Category: Uncategorized

wolfSSL release 3.9.10 fixes 3 medium level security vulnerabilities:

CVE-2016-7440 The C software version of AES Encryption and Decryption in wolfSSL 3.9.8 and earlier uses a T-table based implementation where Table lookups do not properly consider cache-bank access times.  This makes it easier for a local user to discover AES keys by running a crafted application on the same machine as a victim and leveraging cache-bank timing differences.

CVE-2016-7439 The C software implementation of RSA in wolfSSL 3.9.8 and earlier uses a different variable during squaring depending on the key state and does not properly consider cache bank monitoring.  This makes it easier for a local user to discover RSA keys by running a crafted application on the same CPU core as a victim and leveraging cache-bank hit differences.

CVE-2016-7438 The C software implementation of ECC in wolfSSL 3.9.8 and earlier uses a different variable during doubling depending on the key state and does not properly consider cache bank monitoring.  This makes it easier for a local user to discover RSA keys by running a crafted application on the same CPU core as a victim and leveraging cache-bank hit differences.

VM users, hyper-threading users, and users where potential attackers have access to the CPU cache will need to update if they utilize AES, RSA private keys, or ECC private keys.

Thanks to Gorka Irazoqui Apecechea and Xiaofei Guo from Intel Corporation for the reports.

If you have a need for an embedded SSL/TLS library or any questions please contact us today at facts@wolfssl.com.

Hi! We are currently embarking on a mission to support TPM 2.0 with the wolfSSL embedded SSL library. If you are interested in being an alpha tester, please let us know at facts@wolfssl.com.

Are you looking to use cryptography on an ARMv8 board? wolfSSL is in the process of optimizing AES and SHA256 operations using ARMv8 hardware acceleration. This gives the embedded TLS/SSL library a large performance boost when enabled and using AES-SHA256 cipher suites. The current development state can be found on our GitHub repository and enabled with “./configure —enable-armasm”.

For more information contact us at facts@wolfssl.com

Come join wolfSSL at NXP Technology Days and Smarter World Tour
 
The wolfSSL Team, will be in Paris at the ENOVA show the 2nd week of September.  The event takes place on September 14th and September 15th in the mobile showroom at ENOVA Paris from 9:00am to 6:00pm on Wednesday and 9:00am to 5:00pm on Thursday.  
 
If you are attending or planning on attending please stop by our table or schedule an appointment with one of our engineers to talk cryptography at the show. You can contact us by phone at (425)245-8247 or by email at facts@wolfssl.com.

Microsoft and Canonical`s new tools Windows Subsystem for Linux and Bash on Ubuntu on Windows brings a familiar bash environment based on the Ubuntu user-space to Windows 10.  This allows developers to use tools available on Linux and other Unix-like systems from within Windows.

Before developers can utilize Windows Subsystem for Linux, the feature has to be installed.   

1. Open Settings
2. Click Update & Security
3. Click For Developers
4. Click Developer Mode  
5. Now open Control Panel
6. Click Programs and Features
7. Click Turn Windows features on or off.
8. Find and check Windows Subsystem for Linux (Beta)
9. Click OK and follow prompts to finish installation.

Now that WSL is installed it is time to install the Ubuntu image.  This is accomplished by launching the Windows Command Prompt and typing “bash.exe”.  Follow the prompts to finish the installation.

You now have a fully installed Linux image on Windows!  You can launch bash by either running a Windows command prompt and entering the command “bash” or you can find the shortcut “Bash on Ubuntu on Windows” in your start menu.

To setup your environment to build wolfSSL you`ll need the following:

– make
– autoconf
– gcc

These can be installed with “$ sudo apt-get install make autoconf gcc” in bash.  Finally, the steps to build and install wolfSSL for Linux are:

1. $ ./autogen.sh
2. $ ./configure
3. $ make
4. $ make install

This was tested and verified with GCC version 4.8.4 and Linux kernel 3.4.0. make in our test environment was able to build wolfSSL in 28.415s.

Additional references:
wolfSSL Embedded SSL/TLS Library
https://blogs.windows.com/buildingapps/2016/07/22/fun-with-the-windows-subsystem-for-linux/
https://msdn.microsoft.com/en-us/commandline/wsl/about
https://msdn.microsoft.com/en-us/commandline/wsl/install_guide

wolfSSL is a growing company looking to add a top notch embedded systems software engineer to our organization. We develop, market and sell the leading Open Source embedded SSL/TLS protocol implementation, wolfSSL. Our users are primarily building devices or applications that need security. Other products include wolfCrypt embedded cryptography engine, wolfMQTT client library, and wolfSSH.

Operating environments of particular interest to us include Embedded Linux and RTOS varieties (VxWorks, QNX, ThreadX, uC/OS, MQX, FreeRTOS, etc). Experience with mobile environments like Android and iOS is a plus.

Currently, we are seeking to add a senior level C engineer interested in a fun company with tremendous upside. Backgrounds that are useful to our team include networking, security, and hardware optimizations. Assembly experience is a plus. Experience with encryption software is a plus. RTOS experience is a plus.

Location is flexible. For the right candidate, we’re open to this individual working from virtually any location.

