Category: wolfCrypt FIPS

Space missions require strong security to guard against cyber threats. The wolfCrypt cryptography library meets all encryption requirements in NASA’s Space System Protection Standard (NASA-STD-1006A), providing lightweight cryptography suited for resource-constrained secure command communications.

Understanding NASA-STD-1006A

NASA-STD-1006A, titled “Space System Protection Requirements,” establishes agency-level guidelines to make NASA missions resilient against cyber threats. Approved in 2019 and updated as needed, the standard focuses on safeguarding command stacks, backup links, and critical program information (CPI). Key encryption mandates include protecting command paths with cryptography that meets or exceeds Federal Information Processing Standard (FIPS) 140 Level 1.

You can access the full standard on NASA’s official standards portal: NASA-STD-1006A.

How wolfCrypt Meets These Requirements

wolfCrypt is a lightweight, ANSI C-based crypto library designed for embedded and RTOS environments, making it ideal for space applications where size, speed, and power efficiency are critical. With a small footprint and royalty-free licensing, it’s deployed in millions of devices worldwide.

At the heart of its compliance is wolfCrypt’s FIPS 140-3 validation (Certificate #4718), which meets the standard’s FIPS 140 Level 1 requirement. This validation confirms that wolfCrypt’s implementations are secure and reliable. wolfCrypt’s validated algorithms can be directly used to address NASA-STD-1006A’s core requirements, such as encrypting command stacks (SSPR 1) and supporting authentication for backups (SSPR 2). For CPI protection (SSPR 3), wolfCrypt integrates seamlessly with NIST SP 800-171 practices, ensuring data confidentiality at rest and in transit.

Additionally, wolfCrypt supports progressive ciphers, post-quantum options (ML-KEM, ML-DSA, LMS, XMSS), and assembly optimizations for a variety of architectures.

If needed, wolfSSL also offers a secure bootloader for microcontrollers (wolfBoot), a software HSM library (wolfHSM), a secure SSL/TLS implementation (wolfSSL), and more!

wolfCrypt in Space: Real-World Applications

wolfSSL has a proven track record in high-stakes environments, including aerospace and defense. Our recent collaboration with Frontgrade Gaisler enhances cybersecurity for space applications by integrating wolfCrypt into radiation-hardened processors, ensuring secure communications in harsh orbital conditions. Read more about this partnership: Frontgrade Gaisler and wolfSSL Collaboration.

wolfCrypt’s modular design also supports DO-178C DAL A certification for avionics, further demonstrating its suitability for space systems. If you’re working on NASA-compliant projects, wolfCrypt provides the tools to build resilient, threat-resistant architectures.

Why Choose wolfCrypt for Your Space System?

• Lightweight and Efficient: Minimal runtime memory and build size, perfect for embedded space hardware.
• Comprehensive Support: Backed by wolfSSL’s expert team, with resources like benchmarks, hardware integration guides, and an OpenSSL compatibility layer.
• Future-Proof Security: Includes post-quantum cryptography to guard against emerging threats.
• Easy Integration: Simple API, extensive documentation, and examples available in our GitHub repository: wolfSSL Examples.

Ready to Secure Your Mission?

If you’re ready to integrate wolfCrypt into your space system, need support, or have questions about any of the above, please contact our team at facts@wolfssl.com, call +1 425 245 8247, or visit our support page: wolfSSL Support.

Download wolfSSL Now

We’re proud to announce that our copy of wolfCrypt has officially again received FIPS 140-3 validation, listed under certificate #5041, posted on July 18, 2025 by NIST. This validation reflects our continued commitment to building secure, standards-compliant products using rigorously tested cryptography.

This FIPS 140-3 version of wolfCrypt improves on the earlier 140-2 validation in several key ways:

• Faster boot times: Self-tests are deferred until the first use of each algorithm, rather than running all at startup.
• Optimized for embedded systems: Minimal footprint, low power consumption, and efficient performance for real-time and resource-constrained environments.
• Expanded algorithm support, including:
  • AES-OFB mode
  • RSA 3072, 4096, and PSS
  • TLS 1.2 and TLS 1.3 key derivation functions (KDF)
  • SSH KDF
• New degraded mode: If an algorithm self-test fails, others can remain available, improving system resilience.

