wolfSSL Year In Review, 2013

YEAR IN REVIEW
FOSDEM 2014
FEBRUARY 1, 2014
BRUSSELS, BELGIUM

© Copyright 2014 wolfSSL Inc.

CHRIS CONLON
Software Developer
Bozeman, MT, USA

© Copyright 2012 FishEyeGuyPhotography


Seattle, WA

Portland, OR

Bozeman, MT

San Jose, CA

João Pessoa

Tokyo, JP

BRAZIL

A GROWING COMPANY!
10 employees in 3 countries.

500 million endpoints secured.

Automotive

Factory Automation
Routers

Cloud Services

Smart Grid
Databases

Battlefield Communication

VoIP
Connected Home

Sensors

M2M

Smart Energy
Games

Internet of Things

Applications

500 MILLION
Over lots of different markets.

Appliances

PRESENTATION OUTLINE
1. Our Products
2. What’s New
3. Questions & Wrap-Up


OUR PRODUCTS
CyaSSL

wolfCrypt

yaSSLEWS

wolfSSL JNI

Lightweight SSL/TLS

Crypto Engine

Embedded Web Server

CyaSSL Java Wrapper

Secure
memcached

wolfSCEP

wolfCrypt
SSL Inspection

SSL Proxy
On top of Squid Proxy


CyaSSL
Lightweight SSL / TLS Library

LIGHTWEIGHT. PORTABLE. C-BASED.

CyaSSL

ü  Up to TLS 1.2 and DTLS 1.2

Lightweight SSL/TLS

ü  20-100 kB footprint
ü  1-36 kB RAM per session

wolfCrypt

ü  Long list of supported operating systems:

Windows, Linux, Mac OS X,
Solaris, ThreadX, VxWorks,
FreeBSD, NetBSD, OpenBSD,
embedded Linux, WinCE

Haiku, OpenWRT, iPhone (iOS),
Android, Nintendo Wii and
Gamecube through DevKitPro,
QNX, MontaVista, NonStop


SSL Inspection

TRON/ITRON/uITRON, Micrium uC/OS,
FreeRTOS, SafeRTOS, Freescale MQX,
Nucleus, TinyOS, HP/UX, ARC MQX

…

wolfCrypt
Cryptography Engine

PORTABLE MODULAR CRYPTOGRAPHY
wolfCrypt

ü  Previously called “CTaoCrypt”

Crypto Engine

ü  Working on splitting into separate product
ü  Progressive list of supported ciphers
ü  Modular design, assembly optimizations

AES (CBC, CTR, CCM, GCM),
DES, 3DES, Camellia,
ARC4, RABBIT, HC-128

MD2, MD4, MD5, SHA-1,
SHA-256, SHA-384, SHA-512,
BLAKE2b, RIPEMD-160


RSA, ECC, DSS, DH, EDH, NTRU
HMAC, PBKDF2, PKCS#5
ECDH-ECDSA, ECDHE-ECDSA,
ECDH-RSA, ECDHE-RSA

…

yaSSLEWS
Embedded Web Server

LOW RESOURCE, EMBEDDABLE, WEB SERVER

ü  Fast, easy-to-use webserver
ü  Small footprint (100kB with HTTPS)
ü  CGI, SSI, IP restrictions, logging, aliases
ü  Multiple operating environments supported


yaSSLEWS
Embedded Web Server

W!

NE

wolfSSL JNI
CyaSSL Java Wrapper

BRINGING CYASSL TO JAVA USERS

ü  JNI wrapper around CyaSSL
ü  Current Java doesn’t support DTLS 1.2
ü  Users no longer need to write their own!
ü  Same licensing model – GPLv2 or commercial


wolfSSL JNI
CyaSSL Java Wrapper

W!

NE

wolfSCEP
Simple Certificate Enrollment Protocol

PORTABLE SCEP IMPLEMENTATION

ü  Issuing and revocation of certificates
ü  Protocol originally developed by CISCO
ü  Lightweight, portable SCEP implementation
ü  Uses wolfCrypt for crypto operations
ü  Currently under development


wolfSCEP

WHAT’S NEW?
IN THE PAST YEAR.

I. 
II. 
III. 
IV. 
V. 
VI. 

Protocol Enhancements
Crypto Additions / Changes
Library Control / Portability
Examples and Documentation
Porting Progress
Business News


PROTOCOL ENHANCEMENTS
•  Fix for Lucky13 Attack
Nadhem AlFardan, Kenneth Paterson

•  DTLS 1.2 Support
Updated to match TLS 1.2
Addition of AEAD ciphers

•  DTLS reliability enhancements


PROTOCOL ENHANCEMENTS
•  New TLS Extension Support:
Server Name Indication

Client can send name of server it is
connecting to.

Max Fragment Length

Client can negotiate smaller maximum
fragment size (default of 2^14).

Truncated HMAC

Use 80-bit truncated HMAC instead of
using entire hash output as MAC

./configure --enable-tlsx!


CRYPTO ADDITIONS / CHANGES
•  SHA-3 Finalist BLAKE2b (256 – 512bit digests)

400

int InitBlake2b(…);!
int Blake2bUpdate(…);!
int Blake2bFinal(…);!

350
300

MB/s

250
200
150
100
50
0
SHA-256


SHA-512

SHA

BLAKE2b

MD5

•  AES-CCM-8 crypto and cipher suites

./configure --enable-aesccm!
 
!
aes.c / aes.h!
!
void AesCcmSetKey(…);!
void AesCcmEncrypt(…);!
int AesCcmDecrypt(…);!

