Category: wolfCrypt FIPS

In the rapidly changing landscape of cybersecurity, ensuring compliance with rigorous standards like FIPS 140-3 is essential for organizations in sensitive sectors such as government, finance, and healthcare. By integrating FIPS-certified cryptography into Mozilla’s Network Security Services (NSS) library through the PKCS#11 standard—an API for cryptographic operations—we are contributing to a broader goal of achieving FIPS 140-3 compliance across an entire Linux distribution.

Firefox employs the NSS library for its cryptographic functions. The NSS library utilizes the PKCS#11 standard—a widely adopted application programming interface (API) that enables secure cryptographic operations—to interact with its default cryptographic library, freebl.

The Role of FIPS Certification

FIPS certification ensures that cryptographic implementations meet rigorous security standards set by the National Institute of Standards and Technology (NIST). Achieving FIPS compliance is vital for organizations requiring high-security assurance, as it validates the integrity and reliability of cryptographic operations. wolfCrypt has attained FIPS 140-3 certification, making it a robust choice for environments where security cannot be compromised.

Integrating wolfCrypt into NSS

To integrate wolfCrypt into NSS, we substitute the default softokn-freebl library with wolfPKCS11. This enables NSS to utilize wolfCrypt’s FIPS-certified algorithms through the PKCS#11 interface, allowing applications to leverage secure cryptographic functions seamlessly and efficiently. By utilizing the PKCS#11 interface, we are able to provide a binary drop-in replacement without modifying anything outside of configuration files. You can follow our progress over at the nss feature branch in the wolfPKCS11 repository at github.

Benefits Beyond Firefox

This initiative is part of a larger effort to provide FIPS-certified cryptography across entire Linux distributions. Similar projects include integrating wolfCrypt with libraries such as libgcrypt and GnuTLS. These efforts aim to create a uniform cryptographic layer, reducing complexity and potential vulnerabilities associated with managing multiple cryptographic libraries.

For more information or to explore how your organization can benefit from integrating wolfCrypt FIPS, contact our team at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

We’re excited to announce our ongoing work integrating wolfCrypt with GnuTLS! Unlike traditional approaches that require extensive application rewrites, our solution operates entirely behind the scenes. By patching GnuTLS at the library level, we’re creating a seamless path for applications to leverage wolfCrypt’s powerful cryptographic capabilities without changing a single line of their application code. Our development strategy focuses on progressive implementation, tackling core cryptographic operations first and methodically expanding to cover the complete security spectrum. This approach means organizations can benefit from enhanced security immediately, with more capabilities rolling out steadily. For teams working in regulated environments requiring FIPS certification, this integration offers a remarkable advantage and immediate access to wolfCrypt’s FIPS 140-3 certified algorithms without the typical development and certification marathon.

What makes this integration particularly significant is GnuTLS’s central role in secure communications infrastructure. Our approach aims to transform what would typically be a massive certification challenge into a straightforward library update, allowing organizations to achieve FIPS compliance without disrupting their existing architecture. For Linux distribution maintainers, this integration will eliminate the traditional compromise between security and compatibility when deploying certified cryptography. Certificate validation and protocol handling will continue through the familiar GnuTLS interface while benefiting from wolfCrypt’s certified implementation underneath. Our goal is to help reduce the time needed for certification processes, enabling organizations to more efficiently deploy secure communications in regulated environments without compromising on compatibility or performance.

Take a more in depth look here: https://github.com/wolfssl/gnutls-wolfssl

For more details or questions about this effort, please reach out to facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfCrypt Python, a Python wrapper for wolfSSL’s cryptographic library wolfCrypt, now has supported Python APIs that can utilize the PQC algorithms ML-KEM and ML-DSA.

The ML-KEM (Module Lattice-based Key Encapsulation Mechanism) APIs provide quantum-resistant key exchange with three parameter sets (512/768/1024). The implementation includes key generation, encapsulation, decapsulation, and key import/export functionality.

The ML-DSA (Module Lattice-based Digital Signature Algorithm) APIs provide quantum-resistant digital signatures with three parameter sets (44/65/87). Features include key generation, signing, and verification.

Using the Python API, you can try out the PQC algorithm quickly with little effort. The following links show information to start the PQC trials with wolfCrypt Python.

