crypto operations by default. Because the underlying crypto is a very performance-critical aspect of SSL/TLS, our benchmark application runs performance tests on CTaoCrypt’s algorithms.

The benchmark utility is located in ctaocrypt/benchmark. Typical output may look like:

./ctaocrypt/benchmark/benchmark
AES 5 megs took 0.033 seconds, 149.84 MB/s
ARC4 5 megs took 0.017 seconds, 297.23 MB/s
HC128 5 megs took 0.004 seconds, 1185.10 MB/s
RABBIT 5 megs took 0.011 seconds, 453.14 MB/s
3DES 5 megs took 0.236 seconds, 21.18 MB/s

MD5 5 megs took 0.011 seconds, 444.13 MB/s
SHA 5 megs took 0.019 seconds, 261.73 MB/s
SHA-256 5 megs took 0.041 seconds, 122.98 MB/s
SHA-512 5 megs took 0.023 seconds, 213.44 MB/s

RSA 2048 encryption took 0.11 milliseconds, avg over 100 iterations
RSA 2048 decryption took 2.36 milliseconds, avg over 100 iterations
DH 2048 key generation 0.88 milliseconds, avg over 100 iterations
DH 2048 key agreement 0.92 milliseconds, avg over 100 iterations

This is especially useful for comparing the public key speed before and after changing the math library. You can test the results using the normal math library (./configure), the fastmath library (./configure –enable-fastmath), and the fasthugemath library (./configure –enable-fasthugemath).

As always, please contact info@yassl.com with any questions or comments.

Hi!  Team yaSSL has been considering the addition of the GOST block cipher to our wolfSSL embedded SSL library.  If you are unfamiliar with GOST, there is a great wikipedia article here:  http://en.wikipedia.org/wiki/GOST_(block_cipher).  If you think wolfSSL should include GOST, then let us know.  We appreciate your feedback.  Just contact us at info@yassl.com.

We`ve started implementing Galois/Counter Mode (GCM) into wolfSSL.  Specifically for use with AES and as a cipher suite for embedded SSL.  One of the benefits of GCM is its efficiency and its performance appears to be pretty good as well.  As an authenticated encryption algorithm it provides both integrity and confidentiality.  We expect to see it more widely adopted in the near future.  If you`re interested in testing AES with GCM or have any question or comments please let us know.

GCM (Wikipedia): http://en.wikipedia.org/wiki/Galois/Counter_Mode

-Team yaSSL

A short time ago, we announced the unveiling of the online Embedded Software Store by ARM and Avnet (previous post). Since that time, there has been some feedback on the site itself and many bugs and errors have been fixed.

We wanted to point our readers to the wolfSSL product page on the Embedded Software Store, now that it has been updated. Do you have any feedback on the store itself or on the wolfSSL product page? Do you like the idea of having an online store for your embedded software needs?

wolfSSL Product Page (Embedded Software Store):
http://embeddedsoftwarestore.com/store/em/SearchCommand?storeId=500201&langId=-1&catalogId=500201&action=Product&R=5001841600038

We look forward to hearing your thoughts at info@yassl.com.

Thanks!
– yaSSL

Version 2.0.2 of the wolfSSL embedded SSL/TLS library has been released and is now available for download! The first final release of wolfSSL 2.0 after three release candidates provides users and customers with additional bug fixes and feature enhancements. Specifically, version 2.0.2 adds:

– Bug fixes
– CTaoCrypt Runtime library detection settings when directly using the crypto library
– Default certificate generation now uses SHAwRSA and adds SHA256wRSA generation
– All test certificates now use 2048-bit and SHA-1 for better modern browser support
– Direct AES block access and AES-CTR (counter) mode
– Microchip pic32 support

To download the open source, GPLv2-licensed version of wolfSSL 2.0.2, please visit our Download Page. If you have any questions or comments or would like more information on commercial versions of wolfSSL, please contact us at info@yassl.com.

For build instructions, a full feature list, API reference, and more, please see the wolfSSL Manual.

We`ve noticed a couple articles lately mentioning printers as potential attack vectors.  One is particularly disturbing in that not only is a network breach possible, as if that`s not bad enough, but cracked firmware could cause a printer to heat up enough to start a fire: http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say .  

An easy way to prevent attack vectors like these is to build in a secure firmware updater.  Of course we think the embedded SSL solution wolfSSL is a perfect fit for this job.  Several printer models already use wolfSSL to secure documents and resources on the network.  We`d like to assist and provide tools to printer vendors (or any device vendor really) to protect the firmware, preventing attacks against data, property, and even lives.  Let us know if you have any questions or comments or are interested in building/using tools for firmware protection.

Team yaSSL.