TLS_RSA_WITH_AES_128_CCM_8!
TLS_RSA_WITH_AES_256_CCM_8!
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8!
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8!
TLS_PSK_WITH_AES_128_CCM!
TLS_PSK_WITH_AES_256_CCM!
TLS_PSK_WITH_AES_128_CCM_8!
TLS_PSK_WITH_AES_256_CCM_8!


•  Camellia crypto and cipher suites

./configure --enable-camellia!
!
!
camellia.c / camellia.h!
!
int CamelliaSetKey(…);!
int CamelliaSetIV(…);!
void CamelliaEncryptDirect(…);!
void CamelliaDecryptDirect(…);!
void CamelliaCbcEncrypt(…);!
void CamelliaCbcDecrypt(…);!

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA!
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA!
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256!
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256!
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA!
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA!
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256!
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256!


•  SHA-384 cipher suites

•  HMAC now supports SHA-512

•  AES-NI support for AES-CCM and AES-GCM


•  PKCS #7 (Cryptographic Message Syntax)
ü  Used to sign / encrypt messages

•  PKCS #10 (Certificate Signing Request)
ü  Request certificate of public key from CA


LIBRARY CONTROL / PORTABILITY
•  Persistent session cache
./configure --enable-savesession!
!
!
/* using files */!
int CyaSSL_save_session_cache(const char*);!
int CyaSSL_restore_session_cache(const char*);!
!
!
/* using buffers */!
int CyaSSL_memsave_session_cache(void*, int);!
int CyaSSL_memrestore_session_cache(const void*, int);!
int CyaSSL_get_session_cache_memsize(void);!


•  Persistent CA certificate cache
./configure --enable-savecert!
!
!
/* using files */!
int CyaSSL_CTX_save_cert_cache(CYASSL_CTX*, const char*);!
int CyaSSL_CTX_restore_cert_cache(CYASSL_CTX*, const char*);!
!
!
/* using buffers */!
int CyaSSL_CTX_memsave_cert_cache(CYASSL_CTX*, void*, int, int*);!
int CyaSSL_CTX_memrestore_cert_cache(CYASSL_CTX*, const void*, int);!
int CyaSSL_CTX_get_cert_cache_memsize(CYASSL_CTX*);!


•  Atomic record callbacks
ü  MAC / Encrypt
ü  Decrypt / Verify

**Can be useful when
offloading to hardware
module

•  Public key callbacks
ü  ECC sign & verify
ü  RSA sign & verify
ü  RSA encrypt & decrypt


•  Ability to unload keys and certificates
int CyaSSL_CTX_UnloadCAs(CYASSL_CTX*);!
int CyaSSL_UnloadCertsKeys(CYASSL*);!
!
int CyaSSL_CertManagerUnloadCAs(CYASSL_CERT_MANAGER* cm);!


EXAMPLES AND DOCUMENTATION
•  Enhanced example applications
ü  Track stack usage

./configure --enable-stacksize!

ü  Track memory allocation

ü  Better IPv6 support

./examples/client/client –t!
./examples/server/server -t!

./configure --enable-ipv6!


•  Updated API documentation


•  New CyaSSL Porting Guide


PORTING PROGRESS
•  Microchip PIC32MX and PIC32MZ
•  Microchip TCP/IP V6 support
•  Microchip Harmony support


PORTING PROGRESS
•  Freescale RNGA and RNGB support
#define FREESCALE_K70_RNGA!
#define FREESCALE_K53_RNGB!

•  Freescale mmCAU support
#define FREESCALE_MMCAU!


PORTING PROGRESS
Freescale K60 TWR (100 MHz)
Software Crypto
AES
DES
DES3
MD5
SHA
SHA-256

25 kB took 0.050 seconds,

Software
0.49 MB/s
0.31 MB/s
0.12 MB/s
4.07 MB/s
1.74 MB/s
1.16 MB/s


Hardware
2.71 MB/s
3.49 MB/s
1.74 MB/s
4.88 MB/s
2.71 MB/s
2.22 MB/s

Percent Increase
453%
(5.5x)
1025% (11.3x)
1350% (14.5x)
19.9%
(1.2x)
55.7%
(1.6x)
91.4%
(1.9x)

PORTING PROGRESS
Kinetis K60 mmCAU vs. CTaoCrypt Software
6

5

MB / sec.

4

Software

3

Hardware
2

1

0
AES

DES

DES3

MD5


SHA

SHA-256

PORTING PROGRESS
•  Cavium NITROX
•  HP/UX
•  Better ThreadX support + NetX I/O callbacks

#define THREADX!
#define HAVE_NETX!


PORTING PROGRESS
•  STM32F2 support, hardware crypto and RNG integration
STM32F217 (ARM Cortex-M3, 120 MHz )
25

20

MB/sec

15
Software Crypto
Hardware Crypto

10

5

0
AES

DES

3DES

MD5


SHA

PORTING PROGRESS
•  KEIL MDK-ARM support
•  KEIL MDK5 software pack


BUSINESS NEWS

A STORY OF GROWTH AND SUCCESS


BUSINESS NEWS
•  Name Change!


BUSINESS NEWS
•  More developers!
•  Increased onsite consulting activity
•  Launched our Kickstart consulting service


BUSINESS NEWS
•  Began FIPS 140-2 validation with wolfCrypt
ü  Federal Information Processing Standard
ü  NIST Publication 140-2
ü  Requires additional documentation, power-on self tests, etc.


BUSINESS NEWS
•  Moved to Zendesk to better handle customer support


THANKS!
WOLFSSL

CHRIS CONLON

in fo @wo lfssl .com

chris@wolfssl.com

+1 (425) 245 - 8247


wolfSSL Year In Review, 2013

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (10)

Similaire à wolfSSL Year In Review, 2013

Similaire à wolfSSL Year In Review, 2013 (20)

Dernier

Dernier (20)

wolfSSL Year In Review, 2013