• Installation guide: https://github.com/wolfSSL/wolfcrypt-py/blob/master/README.rst
• Examples: https://github.com/wolfSSL/wolfcrypt-py/blob/master/docs/asymmetric.rst
• Source code: https://github.com/wolfSSL/wolfcrypt-py/blob/master/wolfcrypt/ciphers.py

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

We are pleased to announce the start of an official wolfSSL project to port wolfCrypt FIPS into libgcrypt. This initiative aims to replace the underlying cryptography in applications using libgcrypt with wolfCrypt’s certified algorithms. With wolfCrypt already achieving FIPS 140-3 certification, applications using libgcrypt’s API can immediately be deployed in environments that require certified cryptography, such as government, military, finance, and medical applications. This port not only enhances security but also saves developers significant time and effort. For developers, this integration means they can focus on building their applications without the burden of transitioning applications to meet cryptographic compliance. By using wolfCrypt, developers can ensure that their applications meet the highest security standards without the need for extensive testing and validation of multiple cryptographic libraries. This project also provides a seamless way to explore and evaluate wolfCrypt for future projects, offering a pathway to potentially transition applications to natively use wolfCrypt.

Furthermore, this effort has significant implications for Linux distributions, which often incorporate a wide array of cryptographic dependencies, such as libgcrypt, to provide comprehensive functionality to many packages. By ensuring that all cryptographic dependencies use a consistent cryptography provider like wolfCrypt, distributions can maintain uniform security standards across the entire system and applications. This consistency is crucial for reducing complexity and potential vulnerabilities that arise from using multiple cryptographic libraries. It simplifies the management of cryptographic standards and reduces the risk of incompatibilities or security gaps, particularly in environments where security and compliance are paramount.

Take a deeper look here: https://github.com/wolfSSL/libgcrypt-wolfssl/tree/libgcrypt-1.11.0-wolfCrypt

For more details or questions about this effort, please reach out to facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

This is an update to previous post Everything wolfSSL is Preparing for Post-Quantum as of Spring 2024 and an extension to post wolfSSL Support for Post-Quantum.

The National Institute of Standards and Technology (NIST) has recently updated its guidelines, enabling the certification of several post-quantum cryptographic algorithms through the Cryptographic Module Validation Program (CMVP). Notably, the digital signature algorithms ML-DSA (CRYSTALS-Dilithium), LMS, and XMSS are now fully certifiable under the updated SP800-140C standards.

In response to these developments, wolfSSL Inc. is proactively planning submissions to the CMVP for these algorithms. wolfSSL Inc. has a strong track record in cryptographic module validation, having previously achieved FIPS 140-3 Certificate #4718 for its wolfCrypt Module, the world’s first SP 800-140Br1 validated certificate.

While ML-KEM (CRYSTALS-Kyber) is not yet included in the approved security function list of SP 800-140C, wolfSSL is taking a forward-thinking approach by incorporating ML-KEM into its offerings. This strategic inclusion ensures that once ML-KEM receives approval and is certifiable, wolfSSL will be prepared to submit all four algorithms, ML-DSA, LMS, XMSS, and ML-KEM, for certification.

By staying ahead of regulatory changes and actively engaging in the certification process, wolfSSL continues to demonstrate its commitment to providing robust and compliant cryptographic solutions in the evolving landscape of post-quantum security.

Please don’t hesitate to contact us at support@wolfSSL.com or fips@wolfSSL.com anytime to share your feedback or input on this subject!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

When it comes to securing data, cryptographic algorithms are the backbone of many systems. 3DES (Triple Data Encryption Standard) was once a FIPS (Federal Information Processing Standards) algorithm but is no longer supported by NIST as of 1 Jan 2024 (over 1 year ago!) Having 3DES in a FIPS module today could spell trouble on the near horizon, not only for security but also for compliance.

Early Expiration of Certificates

A FIPS certificate comes with an expiration date, but the CMVP has the authority to move a certificate to the “historical list” before that date or to “Revoke” a certificate if a non-compliance issue is found. Either action makes the certificate no longer valid for new procurements or for use in certain scenarios if already deployed in the field. The CMVP exercised this authority during the transition from SP 800-56Arev[1,2] to SP 800-56Arev3, which tightened the standards for key establishment methods. Modules that did not meet the updated criteria by July of 2022 were moved to the historical list ahead of their expected expiration dates.

