Category: Uncategorized

Did you know that the wolfSSL embedded ssl solution includes DTLS support?  wolfSSL has supported DTLS functionality for over a year now.  Frankly, we have not had much user feedback on the feature, which means that either people are not using it or that those using it are perfectly satisfied.  If you care to comment, we’d love your feedback at info@yassl.com. 
 
DTLS was initially designed to serve the needs of secure VoIP designers, SIP users, internet game builders, and others that have an unreliable connection.  Further background on the genesis and purposing of DTLS can be found here:  http://crypto.stanford.edu/~nagendra/papers/dtls.pdf.  The RFC can be found here:  http://tools.ietf.org/html/rfc4347, and the Wikipedia page is here:  http://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security.

Did you know that wolfSSL is available for iPhone/iOS?  We’ve been building and testing wolfSSL on iOS now for the last couple of years.  As wolfSSL users know, the code is extremely portable.  When iPhone originally launched, we decided to build for the device as yet another test for portability.  Everything moved over smoothly and we’ve been building and testing each incremental release ever since.  Let us know if you’re building cross platform applications and need support for iPhone  by contacting us at info@yassl.com.

Ever wondered what the difference between a block cipher and a stream cipher was?  A block cipher has to be encrypted in chunks that are the block size for the cipher.  For example, AES has block size of 16 bytes.  So if you`re encrypting a bunch of small, 2 or 3 byte, chucks back and forth, over 80% of the data is useless padding, decreasing the speed of the encryption/decryption process and needlessly wasting network bandwidth to boot.  So basically block ciphers are designed for large chucks of data, have block sizes requiring padding, and use a fixed, unvarying transformation.

Stream ciphers work well for large or small chucks of data.  They`re suitable for smaller data sizes because no block size is required.  And if speed is a concern, stream ciphers are your answer, because they use a simpler transformation that typically involves an xor`d keystream.  So if you need to stream media, encrypt various data sizes including small ones, or have a need for a fast cipher then stream ciphers are your best bet.

SSL uses RC4 as the default stream cipher.  It`s a pretty good one, though it`s getting a little older.  There are some interesting advancements being made in the field and nearly two years ago wolfSSL added two ciphers from the eStream project into the code base, RABBIT and HC-128.  RABBIT is nearly twice as fast as RC4 and HC-128 is about 5 times as fast!  So if you`ve ever decided not to use SSL because of speed concerns, using wolfSSL`s stream ciphers should lessen or eliminate that performance doubt.

Both RABBIT and HC-128 are built by default into wolfSSL.  Please see the examples or the docs for usage.

Hi!  The next wolfSSL release should be ready this week, barring unforeseen testing issues.  Our big feature addition for this release is key generation.  The addition of key generation to wolfSSL clears the way for us to add certificate generation, with planned availability in September.  We’ve had a number of our commercial customers as well as open source users asking us for these features for various reasons, and we’re happy to add them for the enjoyment of all. 
 
One use case that we are particularly excited about is enabling digital signing for embedded systems and devices.  Essentially, we’ll be providing the key components in our next release for our users to set up digital signing for their various embedded systems.  Watch this space for our white paper on the topic.  The white paper will go through the process of setting up your own private certificate authority, as you would do if you were setting up your own private app store or secure firmware download site.  Many users like to do this sort of thing if they have closed systems, and don’t need certificates from a standard certificate authority.  Who knows, perhaps one of our users will use wolfSSL certificate generation to break the monopolies currently enjoyed by the current batch of certificate authorities. 
 
If you are a device vendor, you might ask the broader question of why to use SSL secure firmware download to your devices?  First, you will know where the firmware updated and installed on your device is coming from.  It won’t be random, it will be coming from a server you control.  Second, you will know that the software updated to the device has not been tampered with during delivery. 
 
As we saw from the recent Security B-Sides presentation “Fun with VxWorks” (The presentation can be found here: https://speakerdeck.com/hdm/fun-with-vxworks), the attack vector of current interest is embedded systems and devices.  As such, vendors of connected devices such as printers, cameras, etc, will need to be setting up their own private secure delivery mechanisms for applying firmware updates, etc. 
 
As always, we’re here to help.  Contact us at info@yassl.com if you need help with this stuff, either on the server side or the device side.

