RECENT BLOG NEWS
What’s new in DTLS 1.3
The DTLS 1.3 standard has recently been published in April 2022 in RFC 9147. It features many improvements and additions to increase security and efficiency of the DTLS protocol. At wolfSSL, we like to be very quick adopters of new standards which is why initial support for DTLS 1.3 was merged in June and appeared in wolfSSL release 5.4.0. In this blog post we will go through the list of changes from DTLS 1.2 described in sections 12 and 13 of RFC 9147 and expand on what they mean for your security.
Another exciting feature of DTLS 1.3 is post quantum cryptography! It is available in wolfSSL using the same interface as for TLS 1.3. See this blog post for more details.
- New handshake pattern, which leads to a shorter message exchange.
In TLS 1.3, the handshake protocol has been simplified to 1 round trip from the previous 2 round trips. DTLS 1.2 and 1.3 both add an extra round trip for the stateless cookie exchange.
Old DTLS 1.2 handshake
Client Server ------ ------ ClientHello --------> Flight 1 <------- HelloVerifyRequest Flight 2 ClientHello --------> Flight 3 ServerHello \ Certificate* \ ServerKeyExchange* Flight 4 CertificateRequest* / <-------- ServerHelloDone / Certificate* \ ClientKeyExchange \ CertificateVerify* Flight 5 [ChangeCipherSpec] / Finished --------> / [ChangeCipherSpec] \ Flight 6 <-------- Finished /
New DTLS 1.3 handshake
Client Server +--------+ ClientHello | Flight | --------> +--------+ +--------+ <-------- HelloRetryRequest | Flight | + cookie +--------+ +--------+ ClientHello | Flight | + cookie --------> +--------+ ServerHello {EncryptedExtensions} +--------+ {CertificateRequest*} | Flight | {Certificate*} +--------+ {CertificateVerify*} {Finished} <-------- [Application Data*] {Certificate*} +--------+ {CertificateVerify*} | Flight | {Finished} --------> +--------+ [Application Data] +--------+ <-------- [ACK] | Flight | [Application Data*] +--------+
- Only AEAD ciphers are supported. Additional data calculation has been simplified.
AEAD ciphers provide a unified encryption and authentication operation. Before (D)TLS 1.3, authentication would be accomplished using a technique called MAC-then-Encrypt. This would use an HMAC to compute an authenticated code of the data and then encrypt the concatenation of the plaintext and the code into ciphertext. The recipient can check the authenticity of the data by computing the HMAC code and comparing with the one received. AEAD ciphers simplify this into one operation.
- Removed support for weaker and older cryptographic algorithms.
All legacy ciphersuites have been removed and are no longer valid with DTLS 1.3. This improves security by only allowing peers to communicate using strong ciphersuites.
- HelloRetryRequest of TLS 1.3 used instead of HelloVerifyRequest.
The HelloRetryRequest replaces the DTLS 1.2 HelloVerifyRequest. This allows peers to negotiate security parameters and perform a cookie exchange at the same time.
- More flexible cipher suite negotiation.
Ciphersuite negotiation has been separated into different extensions. Previous versions of (D)TLS had included all possible permutations of symmetric and asymmetric ciphers in the ciphersuite list. In (D)TLS 1.3 the ciphersuites only contain the AEAD and hash algorithms that will be used for the connection. Other security parameters are negotiated in extensions like supported_groups, signature_algorithms, key_share, or pre_shared_key.
- New session resumption mechanism. PSK authentication redefined.
In (D)TLS 1.3, session resumption and PSK have been combined into one mechanism. To resume a session, the server sends NewSessionTicket messages to the client containing tickets that can be used in subsequent connections. "session IDs" and "session tickets" are now obsolete.
Additionally, when resuming a session, the client can immediately send “early data” in its first flight of the handshake. This is also called 0-RTT Data since it allows peers to exchange data in the first round trip. This is useful to drastically cut down on the latency of a new connection and speed up the initial round of communication between the peers.
- New key derivation hierarchy utilizing a new key derivation construct.
TLS 1.3 has introduced a new key schedule for deriving secrets using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) primitive. This separates the multiple secrets used in the TLS connection. See this section for the specifics.
- Improved version negotiation.
Version negotiation no longer uses the value found in the Record header. Now an extension is used to advertise all supported (D)TLS versions. This new mechanism is to overcome some middleboxes failing when presented with a new (D)TLS version value.