The same could happen with certificates that include 3DES now. Should the CMVP decide to enforce a hard transition on 3DES, any certificate with that algorithm could be revoked or made historical sooner than its listed expiration date. This means one could suddenly lose compliance, disrupting operations and requiring urgent updates to systems which can take many months or years to complete as anyone in the FIPS space is well aware.

An Example of Future-Proofing

An excellent example of future-proofing is the wolfSSL FIPS 140-3 module certificate #4718. Unlike many competing solutions, wolfSSL ensured that 3DES was not included in the boundary of this module. This proactive decision protects users of the wolfSSL Inc. wolfCrypt FIPS 140-3 module from the risks associated with 3DES and potential early certificate invalidation by the CMVP. By contrast, most of the competition did not do this future planning and still include 3DES in their boundary. This leaves users of those modules exposed to potential compliance issues and security risks.

What Should You Do?

1. Avoid 3DES in New Designs: Choose FIPS modules that use stronger algorithms like AES. Ensure your vendors are aware of the risks and are providing compliant solutions.
2. Audit Your Current Systems: If you’re already using a FIPS-certified module with 3DES, plan to migrate to a more secure alternative or re-validate that module without 3DES included in the boundary. Don’t wait for the CMVP to force your hand.
3. Stay Informed: Keep an eye on updates from NIST and the CMVP. Understanding upcoming changes can help one with planning and preparing before CMVP decisions impact their systems.
4. Test Your Transition Plans: Ensure that moving away from deprecated algorithms like 3DES won’t cause unexpected issues. Test thoroughly in a controlled environment.

Conclusion

3DES served its purpose in its time, but it is simply a liability now. If your systems rely on a FIPS certificate that includes 3DES, it’s time to act. By planning ahead and staying informed, you can ensure your systems remain secure and compliant, no matter what changes the CMVP enforces. Choosing solutions like wolfSSL’s FIPS 140-3 module, which proactively excludes outdated algorithms, can give you peace of mind and protect you from future disruptions.

If you have any questions or would like to talk with one of our team about this subject please send an email to fips@wolfssl.com or support@wolfssl.com. For general inquiries, you can also reach out to facts@wolfssl.com or +1 425 245 8247. Our staff are more than happy to help any way they can.

Download wolfSSL Now

wolfSSL’s crypto library, wolfCrypt, has obtained a 5-year FIPS 140-3 Validated Certificate #4718. wolfCrypt FIPS is known for its unmatched portability, runs on everything, and is highly optimized for dozens of hardware targets.

WolfCrypt is commonly utilized in standard operating environments due to its royalty-free pricing model and exceptional support across multiple platforms. The wolfCrypt FIPS module has been validated on numerous Operating Environments (OEs). The current list of planned OEs for the wolfCrypt FIPS 140-3 certificate (#4718) is listed here for reference. wolfSSL can easily add additional OEs to existing wolfCrypt FIPS certificates. To learn more about this process, contact us at fips@wolfssl.com today!

Certificate #4718 Current OE List:

Operating System	Processor	Processor Algorithm Acceleration	Product (TBA = To Be Announced at a later time)
Android 13	Exynos 9611 without PAA	No	Samsung Galaxy XCover Pro
Linux 5.4	BCM56260B0IFSBG - Sabre2	No	WTM 4000 (Aviat)
Red Hat Enterprise Linux Workstation 8.9	Intel® Xeon® W-2255 @ 3.7GHz	No	Precision 5820 Tower
FreeRTOS v10.4	Renesas R7FA6E10F	No	TBA
Linux 5.15	Freescale i.MX7 Dual Arm Cortex A-7	No	TBA
Linux 4.14	Intel® Atom® E3930 @1.30GHz	No	TBA
Linux 4.14	Intel® Atom® E3940 @1.60GHz	No	TBA
NET+OS v7.6	Digi International NS9210	No	TBA
Yocto (kirkstone) 4.0	NXP i.MX6UL	No	TBA
MQX 3.4	NXP PowerQUICC II MPC8313e 32bit	No	TBA
CodeOS v1.4	CodeCorp CT8200 (ARM FA626TE)	No	Series CR2700 Code Reader(s)
OpenRTOS v10.5	STM32L4R5	No	Teledyne Webb SOM Module
Endace Crypto Firmware 2.1	Intel® Xeon® Silver 4316 CPU @2.30GHz	No	EndaceProbe 2144
Endace Crypto Firmware 2.1	Intel® Xeon® Silver 4316 CPU @2.30GHz	Yes	EndaceProbe 2144
Endace Crypto Firmware 2.1	Intel® Xeon® Gold 6338N CPU @2.20GHz	No	EndaceProbe 2184
Endace Crypto Firmware 2.1	Intel® Xeon® Gold 6338N CPU @2.20GHz	Yes	EndaceProbe 2184
Endace Crypto Firmware 2.1	Intel® Xeon® Gold 5418N CPU @1.80GHz	Yes	TBA
Endace Crypto Firmware 2.1	Intel® Xeon® Gold 6230N CPU @2.30GHz	Yes	EndaceProbe 92C8
Anyware Trusted Zero Client Firmware Kernel 6.1	AMD Ryzen Embedded R1305G	No	Anyware Trusted Zero Client
Anyware Trusted Zero Client Firmware Kernel 6.1	AMD Ryzen Embedded R1305G	Yes	Anyware Trusted Zero Client
Anyware Trusted Zero Client Firmware Kernel 6.1	AMD Ryzen Embedded R2314	Yes	HP tz655 Trusted Zero Client
Fusion Embedded RTOS 5.0	Analog Devices ADSP-BF516 (Blackfin)	No	Classone ® IP Radio Gateway
Linux 5.4	NXP i.MX8M	No	Harman MUSE MU Controller
Linux 4.9	ARM Cortex-A7	No	Harman N2612S Video encoder/decoder
Linux 5.10	NXP i.MX8	No	Harman N4321D audio transcoder
HP Imaging & Printing Linux 4.9 Kernel	ARM Cortex-A72	No	HP PN 3PZ95-60002
HP Imaging & Printing Linux 4.9 Kernel	ARM Cortex-A72	Yes	HP PN 3PZ95-60002
HP Imaging & Printing Linux 4.9 Kernel	ARM Cortex-A53	No	HP PN 6QN27-67002
HP Imaging & Printing Linux 4.9 Kernel	ARM Cortex-A53	Yes	HP PN 6QN27-67002
Microsoft Windows CE 6.0	ARM Cortex-A8	No	HP LaserJet Enterprise
Android 13	Qualcomm Snapdragon 8 Gen 2 (SoC)	No	TBA
Android 13	Qualcomm Snapdragon 8 Gen 2 (SoC)	Yes	TBA
iOS 17.3	Apple A15 Bionic	No	TBA
iOS 17.3	Apple A15 Bionic	Yes	TBA
Windows 11 Pro	Intel® Core™ i7-1255U @ 1.70 Ghz	No	TBA
Windows 11 Pro	Intel® Core™ i7-1255U @ 1.70 Ghz	Yes	TBA
RHEL 8.10 running on RHEL 8.10 KVM	Intel® Xeon® Gold 6526Y @2.80GHz	No	TBA
RHEL 8.10 running on RHEL 8.10 KVM	Intel® Xeon® Gold 6526Y @2.80GHz	Yes	TBA
REDACTED Linux 5.4	Xilinx Zynq-7000 SoC	No	TBA
REDACTED Linux 5.4	Xilinx Zynq-7000 SoC	Yes	TBA
REDACTED Linux 4.19	Xilinx Zynq Ultrascale+	No	TBA
REDACTED Linux 4.19	Xilinx Zynq Ultrascale+	Yes	TBA
REDACTED Linux 4.9	Ambarella S5L SoC	No	TBA
REDACTED Linux 4.9	Ambarella S5L SoC	Yes	TBA
REDACTED Linux 5.4	i.MX8 Quad Max SoC	No	TBA
REDACTED Linux 5.4	i.MX8 Quad Max SoC	Yes	TBA
FreeRTOS v10.4	NXP i.MX RT1051	No	Harman CE-REL8 Universal Control Extender
Linux 5.15	MTK MT8395	No	Harman N3322D Video encoder/decoder
Android 14	Qualcomm SM8350 Snapdragon	No	Samsung Galaxy S21
Android 14	Qualcomm SM8350 Snapdragon	Yes	Samsung Galaxy S21
Linux 6.6	Xilinx Zynq Ultrascale+	No	SEL Switch
Linux 6.6	Altera SoC FPGA	No	SEL-2740
Linux 5.15	i.MX6UL	No	TBA
Linux 5.4	Dual ARM Cortex A7	Yes	Lenovo XClarity Controller
Debian 12.5	Intel® Xeon® E3-1275v6 @3.80GHz	No	TBA
Ubuntu Version 22.04 running on VMWare ESXi Version 7.0.3	Intel® Xeon® ES*-2697 v3	No	TBA
Linux 5.15	Freescale i.MX7 Dual Arm Cortex A-7	No	TBA
Linux 6.6	Dual ARM Cortex A7	Yes	Lenovo XClarity Controller

