RECENT BLOG NEWS

wolfSSL is implementing MIKEY-SAKKE!

MIKEY-SAKKE is a standard created by the UK government’s National Cyber Security Center (NCSC). MIKEY-SAKKE is a standard designed to enable secure, cross-platform multimedia communications. It is highly scalable, requiring no prior setup between users or distribution of user certificates. It is designed to be centrally-managed, giving a domain manager full control of the security of the system. But even so, it maintains high-availability, as calling does not require interaction with centralized architecture.

wolfSSL is a lightweight TLS/SSL library that is targeted for embedded devices and systems. It has support for the TLS 1.3 protocol, which is a secure protocol for transporting data between devices and across the Internet. In addition, wolfSSL uses the wolfCrypt encryption library to handle its data encryption.

Secure communications are needed across all governments. As a result governments create policies encouraging the development of security solutions. MIKEY-SAKKE is the answer to the security requirements from the UK government to specify secure, open and patent free cryptographic methods in order to empower private industry to provide UK government interoperable secure communication solutions. As a result many private and commercial organizations perceive a sizable advantage being MIKEY-SAKKE compliant.

If there are any specific questions about how wolfSSL integrates, please contact our team at facts@wolfssl.com. If there is a desire for wolfSSL to include other cybersecurity standards, please let the wolfSSL team know!

Are you a user of Deos? If so, you will be happy to know that wolfSSL supports the Deos Safety Critical RTOS for FAA Certifiable Avionics Applications and has added TLS client/server examples to the wolfSSL embedded SSL/TLS library for Deos!

Deos is an embedded RTOS used for safety-critical avionics applications on commercial and military aircraft. Certified to DO-178C DAL A, the time and space partitioned RTOS features deterministic real-time response and employs patented “slack scheduling” to deliver higher CPU utilization. DO-178C DAL A refers to a specification that is required for software to be used in aerospace software systems.

The Deos port in wolfSSL is activated by using the “WOLFSSL_DEOS” macro. For instructions on how to build and run the examples on your projects, please see the “/IDE/ECLIPSE/DEOS/README” file.

wolfSSL provides support for the latest and greatest version of the TLS protocol, TLS 1.3! Using the wolfSSL port with your device running Deos will allow your device to connect to the Internet in one of the most secure ways possible.

For more information, please contact facts@wolfssl.com.

Resources:

• The most recent version of wolfSSL can be downloaded from our download page, here: https://www.wolfssl.com/download/
• wolfSSL GitHub repository: https://github.com/wolfssl/wolfssl.git
• wolfSSL support for TLS 1.3: https://www.wolfssl.com/docs/tls13/
• Deos RTOS homepage: https://www.ddci.com/category/deos/

Two weeks ago, Apple announced a transition from Intel-based Macs to their very own ‘world-class custom silicon’ chip. This marks a new era for Apple, as they further establish a common architecture throughout their product ecosystem, making it easy for developers to write, update and optimize applications.

Underlying this recent development is Apple’s Universal App Quick Start Program that includes the ‘limited use of a Developer Transition Kit (DTK), a Mac development system based on Apple’s A12Z Bionic System on a Chip (SoC)’ among other services like forums support, beta version of macOS Big Sur and Xcode 12.

So why is this important? 

wolfSSL is a direct partner with ARM, the architecture A12Z Bionic is based upon, and we fully support all the crypto extensions that are built into the new chip. We aim to have the first FIPS certificate for A12Z and will be pushing out benchmarks on the A12Z soon, so stay tuned!

For more information, please contact facts@wolfssl.com.

Additional Resources:
The most recent version of wolfSSL can be downloaded from our download page, here: https://www.wolfssl.com/download/
wolfSSL GitHub repository: https://github.com/wolfssl/wolfssl.git
Check out the latest addition of the wolfSSL ARM mbed-os Port of the wolfSSL embedded SSL/TLS library!

wolfSSL is looking to hire a C# programmer to work on our TLS interface and wolfCrypt interface for C#.

If interested in applying, please send your resume to facts@wolfssl.com. wolfSSL product and company details can be found online at www.wolfssl.com.

All of the wolfSSL team prides themselves on offering the Best Tested SSL/TLS library on the market. wolfSSL is able to do so by conducting regular, diligent, and well-planned testing to maintain a robust and secure library. wolfSSL knows that it is impossible to test every single possible path through the software, but opts to practice an approach that is focused on lowering risk of failure. wolfSSL implements an extensive internal testing plan that not only uses automated testing but makes sure to test well-known use cases. A key process in wolfSSLs’ internal testing plan is Fuzz Testing.

What is Fuzz Testing?

Fuzz testing, also known as fuzzing, is an automated software testing technique that is conducted to reveal coding errors and security loopholes in softwares, networks, or operating systems. A fuzz test is a technique that is widely used to discover defects which otherwise would not be identified by merely using traditional functional testing methods. Fuzzing is a Black Box testing technique that bombards a library with invalid, unexpected, or random data (known as fuzz to the system) in an attempt to expose inputs that cause the system to crash, fail in unexpected ways, or leak memory. This allows wolfSSL to catch bugs that could turn into potential vulnerabilities before they are able to make it into a release!

Fuzzing at wolfSSL

wolfSSL firmly believes that if a TLS and cryptography provider does not do fuzz testing, they are extremely exposed. wolfSSL runs 7 fuzz testers internally, every night to insure the most secure library on the market. wolfSSL tests using several different software fuzzers, including an in-memory fuzzer, a network fuzzer, OSS-fuzz, libfuzzer, tlsfuzzer, and AFL.

As a testament to wolfSSLs’ commitment to security, highly respected external testers are utilized when possible, for example: Guido Vranken in Holland and Robert Horr of T-Systems in Germany (check out this post by Guido Vranken on Fuzzing for wolfSSL).

