Upgrade to Pro — share decks privately, control downloads, hide ads and more …

wolfSSL Year In Review -

wolfSSL
February 01, 2014

wolfSSL Year In Review -

wolfSSL, author of the open source CyaSSL embedded SSL library has made significant progress in 2013 towards bringing the community a more usable, feature-rich, and better supported library for use in an ever-growing range of embedded platforms and environments. This talk will provide an overview of technical progress in the last year and news on the current state of wolfSSL. Details on what's new include the addition of new crypto ciphers and algorithms, better hardware cryptography support, more flexible abstraction layers, a JNI wrapper, new platform support, and better development tool integration. www.wolfssl.com

wolfSSL

February 01, 2014
Tweet

More Decks by wolfSSL

Other Decks in Technology

Transcript

  1. Software Developer Bozeman, MT, USA CHRIS CONLON © Copyright 2012

    FishEyeGuyPhotography © Copyright 2014 wolfSSL Inc.
  2. 10 employees in 3 countries. 500 million endpoints secured. A

    GROWING COMPANY! © Copyright 2014 wolfSSL Inc. Tokyo, JP João Pessoa BRAZIL Bozeman, MT Seattle, WA Portland, OR San Jose, CA
  3. Over lots of different markets. 500 MILLION © Copyright 2014

    wolfSSL Inc. Databases Sensors VoIP Smart Grid Smart Energy Factory Automation Battlefield Communication Automotive Routers Connected Home M2M Games Appliances Cloud Services Internet of Things Applications
  4. OUR PRODUCTS © Copyright 2014 wolfSSL Inc. CyaSSL Lightweight SSL/TLS

    wolfCrypt Crypto Engine yaSSLEWS Embedded Web Server wolfCrypt wolfSSL JNI CyaSSL Java Wrapper SSL Proxy On top of Squid Proxy SSL Inspection Secure memcached wolfSCEP
  5. CyaSSL LIGHTWEIGHT. PORTABLE. C-BASED. ü  Up to TLS 1.2 and

    DTLS 1.2 ü  20-100 kB footprint ü  1-36 kB RAM per session ü  Long list of supported operating systems: Lightweight SSL / TLS Library CyaSSL Lightweight SSL/TLS wolfCrypt SSL Inspection © Copyright 2014 wolfSSL Inc. Windows, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, WinCE Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop TRON/ITRON/uITRON, Micrium uC/OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, ARC MQX …
  6. wolfCrypt PORTABLE MODULAR CRYPTOGRAPHY ü  Previously called “CTaoCrypt” ü  Working

    on splitting into separate product ü  Progressive list of supported ciphers ü  Modular design, assembly optimizations Cryptography Engine wolfCrypt Crypto Engine © Copyright 2014 wolfSSL Inc. AES (CBC, CTR, CCM, GCM), DES, 3DES, Camellia, ARC4, RABBIT, HC-128 MD2, MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512, BLAKE2b, RIPEMD-160 RSA, ECC, DSS, DH, EDH, NTRU HMAC, PBKDF2, PKCS#5 ECDH-ECDSA, ECDHE-ECDSA, ECDH-RSA, ECDHE-RSA …
  7. yaSSLEWS Embedded Web Server yaSSLEWS LOW RESOURCE, EMBEDDABLE, WEB SERVER

    ü  Fast, easy-to-use webserver ü  Small footprint (100kB with HTTPS) ü  CGI, SSI, IP restrictions, logging, aliases ü  Multiple operating environments supported Embedded Web Server © Copyright 2014 wolfSSL Inc.
  8. wolfSSL JNI CyaSSL Java Wrapper wolfSSL JNI BRINGING CYASSL TO

    JAVA USERS ü  JNI wrapper around CyaSSL ü  Current Java doesn’t support DTLS 1.2 ü  Users no longer need to write their own! ü  Same licensing model – GPLv2 or commercial CyaSSL Java Wrapper © Copyright 2014 wolfSSL Inc. NEW!
  9. wolfSCEP wolfSCEP PORTABLE SCEP IMPLEMENTATION ü  Issuing and revocation of

    certificates ü  Protocol originally developed by CISCO ü  Lightweight, portable SCEP implementation ü  Uses wolfCrypt for crypto operations ü  Currently under development Simple Certificate Enrollment Protocol © Copyright 2014 wolfSSL Inc. NEW!
  10. WHAT’S NEW? IN THE PAST YEAR. © Copyright 2014 wolfSSL

