Category: Uncategorized

Ever wondered what the difference between a block cipher and a stream cipher was?  A block cipher has to be encrypted in chunks that are the block size for the cipher.  For example, AES has block size of 16 bytes.  So if you`re encrypting a bunch of small, 2 or 3 byte, chucks back and forth, over 80% of the data is useless padding, decreasing the speed of the encryption/decryption process and needlessly wasting network bandwidth to boot.  So basically block ciphers are designed for large chucks of data, have block sizes requiring padding, and use a fixed, unvarying transformation.

Stream ciphers work well for large or small chucks of data.  They`re suitable for smaller data sizes because no block size is required.  And if speed is a concern, stream ciphers are your answer, because they use a simpler transformation that typically involves an xor`d keystream.  So if you need to stream media, encrypt various data sizes including small ones, or have a need for a fast cipher then stream ciphers are your best bet.

SSL uses RC4 as the default stream cipher.  It`s a pretty good one, though it`s getting a little older.  There are some interesting advancements being made in the field and nearly two years ago wolfSSL added two ciphers from the eStream project into the code base, RABBIT and HC-128.  RABBIT is nearly twice as fast as RC4 and HC-128 is about 5 times as fast!  So if you`ve ever decided not to use SSL because of speed concerns, using wolfSSL`s stream ciphers should lessen or eliminate that performance doubt.

Both RABBIT and HC-128 are built by default into wolfSSL.  Please see the examples or the docs for usage.

Hi!  The next wolfSSL release should be ready this week, barring unforeseen testing issues.  Our big feature addition for this release is key generation.  The addition of key generation to wolfSSL clears the way for us to add certificate generation, with planned availability in September.  We’ve had a number of our commercial customers as well as open source users asking us for these features for various reasons, and we’re happy to add them for the enjoyment of all. 
 
One use case that we are particularly excited about is enabling digital signing for embedded systems and devices.  Essentially, we’ll be providing the key components in our next release for our users to set up digital signing for their various embedded systems.  Watch this space for our white paper on the topic.  The white paper will go through the process of setting up your own private certificate authority, as you would do if you were setting up your own private app store or secure firmware download site.  Many users like to do this sort of thing if they have closed systems, and don’t need certificates from a standard certificate authority.  Who knows, perhaps one of our users will use wolfSSL certificate generation to break the monopolies currently enjoyed by the current batch of certificate authorities. 
 
If you are a device vendor, you might ask the broader question of why to use SSL secure firmware download to your devices?  First, you will know where the firmware updated and installed on your device is coming from.  It won’t be random, it will be coming from a server you control.  Second, you will know that the software updated to the device has not been tampered with during delivery. 
 
As we saw from the recent Security B-Sides presentation “Fun with VxWorks” (The presentation can be found here: https://speakerdeck.com/hdm/fun-with-vxworks), the attack vector of current interest is embedded systems and devices.  As such, vendors of connected devices such as printers, cameras, etc, will need to be setting up their own private secure delivery mechanisms for applying firmware updates, etc. 
 
As always, we’re here to help.  Contact us at info@yassl.com if you need help with this stuff, either on the server side or the device side.

If you are an adopter of IPv6 and want to use an embedded ssl implementation, then you may have been wondering if wolfSSL supports IPv6.  The answer is yes, we do support wolfSSL running on top of IPv6.  Note that our current test applications default to IPv4, so as to apply to a broader number of systems.  Please see https://www.wolfssl.com/docs/wolfssl-manual/ch2/ –enable-ipv6 to change the test applications to IPv6.  You can contact us at facts@wolfssl.com if you need assistance with IP version issues.
 
Further information on IPv6 can be found here:  http://en.wikipedia.org/wiki/IPv6.

1.       Size:  wolfSSL can be built as small as 30k.
2.       Supports the newest standards: TLS 1.1 and 1.2, DTLS, and Stream Ciphers
3.       Multi-platform
4.       Royalty Free
5.       OpenSSL compatibility API to ease porting into older applications

Here’s another informative blog post from John Sawyer of DarkReading:  http://www.darkreading.com/blog/archives/2010/08/gaining_a_footh.html.

Here’s another warning from the media with regard to adding proper security to embedded systems: https://www.darkreading.com/risk/embedded-systems-can-mean-embedded-vulnerabilities/d/d-id/1134205.  It’s a good article that reminds us how many vulnerable embedded systems are out there that need to be retrofitted with embedded ssl.

As stated in previous blog posts, we have ported wolfSSL into a number of embedded web servers on behalf of our customers and community users.  wolfSSL can be included in Mongoose , Lighttpd (aka Lighty), Nginx, GoAhead, and others.  As a part of the work of enabling these embedded web servers to use SSL, we have learned a lot about all of these excellent products, including how they are used in embedded environments, what their code is like, and their feature support. 
 