As stated in the wolfSSL 2019 Annual Report, wolfSSL is the best – tested cryptography on market, due to consistent implementation of additional fuzz testing resources from both internal and external sources.

For further details regarding the internal wolfSSL process of testing to ensure code quality and security, please reference this blog page.

If there are any specific questions about how wolfSSL tests, please contact our team at facts@wolfssl.com. If there is a desire for wolfSSL to include other SSL/TLS or crypto implementations in wolfSSL interop testing, please let the wolfSSL team know! Likewise, if users would like to include wolfSSL in their own test framework, wolfSSL would be happy to discuss!

As a Cybersecurity company we have to make sure all of our products are state of the art. In accordance, wolfSSL is conducting Stages of Involvement (SOI) audit on our wolfCrypt product.

Last year wolfSSL added support for complete RTCA DO-178C level A certification. wolfSSL offers DO-178 wolfCrypt as a commercial off -the-shelf (COTS) solution for connected avionics applications. The primary goal of this was to provide the proper cryptographic underpinnings for secure boot and secure firmware update in commercial and military avionics. Avionics developers now have a flexible, compact, economical, high-performance COTS solution for quickly delivering FIPS 140-2 validated crypto algorithms can be used in DO-178 mode for combined FIPS 140-2/DO-178 consumption.

Any aviation system development requires Stages of Involvement (SOI) audits to review the overall software project and ensure that it complies with the objectives of DO-178. Originally, DO-178 based development did not require SOI’s, however a problem arose because of divergence between different development organizations and what the certification authorities wanted. As a result, SOI’s have become an informal de facto standard applied to most projects.

To assess compliance, there are four Stages of Involvement. The four stages are:

1. Planning Review
2. Design review
3. Validation and Verification review
4. Final Review

We have fully completed SOI #1 through #4.

For more information regarding wolfSSL, wolfCrypt, DO-178, or any additional questions, please contact facts@wolfssl.com.

Are you interested in having the best tested cryptography ported to libest? wolfSSL has many ports to various devices and projects. We are constantly working on and expanding our collection of ports and will soon be working on porting wolfSSL/wolfCrypt into libest.

The libest project is a library that implements RFC 7030 (Enrollment over Secure Transport). EST is used to provision certificates from a CA or RA. EST is a replacement for SCEP, providing several security enhancements and support for ECC certificates. Libest is written in C and currently is set up to use OpenSSL 1.0.1.  This port will allow libest to use wolfSSL in place of OpenSSL.

If you are interested in using wolfSSL with libest, or are looking to use wolfSSL with a different open source project, contact us at facts@wolfssl.com.

We hope everyone is enjoying this June weather. We understand due to current circumstances we have been under lockdown and cannot enjoy the weather as we have in the past. It is however a fantastic time to start a new project, or update and get proper support for your existing ones. That is why we are offering a 20% discount on support for NTLM + cURL users this June.

cURL is a computer software project providing a library for transferring data using various protocols. These protocols include (but are not limited to) FTP, FTPS, HTTP, HTTPS, and more. This version of the cURL library is nearly identical to the original library, except for a major difference: it is available for dual-licensing like many of the other wolfSSL products. Additionally, wolfSSL provides commercial curl support as well as support for wolfCrypt FIPS and FIPS ready.

NTLM authentication is a family of authentication protocols that are encompassed in the Windows Msv1_0.dll. The NTLM authentication protocols include LAN Manager version 1 and 2, and NTLM version 1 and 2. The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.

Contact us at facts@wolfssl.com to take advantage of this offer!

wolfSSL has added support for secure renegotiation in DTLS 1.2 as defined in RFC 5746. Secure renegotiation is an extension to (D)TLS 1.2 which fixes the vulnerability found in the original specification. Previously, a third party could use renegotiation to inject malicious data preceding valid data from the client. This could be accomplished by establishing a (D)TLS connection with the target server and sending data over this connection. The third party can then intercept a handshake initiation attempt from the client and send this over its already established connection to trigger a renegotiation. The client’s connection is then established over the third party’s connection. From the perspective of the server the client sent data and then initiated a renegotiation. This is dangerous as the application layer could interpret this as a single valid stream of data causing the malicious traffic to be used in the context of the client’s valid traffic.

RFC 5746 (D)TLS Renegotiation Indication Extension creates a cryptographic binding between the renegotiation and the underlying (D)TLS to disallow a man in the middle attack on the secure connection. In a secure renegotiation, the client and server dismiss an invalid renegotiation attempt.

(D)TLS secure renegotiation may be used for example to establish new cryptographic parameters to increase security. It may also be used to request a certificate from the other party to require authentication before completing some action in the application layer.

To use secure renegotiation in wolfSSL use the “–enable-secure-renegotiation” configure option. For more build options refer to the second chapter of the wolfSSL User Manual.

The wolfSSL DTLS 1.2 secure renegotiation implementation is also compatible with our asynchronous module! Use hardware acceleration and don’t wait on pending cryptographic operations! If you have any questions, contact us at facts@wolfssl.com.

Recently the Treck (https://treck.com/) TCP stack has had some notable vulnerabilities reported. Though this TCP stack is not a part of the wolfSSL software, it is an embedded TCP stack, and we would like to help with notifying the embedded community that if you are using the Treck TCP stack then it should be updated. Attacks from these reports can range anywhere from a denial of service to leaking information. Further reading about the report can be found at the CERT coordinating center site here: https://kb.cert.org/vuls/id/257161.

For questions about integrating wolfSSL into your product for SSL/TLS and cryptography, contact us at facts@wolfssl.com.  wolfSSL supports TLS 1.3, FIPS 140, DO-178, and more!