Product of the Week: wolfSSL’s wolfCrypt FIPS 140-3 Ready Library
March 14, 2021
Are your systems secured to FIPS 140-2? Do you want the good news or the bad news first?
The bad news is that FIPS 140-2 has been superseded. The good news is that wolfSSL’s wolfCrypt crypto library has been validated to FIPS 140-3.
The Federal Information Processing Standard (FIPS), first issued in 1994, is a standard for approving cryptographic modules that are used by U.S. government agencies and any organizations that work with them. Now, more than 25 years later, the FIPS standard has been updated for a second time to FIPS 140-3 to incorporate refreshes in underlying ISO/IEC standards. As a result, government agencies and contractors must begin the transition to FIPS 140-3-validated components.
The FIPS Ready version of the wolfSSL wolfCrypt lightweight embedded crypto engine is provided as cryptography-layer code in the wolfSSL source tree. This provides all the components required for an organization to achieve FIPS approval and receive a FIPS validation certificate in their upcoming or existing system designs.
The lightweight, C-based wolfCrypt library includes hashes, ciphers, and encryption algorithms such as:
- Hashes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, BLAKE2b, etc.
- Authentication Ciphers: AES, DES, ARC4, ChaCha20, etc.
- Public Key Algorithms: RSA, DSS, ECDH-ECDSA, NTRU, etc.
Other features of the wolfCrypt FIPS Ready module include TLS 1.3 algorithm support, status as a validated entropy source, and support for extensible hardware encryption for via instructions like AES-NI.
The FIPS Ready wolfCrypt module has completed the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP). Because the wolfCrypt encryption engine serves as the foundation for many other wolfSSL products, components like wolfSSH, wolfMQTT, wolfBoot, and more are also ready for FIPS 140-3 validation.
wolfSSL FIPS Ready wolfCrypt Library in Action
The updated FIPS 140-3 standard was primarily driven by additions and changes to ISO 19790:2012 (security requirements for cryptographic modules) and ISO 24759:2017 (testing requirements for cryptographic modules). wolfSSL subsequently made changes to its FIPS 140-2-validated wolfCrypt offering to bring it in line with the requirements of FIPS 140-3, which included:
- Removed support for 3DES
- Added TLS 1.2, TLS 1.3, and SSH KDF support
- Added 4096-bit RSA support
- Added KAS_ECC_SSC and KAS_FFC_SSC support
- Added ECDSA with SHA3 hash support
- Improved boot times with on-use-only known answer tests
- Streamlined CAST testing
- And more
The wolfSSL source tree, which contains the FIPS Ready code inherent in the FIPS 140-3-validated wolfCrypt module, was designed to be integrated into systems as a mechanism of ensuring it operates according to FIPS-enforced best practices related to default entry point and power-on self-test. The module also supports API calls for approved security functions and services such as symmetric encryption/decryption, keyed hashes, random number generation, digital signatures, message digest, key generation, key agreement, DSA keys, key transport, and others.
As a result of the aforementioned upgrades and flexibility of the software package, the module can be used as a FIPS-compliant, drop-in replacement for OpenSSL engines.
Getting Started with the wolfSSL FIPS Ready wolfCrypt Library
The open-source, dual-licensed FIPS Ready wolfCrypt Library can be downloaded from www.wolfssl.com/download. Once downloaded, wolfSSL’s FIPS Ready User Guide provides an easy, six-step process for installing and building the wolfSSL FIPS Ready library and headers into an application.
More information on wolfCrypt FIPS Ready can be found on the wolfSSL website or in the resources below.
wolfCrypt Embedded Crypto Library Product Page: www.wolfssl.com/products/wolfcrypt-2
- wolfCrypt FIPS 140-2 and 140-3 Explainer: www.wolfssl.com/license/fips
- wolfSSL FIPS Ready Users Guide: www.wolfssl.com/docs/fips-ready-user-guide