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

cURL is a popular open-source project that is used to transfer data between client and server with URLs through various protocols. It is widely utilized and often serves as the backbone for data transfer and communication between systems. curl (the command line tool) and libcurl (the library underneath) both provide support for secure communication by leveraging SSL/TLS libraries, the FIPS 140-3 certified wolfSSL library being one of them.

With the wolfCrypt FIPS 140-3 module, wolfSSL provides and makes use of an array of cryptographic algorithms that are rigorously tested and validated under NIST’s CMVP (Cryptographic Module Validation Program). When leveraged with cURL, the result is a FIPS 140-3 compliant build with the full feature set and utility that cURL users have come to expect, in addition to the cryptographic assurance that can help them meet security standards and requirements.

Additionally, there is also the tinycurl library, designed for smaller systems and more embedded use cases. tinycurl has the same capability to utilize FIPS wolfSSL.

Are you interested in curl with FIPS 140-3 wolfSSL? Contact us!

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Last week we put out a blog post sharing our integration of wolfCrypt into WireGuard. But did you know that we’ve already ported our FIPS 140-3 certified cryptographic engine into WireGuard GO, the official user space implementation of WireGuard in golang?

In cases where WireGuard’s functionality is desired, but a kernel isn’t available or installing a kernel-level VPN isn’t feasible, WireGuard GO offers a flexible solution.

And if you require FIPS compliance in your WireGuard GO deployments, our latest efforts make this possible. Using our golang wrapper go-wolfssl, we replaced WireGuard GO’s standard crypto (ChachaPoly, Curve25519, Blake2s) with our own FIPS certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard GO end-points may only communicate with other FIPS-ified end-points. This is because the same set of algorithms would be required on both sides for interoperability.

Although the usual trade-off of WireGuard vs WireGuard GO is performance vs simplicity and flexibility, wolfCrypt’s ability to utilize hardware acceleration for AES and SHA can let you keep reaping WireGuard GO’s benefits without having to compromise on performance.

See the README here for instructions to get started using WireGuard GO with wolfCrypt.

Are you interested in WireGuard GO with wolfCrypt FIPS 140-3?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

As WireGuard continues to grow in popularity for its simplicity and efficiency in VPN deployments, security-conscious organizations are increasingly demanding solutions that adhere to stringent security standards, such as the Federal Information Processing Standard (FIPS 140-3). FIPS certification is a key requirement for governmental agencies and industries like healthcare and finance, where secure cryptographic implementations are mandatory. However, WireGuard’s default cryptographic implementations, while highly secure, are not FIPS-certified.

This is where wolfCrypt steps in. wolfCrypt is a lightweight, portable, and highly optimized cryptographic library that offers FIPS 140-3 certification, making it an ideal partner for users seeking FIPS compliance in their WireGuard deployments. With our planned integration, we’ll replace the standard crypto suite that WireGuard offers (ChachaPoly, Curve25519, Blake2s) with our own certified algorithms (AES GCM, ECC P-256, SHA-256). One thing to note here is that FIPS-ified WireGuard end-points may only communicate with other FIPS-ified end-points. But this of course is not a bug, but a feature. FIPS can only talk to FIPS.

So by leveraging our incoming integration, users can gain access to a VPN solution that is both secure and FIPS-compliant. This is especially important for industries with strict security requirements. The performance of WireGuard, combined with the certified cryptographic operations of wolfCrypt, ensures that you don’t sacrifice speed or security. In fact, with wolfCrypt’s ability to utilize hardware acceleration for AES and SHA, you might end up with a much faster WireGuard. Additionally, wolfCrypt’s small footprint makes it a practical choice for deployments in constrained environments, including IoT devices, embedded systems, and edge computing setups. You get a robust, certified security layer without bogging down performance.

Are you interested in WireGuard with wolfCrypt?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now