- Optimized record layer encoding and thereby its size. Sequence numbers are encrypted.
DTLS 1.3 introduces a very efficient “unified header”. This new header format also obfuscates the epoch and sequence numbers to make traffic analysis harder.
0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |0|0|1|C|S|L|E E| +-+-+-+-+-+-+-+-+ | Connection ID | Legend: | (if any, | / length as / C - Connection ID (CID) present | negotiated) | S - Sequence number length +-+-+-+-+-+-+-+-+ L - Length present | 8 or 16 bit | E - Epoch |Sequence Number| +-+-+-+-+-+-+-+-+ | 16 bit Length | | (if present) | +-+-+-+-+-+-+-+-+
Figure 3: DTLS 1.3 Unified Header
- Added CID functionality.
RFC 9146 has introduced connection identifiers in DTLS 1.2. A similar mechanism is defined in DTLS 1.3. Users of CID’s can mark packets so that they are multiplexed according to the CID instead of the IP 4-tuple allowing records to be sent through multiple paths at once!
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Customized ad-hoc secure boot with wolfBoot
wolfBoot is known for being the universal secure bootloader for all types of embedded systems.
While initially targeting 32-bit microcontrollers, wolfBoot has grown into a full framework to implement secure boot solutions on a wide range of different systems and architectures.
This is mostly due to wolfBoot modularity and flexibility, which makes our solution easy to reshape and adapt to the most peculiar use cases. Here are a few examples of customizations we have facilitated in the past, taken from real-life use cases.
Update images stored on external devices
This type of customization is perhaps the most popular. wolfBoot offers an interface to interact with external storage devices or anything that can be abstracted as such: the “ext_flash” interface.
Ext_flash is an interface that connects wolfBoot to a driver that implements the following function calls, to access the content of specific storage devices:
ext_flash_lock() ext_flash_write() ext_flash_read() ext_flash_erase() ext_flash_unlock()
On microprocessor-based embedded systems, ‘external’ devices are often the only solution, requiring specific drivers to access the kernel images on different supports (USB, SD, eMMC, SSD, etc.). Microcontroller architectures often integrate external NOR SPI/QSPI flash memories that can be used as persistent storage, where generally it’s not possible to execute code in place.
wolfBoot has an additional layer directly supporting several types of SPI flash memory chips. The SPI support is also implemented on top of the ext_flash API interface, and provides another level of abstraction. In this case porting to a new target with an SPI controller only requires to implement the following single SPI transfer functions, and the SPI layer will link the required functions to access the flash through this interface:
spi_init() spi_cs_on() spi_cs_off() spi_read() spi_write() spi_release()
SPI access is just one of the possibilities available in wolfBoot to extend the support to any non-volatile memory, and beyond.
Update images downloaded on-demand from neighbor systems
By design choice, wolfBoot does not include any network stack or communication capabilities besides the access to storage devices and internal flash memory. This is an advantage both in terms of security because it makes the attack surface very small, and from the safety point of view keeping all the structures and code flow simple to follow and predictable.
In some cases it’s required to communicate with other systems during the boot stage, because the firmware image or the updates received may be stored elsewhere, avoiding to split the flash memory to make room for a second partition. In these cases, wolfBoot may be required to open a communication channel (usually through a serial bus such as UART or SPI) to retrieve the firmware images from a neighbor system. This is in fact a rather common requirement when wolfBoot is securing the boot procedure on asymmetric multiprocessor systems or in general systems with multiple heterogeneous cores.
The recommended way to access remote content from wolfBoot consists in defining a custom ext_flash driver that abstracts a virtual addressable memory space. wolfBoot codebase contains an example of ext_uart driver running the client endpoint connecting to the uart_flash_server POSIX application provided, that can export signed and encrypted files for wolfBoot to handle and stage. EXT_UART is yet again one of the possible modes to extend the external flash support to both physical storage supports and virtualized abstractions.
Third-party key provisioning
Provisioning keys is a process that may involve third party tools and entities that generate, store and use the main private key to sign the firmware images. Thanks to the flexibility of the key tools distributed with wolfBoot, keypairs can be both generated or imported (in their public format) within the signing process. While the public keys must all be available and accessible by wolfBoot at run time, the private keys are used to sign the header of each authentic firmware.