    Inc. I.  Protocol Enhancements II.  Crypto Additions / Changes III.  Library Control / Portability IV.  Examples and Documentation V.  Porting Progress VI.  Business News
  11. •  Fix for Lucky13 Attack •  DTLS 1.2 Support • 

    DTLS reliability enhancements PROTOCOL ENHANCEMENTS © Copyright 2014 wolfSSL Inc. Updated to match TLS 1.2 Addition of AEAD ciphers Nadhem AlFardan, Kenneth Paterson
  12. •  New TLS Extension Support: PROTOCOL ENHANCEMENTS © Copyright 2014

    wolfSSL Inc. Server Name Indication Max Fragment Length Truncated HMAC Client can send name of server it is connecting to. Client can negotiate smaller maximum fragment size (default of 2^14). Use 80-bit truncated HMAC instead of using entire hash output as MAC ./configure --enable-tlsx!
  13. •  SHA-3 Finalist BLAKE2b (256 – 512bit digests) CRYPTO ADDITIONS

    / CHANGES © Copyright 2014 wolfSSL Inc. int InitBlake2b(…);! int Blake2bUpdate(…);! int Blake2bFinal(…);! 0 50 100 150 200 250 300 350 400 SHA-256 SHA-512 SHA BLAKE2b MD5 MB/s
  14. •  AES-CCM-8 crypto and cipher suites CRYPTO ADDITIONS / CHANGES

    © Copyright 2014 wolfSSL Inc. ./configure --enable-aesccm! 
 ! aes.c / aes.h! ! void AesCcmSetKey(…);! void AesCcmEncrypt(…);! int AesCcmDecrypt(…);! TLS_RSA_WITH_AES_128_CCM_8! TLS_RSA_WITH_AES_256_CCM_8! TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8! TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8! TLS_PSK_WITH_AES_128_CCM! TLS_PSK_WITH_AES_256_CCM! TLS_PSK_WITH_AES_128_CCM_8! TLS_PSK_WITH_AES_256_CCM_8!
  15. •  Camellia crypto and cipher suites CRYPTO ADDITIONS / CHANGES

    © Copyright 2014 wolfSSL Inc. ./configure --enable-camellia! ! ! camellia.c / camellia.h! ! int CamelliaSetKey(…);! int CamelliaSetIV(…);! void CamelliaEncryptDirect(…);! void CamelliaDecryptDirect(…);! void CamelliaCbcEncrypt(…);! void CamelliaCbcDecrypt(…);! TLS_RSA_WITH_CAMELLIA_128_CBC_SHA! TLS_RSA_WITH_CAMELLIA_256_CBC_SHA! TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256! TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256! TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA! TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA! TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256! TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256!
  16. •  SHA-384 cipher suites •  HMAC now supports SHA-512 • 

    AES-NI support for AES-CCM and AES-GCM CRYPTO ADDITIONS / CHANGES © Copyright 2014 wolfSSL Inc.
  17. •  PKCS #7 (Cryptographic Message Syntax) •  PKCS #10 (Certificate

    Signing Request) CRYPTO ADDITIONS / CHANGES © Copyright 2014 wolfSSL Inc. ü  Used to sign / encrypt messages ü  Request certificate of public key from CA
  18. •  Persistent session cache LIBRARY CONTROL / PORTABILITY © Copyright

    2014 wolfSSL Inc. ./configure --enable-savesession! ! ! /* using files */! int CyaSSL_save_session_cache(const char*);! int CyaSSL_restore_session_cache(const char*);! ! ! /* using buffers */! int CyaSSL_memsave_session_cache(void*, int);! int CyaSSL_memrestore_session_cache(const void*, int);! int CyaSSL_get_session_cache_memsize(void);!
  19. •  Persistent CA certificate cache LIBRARY CONTROL / PORTABILITY ©

