Enhancing Linux Cryptography: Integrating wolfCrypt FIPS 140-3 via NSS and PKCS#11

In the rapidly changing landscape of cybersecurity, ensuring compliance with rigorous standards like FIPS 140-3 is essential for organizations in sensitive sectors such as government, finance, and healthcare. By integrating FIPS-certified cryptography into Mozilla’s Network Security Services (NSS) library through the PKCS#11 standard—an API for cryptographic operations—we are contributing to a broader goal of achieving FIPS 140-3 compliance across an entire Linux distribution.

Firefox employs the NSS library for its cryptographic functions. The NSS library utilizes the PKCS#11 standard—a widely adopted application programming interface (API) that enables secure cryptographic operations—to interact with its default cryptographic library, freebl.

The Role of FIPS Certification

FIPS certification ensures that cryptographic implementations meet rigorous security standards set by the National Institute of Standards and Technology (NIST). Achieving FIPS compliance is vital for organizations requiring high-security assurance, as it validates the integrity and reliability of cryptographic operations. wolfCrypt has attained FIPS 140-3 certification, making it a robust choice for environments where security cannot be compromised.

Integrating wolfCrypt into NSS

To integrate wolfCrypt into NSS, we substitute the default softokn-freebl library with wolfPKCS11. This enables NSS to utilize wolfCrypt’s FIPS-certified algorithms through the PKCS#11 interface, allowing applications to leverage secure cryptographic functions seamlessly and efficiently. By utilizing the PKCS#11 interface, we are able to provide a binary drop-in replacement without modifying anything outside of configuration files. You can follow our progress on the nss feature branch of the wolfPKCS11 repository on GitHub.

Benefits Beyond Firefox

This initiative is part of a larger effort to provide FIPS-certified cryptography across entire Linux distributions. Similar projects include integrating wolfCrypt with libraries such as libgcrypt and GnuTLS. These efforts aim to create a uniform cryptographic layer, reducing complexity and potential vulnerabilities associated with managing multiple cryptographic libraries.

For more information or to explore how your organization can benefit from integrating wolfCrypt FIPS, contact our team at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

GnuTLS Gets a wolfCrypt Boost

We’re excited to announce our ongoing work integrating wolfCrypt with GnuTLS! Unlike traditional approaches that require extensive application rewrites, our solution operates entirely behind the scenes. By patching GnuTLS at the library level, we’re creating a seamless path for applications to leverage wolfCrypt’s powerful cryptographic capabilities without changing a single line of their application code. Our development strategy focuses on progressive implementation, tackling core cryptographic operations first and methodically expanding to cover the complete security spectrum. This approach means organizations can benefit from enhanced security immediately, with more capabilities rolling out steadily. For teams working in regulated environments requiring FIPS certification, this integration offers a remarkable advantage and immediate access to wolfCrypt’s FIPS 140-3 certified algorithms without the typical development and certification marathon.

What makes this integration particularly significant is GnuTLS’s central role in secure communications infrastructure. Our approach aims to transform what would typically be a massive certification challenge into a straightforward library update, allowing organizations to achieve FIPS compliance without disrupting their existing architecture. For Linux distribution maintainers, this integration will eliminate the traditional compromise between security and compatibility when deploying certified cryptography. Certificate validation and protocol handling will continue through the familiar GnuTLS interface while benefiting from wolfCrypt’s certified implementation underneath. Our goal is to help reduce the time needed for certification processes, enabling organizations to more efficiently deploy secure communications in regulated environments without compromising on compatibility or performance.

Take a more in-depth look here: https://github.com/wolfssl/gnutls-wolfssl

For more details or questions about this effort, please reach out to facts@wolfSSL.com or +1 425 245 8247.

wolfCrypt Python: PQC Algorithm Support

wolfCrypt Python, a Python wrapper for wolfSSL’s cryptographic library wolfCrypt, now provides Python APIs for the PQC algorithms ML-KEM and ML-DSA.

The ML-KEM (Module Lattice-based Key Encapsulation Mechanism) APIs provide quantum-resistant key exchange with three parameter sets (512/768/1024). The implementation includes key generation, encapsulation, decapsulation, and key import/export functionality.

The ML-DSA (Module Lattice-based Digital Signature Algorithm) APIs provide quantum-resistant digital signatures with three parameter sets (44/65/87). Features include key generation, signing, and verification.

Using the Python API, you can try out the PQC algorithms quickly with little effort. The following links show information to start the PQC trials with wolfCrypt Python.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

wolfCrypt Takes Over libgcrypt

We are pleased to announce the start of an official wolfSSL project to port wolfCrypt FIPS into libgcrypt. This initiative aims to replace the underlying cryptography in applications using libgcrypt with wolfCrypt’s certified algorithms. With wolfCrypt already achieving FIPS 140-3 certification, applications using libgcrypt’s API can immediately be deployed in environments that require certified cryptography, such as government, military, finance, and medical applications. This port not only enhances security but also saves developers significant time and effort. For developers, this integration means they can focus on building their applications without the burden of transitioning applications to meet cryptographic compliance. By using wolfCrypt, developers can ensure that their applications meet the highest security standards without the need for extensive testing and validation of multiple cryptographic libraries. This project also provides a seamless way to explore and evaluate wolfCrypt for future projects, offering a pathway to potentially transition applications to natively use wolfCrypt.

Furthermore, this effort has significant implications for Linux distributions, which often incorporate a wide array of cryptographic dependencies, such as libgcrypt, to provide comprehensive functionality to many packages. By ensuring that all cryptographic dependencies use a consistent cryptography provider like wolfCrypt, distributions can maintain uniform security standards across the entire system and applications. This consistency is crucial for reducing complexity and potential vulnerabilities that arise from using multiple cryptographic libraries. It simplifies the management of cryptographic standards and reduces the risk of incompatibilities or security gaps, particularly in environments where security and compliance are paramount.

Take a deeper look here: https://github.com/wolfSSL/libgcrypt-wolfssl/tree/libgcrypt-1.11.0-wolfCrypt

For more details or questions about this effort, please reach out to facts@wolfSSL.com or call us at +1 425 245 8247.

wolfSSL Inc. SP800-140C and Post-Quantum efforts update!

This is an update to the previous post “Everything wolfSSL is Preparing for Post-Quantum as of Spring 2024” and an extension to the post “wolfSSL Support for Post-Quantum”.

The National Institute of Standards and Technology (NIST) has recently updated its guidelines, enabling the certification of several post-quantum cryptographic algorithms through the Cryptographic Module Validation Program (CMVP). Notably, the digital signature algorithms ML-DSA (CRYSTALS-Dilithium), LMS, and XMSS are now fully certifiable under the updated SP800-140C standards.

In response to these developments, wolfSSL Inc. is proactively planning submissions to the CMVP for these algorithms. wolfSSL Inc. has a strong track record in cryptographic module validation, having previously achieved FIPS 140-3 Certificate #4718 for its wolfCrypt Module, the world’s first SP 800-140Br1 validated certificate.

While ML-KEM (CRYSTALS-Kyber) is not yet included in the approved security function list of SP 800-140C, wolfSSL is taking a forward-thinking approach by incorporating ML-KEM into its offerings. This strategic inclusion ensures that once ML-KEM receives approval and is certifiable, wolfSSL will be prepared to submit all four algorithms, ML-DSA, LMS, XMSS, and ML-KEM, for certification.

By staying ahead of regulatory changes and actively engaging in the certification process, wolfSSL continues to demonstrate its commitment to providing robust and compliant cryptographic solutions in the evolving landscape of post-quantum security.

Please don’t hesitate to contact us at support@wolfSSL.com or fips@wolfSSL.com anytime to share your feedback or input on this subject!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

The Risks of 3DES in FIPS Certificates

When it comes to securing data, cryptographic algorithms are the backbone of many systems. 3DES (Triple Data Encryption Standard) was once a FIPS (Federal Information Processing Standards) algorithm but is no longer supported by NIST as of 1 Jan 2024 (over 1 year ago!). Having 3DES in a FIPS module today could spell trouble on the near horizon, not only for security but also for compliance.

Early Expiration of Certificates

A FIPS certificate comes with an expiration date, but the CMVP has the authority to move a certificate to the “historical list” before that date or to “Revoke” a certificate if a non-compliance issue is found. Either action makes the certificate no longer valid for new procurements or for use in certain scenarios if already deployed in the field. The CMVP exercised this authority during the transition from SP 800-56Arev[1,2] to SP 800-56Arev3, which tightened the standards for key establishment methods. Modules that did not meet the updated criteria by July of 2022 were moved to the historical list ahead of their expected expiration dates.

The same could happen with certificates that include 3DES now. Should the CMVP decide to enforce a hard transition on 3DES, any certificate with that algorithm could be revoked or made historical sooner than its listed expiration date. This means one could suddenly lose compliance, disrupting operations and requiring urgent updates to systems, which can take many months or years to complete, as anyone in the FIPS space is well aware.

An Example of Future-Proofing

An excellent example of future-proofing is the wolfSSL FIPS 140-3 module certificate #4718. Unlike many competing solutions, wolfSSL ensured that 3DES was not included in the boundary of this module. This proactive decision protects users of the wolfSSL Inc. wolfCrypt FIPS 140-3 module from the risks associated with 3DES and potential early certificate invalidation by the CMVP. By contrast, most of the competition did not do this future planning and still include 3DES in their boundary. This leaves users of those modules exposed to potential compliance issues and security risks.

What Should You Do?

  1. Avoid 3DES in New Designs: Choose FIPS modules that use stronger algorithms like AES. Ensure your vendors are aware of the risks and are providing compliant solutions.
  2. Audit Your Current Systems: If you’re already using a FIPS-certified module with 3DES, plan to migrate to a more secure alternative or re-validate that module without 3DES included in the boundary. Don’t wait for the CMVP to force your hand.
  3. Stay Informed: Keep an eye on updates from NIST and the CMVP. Understanding upcoming changes can help you plan and prepare before CMVP decisions impact your systems.
  4. Test Your Transition Plans: Ensure that moving away from deprecated algorithms like 3DES won’t cause unexpected issues. Test thoroughly in a controlled environment.

Conclusion

3DES served its purpose in its time, but it is simply a liability now. If your systems rely on a FIPS certificate that includes 3DES, it’s time to act. By planning ahead and staying informed, you can ensure your systems remain secure and compliant, no matter what changes the CMVP enforces. Choosing solutions like wolfSSL’s FIPS 140-3 module, which proactively excludes outdated algorithms, can give you peace of mind and protect you from future disruptions.

If you have any questions or would like to talk with one of our team about this subject please send an email to fips@wolfssl.com or support@wolfssl.com. For general inquiries, you can also reach out to facts@wolfssl.com or +1 425 245 8247. Our staff are more than happy to help any way they can.

wolfCrypt FIPS 140-3 Operating Environments

wolfSSL’s crypto library, wolfCrypt, has obtained a 5-year FIPS 140-3 Validated Certificate #4718. wolfCrypt FIPS is known for its unmatched portability, runs on everything, and is highly optimized for dozens of hardware targets.

wolfCrypt is commonly utilized in standard operating environments due to its royalty-free pricing model and exceptional support across multiple platforms. The wolfCrypt FIPS module has been validated on numerous Operating Environments (OEs). The current list of planned OEs for the wolfCrypt FIPS 140-3 certificate (#4718) is listed here for reference. wolfSSL can easily add additional OEs to existing wolfCrypt FIPS certificates. To learn more about this process, contact us at fips@wolfssl.com today!

Certificate #4718 Current OE List:

| Operating System | Processor | Processor Algorithm Acceleration | Product (TBA = To Be Announced at a later time) |
|---|---|---|---|
| Android 13 | Exynos 9611 without PAA | No | Samsung Galaxy XCover Pro |
| Linux 5.4 | BCM56260B0IFSBG - Sabre2 | No | WTM 4000 (Aviat) |
| Red Hat Enterprise Linux Workstation 8.9 | Intel® Xeon® W-2255 @ 3.7GHz | No | Precision 5820 Tower |
| FreeRTOS v10.4 | Renesas R7FA6E10F | No | TBA |
| Linux 5.15 | Freescale i.MX7 Dual Arm Cortex A-7 | No | TBA |
| Linux 4.14 | Intel® Atom® E3930 @1.30GHz | No | TBA |
| Linux 4.14 | Intel® Atom® E3940 @1.60GHz | No | TBA |
| NET+OS v7.6 | Digi International NS9210 | No | TBA |
| Yocto (kirkstone) 4.0 | NXP i.MX6UL | No | TBA |
| MQX 3.4 | NXP PowerQUICC II MPC8313e 32bit | No | TBA |
| CodeOS v1.4 | CodeCorp CT8200 (ARM FA626TE) | No | Series CR2700 Code Reader(s) |
| OpenRTOS v10.5 | STM32L4R5 | No | Teledyne Webb SOM Module |
| Endace Crypto Firmware 2.1 | Intel® Xeon® Silver 4316 CPU @2.30GHz | No | EndaceProbe 2144 |
| Endace Crypto Firmware 2.1 | Intel® Xeon® Silver 4316 CPU @2.30GHz | Yes | EndaceProbe 2144 |
| Endace Crypto Firmware 2.1 | Intel® Xeon® Gold 6338N CPU @2.20GHz | No | EndaceProbe 2184 |
| Endace Crypto Firmware 2.1 | Intel® Xeon® Gold 6338N CPU @2.20GHz | Yes | EndaceProbe 2184 |
| Endace Crypto Firmware 2.1 | Intel® Xeon® Gold 5418N CPU @1.80GHz | Yes | TBA |
| Endace Crypto Firmware 2.1 | Intel® Xeon® Gold 6230N CPU @2.30GHz | Yes | EndaceProbe 92C8 |
| Anyware Trusted Zero Client Firmware Kernel 6.1 | AMD Ryzen Embedded R1305G | No | Anyware Trusted Zero Client |
| Anyware Trusted Zero Client Firmware Kernel 6.1 | AMD Ryzen Embedded R1305G | Yes | Anyware Trusted Zero Client |
| Anyware Trusted Zero Client Firmware Kernel 6.1 | AMD Ryzen Embedded R2314 | Yes | HP tz655 Trusted Zero Client |
| Fusion Embedded RTOS 5.0 | Analog Devices ADSP-BF516 (Blackfin) | No | Classone ® IP Radio Gateway |
| Linux 5.4 | NXP i.MX8M | No | Harman MUSE MU Controller |
| Linux 4.9 | ARM Cortex-A7 | No | Harman N2612S Video encoder/decoder |
| Linux 5.10 | NXP i.MX8 | No | Harman N4321D audio transcoder |
| HP Imaging & Printing Linux 4.9 Kernel | ARM Cortex-A72 | No | HP PN 3PZ95-60002 |
| HP Imaging & Printing Linux 4.9 Kernel | ARM Cortex-A72 | Yes | HP PN 3PZ95-60002 |
| HP Imaging & Printing Linux 4.9 Kernel | ARM Cortex-A53 | No | HP PN 6QN27-67002 |
| HP Imaging & Printing Linux 4.9 Kernel | ARM Cortex-A53 | Yes | HP PN 6QN27-67002 |
| Microsoft Windows CE 6.0 | ARM Cortex-A8 | No | HP LaserJet Enterprise |
| Android 13 | Qualcomm Snapdragon 8 Gen 2 (SoC) | No | TBA |
| Android 13 | Qualcomm Snapdragon 8 Gen 2 (SoC) | Yes | TBA |
| iOS 17.3 | Apple A15 Bionic | No | TBA |
| iOS 17.3 | Apple A15 Bionic | Yes | TBA |
| Windows 11 Pro | Intel® Core™ i7-1255U @ 1.70 Ghz | No | TBA |
| Windows 11 Pro | Intel® Core™ i7-1255U @ 1.70 Ghz | Yes | TBA |
| RHEL 8.10 running on RHEL 8.10 KVM | Intel® Xeon® Gold 6526Y @2.80GHz | No | TBA |
| RHEL 8.10 running on RHEL 8.10 KVM | Intel® Xeon® Gold 6526Y @2.80GHz | Yes | TBA |
| REDACTED Linux 5.4 | Xilinx Zynq-7000 SoC | No | TBA |
| REDACTED Linux 5.4 | Xilinx Zynq-7000 SoC | Yes | TBA |
| REDACTED Linux 4.19 | Xilinx Zynq Ultrascale+ | No | TBA |
| REDACTED Linux 4.19 | Xilinx Zynq Ultrascale+ | Yes | TBA |
| REDACTED Linux 4.9 | Ambarella S5L SoC | No | TBA |
| REDACTED Linux 4.9 | Ambarella S5L SoC | Yes | TBA |
| REDACTED Linux 5.4 | i.MX8 Quad Max SoC | No | TBA |
| REDACTED Linux 5.4 | i.MX8 Quad Max SoC | Yes | TBA |
| FreeRTOS v10.4 | NXP i.MX RT1051 | No | Harman CE-REL8 Universal Control Extender |
| Linux 5.15 | MTK MT8395 | No | Harman N3322D Video encoder/decoder |
| Android 14 | Qualcomm SM8350 Snapdragon | No | Samsung Galaxy S21 |
| Android 14 | Qualcomm SM8350 Snapdragon | Yes | Samsung Galaxy S21 |
| Linux 6.6 | Xilinx Zynq Ultrascale+ | No | SEL Switch |
| Linux 6.6 | Altera SoC FPGA | No | SEL-2740 |
| Linux 5.15 | i.MX6UL | No | TBA |
| Linux 5.4 | Dual ARM Cortex A7 | Yes | Lenovo XClarity Controller |
| Debian 12.5 | Intel® Xeon® E3-1275v6 @3.80GHz | No | TBA |
| Ubuntu Version 22.04 running on VMWare ESXi Version 7.0.3 | Intel® Xeon® ES*-2697 v3 | No | TBA |
| Linux 5.15 | Freescale i.MX7 Dual Arm Cortex A-7 | No | TBA |
| Linux 6.6 | Dual ARM Cortex A7 | Yes | Lenovo XClarity Controller |

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

curl with FIPS 140-3 wolfSSL

cURL is a popular open-source project that is used to transfer data between client and server with URLs through various protocols. It is widely utilized and often serves as the backbone for data transfer and communication between systems. curl (the command line tool) and libcurl (the library underneath) both provide support for secure communication by leveraging SSL/TLS libraries, the FIPS 140-3 certified wolfSSL library being one of them.

With the wolfCrypt FIPS 140-3 module, wolfSSL provides and makes use of an array of cryptographic algorithms that are rigorously tested and validated under NIST’s CMVP (Cryptographic Module Validation Program). When leveraged with cURL, the result is a FIPS 140-3 compliant build with the full feature set and utility that cURL users have come to expect, in addition to the cryptographic assurance that can help them meet security standards and requirements.

Additionally, there is also the tinycurl library, designed for smaller systems and more embedded use cases. tinycurl has the same capability to utilize FIPS wolfSSL.

Are you interested in curl with FIPS 140-3 wolfSSL? Contact us!

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Achieving WireGuard GO FIPS Compliance with wolfCrypt

Last week we put out a blog post sharing our integration of wolfCrypt into WireGuard. But did you know that we’ve already ported our FIPS 140-3 certified cryptographic engine into WireGuard GO, the official user space implementation of WireGuard in golang?

In cases where WireGuard’s functionality is desired, but a kernel isn’t available or installing a kernel-level VPN isn’t feasible, WireGuard GO offers a flexible solution.

And if you require FIPS compliance in your WireGuard GO deployments, our latest efforts make this possible. Using our golang wrapper go-wolfssl, we replaced WireGuard GO’s standard crypto (ChachaPoly, Curve25519, Blake2s) with our own FIPS certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard GO end-points may only communicate with other FIPS-ified end-points. This is because the same set of algorithms would be required on both sides for interoperability.

Although the usual trade-off of WireGuard vs WireGuard GO is performance vs simplicity and flexibility, wolfCrypt’s ability to utilize hardware acceleration for AES and SHA can let you keep reaping WireGuard GO’s benefits without having to compromise on performance.

See the README here for instructions to get started using WireGuard GO with wolfCrypt.

Are you interested in WireGuard GO with wolfCrypt FIPS 140-3?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or +1 425 245 8247.

FIPS-Certified WireGuard: Bringing wolfCrypt into the VPN Solution

As WireGuard continues to grow in popularity for its simplicity and efficiency in VPN deployments, security-conscious organizations are increasingly demanding solutions that adhere to stringent security standards, such as the Federal Information Processing Standard (FIPS 140-3). FIPS certification is a key requirement for governmental agencies and industries like healthcare and finance, where secure cryptographic implementations are mandatory. However, WireGuard’s default cryptographic implementations, while highly secure, are not FIPS-certified.

This is where wolfCrypt steps in. wolfCrypt is a lightweight, portable, and highly optimized cryptographic library that offers FIPS 140-3 certification, making it an ideal partner for users seeking FIPS compliance in their WireGuard deployments. With our planned integration, we’ll replace the standard crypto suite that WireGuard offers (ChachaPoly, Curve25519, Blake2s) with our own certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard end-points may only communicate with other FIPS-ified end-points. But this of course is not a bug, but a feature. FIPS can only talk to FIPS.

So by leveraging our incoming integration, users can gain access to a VPN solution that is both secure and FIPS-compliant. This is especially important for industries with strict security requirements. The performance of WireGuard, combined with the certified cryptographic operations of wolfCrypt, ensures that you don’t sacrifice speed or security. In fact, with wolfCrypt’s ability to utilize hardware acceleration for AES and SHA, you might end up with a much faster WireGuard. Additionally, wolfCrypt’s small footprint makes it a practical choice for deployments in constrained environments, including IoT devices, embedded systems, and edge computing setups. You get a robust, certified security layer without bogging down performance.
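
The algorithm swap described in this post and in the WireGuard GO post above (ECC P-256 for key agreement, SHA-256 for key derivation, AES GCM for packets), and why such an end-point cannot pair with a stock Curve25519 peer, shown as an added example that is not wolfSSL's, go-wolfssl's or WireGuard's code. It uses Go's standard library rather than the validated wolfCrypt module, and it is not WireGuard's Noise handshake. The `Handshake` and `Session` names, the salt, the two-key schedule and the counter nonce are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

type Session struct{ send, recv cipher.AEAD } // one AES-256-GCM key per direction

func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Handshake runs ECDH over P-256, then HKDF-SHA256 (RFC 5869) for one key per
// direction. A stock peer's 32-byte Curve25519 key fails the P-256 parse.
func Handshake(priv *ecdh.PrivateKey, peerPub []byte, initiator bool) (*Session, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, fmt.Errorf("peer key is not a P-256 point: %w", err)
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	prk := hmacSHA256([]byte("example-salt"), shared) // HKDF-Extract, constructed salt
	k1 := hmacSHA256(prk, []byte{1})                  // HKDF-Expand T(1)
	k2 := hmacSHA256(prk, k1, []byte{2})              // HKDF-Expand T(2)
	if !initiator {
		k1, k2 = k2, k1 // responder sends with the key the initiator receives on
	}
	var aeads [2]cipher.AEAD
	for i, key := range [][]byte{k1, k2} {
		block, err := aes.NewCipher(key) // 32-byte key selects AES-256
		if err != nil {
			return nil, err
		}
		if aeads[i], err = cipher.NewGCM(block); err != nil {
			return nil, err
		}
	}
	return &Session{send: aeads[0], recv: aeads[1]}, nil
}

// nonce: 4 zero bytes + 64-bit little-endian counter; never reuse a counter per key.
func nonce(counter uint64) []byte {
	n := make([]byte, 12)
	binary.LittleEndian.PutUint64(n[4:], counter)
	return n
}

func (s *Session) Seal(ctr uint64, msg []byte) []byte { return s.send.Seal(nil, nonce(ctr), msg, nil) }
func (s *Session) Open(ctr uint64, ct []byte) ([]byte, error) { return s.recv.Open(nil, nonce(ctr), ct, nil) }

func main() {
	a, _ := ecdh.P256().GenerateKey(rand.Reader)
	stock, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed stock (Curve25519) peer
	_, err := Handshake(a, stock.PublicKey().Bytes(), true)
	fmt.Println("stock peer rejected:", err)
}
```

Two P-256 end-points derive matching directional keys and can exchange packets, while the stock peer is refused before any key material is derived.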

Are you interested in WireGuard with wolfCrypt?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