The actual signature operation can be detached from the manifest header composition, by splitting the two phases. This way the signing is performed by an external tool, and the private key does not need to be accessed during the operation.
For more information on the possibilities of customizing the signing procedure, please see wolfBoot signing tools documentation.
Storing keys in a secure vault
Storing the public keys used to authenticate the firmware in a secure, write-protected area of persistent memory is the most important security requirement for proper secure-boot mechanism. In many cases it is sufficient to execute wolfBoot from a write-protected area, and keep the keys stored along with the bootloader code, in a C array. This is the default mechanism implemented in wolfBoot.
When the keygen tool generates or imports public keys, it creates two copies of the local archive of the public keys needed at runtime for signature verification, in two different formats. The C array (keystore.c), to be built in the bootloader image, and a binary file (keystore.der) containing the same structure in binary format.
By excluding keystore.c, it is possible to upload the content of keystore.der into a dedicated secure or write-protected storage. A driver to access the secure vault at runtime must be provided, through an API exporting three functions for wolfBoot to retrieve the public keys, their sizes and their permissions mask. Using a separate abstraction layer for the keystore provides an interface that can be customized beyond classic secure element or TPM interactions, to design a more complex structure to handle keys at runtime. More information available in the wolfBoot documentation page about keystore structure.
Unique partition/images and keys combination
Multiple-stage boot layouts can get very complex. Our development team has learned a lot when designing the boot process involving a set of partitions and firmware images with different levels of access permissions for the first time. Since then, we have dealt with several scenarios where multiple actors had to be capable of updating only one subset of partitions with firmware authenticated with specific subsets of public keys.
Consider the following scenario: an embedded device with a secure bootloader and two partitions: a “system” partition (perhaps running in secure mode from a TEE) and an “application” partition, containing configurable software that can be uploaded by a registered user that owns or has access to the device. Two separate keys are needed in this case: the user should only be able to send signed updates for the application partition, while the manufacturer must be able to update the system software (and the bootloader itself, if needed). The two levels of privilege in this case require two separate keypairs, the first one can be associated with the user, and the second with more powers should be kept by the manufacturer.
The latest wolfBoot, thanks to the keystore structure, supports up to 15 target partitions, and each one of these can be authenticated using one or more public keys from the keystore.
A firmware package in wolfBoot is always associated with an identification number (id) from 0 to 15, indicating the partition where the firmware must be installed. In the scenario described above, the ‘system’ would have id=1 and the ‘application’ software is associated with id=2. wolfBoot reserves id=0 for self-update procedure, i.e. update packages containing a new (signed) version of wolfBoot itself.
This mechanism allows the update mechanism to use the same update partition as temporary storage for all the updates, because wolfBoot will parse the incoming package and parse the manifest header to process the package using the right keys. The public key object elements in the keystore described earlier contain a bit mask that associates each key to the single target partition ids.
“Non-secure” boot
wolfBoot supports many different combinations of public key algorithms and key sizes. However, In some cases, authenticating the firmware is not a requirement. wolfBoot works properly when compiled with SIGN=NONE, excluding only the signature verification part, and keeping all the other features to facilitate the update, roll back in case of failure and verify the integrity of the firmware image after the transfer using SHA. That is, wolfBoot can be used as a non-secure bootloader, with a footprint of a few KB and very little impact on boot time. Especially useful in very small low-power systems with a tight amount of resources and CPU cycles.
wolfBoot as library: adding secure boot to legacy bootloaders
Among our customers, many have been upgrading older products and devices, reusing legacy software from previous versions, while stepping ahead with the security requirements which usually means adding a secure boot solution.
While starting a new bootloader from scratch is often an underestimated task from the development and testing point of view, many development teams rely on existing solutions that have been maintained and deployed on the field for years. Some custom bootloader solutions include network communication, sometimes with proprietary protocols and data links which would require a major effort to integrate into a vanilla wolfBoot. On the other hand, most of these legacy solutions lack the needed security features to implement cryptographic secure boot.
