The Importance of Security
At NetBurner, we pride ourselves on providing the hardware, software, and tools that enable engineers worldwide to accelerate their product design and development process. As the IoT and embedded systems industries continue to explode, an increasingly important aspect of the support and service we provide revolves around providing security libraries that you can use to keep your precious products and systems safe and secure.
That is a responsibility that we take very seriously. In order to stay up to date with the latest ciphers and security protocols, we are proud to announce that we have incorporated wolfSSL as a standard offering in our NNDK tools. It is already available in our NNDK 3.3 tools, and we are presently migrating support to our NNDK 2.9.x tools.
As you can imagine, integrating a new SSL/TLS security library into an existing software suite is a significant undertaking. “Why,” you might be asking, “would you do such a thing if what you have already works?” That is an excellent question, and we’re glad you asked! Migrating from our previous security library to wolfSSL has allowed us to provide several significant benefits. These range from immediately improving our capabilities to laying the foundation for future updates.
Let’s take a moment to run through the list, shall we?
SSL/TLS and SSH Security Suite Now Free with Development Kits
We want to encourage good security practices when making design decisions, and a large part of that is making it as easy and accessible as possible for you to do so. To give you a boost in the right direction, we are now including the SSL/TLS and SSH Security Suite with all development kits at no extra cost.
Starting with NNDK 3.3 and our soon-to-be-released NNDK 2.9.3, it will be installed automatically with our tools. For previous versions, contact sales for a key that can be used during the installation process to get access. Please note that this doesn’t mean all platforms are able to support SSL/TLS and SSH. See our development kit comparison for details.
Session Resumption with Session Tickets
In our first homegrown implementation of SSL/TLS way back when, we implemented support for session tickets. Unfortunately, in moving to a third-party solution, we ended up losing that feature (though we retained support for session IDs). With our move to wolfSSL, we have thankfully regained it, and are excited to deliver it to your waiting arms.
It’s also worth mentioning that session tickets are supported for both client and server applications. Regardless of which side of the connection your device happens to be sitting on, you’ll be covered.
Support for Server-Side Peer Verification
We have long supported client-side peer verification in our SSL/TLS library. Up until this point, unfortunately, the server side of the connection had been left out of the loop. We’re happy to announce that with the migration to wolfSSL, that’s all changed. Server-side peer verification is officially supported in NNDK 3.3, and will be as well in 2.9.3. Now regardless of their role in your design, your applications will know who they’re talking to.
Faster Key Generation for Onboard Certificate Generation
As if having the ability to generate a self-signed certificate on your device wasn’t enough, now it can happen even more quickly. Below we have a table comparing key generation times on both the MOD5441X and the MODM7AE70 for RSA and ECC. When it comes to ECC, the times are neck and neck, but when it comes to RSA keys, wolfSSL wins hands down.
|Platform|Library|RSA 1024|RSA 2048|RSA 4096|ECC (256)|
Easier To Work With Certificate Authority (CA) Lists
Previously, due to the constraints of the library we were using, changes to the device’s certificate authority list required a restart of the module before they would take effect. Now, wolfSSL gives us the flexibility to change a certificate authority list dynamically at runtime (though it will only take effect for new connections). We have added several new function calls to facilitate this feature:
SSL_AddCertToClientCaList() // Adds a certificate to the client’s CA list
SSL_AddCertToServerCaList() // Adds a certificate to the server’s CA list
SSL_ClearClientCaList() // Clears all certificates for the client’s CA list
SSL_ClearServerCaList() // Clears all certificates for the server’s CA list
It is still possible to set them through calls to SSL_connect(). However, because they previously referenced objects that were tied to the underlying library directly, their signatures have been altered to use parameters that are library agnostic. Additionally, the following functions used to set the certificate authority lists were removed as they also relied on specific library objects that are no longer available.
Support for DER Encoded Certificates
Previous versions of our library required that you store certificates and keys in PEM format. However, now you can additionally store them as DER encoded, which is a binary format.
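When both encodings can sit in device storage, it helps to confirm which one a buffer holds before handing it to the TLS library. The following is an added example, not NetBurner or wolfSSL code: the names `classify`, `pem_to_der` and `der_total_len` are hypothetical, and the sample bytes are constructed stand-ins for a real certificate.

```c
#include <stddef.h>
#include <string.h>
enum cert_fmt { FMT_UNKNOWN, FMT_PEM, FMT_DER };

/* Constructed sample: SEQUENCE { INTEGER 5 }, a stand-in for a real certificate. */
const unsigned char SAMPLE_DER[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";

/* Size of the outer DER SEQUENCE (header + content), or 0 if malformed. */
static size_t der_total_len(const unsigned char *b, size_t n) {
    if (n < 2 || b[0] != 0x30) return 0;            /* must start with SEQUENCE */
    if (b[1] < 0x80) return 2 + (size_t)b[1];       /* short-form length */
    size_t k = b[1] & 0x7F, len = 0;                /* long form: k length octets */
    if (k == 0 || k > 3 || n < 2 + k) return 0;     /* 0x80 (indefinite) is BER only */
    for (size_t i = 0; i < k; i++) len = (len << 8) | b[2 + i];
    if (len < 0x80 || b[2] == 0) return 0;          /* DER demands minimal length */
    return 2 + k + len;
}

/* PEM if it opens with the armor header, DER if one SEQUENCE spans the buffer. */
enum cert_fmt classify(const unsigned char *b, size_t n) {
    size_t t = der_total_len(b, n);
    if (n >= 11 && memcmp(b, "-----BEGIN ", 11) == 0) return FMT_PEM;
    return (t != 0 && t == n) ? FMT_DER : FMT_UNKNOWN;
}

static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode the first PEM block into out; returns the DER length, 0 on error. */
size_t pem_to_der(const char *pem, unsigned char *out, size_t cap) {
    const char *p = strstr(pem, "-----BEGIN "), *end = strstr(pem, "-----END ");
    unsigned acc = 0; int bits = 0; size_t o = 0, t;
    if (!p || !end || !(p = strchr(p, '\n')) || p > end) return 0;
    for (; p < end; p++) {
        int v = b64val((unsigned char)*p);
        if (v < 0) continue;                        /* skips newlines and '=' */
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits < 8) continue;
        if (o == cap) return 0;                     /* caller's buffer too small */
        bits -= 8; out[o++] = (unsigned char)(acc >> bits);
    }
    t = der_total_len(out, o);
    return (t != 0 && t == o) ? o : 0;
}
```

The check covers only the outer framing: a buffer that passes is a well-formed DER SEQUENCE of the right length, not necessarily a valid or trusted certificate.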
Laying Groundwork for Future Improvements
wolfSSL has a strong commitment to continually developing and testing its products. As security practices and needs evolve, wolfSSL is consistently at the forefront of integrating the newest supported ciphers and protocols, as well as planning for the future by laying the groundwork for anticipated improvements.
Some of these are already available, and we plan to integrate them into our system soon. These include TLS v1.3 and DTLS, which provides encryption for the UDP protocol. Future changes we are exploring include the option for Federal Information Processing Standards (FIPS) validation, and a quantum-safe handshake (QSH) extension. You can find more information on these on the wolfSSL website.
We’re extremely excited about the new changes to our Embedded IoT Security Suite and where we’re going in the future. The importance of security will only increase in the IoT and embedded space as more and more of our work, life, and play are put online. NetBurner is here to ease that burden for you as you design and build your next network-enabled project. If you have any questions or thoughts about security or our updates, please feel free to leave a comment below, or email us directly at firstname.lastname@example.org.