We selected Acumen Security as our FIPS lab partner for this effort and sincerely appreciate their professionalism and expertise throughout the validation process.

wolfCrypt’s FIPS-validated module can be used as a drop-in OpenSSL engine or provider, making it easy to integrate into existing applications. It’s ideally suited for embedded use cases like secure networking, medical devices, and industrial control systems.

Certificate #5041 offers all the same algorithms as certificate #4718, but will sunset on July 17, 2030. After that, continued use will require revalidation or transition to a newer certificate.

To learn more about FIPS 140-3 and the transition from 140-2, wolfSSL has published helpful resources:

• What is FIPS? (Short version)
• Differences between FIPS 140-2 and 140-3
• FIPS 140-3 Certificate #5041

For questions or integration support for FIPS, contact us at fips@wolfssl.com

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

What is 802.1AE?

802.1AE (MACsec) is a network layer 2 protocol for protecting ethernet frames with encryption and authentication across ethernet links. It introduces a new MACsec ethernet frame format, which carries an additional security tag (SecTAG) field inserted between the ethernet header and payload, as well as an integrity check value (ICV) trailer field at the end.

MACsec is built on the Galois/Counter Mode (GCM) construction, and uses AES-GCM to encrypt and integrity check ethernet payloads. It also supports an integrity-only mode of operation, where payloads are sent cleartext and GMAC is used for the ICV. It should be noted there is no “encrypt-only” MACsec mode, as integrity checks and origin authentication are fundamental to its design and choice of AES-GCM/GMAC.

Hop-by-hop vs end-to-end

The network topology of MACsec is fundamentally different from that of TLS or IPsec. MACsec protects data “hop-by-hop” along individual ethernet links, and does not have a concept of larger scale “end-to-end” protection as is the case between IP addresses in IPsec, or between network sockets in TLS.

There are benefits to this narrower scope. By protecting data only along individual ethernet links, there is no need to manage connection or session state across an entire network, which means latency is low. Also, the hop-by-hop scope allows for incremental deployment of MACsec, and utilization of device hardware acceleration along individual links.

This difference in scope means that MACsec is purely complementary to TLS and IPsec, and typically will be used in layered topologies (IPsec over MACsec, TLS over MACsec, etc). Furthermore, 802.1AE specifies nothing about key management and establishing MACsec, and typically will rely on higher level constructions such as EAP over TLS for provisioning.

Because MACsec happens hop-by-hop along ethernet links, it is typically implemented at a lower level by specialized devices and drivers: e.g. MACsec PHY hardware, or in the linux kernel as a specialized MACsec network driver. These will utilize hardware acceleration, and will have the added benefit of isolating key material to the device or kernel. The linux kernel is an especially interesting case that we’ll consider next.

MACsec in the linux kernel with wolfCrypt

The kernel MACsec driver itself does not contain any cryptographic implementations. Instead, it utilizes the kernel crypto API to allocate transforms for performing AES-GCM and GMAC on ethernet payloads. The kernel crypto API functions similar to a provider framework: different kernel modules register their cryptographic drivers, which in turn are used by device drivers for e.g. filesystem and network encryption. This makes sense, as cryptography in kernel-space has a number of strong advantages over user-space.

wolfSSL’s kernel module now supports registering wolfCrypt algorithms in the kernel crypto API (e.g. they will become listed in /proc/crypto). This means when kernel device drivers allocate cryptographic transforms for e.g. encrypted filesystems, IPsec, or MACsec, they are getting wolfCrypt’s registered implementations! In the case of wolfCrypt FIPS, one now has a very simple recipe for getting FIPS crypto into the linux kernel.

There are interesting possibilities with this. One could hypothetically have triple-layered network protection (TLS over IPsec over MACsec), with each utilizing wolfCrypt FIPS at different OSI layers!