Ever wondered what forward secrecy is and how it applies to SSL/TLS?  Forward secrecy protects current encryption even in the event of a future crack of a long term private key.  Using ephemeral keying in TLS with DHE or ECDHE yields this protection because the temporary key is unique and never used again.  So even if the server`s private key is cracked two years from now your current communication is still secure.  wolfSSL offers several cipher suites that give users this added security:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  
If you have any comments or questions please let us know.

Happy Thanksgiving, 
Team yaSSL

We often get asked how wolfSSL compares to OpenSSL and what advantages it brings to a project if it replaces a current OpenSSL implementation. To give you a short comparison, see the points below.

• Size: With a 30-100kB build size and runtime memory usage between 3-36kB, wolfSSL can be up to 20 times smaller than OpenSSL. In an embedded environment where footprint size is critical or a large cloud environment where memory usage per connection makes a big impact on the performance and success of a project, wolfSSL is an optimal SSL and cryptography solution.

• Standards Support: wolfSSL is up-to-date with the most recent standards of TLS 1.2 and DTLS which OpenSSL has yet to address. With the recently-presented crack in TLS 1.0, your project should use either TLS 1.1 or TLS 1.2 for maximum security – both of which wolfSSL fully supports on both the client and server side.

• Progressive Cipher Support: wolfSSL is kept progressive with support for new and secure ciphers. wolfSSL includes some of the best current ciphers for streaming media support, including the HC-128 and RABBIT stream ciphers. Standard ciphers are supported as well including EDH on both the client and server side.

• Portability: wolfSSL is the leading SSL library for real-time, mobile, embedded, and enterprise systems, by virtue of its breadth of platform support and successful implementations. With a long list of supported platforms out of the box, your time to market can be decreased dramatically by using wolfSSL. OpenSSL requires porting to many platforms, which can cost your team both time and money.

• License: wolfSSL is dual licensed and available both under the GPLv2 as well as a standard commercial license. OpenSSL is available under a unique license from multiple sources.

• Support: wolfSSL was written from the ground up and is maintained and developed by the original developers. With a wolfSSL license comes one full year of support. Available directly through phone, email or the yaSSL product support forums, your questions are answered quickly and accurately to help you make progress on your project as quickly as possible.

• Ease of Use: OpenSSL is burdened with legacy code that must be maintained and kept up to date. wolfSSL was written from the beginning with developers in mind. Because of this mindset, wolfSSL has been developed with a simple and documented API, easy-to-use abstraction layers for OS, Custom I/O, and Standard C library, and clear usage examples.

If you have any further questions about how wolfSSL compares to OpenSSL, please let us know at info@yassl.com.

yaSSL has recently ported the MIT Kerberos libraries to Android. The Android platform has previously been void of Kerberos support – forcing Android developers who are creating new applications or porting existing projects to either modify existing code or exclude Kerberos functionality from their apps and libraries altogether.

yaSSL has taken the first steps in bringing Kerberos to the Android platform. The native MIT Kerberos libraries have been cross-compiled for Android and are now able to be used natively with the Android NDK. yaSSL has added the wolfSSL embedded SSL library`s cryptography library (CTaoCrypt) as a crypto implementation for Kerberos, allowing embedded projects to use wolfSSL`s lightweight and fully functional crypto backend on Android.

In addition to the cross-compiled MIT Kerberos libraries, yaSSL has created a sample Android NDK application wrapping the functionality of kinit, klist, kvno, and kdestroy with a simple GUI front-end. We hope this application provides a starting place for application developers interested in using Kerberos on Android.

The MIT Kerberos libraries and sample application are distributed under the MIT license (using wolfSSL`s FLOSS exception) and the code will be in the MIT Kerberos code repository in the near future. Until it has been merged into the MIT repositories, you can find the sample application on GitHub at the following URL. The sample application includes cross-compiled Kerberos and wolfSSL libraries. Instructions on cross compiling MIT Kerberos yourself will be released in the near future.

https://github.com/cconlon/kerberos-android-ndk

Our next step is to work on adding Java bindings for the native Kerberos GSS-API library on Android. As we have looked into several methods of accomplishing this, we would like to hear what the community would like to see regarding the Java bindings. Also, we would like to explore if there are any existing solutions which could be useful. The options we have looked at thus far include:

– Porting over an existing org.ietf.jgss Java package to Android and tying that into the native GSS-API library through JNI.
– Using SWIG to generate Java wrappers to the native GSS-API.

Are you interested in using Kerberos on Android? What do you think the best path would be for adding Java bindings? Do you have any suggestions about the direction of the project so far? If so, please let us know your thoughts at info@yassl.com.

Thanks!

Team yaSSL
info@yassl.com