wolfSSL Year In Review -

wolfSSL
February 01, 2014

wolfSSL, author of the open source CyaSSL embedded SSL library, has made significant progress in 2013 towards bringing the community a more usable, feature-rich, and better supported library for use in an ever-growing range of embedded platforms and environments. This talk will provide an overview of technical progress in the last year and news on the current state of wolfSSL. Details on what's new include the addition of new crypto ciphers and algorithms, better hardware cryptography support, more flexible abstraction layers, a JNI wrapper, new platform support, and better development tool integration. www.wolfssl.com

Transcript

  1. YEAR IN REVIEW
    FOSDEM 2014
    FEBRUARY 1, 2014
    BRUSSELS, BELGIUM
    © Copyright 2014 wolfSSL Inc.

  2. CHRIS CONLON
    Software Developer
    Bozeman, MT, USA
    © Copyright 2012 FishEyeGuyPhotography

  3. A GROWING COMPANY!
    10 employees in 3 countries. 500 million endpoints secured.
    Tokyo, JP
    João Pessoa, BRAZIL
    Bozeman, MT
    Seattle, WA
    Portland, OR
    San Jose, CA

  4. 500 MILLION
    Over lots of different markets.
    Databases
    Sensors
    VoIP
    Smart Grid
    Smart Energy
    Factory Automation
    Battlefield Communication
    Automotive
    Routers
    Connected Home
    M2M Games
    Appliances
    Cloud Services
    Internet of Things
    Applications

  5. PRESENTATION OUTLINE
    1. Our Products
    2. What’s New
    3. Questions & Wrap-Up

  6. OUR PRODUCTS
    CyaSSL: Lightweight SSL/TLS
    wolfCrypt: Crypto Engine
    yaSSLEWS: Embedded Web Server
    wolfSSL JNI: CyaSSL Java Wrapper
    SSL Proxy: On top of Squid Proxy
    SSL Inspection
    Secure memcached
    wolfSCEP

  7. CyaSSL
    Lightweight SSL / TLS Library
    LIGHTWEIGHT. PORTABLE. C-BASED.
    ✓ Up to TLS 1.2 and DTLS 1.2
    ✓ 20-100 kB footprint
    ✓ 1-36 kB RAM per session
    ✓ Long list of supported operating systems:
    Windows, Linux, Mac OS X,
    Solaris, ThreadX, VxWorks,
    FreeBSD, NetBSD, OpenBSD,
    embedded Linux, WinCE,
    Haiku, OpenWRT, iPhone (iOS),
    Android, Nintendo Wii and
    Gamecube through DevKitPro,
    QNX, MontaVista, NonStop,
    TRON/ITRON/uITRON, Micrium uC/OS,
    FreeRTOS, SafeRTOS, Freescale MQX,
    Nucleus, TinyOS, HP/UX, ARC MQX

  8. wolfCrypt
    Cryptography Engine
    PORTABLE MODULAR CRYPTOGRAPHY
    ✓ Previously called “CTaoCrypt”
    ✓ Working on splitting into separate product
    ✓ Progressive list of supported ciphers
    ✓ Modular design, assembly optimizations
    AES (CBC, CTR, CCM, GCM),
    DES, 3DES, Camellia,
    ARC4, RABBIT, HC-128
    MD2, MD4, MD5, SHA-1,
    SHA-256, SHA-384, SHA-512,
    BLAKE2b, RIPEMD-160
    RSA, ECC, DSS, DH, EDH, NTRU
    HMAC, PBKDF2, PKCS#5
    ECDH-ECDSA, ECDHE-ECDSA,
    ECDH-RSA, ECDHE-RSA

  9. yaSSLEWS
    Embedded Web Server
    LOW RESOURCE, EMBEDDABLE, WEB SERVER
    ✓ Fast, easy-to-use webserver
    ✓ Small footprint (100kB with HTTPS)
    ✓ CGI, SSI, IP restrictions, logging, aliases
    ✓ Multiple operating environments supported

  10. wolfSSL JNI (NEW!)
    CyaSSL Java Wrapper
    BRINGING CYASSL TO JAVA USERS
    ✓ JNI wrapper around CyaSSL
    ✓ Current Java doesn’t support DTLS 1.2
    ✓ Users no longer need to write their own!
    ✓ Same licensing model – GPLv2 or commercial