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

As WireGuard continues to grow in popularity for its simplicity and efficiency in VPN deployments, security-conscious organizations are increasingly demanding solutions that adhere to stringent security standards, such as FIPS 140-3 or CMMC 2.0. FIPS certification is a key requirement for governmental agencies and industries like defense and healthcare, where secure cryptographic implementations are mandatory and or in spaces where CMMC 2.0 compliance is a must. However, WireGuard’s default cryptographic implementations, while highly secure, are not FIPS-certified.

This is where wolfCrypt steps in. wolfCrypt is a lightweight, portable, and highly optimized cryptographic library that offers FIPS 140-3 certification, making it an ideal partner for users seeking FIPS compliance in their WireGuard deployments.

wolfCrypt FIPS integrates seamlessly with both the C and Go implementations of WireGuard, offering developers flexibility in choosing their preferred solution. For those using the C version of WireGuard, wolfCrypt can also be directly employed in kernel space via the wolfSSL kernel module.

So by leveraging our integration, users can gain access to a VPN solution that is both secure and FIPS-compliant. The performance of WireGuard, combined with the certified cryptographic operations of wolfCrypt, ensures that you don’t sacrifice speed or security. In fact, with wolfCrypt’s ability to utilize hardware acceleration, you might end up with a much faster WireGuard. Additionally, wolfCrypt’s small footprint makes it a practical choice for deployments in constrained environments, including IoT devices, embedded systems, and edge computing setups. You get a robust, certified security layer without bogging down performance.

Are you interested in WireGuard with wolfCrypt FIPS?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

One of the biggest strengths of the wolfSSL portfolio is its ability to adapt and run in the most diverse environments, whether it’s a minimal bare-metal deployment or a complex, multi-layered operating system.

This blog highlights recent improvements in the wolfSSL products regarding integration with the Unified Extensible Firmware Interface (UEFI)—the modern way to interface with hardware firmware during the initial steps after booting a machine (UEFI has replaced the legacy BIOS).

wolfSSL can already enhance UEFI firmware with component authentication and secure updates, as wolfBoot—our secure boot solution—can run as a UEFI application inside UEFI environments (Check out the build instruction).

Recently, wolfSSL has made it even simpler for other UEFI applications to access wolfSSL cryptographic services (using wolfCrypt). wolfSSL has improved its use of UEFI features, leveraging TRNG and crypto accelerators exposed by UEFI.

UEFI applications can now consume a FIPS 140-3 certified range of wolfSSL cryptographic algorithms (AES, RSA, DSA, ECDSA, SHA), key derivation functions, and secure communication protocols (D)TLS up to v1.3.

As a leader in embedded FIPS certificates, wolfSSL can assist you in the certifying of your UEFI based operating environments (OE’s) and assists you in the ACVP (Automated Cryptographic Validation Protocol).

The use cases are many: OS-agnostic secure communication, TPM attestation, disk encryption, and more.

If you are interested in using wolfSSL cryptography, wolfSSL TLS communication, any wolfSSL product inside a UEFI environment, or have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

We’re excited to announce the next phase in our wolfCrypt-GnuTLS integration: full FIPS 140-2 Level 2 compliance and FIPS 140-3 validation capabilities! This enhancement builds directly on our ongoing work to bring wolfCrypt’s powerful cryptographic capabilities to GnuTLS.

Unlike traditional approaches that require extensive application rewrites, our solution continues to operate entirely behind the scenes. By patching GnuTLS at the library level, we’ve created a seamless path for applications to leverage wolfCrypt’s FIPS-certified cryptographic capabilities without changing a single line of application code.

What makes this integration particularly significant is GnuTLS’s central role in secure communications infrastructure. Our approach transforms what would typically be a massive certification challenge into a straightforward library update, allowing organizations to achieve FIPS compliance without disrupting their existing architecture.

For Linux distribution maintainers, this integration eliminates the traditional compromise between security and compatibility when deploying certified cryptography. Certificate validation and protocol handling will continue through the familiar GnuTLS interface while benefiting from wolfCrypt’s certified implementation underneath.