For this reason we have introduced the possibility to build wolfBoot as a library. Instead of providing the entire bootloader implementation, including build-up, staging, specific hardware access and customized flows, ‘wolfBoot as library’ is completely portable anywhere and provides easy interfaces to parse the manifest header, check versioning, verify an image loaded or mapped in memory for integrity and authenticity against the provided keystore. The key tools on the hosts can be used exactly in the same way as with the full wolfBoot installation, as the format remains the same and it is completely independent from the hardware or the architecture. To learn more about using wolfBoot as a library, check the documentation page about the library API.
Find out more about wolfBoot! Download the source code and documentation from our download page], or clone the repository from github. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfCrypt JCE Provider and JNI Wrapper 1.5.0 Now Available
Version 1.5.0 of the wolfCrypt JCE Provider and JNI wrapper is now available for download!
wolfCrypt JNI/JCE provide Java-based applications with an easy way to use the native wolfCrypt cryptography library. The thin JNI wrapper can be used for direct JNI calls into native wolfCrypt, or the JCE provider (wolfJCE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfCrypt JNI/JCE can work with wolfCrypt FIPS 140-2 (and upcoming 140-3) as well!
Release 1.5.0 of wolfCrypt JNI has bug fixes and new features including:
- Add build compatibility for Java 7 (PR 38)
- Add support for “SHA” algorithm string in wolfJCE (PR 39)
- Add rpm package support (PR 40)
- Add wolfJCE MessageDigest.clone() support (PR 41)
- Improve error checking of native Md5 API calls (PR 41)
- Add unit tests for com.wolfssl.wolfcrypt.Md5 (PR 41)
Version 1.5.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfCrypt JNI/JCE User Manual can be found here. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Announcing New Capabilities in wolfSentry
As wolfSentry gets ever closer to its first production release, we are introducing some exciting new capabilities, among them:
- Mature dynamic rule management, with automatic peer tracking, penalty boxing, O(1) release from penalty box, and realtime-safe (O(1)) limits on resource usage.
- Robust support in the configuration file and public API for user-defined data (key-value pairs) with freeform JSON values, to arbitrary (user-limited) depth, with a fully integrated API for processing and exporting JSON in DOM (random-access) mode.
- An API for setting user-defined configuration nodes as read-only.
- Improvements and extensions to the API for use by user plugins (action handlers) streamlining typical use cases involving dynamic rule insertion and update.
- Added examples/notification-demo/log_server
- A standalone web server demonstrating HTTPS with dynamic insertion of limited-lifespan wolfSentry rules blocking (penalty boxing) abusive peers.
- Mutual authentication using TLS, role-based authorizations pivoting on client certificate issuer (certificate authority), and wolfSentry event log retrieval, as a dynamically generated JSON array.
All of these and more are featured in wolfSentry preview release 7. For more details, clone wolfSentry from https://github.com/wolfSSL/wolfsentry, review ChangeLog.md and README.md, and “make test”. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSSL running on Xilinx Versal Hardware Encryption
Our Xilinx Versaldemo shows wolfSSL making calls to Xilinx hardened crypto, doing both basic unit tests and benchmarking with it. Xilinx hardened crypto is accelerated crypto operations (SHA3-384 / AES-GCM / RSA / ECDSA) available on Ultrascale+ devices and is available for use with the latest and greatest Versal boards. wolfSSL makes these calls using the API from Xilinx’s XilSecure library (https://github.com/Xilinx/embeddedsw/tree/master/lib/sw_services/xilsecure) and with the addition of Versal there was minor changes to the existing calls to make use of the new features available (ECC / RNG / AES-GCM with AAD). Benchmark numbers are being fine tuned but you can see well over a Gigabyte per second with AES-GCM operations in the demo and improvements in performance of RSA, ECDSA, and SHA3-384 over software only implementations.
A previous white paper going into the setup and use of wolfSSL on older Ultrascale+ devices with Xilinx hardened crypto can be found here (https://docs.xilinx.com/v/u/en-US/wp512-accel-crypto).
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSSL TriCore HSM Support
The Infineon Tricore TC2xx and the new TC3xx series chips are popular chips among safety and security critical applications. As the name implies, these chips come with multiple CPU cores to meet the demands of real time computing, however some variants come with a built in HSM core that is an ARM Cortex M3 operating at a frequency of 100MHz, 96KB RAM, MPU and offers a few useful secure applications.