  11. wolfSCEP (NEW!)
    Simple Certificate Enrollment Protocol
    PORTABLE SCEP IMPLEMENTATION
    ✓ Issuing and revocation of certificates
    ✓ Protocol originally developed by CISCO
    ✓ Lightweight, portable SCEP implementation
    ✓ Uses wolfCrypt for crypto operations
    ✓ Currently under development

  12. WHAT’S NEW?
    IN THE PAST YEAR.
    I.  Protocol Enhancements
    II.  Crypto Additions / Changes
    III.  Library Control / Portability
    IV.  Examples and Documentation
    V.  Porting Progress
    VI.  Business News

  13. PROTOCOL ENHANCEMENTS
    •  Fix for Lucky13 Attack
      Nadhem AlFardan, Kenneth Paterson
    •  DTLS 1.2 Support
      Updated to match TLS 1.2
      Addition of AEAD ciphers
    •  DTLS reliability enhancements

  14. PROTOCOL ENHANCEMENTS
    •  New TLS Extension Support:
      Server Name Indication
        Client can send name of server it is connecting to.
      Max Fragment Length
        Client can negotiate smaller maximum fragment size (default of 2^14).
      Truncated HMAC
        Use 80-bit truncated HMAC instead of using entire hash output as MAC
    ./configure --enable-tlsx

  15. CRYPTO ADDITIONS / CHANGES
    •  SHA-3 Finalist BLAKE2b (256 – 512bit digests)
    int InitBlake2b(…);
    int Blake2bUpdate(…);
    int Blake2bFinal(…);
    [Chart: throughput in MB/s (axis 0 to 400) for SHA-256, SHA-512, SHA, BLAKE2b, MD5]

  16. CRYPTO ADDITIONS / CHANGES
    •  AES-CCM-8 crypto and cipher suites
    ./configure --enable-aesccm

    aes.c / aes.h

    void AesCcmSetKey(…);
    void AesCcmEncrypt(…);
    int AesCcmDecrypt(…);

    TLS_RSA_WITH_AES_128_CCM_8
    TLS_RSA_WITH_AES_256_CCM_8
    TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
    TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
    TLS_PSK_WITH_AES_128_CCM
    TLS_PSK_WITH_AES_256_CCM
    TLS_PSK_WITH_AES_128_CCM_8
    TLS_PSK_WITH_AES_256_CCM_8

  17. CRYPTO ADDITIONS / CHANGES
    •  Camellia crypto and cipher suites
    ./configure --enable-camellia

    camellia.c / camellia.h

    int CamelliaSetKey(…);
    int CamelliaSetIV(…);
    void CamelliaEncryptDirect(…);
    void CamelliaDecryptDirect(…);
    void CamelliaCbcEncrypt(…);
    void CamelliaCbcDecrypt(…);

    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256

  18. CRYPTO ADDITIONS / CHANGES
    •  SHA-384 cipher suites
    •  HMAC now supports SHA-512
    •  AES-NI support for AES-CCM and AES-GCM

  19. CRYPTO ADDITIONS / CHANGES
    •  PKCS #7 (Cryptographic Message Syntax)
      ✓ Used to sign / encrypt messages
    •  PKCS #10 (Certificate Signing Request)
      ✓ Request certificate of public key from CA

  20. LIBRARY CONTROL / PORTABILITY
    •  Persistent session cache
    ./configure --enable-savesession

    /* using files */
    int CyaSSL_save_session_cache(const char*);
    int CyaSSL_restore_session_cache(const char*);

    /* using buffers */
    int CyaSSL_memsave_session_cache(void*, int);
    int CyaSSL_memrestore_session_cache(const void*, int);
    int CyaSSL_get_session_cache_memsize(void);

  21. LIBRARY CONTROL / PORTABILITY
    •  Persistent CA certificate cache
    ./configure --enable-savecert

    /* using files */
    int CyaSSL_CTX_save_cert_cache(CYASSL_CTX*, const char*);
    int CyaSSL_CTX_restore_cert_cache(CYASSL_CTX*, const char*);

    /* using buffers */
    int CyaSSL_CTX_memsave_cert_cache(CYASSL_CTX*, void*, int, int*);
    int CyaSSL_CTX_memrestore_cert_cache(CYASSL_CTX*, const void*, int);
    int CyaSSL_CTX_get_cert_cache_memsize(CYASSL_CTX*);