For teams working in regulated environments requiring FIPS certification, this integration offers a remarkable advantage: immediate access to wolfCrypt’s FIPS 140-3 validated algorithms without the typical development and certification marathon. Our goal is to help reduce the time needed for certification processes, enabling organizations to more efficiently deploy secure communications in regulated environments without compromising on compatibility or performance.

Take a more in-depth look here: https://github.com/wolfssl/gnutls-wolfssl

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

While having “all the algorithms, modes, and key sizes” available is nice, sometimes it is too much. wolfSSL is pleased to offer FIPS 140-3 tailoring services.

We can take any of our larger FIPS 140-3 module(s), strip them down to just the bare essentials, and validate just the subset. Need only ECDSA (verify) and SHA-512 for secure firmware verification and authentication, no entropy, nothing? No problem! Thanks to the wolfSSL modular design, we can custom-tune and validate smaller, more precise subsets of our larger module(s) that exist today.

Unlock efficient, targeted FIPS 140-3 security without unnecessary overhead. Contact us at fips@wolfssl.com to discuss your unique requirements and explore the possibilities of a right-sized FIPS 140-3 module!

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfSSL is launching new FIPS 140-3 level 2 and level 3 validation services to make achieving compliance easier than ever. Our team will test our software module on your target hardware for Level 2 and Level 3, guiding your device through the validation process with little to no burden on your team. You provide the hardware and physical elements, wolfSSL will deliver the certifiable software in any configuration you need, plus the validation expertise. Contact us today at fips@wolfSSL.com to get started on your FIPS 140-3 level 2 or level 3 validation journey.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Building on our legacy of FIPS 140-3 certified solutions, wolfSSL is in the planning stages of forging our full FIPS 140-3 submission. This next iteration will integrate cutting-edge post quantum cryptography, featuring ML-KEM (FIPS 203, derived from CRYSTALS-KYBER), ML-DSA (FIPS 204, derived from CRYSTALS-Dilithium), LMSS (verify), and XMSS (verify) (SP800-208, needed for NSA 2.0 Transition schedules), all securely contained within the latest FIPS 140-3 boundary.

Want to be at the forefront of this advancement? Become a Charter Member on this effort by collaborating with us while still in the planning stages! Reach out to us at fips@wolfssl.com to discuss options.

Charter Member Advantages: Ensure your Operating Environment is incorporated into the initial submission, accelerate your time-to-market by avoiding post-validation efforts to get your OE added. Time is of the essence!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfSSL is thrilled to announce a significant milestone in browser security: the successful integration of wolfPKCS11 to provide FIPS 140-3 validated cryptography for the Mozilla Firefox browser. This is achieved by enabling wolfPKCS11 to serve as the backend cryptographic provider for Firefox’s Network Security Services (NSS) layer. This development represents a major step forward, bringing robust, federally-certified security to one of the world’s most popular web browsers.

This achievement builds directly upon a previously shared vision. Many may recall an earlier post, Why replace NSS with wolfSSL in Firefox?, which demonstrated the possibility of such an integration. It is with great excitement that this possibility is announced as a working reality. The core concept, replacing the underlying authentication implementations within NSS with the FIPS-validated capabilities of wolfCrypt via wolfPKCS11, has been brought to fruition.

For users and organizations operating in environments that require or prefer the assurances of FIPS 140-3 validated cryptography, this development is transformative. It means that Firefox can soon be leveraged with the formidable security backing of wolfSSL’s FIPS-certified cryptographic engine, wolfCrypt. While this advanced capability is fully functional and has been rigorously tested internally, it is important to note that it is not yet part of an official public release. Further announcements regarding public availability will be forthcoming. This progression from a proof-of-concept to a tangible, working solution underscores a commitment to not only innovate but also to deliver on complex technical challenges, reinforcing the reliability that is paramount in the security domain.

