Good news from wolfSSL Inc! The upcoming update to our cryptography library, wolfCrypt v4.0, is on the NIST CMVP Modules in Process list and is in the Coordination phase. Our FIPS 140-2 revalidation certificate is just around the corner. Included on the new certificate will be key generation of RSA, ECC, DH keys; SHA-3 and HMAC with SHA-3; CMAC; AES-GCM with internally generated IVs and externally supplied IVs; and use of RDSEED, AES-NI, and AVX1/2 with Intel processors. All the algorithms from our original certificate #2425 are also included. For more information about our new FIPS 140-2 certificate, please contact us at fips@wolfssl.com.
wolfSSH v1.3.0 Released
wolfSSL has released wolfSSH v1.3.0 to the public! Included in this release are two major features, SCP and SFTP. wolfSSH can now act as a server for copying files with SCP. We can also act like a client or server for SFTP connections! Now you can copy new firmware or configuration files to your embedded device with the ease of a file copy.
Also included are several small bug fixes and improvements.
wolfSSH was developed to work with our wolfCrypt cryptography library. If you want FIPS 140-2, wolfSSH will seamlessly work with the FIPS version of wolfCrypt.
For more information about wolfSSH, wolfSSL, or wolfCrypt, please email facts@wolfssl.com or contact sales@wolfssl.com. If you want to know more about wolfSSH with wolfCrypt FIPS, contact fips@wolfssl.com. You can download wolfSSH 1.3.0 today from our download page!
wolfSSL Intel SGX (#SGX) + FIPS 140-2 (#FIPS140)!
wolfSSL is pleased to announce the following addition to the wolfSSL FIPS certificate!
Debian 8.7.0 | Intel® Xeon® E3 Family with SGX support | Intel® x64 Server System R1304SP |
Windows 10 Pro | Intel® Core™ i5 with SGX support | Dell Latitude™ 7480 |
The wolfCrypt FIPS validated cryptographic module has been validated while running inside an Intel SGX enclave, and examples have been set up for both Linux and Windows environments.
Intel® SGX (Software Guard Extensions) can be thought of as a black box that no other application running on the same device can see inside, regardless of privilege. From a security standpoint this means that even if a malicious actor were to gain complete control of a system, including root privileges, that actor, no matter what they tried, would not be able to access data inside of this “black box”.
An Intel enclave is a form of user-level Trusted Execution Environment (TEE) which can provide both storage and execution. This means one can store sensitive information inside and also move sensitive portions of a program, or an entire application, inside.
While testing, wolfSSL has placed both individual functions and entire applications inside the enclave. One of the wolfSSL examples shows a client inside the enclave with the only entry/exit points being “start_client”, “read”, and “write”. The client is pre-programmed with a peer to connect with and specific functionality. When “start_client” is invoked, it connects to the peer using SSL/TLS and executes the pre-programmed tasks, where the only data entering and leaving the enclave is the info being sent to and received from the peer. Other examples show placing a single cryptographic operation inside the enclave, passing in plain-text data and receiving back encrypted data, masking execution of the cryptographic operations.
If you are working with SGX and need FIPS validated crypto running in an enclave contact us at fips@wolfssl.com or support@wolfssl.com with any questions. We would love the opportunity to field your questions and hear about your project!
wolfSSL FAQ page
wolfSSL Example Applications
Upcoming wolfTPM Support for ST33 TPM 2.0
wolfSSL will soon be adding support for the ST33 secure microcontroller to wolfTPM! The ST33 includes an ARM® SecurCore® SC300 32-bit RISC processor, which provides a Secure Element. From the ST33 webpage:
The device features hardware accelerators for advanced cryptographic functions. The EDES peripheral provides a secure DES (Data Encryption Standard) algorithm implementation, while the NESCRYPT cryptoprocessor efficiently supports the public key algorithm. The AES peripheral ensures secure and fast AES algorithm implementation.
If you are interested in using wolfTPM in your project, or using wolfTPM with the ST33 or ARM® SecurCore® SC300, contact us today at facts@wolfssl.com! In other news, wolfSSL recently released a new version of wolfTPM that now supports TLS from the wolfSSL embedded SSL/TLS library. Learn more here!
Announcing wolfTPM v1.3 with TLS support
wolfSSL Enables Gesytec to Easily Secure Communications Between Embedded Systems and the Cloud
wolfTPM Now Tested Nightly with Infineon OPTIGA (TM) Trusted Platform Module 2.0 SLB 9670
wolfTPM is a portable TPM 2.0 project designed for embedded use.
We have expanded our automated tests to ensure hardware support and functionality for wolfTPM in our commitment to having the best tested cryptography product lineup. Our Jenkins CI setup now tests the following build configuration every night!
Testing Hardware Setup
- Raspberry Pi 2 Model B Rev 1.2 (ARMv7 Processor rev 4 (v7l))
- Infineon OPTIGA (TM) Trusted Platform Module 2.0 SLB 9670 (IRIDIUM9670 TPM2.0 LINUX).
wolfTPM Features
- This implementation provides all TPM 2.0 APIs in compliance with the specification.
- This uses the TPM Interface Specification (TIS) to communicate over SPI.
- The design allows for easy portability to different platforms:
  - Native C code designed for embedded use.
  - Single IO callback for hardware SPI interface.
  - No external dependencies.
  - Compact code size and minimal memory use.
- Examples for the Raspberry Pi and STM32 with CubeMX.
- Includes example code for most TPM2 native APIs.
- Includes wrappers for Key Generation, RSA encrypt/decrypt, ECC sign/verify and ECDH.
- Testing done using the Infineon OPTIGA SLB9670 module and LetsTrust TPM for Raspberry Pi.
Check out how to quickly build wolfSSL and wolfTPM on GitHub.
https://github.com/wolfSSL/wolfTPM
For examples on using the wolfTPM library check out the wrapper and native tests.
https://github.com/wolfSSL/wolfTPM/blob/master/examples/wrap/wrap_test.c
https://github.com/wolfSSL/wolfTPM/blob/master/examples/native/native_test.c
Please send any feedback or questions to us at facts@wolfssl.com
wolfCrypt JCE Provider Now Tested with Google Project Wycheproof
wolfCrypt JNI provides a Java, JNI-based wrapper to the native wolfCrypt API and implements wolfJCE as a JCE provider for Java’s built-in security packages. wolfSSL is committed to providing the best tested cryptography available, and as such has expanded its automated testing of wolfCrypt JNI and JCE. Both FIPS 140-2 and non-FIPS builds of wolfCrypt JNI and wolfJCE are tested nightly through our Jenkins CI, with JUnit and Project Wycheproof unit tests.
Project Wycheproof is a test suite developed and maintained by the Google Security Team. Their unit tests use Java security packages (java.security and javax.crypto) to allow for multiple JCA/JCE provider implementations to be tested, including wolfJCE. Over 80 of their unit tests attempt to detect unexpected behavior, vulnerabilities to attacks, and other known weaknesses.
wolfSSL has confidence in having high quality security software built on a foundation of continuously expanding unit tests.
Please send any feedback or questions to us at facts@wolfssl.com.
wolfCrypt-JNI
Download: https://wolfssl.com/download
GitHub: https://github.com/wolfSSL/wolfcrypt-jni
Manual: https://www.wolfssl.com/docs/wolfcrypt-jni-jce-manual
Project Wycheproof
GitHub: https://github.com/google/wycheproof
And a shout out to Project Wycheproof maintainers:
- Daniel Bleichenbacher
- Thai Duong
- Emilia Kasper
- Quan Nguyen