  22. LIBRARY CONTROL / PORTABILITY
    •  Atomic record callbacks
      ✓ MAC / Encrypt
      ✓ Decrypt / Verify
    •  Public key callbacks
      ✓ ECC sign & verify
      ✓ RSA sign & verify
      ✓ RSA encrypt & decrypt
    **Can be useful when offloading to hardware module

  23. LIBRARY CONTROL / PORTABILITY
    •  Ability to unload keys and certificates
    int CyaSSL_CTX_UnloadCAs(CYASSL_CTX*);
    int CyaSSL_UnloadCertsKeys(CYASSL*);

    int CyaSSL_CertManagerUnloadCAs(CYASSL_CERT_MANAGER* cm);

  24. EXAMPLES AND DOCUMENTATION
    •  Enhanced example applications
    ✓ Track stack usage
    ✓ Track memory allocation
    ✓ Better IPv6 support
    ./examples/client/client -t
    ./examples/server/server -t
    ./configure --enable-stacksize
    ./configure --enable-ipv6

  25. EXAMPLES AND DOCUMENTATION
    •  Updated API documentation

  26. EXAMPLES AND DOCUMENTATION
    •  New CyaSSL Porting Guide

  27. PORTING PROGRESS
    •  Microchip PIC32MX and PIC32MZ
    •  Microchip TCP/IP V6 support
    •  Microchip Harmony support

  28. PORTING PROGRESS
    •  Freescale RNGA and RNGB support
    •  Freescale mmCAU support
    #define FREESCALE_K70_RNGA
    #define FREESCALE_K53_RNGB
    #define FREESCALE_MMCAU

  29. PORTING PROGRESS
    Freescale K60 TWR (100 MHz)
    Algorithm  Software                               Hardware   Percent Increase
    AES        25 kB took 0.050 seconds, 0.49 MB/s    2.71 MB/s  453% (5.5x)
    DES        25 kB took 0.080 seconds, 0.31 MB/s    3.49 MB/s  1025% (11.3x)
    DES3       25 kB took 0.204 seconds, 0.12 MB/s    1.74 MB/s  1350% (14.5x)
    MD5        25 kB took 0.006 seconds, 4.07 MB/s    4.88 MB/s  19.9% (1.2x)
    SHA        25 kB took 0.014 seconds, 1.74 MB/s    2.71 MB/s  55.7% (1.6x)
    SHA-256    25 kB took 0.021 seconds, 1.16 MB/s    2.22 MB/s  91.4% (1.9x)

  30. PORTING PROGRESS
    [Chart: Kinetis K60 mmCAU vs. CTaoCrypt Software; MB / sec. (axis 0 to 6) for AES, DES, DES3, MD5, SHA, SHA-256; series: Software, Hardware]

  31. PORTING PROGRESS
    •  Cavium NITROX
    •  HP/UX
    •  Better ThreadX support + NetX I/O callbacks
    #define THREADX
    #define HAVE_NETX

  32. PORTING PROGRESS
    •  STM32F2 support, hardware crypto and RNG integration
    [Chart: STM32F217 (ARM Cortex-M3, 120 MHz); MB/sec (axis 0 to 25) for AES, DES, 3DES, MD5, SHA; series: Software Crypto, Hardware Crypto]

  33. PORTING PROGRESS
    •  KEIL MDK-ARM support
    •  KEIL MDK5 software pack

  34. BUSINESS NEWS
    A STORY OF GROWTH AND SUCCESS

  35. BUSINESS NEWS
    •  Name Change!

  36. BUSINESS NEWS
    •  More developers!
    •  Increased onsite consulting activity
    •  Launched our Kickstart consulting service

  37. BUSINESS NEWS
    •  Began FIPS 140-2 validation with wolfCrypt
    ✓ Federal Information Processing Standard
    ✓ NIST Publication 140-2
    ✓ Requires additional documentation, power-on self tests, etc.

  38. BUSINESS NEWS
    •  Moved to Zendesk to better handle customer support

  39. THANKS!
    WOLFSSL
    [email protected]
    +1 (425) 245 - 8247
    CHRIS CONLON
    [email protected]