Why FIPS 140-3 in Your Browser is a Big Deal

Understanding the significance of this development begins with understanding FIPS 140-3. The Federal Information Processing Standard (FIPS) Publication 140-3 is a U.S. government standard developed by the National Institute of Standards and Technology (NIST). It specifies the security requirements for cryptographic modules, covering both hardware and software components that execute cryptographic functions. The primary role of FIPS 140-3 is to ensure that these cryptographic implementations meet stringent security benchmarks, thereby effectively protecting sensitive information. The gravity of this validation is starkly highlighted by NIST and the Canadian Centre for Cyber Security, which state that “non-validated cryptography is viewed as providing no protection to information—equivalent to plaintext”. This underscores the profound level of assurance that FIPS validation provides.

The mandate to use FIPS-validated cryptography is explicit for U.S. federal agencies when protecting sensitive information within their computer and telecommunication systems. This requirement frequently extends beyond direct government use, impacting contractors, organizations in regulated industries such as healthcare and finance, and entities pursuing critical certifications like the Cybersecurity Maturity Model Certification (CMMC). For other organizations, employing FIPS-validated cryptography serves as a clear indicator of a commitment to a high standard of security assurance.

Mozilla Firefox, along with other Mozilla products, relies on a set of libraries known as Network Security Services (NSS) for all its SSL/TLS, S/MIME, and other cryptographic operations. NSS is engineered to support cross-platform development and implements a comprehensive suite of internet security standards. A critical architectural feature of NSS is its utilization of the PKCS#11 standard. PKCS#11 is an API that governs communication with cryptographic tokens, which can be hardware accelerators, smart cards, or, as in this case, software-based modules often referred to as a “Software Security Device”. This adherence by NSS to the PKCS#11 standard is fundamental to the integration of wolfPKCS11. The combination of FIPS 140-3 defining what constitutes trusted cryptography and PKCS#11 providing how that trusted cryptography can be interfaced is powerful. Without NSS’s support for this standardized interface, replacing its cryptographic engine would be an extraordinarily complex, if not impossible, endeavor. This successful integration demonstrates how adherence to open standards can foster innovation and interoperability, ultimately benefiting end-users by making high-assurance cryptography accessible in mainstream applications like Firefox, potentially elevating the baseline for general web security expectations.

The wolfSSL Solution: wolfPKCS11 Powering NSS with FIPS-Certified wolfCrypt

The key to this enhanced security for Firefox is wolfPKCS11. This is wolfSSL’s robust implementation of the PKCS#11 API. The wolfPKCS11 module functions as an essential interface, or bridge, enabling applications that are designed to use the PKCS#11 standard (such as NSS) to access and utilize the comprehensive suite of cryptographic algorithms available within wolfSSL’s core cryptographic engine, wolfCrypt.

The integration leverages the “magic” of the PKCS#11 standard, which facilitates a “drop-in” replacement mechanism. NSS, by design, uses the PKCS#11 API to communicate with its default cryptographic library, which is softokn-freebl. The wolfPKCS11 module has been engineered to serve as a binary drop-in replacement for this default software security device. This means that, through modifications to configuration files rather than extensive code changes to Firefox itself, NSS can be directed to utilize wolfPKCS11. Consequently, all cryptographic calls from NSS are re-routed through wolfPKCS11 to the wolfCrypt engine. This elegant modularity, made possible by the PKCS#11 standard, significantly reduces the complexity and effort typically associated with integrating a new cryptographic provider into an established application like Firefox. The existence of this well-defined standard is a direct enabler of this relatively seamless integration path.

The true cryptographic power behind this solution resides in wolfCrypt, wolfSSL’s FIPS 140-3 validated cryptographic engine. wolfSSL has a distinguished history of achieving FIPS certifications, and wolfCrypt stands as a testament to this commitment, having attained FIPS 140-3 validation (the wolfCrypt module was one of the first in the world to receive a FIPS 140–3 Validation Certificate). It is this validation that imbues the Firefox integration with its robust security backbone and its capability to meet stringent compliance requirements. Beyond its FIPS validation, wolfCrypt is renowned for its exceptional performance, minimal footprint optimized for embedded systems, and extensive support for a wide array of cryptographic algorithms.

Seeing is Believing: FIPS-Powered Browsing (And Yes, It’s Real!)