How To Apply

To apply or discuss, please send your resume and cover letter to facts@wolfssl.com.

wolfSSL is interested in hiring an experienced web developer to redesign and maintain the wolfSSL website. This will be a full time position as an employee of wolfSSL. Responsibilities will include website redesign, development, and maintenance as well as writing and improving product documentation. The website will have both static and dynamic content, including a blog and product download pages.

The ideal candidate will have experience with modern web tools and frameworks, experience with web server setup and maintenance, good technical writing skills, and have a passion for cryptography and security fields.

Responsibilities:

+ Redesign of the wolfSSL website, based on a modern web framework
+ Integration of a dynamic blogging platform
+ Creation and maintenance of software documentation
+ Maintenance, expansion, and optimization of the wolfSSL website and forums

Requirements:

+ Knowledge of HTML, CSS, PHP, and modern web languages
+ Familiarity and experience with web and blog frameworks
+ Knowledge of web design best practices
+ Knowledge of back end database systems, such as MySQL
+ Knowledge of SEO and search engine compatibility
+ Team player, able to work well either individually or in a group
+ Interest in cryptography and security software
+ Proficient technical writing skills

How to Apply:

If interested in applying, please send your resume to facts@wolfssl.com.  wolfSSL product and company details can be found online at www.wolfssl.com.

Microchip recently released an end-to-end security solution for IoT devices that connects to the Amazon Web Services (AWS). The kit, AT88CKECC, allows users to easily and securely connect to AWS out of the box. It includes the ECC508 device which provides secure key generation and storage.

Full details and product links can be found in the Microchip press release, or on the Microchip website.

wolfSSL has partnered with Microchip / Atmel to add support for the ATECC508A module in wolfSSL’s embedded SSL/TLS library. Please visit our ATECC508A webpage for complete details and a link to our downloadable package.

wolfSSL is happy to help answer any questions you may have about using wolfSSL with Microchip or Atmel platforms. Please reach out to us at facts@wolfssl.com to get in touch.

The wolfSSL embedded SSL/TLS library and wolfCrypt embedded crypto engine have been integrated into the Atmel ATECC508A crypto element, adding support for ECC hardware acceleration and protected private key storage on the ATECC508A.

Using wolfSSL, ATECC508A users can benefit from both increased ECC performance and secure key storage, thus hardening their TLS connections.  The wolfCrypt ATECC508A port adds:

+ wolfCrypt support for ECC hardware acceleration using the ATECC508A.  The new defines for this port are WOLFSSL_ATMEL and WOLFSSL_ATECC508A
+ New PK callback for Pre Master Secret

For more info please visit: https://www.wolfssl.com/docs/atmel/

wolfSSL is dual licensed under both the GPLv2 as well as a standard commercial license.  For licensing information, please see the wolfSSL License Page, or contact us facts@wolfssl.com or call us at (425) 245-8247

wolfSSL’s progressive embedded TLS/SSL library has a new release available for download by our community. This new release contains new features, updates to existing code, and bug fixes. Some of the additional features added to wolfSSL version 3.9.8 are the use of custom ECC curves, support for Brainpool curves, and RSA blinding for private key operations. With the addition of RSA binding comes increased protection against timing attacks for users that have static RSA suites on their server. Static RSA cipher suites are not recommended and are turned off by default with wolfSSL.

Some fixes were also made to the IoT wolfSSL library. A few of these fixes were dealing with sanity checks on malformed certificates outside of a TLS connection, revisions to the recent static memory feature, and updated handling of math operations with compressed ECC keys. It is recommended that users update to the most recent wolfSSL release. Users that have server side static RSA cipher suites enabled should update to this version of wolfSSL for RSA blinding, and create new RSA private keys.

Here is a full list of highlighted changes for this release of our embedded SSL library.

– Add support for custom ECC curves. This allows use of non-standard ECC curves.
– Add cipher suite ECDHE-ECDSA-AES128-CCM.
– Add compkey enable option. This option is for enabling and disabling compressed ECC keys.
– Add in the option to use test.h without gettimeofday function using the macro WOLFSSL_USER_CURRTIME. This makes test.h more portable.
– Add RSA blinding for private key operations. Enable option of harden which is on by default. This negates timing attacks.
– Add ECC and TLS support for all SECP, Koblitz and Brainpool curves.
– Add helper functions for static memory option to allow getting optimum buffer sizes. This calculates the size of the needed buffer to have it completely used with no excess unused memory at the end.
– Update wolfSSL for use with MYSQL v5.6.30.
– Update LPCXpresso eclipse project to not include misc.c when not needed.
– Updates to DTLS 1.2.
– Fixes for code in math sections with compressed ECC keys. This includes edge cases for buffer size on allocation and adjustments for compressed curves build.
– Fix function argument mismatch for build with secure renegotiation.
– X.509 bug fixes for reading in malformed certificates, reported by researchers at Columbia University
– Fix GCC version 6 warning about hard tabs in poly1305.c. This was a warning produced by GCC 6 trying to determine the intent of code.
– Fixes for static memory option. These fixes include avoiding potential race conditions with
counters and decrementing handshake counter in the case of a failed client connection attempt.
– Fix for a possible output buffer overrun when using anonymous cipher and Diffie Hellman key exchange on the server side.

For more information contact wolfSSL at facts@wolfssl.com.  Support questions can be directed to support@wolfssl.com.