- Secure boot
- Shared memory bridge module with “Firewall” functionality
- Debug support with authentication
- Secure data storage and logging
- 1KB shared cryptography memory
- Configurable OTP and HSM exclusive flash sections
- Hardware cryptography (AES, Hash, PKC, TRNG)
- Immobilizer (theft protection)
- Secure flash loading
We are excited to announce that we have ported wolfCrypt to the TriCore HSM. This will extend the HSM functionality beyond the hardware cryptography support to include the full wolfCrypt suite in the HSM environment. This adds useful features such as:
- AES256-ECB/CBC/GCM
- ECDSA-384
- ECC
- RSA (2048/3072/4096)
- SHA-384/512
- NIST Compliant DRBG (with HW TRNG seed)
- CMAC/GMAC/HMAC
Technicals
- Built and tested using arm-none-eabi-gcc 12.2 toolchain
- Executed on a TC3XX HSM module with -O2 optimizations at clock of 100Mhz
- Verified heap-only as well as stack-only usage
- Benchmarks executed with a 10ms timer
wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each) RNG 775 KB took 1.010 seconds, 767.327 KB/s AES-128-CBC-enc 325 KB took 1.010 seconds, 321.782 KB/s AES-128-CBC-dec 325 KB took 1.000 seconds, 325.000 KB/s AES-192-CBC-enc 250 KB took 1.040 seconds, 240.385 KB/s AES-192-CBC-dec 250 KB took 1.020 seconds, 245.098 KB/s AES-256-CBC-enc 200 KB took 1.010 seconds, 198.020 KB/s AES-256-CBC-dec 200 KB took 1.000 seconds, 200.000 KB/s AES-128-GCM-enc 275 KB took 1.050 seconds, 261.905 KB/s AES-128-GCM-dec 275 KB took 1.050 seconds, 261.905 KB/s AES-192-GCM-enc 225 KB took 1.100 seconds, 204.545 KB/s AES-192-GCM-dec 225 KB took 1.110 seconds, 202.703 KB/s AES-256-GCM-enc 175 KB took 1.030 seconds, 169.903 KB/s AES-256-GCM-dec 175 KB took 1.020 seconds, 171.569 KB/s GMAC Table 4-bit 1 MB took 1.000 seconds, 1.288 MB/s AES-128-ECB-enc 314 KB took 1.000 seconds, 313.672 KB/s AES-128-ECB-dec 343 KB took 1.000 seconds, 342.578 KB/s AES-192-ECB-enc 225 KB took 1.000 seconds, 225.000 KB/s AES-192-ECB-dec 236 KB took 1.000 seconds, 235.938 KB/s AES-256-ECB-enc 200 KB took 1.000 seconds, 199.609 KB/s AES-256-ECB-dec 189 KB took 1.000 seconds, 189.453 KB/s SHA 2 MB took 1.000 seconds, 1.953 MB/s SHA-256 2 MB took 1.000 seconds, 2.051 MB/s SHA-384 275 KB took 1.030 seconds, 266.990 KB/s AES-128-CMAC 300 KB took 1.030 seconds, 291.262 KB/s AES-256-CMAC 200 KB took 1.070 seconds, 186.916 KB/s HMAC-SHA 2 MB took 1.000 seconds, 2.222 MB/s HMAC-SHA256 2 MB took 1.000 seconds, 2.051 MB/s HMAC-SHA384 275 KB took 1.040 seconds, 264.423 KB/s RSA 2048 public 38 ops took 1.010 sec, avg 26.579 ms, 37.624 ops/sec RSA 2048 private 2 ops took 1.950 sec, avg 975.000 ms, 1.026 ops/sec ECC [ SECP384R1] 384 key gen 6 ops took 1.080 sec, avg 180.000 ms, 5.556 ops/sec ECDHE [ SECP384R1] 384 agree 4 ops took 1.560 sec, avg 390.000 ms, 2.564 ops/sec ECDSA [ SECP384R1] 384 sign 6 ops took 1.340 sec, avg 223.333 ms, 4.478 ops/sec ECDSA [ SECP384R1] 384 verify 2 ops took 1.020 sec, avg 510.000 ms, 1.961 ops/sec Benchmark complete Benchmark Test: Return code 0
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSSL 5.5.3 release
wolfSSL 5.5.3 is available! This is a minor release, containing some enhancements, fixes and one vulnerability fix. The vulnerability fix was thanks to a report from the Trail of Bits team! It affects a very specific build, having the debug macro WOLFSSL_CALLBACKS set. If using WOLFSSL_CALLBACKS it is recommended to upgrade to wolfSSL version 5.5.3 or later. For more information about the vulnerability visit the vulnerabilities page here (https://www.wolfssl.com/docs/security-vulnerabilities/).