It is understandable that FIPS-grade cryptography seamlessly operating within Firefox might sound almost too good to be true. To demonstrate that this is far more than just theoretical, it was even tested with some, shall we say, critical internet operations.

Caption: “Never Gonna Give Your Data Up: Firefox running with wolfSSL FIPS 140-3 security!”

Yes, that’s Firefox streaming a timeless classic. While the choice of content might be a playful rickroll, rest assured, the underlying FIPS 140-3 validated cryptography being provided by wolfPKCS11 and wolfCrypt is absolutely real and fully functional. If the system can handle real-world HTTPS traffic for streaming video (even this particular video), it is capable of many of today’s demanding browser use cases.

For those curious about how this appears “under the hood,” if one were to inspect Firefox’s security device manager, wolfPKCS11 would be visible as a loaded module.

As mentioned, this powerful capability is confirmed and working seamlessly within our internal development environments. While it is not yet available in a public wolfPKCS11 release or as a standard component of Firefox distributions, work is progressing towards that goal. Keep an eye on the wolfSSL blog and official announcements for future updates.

Beyond the Browser: wolfSSL’s Commitment to Pervasive FIPS Security

The work to bring FIPS 140-3 validated cryptography to Firefox via NSS and wolfPKCS11 is not an isolated endeavor. It is a significant component of a much broader strategic initiative within wolfSSL: to make FIPS-certified cryptography readily and easily accessible across a diverse range of platforms and ecosystems.

This vision extends to enabling FIPS compliance across entire Linux distributions. There are ongoing efforts to integrate the wolfCrypt FIPS module with other critical system libraries, such as libgcrypt and GnuTLS. The ultimate objective is ambitious yet vital: “achieving FIPS 140-3 compliance across an entire Linux distribution”. Such an achievement would establish a unified, trusted cryptographic layer, thereby simplifying compliance efforts and significantly enhancing the security posture for countless applications and systems built upon these foundational open-source components. This strategy of embedding FIPS-validated technology deep within core operating system and application components positions wolfCrypt as a fundamental building block for secure systems, potentially establishing it as a de facto standard for FIPS cryptography in open-source environments.

Furthermore, the wolfPKCS11 module itself is designed with the future in mind. It is an evolving component, with enhancements such as upcoming support for the Leighton-Micali Signature (LMS) scheme planned. LMS is a stateful hash-based signature scheme, standardized in RFC 8554 and approved by NIST SP 800-208, notable for its quantum-resistant properties. This demonstrates a proactive stance towards emerging security threats. The engineering investment in wolfPKCS11 is therefore not limited to current FIPS standards; it is also paving a pathway towards post-quantum cryptography. This means that the very same integration mechanism being used to deliver FIPS 140-3 validated cryptography to Firefox today could potentially deliver post-quantum security in the future, thanks to the flexible and standards-compliant design of wolfPKCS11.

Conclusion: Secure Your Firefox Experience, Trust wolfSSL

To summarize this exciting development: wolfSSL has successfully made FIPS 140-3 validated cryptography a practical reality for the Firefox browser. This has been achieved by integrating the wolfPKCS11 module with Firefox’s Network Security Services (NSS), thereby allowing Firefox to leverage the proven strength of the wolfCrypt FIPS-certified engine.

The benefits of this integration are manifold. It provides access to high-assurance, FIPS-validated security within one of the world’s leading web browsers. For organizations with FIPS compliance mandates, it offers a significantly simplified path to meeting those requirements for browser-based activities. All of this is delivered with the robust, performant, and resource-efficient cryptography that wolfSSL is known for.

This advancement is another clear testament to wolfSSL’s leadership in embedded security, cryptography, and FIPS validation. The commitment at wolfSSL is to provide cutting-edge, reliable security solutions that meet the evolving challenges of the digital world. This successful integration reinforces that commitment and highlights the dedication to enhancing security for users everywhere.

Get in Touch / Download wolfSSL

Stay tuned to our blog for updates on the public availability of this feature!

If you have questions about any of the above, or how wolfSSL can help secure your applications, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now