OpenSSL in Devices gets cracked when trying to “enhance” randomness

Hi!  The security world has been buzzing this week about two new sets of research into what we will call statistical key cracking.  The hack is one that we would not expect out of your average script kiddie, because it combines sophisticated scanning with mathematical prowess.  The overview story is the first link below.  The second and third links take you to the researchers previews.

We are particularly interested in the work from Nadia Heninger and her team, given that our user base is skewed towards embedded systems.

Our takeaways from this new research are high entropy seeds are vital to proper key generation.  If a high entropy device is available use it, if not, don`t try to write your own.  Connect securely to a remote server where a high entropy seed can be relayed over the SSL/TLS connection.  And don`t stir the RNG between (p) and (q) generation.  This crack is based on a low entropy seed and the stirring between (p) and (q) generation.  wolfSSL avoids this problem in two ways, by using a high entropy seed from /dev/random and by not stirring between (p) and (q) but before each (p) instead.

wolfSSL and LibSCS

wolfSSL is now available as a crypto provider for KoanLogic’s SCS library, LibSCS. SCS, a small cryptographic protocol layered on top of the HTTP cookie facility [RFC6265], allows its users to produce and consume authenticated and encrypted cookies, as opposed to usual cookies, which are un-authenticated and sent in clear text.

From the LibSCS README, “By having a non-tamperable proof of authorship attached, each SCS cookie can always be validated by the originator, making it possible for a server to handle clients` session state without the need to store it locally. In fact, an SCS enabled server could completely delegate the application state storage to the client (e.g. a web browser) and use it, in all respects, as a remote storage device. The result of the cryptographic transformations applied to state data can be used to ensure that its information authenticity and confidentiality attributes are the same as if they were stored privately on server-side.”

You can build LibSCS with wolfSSL by running the following commands. You must have KoanLogic’s makl installed on your development machine ( to build the package. See the libscs README and INSTALL files for more detailed instructions.

makl-conf –crypto=cyassl

libscs GitHub repository:

If you have any questions about wolfSSL with LibSCS, please contact KoanLogic (info@koanlogic) or yaSSL (

The Gravity

yaSSL currently secures over 50 million points on the internet.  We don’t talk about who is using CyaSSL, for obvious reasons, but the numbers are big and growing.

We take our work seriously, and hope you feel comfortable with our efforts.  We endeavor to build a business, a community, and do the right thing.  We welcome your feedback.  If you believe that we have failed at some point, then let us know.  We’ll correct it.  We’re open source and open minded about what you have to say.  Contact us at and let us know how we’re doing!

wolfSSL FreeRTOS / OpenRTOS Support

Did you know that the wolfSSL embedded SSL library supports FreeRTOS and OpenRTOS? FreeRTOS is a real-time operating system for embedded devices which is designed to be both small and simple. With an incredibly large user base, FreeRTOS/OpenRTOS supports 27 architectures and is downloaded from over 77 thousand times every year!

Just like wolfSSL, FreeRTOS is open source, royalty free, and very portable. To build wolfSSL for FreeRTOS, uncomment the #define for FREERTOS in ./cyassl/ctaocrypt/settings.h.

You can find a full list of FreeRTOS features on the FreeRTOS/OpenRTOS website. To learn more about wolfSSL, please visit the wolfSSL product page. If you have any questions about using wolfSSL with FreeRTOS, please contact us at

FreeRTOS / OpenRTOS:

yaSSL 2011 Annual Report on

Our 2011 annual report is now up on (see link below). yaSSL saw some great progress in 2011 which was very exciting! We’re looking forward to 2012 and seeing what the new year brings. If you have any questions about our annual report, please let us know at

yaSSL 2011 Annual Report (MarketWatch): (as of 26 March 2018 at 9:26am MDT, this link no longer works and has no alternative).

Team yaSSL

Interesting Article on Device Level Security

As the security of individual field devices (sensors, transmitters, acuators, etc.) is often overlooked, these devices can provide a target for cyber attacks. This article by Matt Luallen of Control Engineering explains this fact in more detail – once again reminding us that security of such devices should not be taken lightly. Luallen states that “If your technicians can configure a field device through the control system, dedicated handheld tools, or by plugging in a laptop to the network, an attacker can do the same thing if he follows the right path.”

Secure communication is an important building block of device security. The wolfSSL embedded SSL library has been designed for resource-constrained embedded systems and can easily be added to your device. To learn more about wolfSSL and how it can help with your device security, feel free to contact us at

Security At The Device Level:

yaSSL 2011 Annual Report

yaSSL has made great progress 2011!  Company growth, active partnerships, technical improvements, and our community have all made great strides forward.  We are very happy with the results of 2011 and look forward to an exciting year in 2012!  Looking to 2012, we are planning ongoing improvements to our technology and have doubled our technical resources in order to better serve our users in 2012.  