    Copyright 2014 wolfSSL Inc. ./configure --enable-savecert! ! ! /* using files */! int CyaSSL_CTX_save_cert_cache(CYASSL_CTX*, const char*);! int CyaSSL_CTX_restore_cert_cache(CYASSL_CTX*, const char*);! ! ! /* using buffers */! int CyaSSL_CTX_memsave_cert_cache(CYASSL_CTX*, void*, int, int*);! int CyaSSL_CTX_memrestore_cert_cache(CYASSL_CTX*, const void*, int);! int CyaSSL_CTX_get_cert_cache_memsize(CYASSL_CTX*);!
  20. •  Atomic record callbacks •  Public key callbacks LIBRARY CONTROL

    / PORTABILITY © Copyright 2014 wolfSSL Inc. ü  MAC / Encrypt ü  Decrypt / Verify ü  ECC sign & verify ü  RSA sign & verify ü  RSA encrypt & decrypt **Can be useful when offloading to hardware module
  21. •  Ability to unload keys and certificates LIBRARY CONTROL /

    PORTABILITY © Copyright 2014 wolfSSL Inc. int CyaSSL_CTX_UnloadCAs(CYASSL_CTX*);! int CyaSSL_UnloadCertsKeys(CYASSL*);! ! int CyaSSL_CertManagerUnloadCAs(CYASSL_CERT_MANAGER* cm);!
  22. •  Enhanced example applications ü  Track stack usage ü  Track

    memory allocation ü  Better IPv6 support EXAMPLES AND DOCUMENTATION © Copyright 2014 wolfSSL Inc. ./examples/client/client –t! ./examples/server/server -t! ./configure --enable-stacksize! ./configure --enable-ipv6!
  23. •  Microchip PIC32MX and PIC32MZ •  Microchip TCP/IP V6 support

    •  Microchip Harmony support PORTING PROGRESS © Copyright 2014 wolfSSL Inc.
  24. •  Freescale RNGA and RNGB support •  Freescale mmCAU support

    PORTING PROGRESS © Copyright 2014 wolfSSL Inc. #define FREESCALE_K70_RNGA! #define FREESCALE_K53_RNGB! #define FREESCALE_MMCAU!
  25. PORTING PROGRESS © Copyright 2014 wolfSSL Inc. Freescale K60 TWR

    (100 MHz) Software Crypto Software Hardware Percent Increase AES 25 kB took 0.050 seconds, 0.49 MB/s 2.71 MB/s 453% (5.5x) DES 25 kB took 0.080 seconds, 0.31 MB/s 3.49 MB/s 1025% (11.3x) DES3 25 kB took 0.204 seconds, 0.12 MB/s 1.74 MB/s 1350% (14.5x) MD5 25 kB took 0.006 seconds, 4.07 MB/s 4.88 MB/s 19.9% (1.2x) SHA 25 kB took 0.014 seconds, 1.74 MB/s 2.71 MB/s 55.7% (1.6x) SHA-256 25 kB took 0.021 seconds, 1.16 MB/s 2.22 MB/s 91.4% (1.9x)
  26. PORTING PROGRESS © Copyright 2014 wolfSSL Inc. 0 1 2

    3 4 5 6 AES DES DES3 MD5 SHA SHA-256 MB / sec. Kinetis K60 mmCAU vs. CTaoCrypt Software Software Hardware
  27. •  Cavium NITROX •  HP/UX •  Better ThreadX support +

    NetX I/O callbacks PORTING PROGRESS © Copyright 2014 wolfSSL Inc. #define THREADX! #define HAVE_NETX!
  28. •  STM32F2 support, hardware crypto and RNG integration PORTING PROGRESS

    © Copyright 2014 wolfSSL Inc. 0 5 10 15 20 25 AES DES 3DES MD5 SHA MB/sec STM32F217 (ARM Cortex-M3, 120 MHz ) Software Crypto Hardware Crypto
  29. •  More developers! •  Increased onsite consulting activity •  Launched

    our Kickstart consulting service BUSINESS NEWS © Copyright 2014 wolfSSL Inc.
  30. •  Began FIPS 140-2 validation with wolfCrypt BUSINESS NEWS ©

    Copyright 2014 wolfSSL Inc. ü  Federal Information Processing Standard ü  NIST Publication 140-2 ü  Requires additional documentation, power-on self tests, etc.