Some of the enhancements included in this release were x86 assembly additions for performance, a port to Xilinx Versal with calls to the hardened crypto available and additional ARM 32bit assembly for performance increases. The full list of changes can be found in the ChangeLog.md bundled with wolfSSL or on the website www.wolfssl.com.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSSL in WebAssembly?
wolfSSL Inc. Positioning on OE tested configuration listings
Doing FIPS responsibly since 2014!
wolfSSL Inc. Stance:
OE Descriptions for software module “tested configurations” should include the toolchain used to compile the code and the OS the toolchain was employed on to allow for cross-compilation scenarios.
- OLD: <OS> running on <platform> with <processor>
- NEW: Compiled with <toolchain> on <OS> running on <OS> running on <platform> with <processor>
- OLD: <Guest OS> on <hypervisor> running on <platform> with <processor>
- NEW: Compiled with <toolchain> on <OS> running on <Guest OS> on <hypervisor> running on <platform> with <processor>
- OLD: <Guest OS> on <hypervisor> on <Host OS> running on <platform> with <processor>
- NEW: Compiled with <toolchain> on <OS> running on <Guest OS> on <hypervisor> on <Host OS> running on <platform> with <processor>
wolfSSL Inc. Reasoning and Justification:
wolfSSL Inc recently experienced how a toolchain change caused issues with the software crypto module where there were no change(s) to the OS, processor or module code.
- Scenario 1: Unmodified code, compiled for Intel silicon on Linux OS using gcc or older clang version
- All CAVP vectors passing
- Scenario 2: Same exact code, same exact intel silicon, same exact Linux OS. Compiler updated to clang 15.0.1.
- CAVP vectors for a single public key algorithm failing (all other algorithms passing)
- Problem: The n-th bit of a signature blob was being set or cleared non-deterministically. The failure was highly repeatable in testing.
- Fix: Use an alternate version of clang and submit a bug report to the toolchain dev team (still waiting on a fix).
- CAVP vectors for a single public key algorithm failing (all other algorithms passing)
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!
wolfSSL Inc. Positioning on Vendor Affirmation for Software Modules
Doing FIPS responsibly since 2014!
wolfSSL Inc has been made aware of concerning practices in the FIPS space by certain software module vendors. The wolfSSL team feels these practices are to the detriment of the FIPS community and trust in the FIPS program.
- CLAIM 1: One does not need an operating environment (OE) listed on a FIPS cert, just having it mentioned in the security policy as “vendor affirmed” is good enough
- CLAIM 2: As long as the code compiles and no changes are made to the code it is “FIPS Validated”
wolfSSL Inc is not denying the first claim, some FIPS users may find a vendor affirmation sufficient for their FIPS needs however our team believes this practice has potential to be detrimental to trust in the FIPS program. Some software module vendors are abusing vendor affirmation as a loop-hole to avoid testing on new OEs’ that differ from tested configurations. Our team would outright refute the second claim as patently ridiculous. If software tested on Intel silicon and a Windows OS is compiled for VXWorks running on ARM silicon (regardless if no code changes were made) there is no way to predict (without testing) that the software crypto will behave the same under this new OE as it did under a previously tested configuration. To be clear the wolfSSL team is not discussing physical hardware modules, only software modules.
wolfSSL Inc. Stance:
- Vendor affirmation makes sense for a physical design. Hardware maker’s are capable of determining security relevant effect of a design change to a hardware module.
- Vendor affirmation in some select cases might make sense for software modules but certainly not in a general sense or as a de facto approach to FIPS, especially when the OE being vendor affirmed is wildly different from the original “tested configuration”. This scenario should raise a red flag.
It is near impossible for a software vendor to predict how changes to the processor or OS will affect the way the software executes regardless if it compiles without code changes. If/when the software vendor is unable to make a security relevant determination, testing should be performed to compensate.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!
Weekly updates
Archives
- June 2025 (5)
- May 2025 (25)
- April 2025 (24)
- March 2025 (22)
- February 2025 (21)
- January 2025 (23)
- December 2024 (22)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)