If you are an adopter of IPv6 and want to use an embedded ssl implementation, then you may have been wondering if wolfSSL supports IPv6.  The answer is yes, we do support wolfSSL running on top of IPv6.  Note that our current test applications default to IPv4, so as to apply to a broader number of systems.  Please see https://www.wolfssl.com/docs/wolfssl-manual/ch2/ –enable-ipv6 to change the test applications to IPv6.  You can contact us at facts@wolfssl.com if you need assistance with IP version issues.
 
Further information on IPv6 can be found here:  http://en.wikipedia.org/wiki/IPv6.

1.       Size:  wolfSSL can be built as small as 30k.
2.       Supports the newest standards: TLS 1.1 and 1.2, DTLS, and Stream Ciphers
3.       Multi-platform
4.       Royalty Free
5.       OpenSSL compatibility API to ease porting into older applications

Here’s another informative blog post from John Sawyer of DarkReading:  http://www.darkreading.com/blog/archives/2010/08/gaining_a_footh.html.

Here’s another warning from the media with regard to adding proper security to embedded systems: https://www.darkreading.com/risk/embedded-systems-can-mean-embedded-vulnerabilities/d/d-id/1134205.  It’s a good article that reminds us how many vulnerable embedded systems are out there that need to be retrofitted with embedded ssl.

As stated in previous blog posts, we have ported wolfSSL into a number of embedded web servers on behalf of our customers and community users.  wolfSSL can be included in Mongoose , Lighttpd (aka Lighty), Nginx, GoAhead, and others.  As a part of the work of enabling these embedded web servers to use SSL, we have learned a lot about all of these excellent products, including how they are used in embedded environments, what their code is like, and their feature support. 
 
As a result of our evaluation, we put a lot of energy into determining which open source embedded web server should receive the bulk of our attention.  We want to focus on the one that maps most closely to the needs of our customer base.  The wolfSSL customer generally wants the following in their open source embedded web server, in order of priority:
 
1.       Support for real time and embedded operating systems.
2.       Commercially available support
3.       Size:  Small, tight code.
4.       Well enabled security features
5.       Speed
 
As a result of our evaluation, we determined that the Mongoose embedded web server should receive the bulk of our attention.  Mongoose is the winner because it fits our customer’s needs, via the following metrics:
 
1.       Default size, with wolfSSL enabled, of less than 200k.
2.       Excellent code base and community.
3.       Portability to real time and embedded operating systems.
 
Based on all of the above, and more, we have decided to sell and market a version of Mongoose we’re calling the yaSSL Embedded Web Server.  We have agreed with the leader of the Mongoose community, Sergey Lyubka, to collaborate on feature development and bug fixes.  Bug fixes, feature additions, and general improvements that we generate to the code base will be rolled back into the main source tree subject to Sergey’s approval.  We will endeavor to be a good citizen and quality partner to the Mongoose community!
 
Versions of the yaSSL Embedded Web Server for RTOS and embedded environments are available immediately, upon request, on a subscription basis.  Annual subscriptions are available at the price of $5,000 USD per year.  Subscriptions include the following, per product line within which you embed: 
 
1.       Commercial support for wolfSSL and the yaSSL Embedded Web server
2.       Updates and upgrades
3.       Porting of both the SSL and Web Server to your  embedded environment and chipset.
4.       Commercial licenses
5.       Size and speed optimization support
 
Supported environments include ThreadX, VxWorks, QNX, OpenWRT, Tron, iTron, Microitron, Android, OpenCL, and MontaVista.  Other supported environments are available on a per request basis.  We’ll also support *nix and the gaggle of *bsd’s, which we’ll port to as requested. 
 
As always, we’d like your feedback and questions!  Please contact us at info@yassl.com.

Competitive upgrade pricing for wolfSSL is now available.  We’ll help you move from an outdated or expensive ssl library to wolfSSL with low cost and minimal disturbance to your code base.    
 
How does it work?  Here’s an outline of the program:
 
1. You need to currently be using a commercial competitor to wolfSSL.
2. You will receive up to two weeks of onsite consulting to switch out your old ssl library for wolfSSL.  Travel expenses are not included.
3. Normally, two weeks is the right amount of time for us to make the replacement in your code and do initial testing.  Additional consulting on a replacement is available as needed.
4. You will receive the standard wolfSSL royalty free license to ship with your product.
5. The price is $10,000.
 
The purpose of this program is to enable users who are currently spending too much on their embedded ssl implementation to move to wolfSSL with ease.  If you are interested in learning more, then please contact us at info@yassl.com.