Listed below is an overview of our progress in 2011.

Business and Company Progress

1.  We participated and/or exhibited in the following events: FOSDEM, ESC Silicon Valley, O`Reilly MySQL Conference & Expo, RSA Conference, Game Developers Conference, Infosecurity Europe, OSCON, ESC Boston, and the ARM Technology Conference

2.  We gave presentations at both FOSDEM 2011 (Lightning Talk) and the 2011 O`Reilly MySQL Conference (Securing MySQL with a Focus on SSL) and published an article in the Linux Journal (Installing an Alternate SSL Provider on Android). Our presentations can be found on our Media page.

3.  We made significant improvements to our documentation (including the wolfSSL Manual, wolfSSL API Reference, and SSL Tutorial) and to our website.

4.  Our customer base doubled in 2011 and we increased our revenues by 5X.

Meaningful progress with our partner community:

1.  ARM:  wolfSSL is now included in the ARM / Avnet Embedded Software Store (
2.  Intel:  Continued a successful partnership with Intel, along with becoming a general member of the Intel Embedded Alliance
3.  We added Security Innovation and SkypeKit as a new partners.
4.  We added KoanLogic as a new partner.

wolfSSL Technical Progress

Feature highlights from our five releases of the wolfSSL embedded SSL library in 2011 include:

1.  Added Elliptic Curve (ECC) cipher suites to wolfSSL
2.  Added support for ECC, EC-DSA, and EC-DH to our CTaoCrypt crypto library
3.  Better TLS 1.2 support through more comprehensive interoperability testing with other SSL implementations
4.  Added SHA256 cipher suites and certificate signatures
5.  Added PKCS8 private key encryption support
6.  Added Password based key derivation function 2 (PBKDF2)
7.  Added PKCS #12 PBKDF support as part of our plan to get to full PKCS12 support
8.  Included UID parsing for x509 certificates
9.  Included runtime memory hooks for users wanting to change memory functions at runtime
10.  Added runtime hooks for customizable logging ability
11.  Added compiler function visibility and better naming for less namespace pollution
12.  Created simpler header structure for users
13.  Added make test support
14.  CTaoCrypt runtime library detection ability
15.  Added AES counter (CTR) mode
16.  EDH on both client and server sides
17.  Made NTRU Cipher Suites available

yaSSL Embedded Web Server Progress

1.  Released version 0.2 with bug fixes and feature enhancements
1.  Improved documentation and examples

Porting Progress

1.  CURL port.  wolfSSL can now be built with CURL (as a build option).
2.  Mbed Release.  wolfSSL was ported to Mbed in late 2010 and is now available for the Mbed cloud compiler.
3.  KLone Web Application Framework.  wolfSSL is now ported to the KLone Web Application Framework by KoanLogic.
4.  memcached patch.  wolfSSL now provides SSL security for memcache.
5.  FreeRTOS support.  wolfSSL now supports FreeRTOS/OpenRTOS.
6.  Haiku OS.  wolfSSL now works with the Haiku Operating System.
7.  lwIP support.  wolfSSL now supports running on top of lwIP.
8.  Microchip pic32 support.  wolfSSL now supports running on the pic32.
9.  reSIPprocate port
10.  We now support wpa_supplicant as a compile time option.
11.  Added hostapd support
12.  Apple TV port:  wolfSSL and yasslEWS now can be run on the Apple TV.
13.  Added wolfSSL crypto provider to MIT Kerberos library.
14.  wolfSSL Android NDK package.  wolfSSL can now be used in Android NDK applications.
15.  Ported MIT Kerberos to Android using Google’s Android NDK.

Code & Community

1.  Migrated wolfSSL code to GitHub
2.  Introduced the yaSSL Support Forums
3.  Added BMX6 to the wolfSSL Community

We are looking forward to the upcoming year and sharing new features and technology improvements with our embedded SSL users and community.

yaSSL Embedded Web Server Porting Services

Are you interested in using the yaSSL Embedded Web Server in your project or on your device but have discovered that it currently lacks support for your desired platform? yaSSL offers a porting service for the yaSSL Embedded Web Server for just this occasion.

If you are interested in having us port the yaSSL Embedded Web Server to your platform, please contact us at for more information about cost and time estimates.

Born in the USA!

We receive a lot of questions about the origins of the CyaSSL and CTaoCrypt software packages.  We get asked where they were developed, and by who?  These questions usually come from US government agencies and their contractors.  Simply stated, mes amis, CyaSSL was Born in the USA and written by US citizens.

If you have any additional questions about the origins of the CyaSSL embedded SSL library, please contact us at

Posts navigation

1 2 3 165 166 167 168 169 170 171 186 187 188