As a result of our evaluation, we put a lot of energy into determining which open source embedded web server should receive the bulk of our attention.  We want to focus on the one that maps most closely to the needs of our customer base.  The wolfSSL customer generally wants the following in their open source embedded web server, in order of priority:
 
1.       Support for real time and embedded operating systems.
2.       Commercially available support
3.       Size:  Small, tight code.
4.       Well enabled security features
5.       Speed
 
As a result of our evaluation, we determined that the Mongoose embedded web server should receive the bulk of our attention.  Mongoose is the winner because it fits our customer’s needs, via the following metrics:
 
1.       Default size, with wolfSSL enabled, of less than 200k.
2.       Excellent code base and community.
3.       Portability to real time and embedded operating systems.
 
Based on all of the above, and more, we have decided to sell and market a version of Mongoose we’re calling the yaSSL Embedded Web Server.  We have agreed with the leader of the Mongoose community, Sergey Lyubka, to collaborate on feature development and bug fixes.  Bug fixes, feature additions, and general improvements that we generate to the code base will be rolled back into the main source tree subject to Sergey’s approval.  We will endeavor to be a good citizen and quality partner to the Mongoose community!
 
Versions of the yaSSL Embedded Web Server for RTOS and embedded environments are available immediately, upon request, on a subscription basis.  Annual subscriptions are available at the price of $5,000 USD per year.  Subscriptions include the following, per product line within which you embed: 
 
1.       Commercial support for wolfSSL and the yaSSL Embedded Web server
2.       Updates and upgrades
3.       Porting of both the SSL and Web Server to your  embedded environment and chipset.
4.       Commercial licenses
5.       Size and speed optimization support
 
Supported environments include ThreadX, VxWorks, QNX, OpenWRT, Tron, iTron, Microitron, Android, OpenCL, and MontaVista.  Other supported environments are available on a per request basis.  We’ll also support *nix and the gaggle of *bsd’s, which we’ll port to as requested. 
 
As always, we’d like your feedback and questions!  Please contact us at info@yassl.com.

Competitive upgrade pricing for wolfSSL is now available.  We’ll help you move from an outdated or expensive ssl library to wolfSSL with low cost and minimal disturbance to your code base.    
 
How does it work?  Here’s an outline of the program:
 
1. You need to currently be using a commercial competitor to wolfSSL.
2. You will receive up to two weeks of onsite consulting to switch out your old ssl library for wolfSSL.  Travel expenses are not included.
3. Normally, two weeks is the right amount of time for us to make the replacement in your code and do initial testing.  Additional consulting on a replacement is available as needed.
4. You will receive the standard wolfSSL royalty free license to ship with your product.
5. The price is $10,000.
 
The purpose of this program is to enable users who are currently spending too much on their embedded ssl implementation to move to wolfSSL with ease.  If you are interested in learning more, then please contact us at info@yassl.com.

We have released an Alpha of our Java SSL Provider for the Android Platform.  This can be installed alongside the existing Apache Harmony provider and can be used through the javax.net.ssl Java API package.  By using our provider, Java developers can use familiar syntax and API calls of Java to gain the speed and size advantages that the CyaSSL embedded SSL library offers.  By using CyaSSL on Android, you can reduce the overall image footprint by 500k to 600k.

Being in the Alpha stage, this provider currently only offers client functionality.  If you want to give our provider a try, please download it from our additional downloads page here.  Instructions for installation into the Android Platform can be found in the README file included with the download.

We look forward to your feedback!  Please keep in mind that this is an alpha release.  Please contact us at info@yassl.com if you need support.

Hi!  Two months ago we announced the availability of a version of memcached that we’ve been calling secure memcached.  This current branch of memcached includes ssl encryption between client and server.  Currently, client support is limited to libmemcached, but we’ll work with our beta sites to support additional clients as needed.  Our plan is to submit our branch as a patch to the project once we receive more feedback from betas.

Our upcoming Beta 2 version of secure memcached will add encryption for data held inside the server.  As such, if someone gets their hands on your memcached server, they won’t be able to read the data.  The level of security in Beta 2 will resolve the vulnerability faced by memcached users recently discussed on Slashdot:  http://it.slashdot.org/story/10/08/07/035255/Cache-On-Delivery-mdash-Memcached-Opens-an-Accidental-Security-Hole.

Beta 2 is slated for release in a couple of weeks.  Please contact us at info@yassl.com if you would like to participate in the beta program.

For performance results for secure memcache, please contact us.

A copy of our presentation on secure memcached  given at OSCON is available here:  PPT Download