Requirement analysis Security techniques - UserXXX/vCom GitHub Wiki

This page gives an overview of the security techniques the application needs:

  • a secure connection between client and server
  • authenticated key agreement for keys obtained from the server (the client must be able to verify that a key really belongs to the claimed user and was not substituted by the server or a man in the middle)
  • encryption, signing / MAC and hashing of messages sent between users
  • efficient encryption of files (in addition to the points for messages)
  • encryption of archive files and key derivation from plain-text passwords
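The last two requirements (archive encryption with a key derived from a plain-text password), as an added example that is not part of the original page and is not vCom or wolfSSL code. It is written in Java against the JDK's standard providers (javax.crypto), because wolfSSL JNI as described below is a TLS wrapper rather than a raw-primitive API; the same construction maps directly onto the PBKDF2 and AES-GCM functions listed for wolfCrypt in section 1. The archive format tag, the field layout and the iteration-count bounds are this example's own assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example, not vCom or wolfSSL code: password -> PBKDF2-HMAC-SHA256 -> AES-256-GCM archive. */
public final class PasswordArchiveExample {
    static final byte[] MAGIC = {'V', 'C', 'A', '1'};   // hypothetical format tag, assumed for this example
    static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128;
    static final int HEADER_LEN = MAGIC.length + SALT_LEN + 4 + NONCE_LEN;
    static final int ITERATIONS = 600_000;               // tune so derivation takes ~0.5 s on the target device
    static final SecureRandom RNG = new SecureRandom();

    /** Stretch the password. A random per-archive salt defeats precomputed tables; the iteration
     *  count is what makes offline guessing expensive. */
    static byte[] deriveKey(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    /** Layout: MAGIC | salt | iterations (4 bytes, big-endian) | nonce | ciphertext | 16-byte GCM tag.
     *  The header is bound in as AAD, so a modified salt or iteration count fails authentication. */
    static byte[] encrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);                            // fresh nonce per encryption, never reused under one key
        byte[] header = ByteBuffer.allocate(HEADER_LEN).put(MAGIC).put(salt).putInt(ITERATIONS).put(nonce).array();
        byte[] key = deriveKey(password, salt, ITERATIONS);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
            c.updateAAD(header);
            byte[] body = c.doFinal(plaintext);
            return ByteBuffer.allocate(HEADER_LEN + body.length).put(header).put(body).array();
        } finally {
            Arrays.fill(key, (byte) 0);                  // do not leave key material lying around on the heap
        }
    }

    /** Throws AEADBadTagException on a wrong password or any tampering; no plaintext is released. */
    static byte[] decrypt(char[] password, byte[] archive) throws GeneralSecurityException {
        if (archive.length < HEADER_LEN + TAG_BITS / 8
                || !Arrays.equals(Arrays.copyOf(archive, MAGIC.length), MAGIC)) {
            throw new GeneralSecurityException("not a vCom archive");
        }
        ByteBuffer in = ByteBuffer.wrap(archive, MAGIC.length, HEADER_LEN - MAGIC.length);
        byte[] salt = new byte[SALT_LEN];
        in.get(salt);
        int iterations = in.getInt();
        // Bound the count before deriving: the AAD check only happens after PBKDF2 has run, so an
        // attacker-supplied huge count would otherwise be a cheap denial of service.
        if (iterations < 10_000 || iterations > 10_000_000) {
            throw new GeneralSecurityException("iteration count out of range");
        }
        byte[] nonce = new byte[NONCE_LEN];
        in.get(nonce);
        byte[] key = deriveKey(password, salt, iterations);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
            c.updateAAD(Arrays.copyOf(archive, HEADER_LEN));
            return c.doFinal(archive, HEADER_LEN, archive.length - HEADER_LEN);
        } finally {
            Arrays.fill(key, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] contents = "constructed archive contents".getBytes(StandardCharsets.UTF_8);  // constructed input
        byte[] archive = encrypt("correct horse battery staple".toCharArray(), contents);
        System.out.println(new String(decrypt("correct horse battery staple".toCharArray(), archive), StandardCharsets.UTF_8));
        try {
            decrypt("wrong password".toCharArray(), archive);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password: tag mismatch, nothing decrypted");
        }
    }
}
```

A wrong password surfaces as an authentication failure rather than as garbage plaintext, which is the behaviour the archive feature should rely on (no separate "is this the right password" check is needed or wanted). For large files the same construction should be applied per chunk, each chunk with its own nonce and its index in the AAD, so that a reader never acts on unauthenticated data and memory stays bounded; the JDK's GCM implementation otherwise buffers the whole input until the tag is verified.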

#Content

###1. Library
  • 1.1. wolfSSL
  • 1.2. wolfSSL JNI (wrapper)
  • 1.3. wolfCrypt
  • 1.4. General information
  • 1.5. Further reading

###2. Application
  • 2.1. Setup
  • 2.2. User and server identification
  • 2.3. Server-side security
  • 2.4. Client-side security
  • 2.5. Connecting to a server
  • 2.6. 1on1 communication
  • 2.7. Group communication
  • 2.8. Information & message storage
  • 2.9. Further reading

###3. Implementation
  • 3.1. Server
  • 3.2. Client

#1. Library

##1.1. wolfSSL

https://www.wolfssl.com/wolfSSL/Products-wolfssl.html

https://github.com/wolfssl/wolfssl

###wolfSSL Embedded SSL Library (formerly CyaSSL)

####GPLv2, Version 3.6.8, released 17.9.2015

###DESCRIPTION

Vendor description, quoted from the product page linked above:

The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set.

It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross platform support. wolfSSL supports industry standards up to the current TLS 1.2 and DTLS 1.2 levels, is up to 20 times smaller than OpenSSL, and offers progressive ciphers such as ChaCha20, Curve25519, NTRU, and Blake2b.

User benchmarking and feedback reports dramatically better performance when using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt library. A version of the wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate #2425). For additional information, see the wolfCrypt FIPS FAQ on the wolfSSL site.

####HIGHLIGHTS

-Up to TLS 1.2 and DTLS 1.2
-Full client and server support
-Progressive list of supported ciphers
-Key and Certificate generation
-OCSP, CRL support
-Support Available

####LIGHTWEIGHT

-Small Size: 20-100kB
-Runtime Memory: 1-36kB
-20X smaller than OpenSSL

####PORTABLE

-Abstraction Layers (OS, Custom I/O, Standard C library, and more)
-Simple API
-OpenSSL Compatibility Layer
-Long list of supported platforms

###Features

•SSL version 3.0 and TLS versions 1.0, 1.1 and 1.2 (client and server). SSL 3.0 is deprecated (RFC 7568) and must stay disabled in the application; TLS 1.2 is the version to require.

•DTLS 1.0, 1.2 support (client and server)

•Minimum footprint size of 20-100 kB, depending on build options and operating environment

•Runtime memory usage between 1-36 kB (depending on I/O buffer sizes, public key algorithm, and key size)

•OpenSSL compatibility layer

•OCSP and CRL support

•Multiple Hashing Functions: MD2, MD4, MD5, SHA-1, SHA-2 (SHA-256, SHA-384, SHA-512), BLAKE2b, RIPEMD-160; the vendor also lists Poly1305 here, which is a one-time authenticator (MAC), not a hash. MD2, MD4, MD5 and SHA-1 are included for compatibility only and must not be used for new signatures or integrity checks.

•Block, Stream, and Authenticated Ciphers: AES (CBC, CTR, GCM, CCM), Camellia, DES, 3DES, ARC4, RABBIT, HC-128, ChaCha20. For the application, only the authenticated modes (AES-GCM, AES-CCM) should be used for messages and files, since they cover the encryption and the MAC requirement in one step; DES and ARC4 (RC4) are broken and must stay disabled.

•Public Key Options:
RSA, DSS, DH, EDH, NTRU

•Password-based Key Derivation:
HMAC, PBKDF2, PKCS#5

•ECC Support ECDH-ECDSA, ECDHE-ECDSA, ECDH-RSA,ECDHE-RSA

•RSA Key Generation

•Curve25519 and Ed25519 at wolfCrypt level

•Client authentication support

•PSK Pre-Shared Keys

•Simple API

•Persistent session and certificate cache

•zlib compression support

•Interchangeable crypto and certificate libraries

•PEM and DER certificate support

•x509 v3 RSA and ECC Signed Certificate Generation

•PKCS #7 - Cryptographic Message Syntax (CMS)

•PKCS #10 - Certificate Signing Request (CSR)

•PKCS #8, #5, #12 Private Key Encryption

•Supported TLS Extensions: SNI (Server Name Indication), Maximum Fragment Length, Truncated HMAC, Supported Elliptic Curves

•Certificate Manager

•QSH (quantum-safe handshake) extension

•SRP (Secure Remote Password)

•Hardware Cryptography Support: Intel AES-NI, Cavium NITROX, STM32F2/F4 hardware crypto, Freescale CAU / mmCAU / SEC, Microchip PIC32MZ

•SSL Sniffer (SSL Inspection) Support

•IPv4 and IPv6 support

•Abstraction Layers / User Callbacks: C Standard Library, Custom I/O, Memory hooks, Logging callbacks, User Atomic Record Layer Processing, Public Key

•yaSSL Embedded Web Server support (see yaSSL EWS)

•MySQL integration

•Lighttpd, GoAhead, Mongoose web server support

•stunnel support

•OpenSSH support
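The Curve25519, Ed25519 and AES-GCM entries above are the building blocks for requirements 2 and 3 at the top of the page: authenticated key agreement, then encryption and authentication of 1on1 messages. The following is an added example, not code from vCom or from wolfSSL. It uses the JDK's standard providers (java.security / javax.crypto, JDK 15 or newer for Ed25519) so the construction can be read independently of the library decision; the same primitives exist in wolfCrypt. It assumes the server distributes each user's long-term Ed25519 identity public key and that its fingerprint has been verified out of band; the KDF labels, the wire format and the use of the sender id as AAD are this example's own choices.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not vCom/wolfSSL code): Ed25519-signed X25519 agreement, HMAC KDF, AES-256-GCM. JDK 15+. */
public final class SignedKeyAgreementExample {
    /** One participant; the Ed25519 identity public key is what the server hands out (fingerprint check assumed done). */
    static final class Party {
        final String id;
        final KeyPair identity;     // long-term Ed25519 pair; the private half never leaves the device
        KeyPair ephemeral;          // fresh X25519 pair per session, which gives forward secrecy
        byte[] sendKey, recvKey;    // one AES-256 key per direction
        long sendCounter = 0;       // GCM nonce counter; a nonce must never repeat under one key

        Party(String id) throws GeneralSecurityException {
            this.id = id;
            this.identity = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        }
        /** Step 1: generate the ephemeral key and publish its DER (SubjectPublicKeyInfo) encoding. */
        byte[] ephemeralPublic() throws GeneralSecurityException {
            ephemeral = KeyPairGenerator.getInstance("X25519").generateKeyPair();
            return ephemeral.getPublic().getEncoded();
        }
        /** Step 2: sign (own ephemeral || peer ephemeral) with the identity key. */
        byte[] sign(byte[] myEph, byte[] peerEph) throws GeneralSecurityException {
            Signature s = Signature.getInstance("Ed25519");
            s.initSign(identity.getPrivate());
            s.update(concat(myEph, peerEph));
            return s.sign();
        }
        /** Step 3: verify the peer's signature BEFORE the DH; without it a malicious server can swap keys. */
        void finish(byte[] myEph, byte[] peerEph, byte[] peerSig, PublicKey peerIdentity, boolean initiator)
                throws GeneralSecurityException {
            Signature v = Signature.getInstance("Ed25519");
            v.initVerify(peerIdentity);
            v.update(concat(peerEph, myEph));            // exactly the bytes the peer signed
            if (!v.verify(peerSig)) throw new GeneralSecurityException("peer signature invalid, aborting");
            PublicKey peerPub = KeyFactory.getInstance("X25519").generatePublic(new X509EncodedKeySpec(peerEph));
            KeyAgreement ka = KeyAgreement.getInstance("X25519");
            ka.init(ephemeral.getPrivate());
            ka.doPhase(peerPub, true);
            byte[] shared = ka.generateSecret();        // 32 bytes; the JDK rejects an all-zero result
            // Directional keys from DH output + transcript: the raw DH output is never used as a key directly.
            byte[] init = initiator ? myEph : peerEph, resp = initiator ? peerEph : myEph;
            byte[] kInitToResp = kdf(shared, "vcom key init->resp", concat(init, resp));
            byte[] kRespToInit = kdf(shared, "vcom key resp->init", concat(init, resp));
            sendKey = initiator ? kInitToResp : kRespToInit;
            recvKey = initiator ? kRespToInit : kInitToResp;
            Arrays.fill(shared, (byte) 0);
        }
        /** Wire format: 12-byte nonce || ciphertext || 16-byte GCM tag; the sender id is bound in as AAD. */
        byte[] encrypt(String plaintext) throws GeneralSecurityException {
            byte[] nonce = ByteBuffer.allocate(12).putInt(0).putLong(sendCounter++).array();
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(sendKey, "AES"), new GCMParameterSpec(128, nonce));
            c.updateAAD(id.getBytes(StandardCharsets.UTF_8));
            return concat(nonce, c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
        }
        /** Throws AEADBadTagException if ciphertext, tag, nonce or the claimed sender was altered. */
        String decrypt(byte[] wire, String senderId) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(recvKey, "AES"), new GCMParameterSpec(128, Arrays.copyOfRange(wire, 0, 12)));
            c.updateAAD(senderId.getBytes(StandardCharsets.UTF_8));
            return new String(c.doFinal(wire, 12, wire.length - 12), StandardCharsets.UTF_8);
        }
    }

    static byte[] concat(byte[] a, byte[] b) {
        return ByteBuffer.allocate(a.length + b.length).put(a).put(b).array();
    }
    /** HMAC-SHA256 as a KDF (HKDF-extract style); the label separates the two directions. */
    static byte[] kdf(byte[] secret, String label, byte[] context) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        mac.update(label.getBytes(StandardCharsets.UTF_8));
        mac.update(context);
        return mac.doFinal();                           // 32 bytes = one AES-256 key
    }

    public static void main(String[] args) throws Exception {
        Party alice = new Party("alice"), bob = new Party("bob");
        byte[] aEph = alice.ephemeralPublic();          // msg 1: alice -> bob
        byte[] bEph = bob.ephemeralPublic();            // msg 2: bob -> alice, together with bSig
        byte[] bSig = bob.sign(bEph, aEph);
        byte[] aSig = alice.sign(aEph, bEph);           // msg 3: alice -> bob
        alice.finish(aEph, bEph, bSig, bob.identity.getPublic(), true);
        bob.finish(bEph, aEph, aSig, alice.identity.getPublic(), false);
        byte[] wire = alice.encrypt("hello bob");
        System.out.println(bob.decrypt(wire, "alice"));
        wire[wire.length - 1] ^= 1;                     // constructed tampering: flip one tag bit
        try { bob.decrypt(wire, "alice"); }
        catch (AEADBadTagException e) { System.out.println("tampered message rejected"); }
    }
}
```

The signature over both ephemeral keys is what turns plain Diffie-Hellman into an authenticated key agreement: the server relays the ephemeral keys but cannot replace them without also forging an Ed25519 signature, which it cannot do without the user's identity private key. What the example leaves out, and the design in section 2 still has to cover, are replay and reordering detection on the receiving side (a receive counter checked against the nonce), key rotation for long sessions, and the group case, where one pairwise key per member or a separately distributed group key is needed.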

##1.2. wolfSSL JNI (wrapper)

https://www.wolfssl.com/wolfSSL/Products-wolfssljni.html

###wolfSSL JNI (wrapper)

####Version 1.2.0, released 6.2.2015

###Description

Vendor description, quoted from the product page linked above:

For Java developers that want to leverage the industry-leading wolfSSL SSL/TLS implementation (formerly CyaSSL) for secure communication, wolfSSL JNI provides an interface to give Java applications support for the current SSL/TLS standards up to TLS 1.2 and DTLS 1.2.

wolfSSL JNI, backed by wolfSSL, provides current industry protocol standards, offers progressive ciphers, and gives applications flexibility over controlling their secure connection.

Existing Java implementations lack support for DTLS. wolfSSL JNI provides full DTLS 1.0 and 1.2 support.

####HIGHLIGHTS

-Up to TLS 1.2 and DTLS 1.2
-Full client and server support
-Progressive list of supported ciphers
-OCSP, CRL support
-Support Available

####FLEXIBILITY

-Several callbacks make integration into existing applications easy
-Gives applications complete control over secure connection.

####TIME-SAVING

-Eliminates need to write custom JNI
-Based on industry-leading wolfSSL
-Includes support for Android NDK

###Features

•SSL version 3.0 and TLS versions 1.0, 1.1 and 1.2 (client and server); as for the C library, SSL 3.0 is deprecated and must be left disabled

•DTLS 1.0, 1.2 support (client and server)

•Minimum footprint size of 20-100 kB, depending on build options and operating environment

•Runtime memory usage between 1-36 kB (depending on I/O buffer sizes, public key algorithm, and key size)

•OpenSSL compatibility layer

•OCSP and CRL support

•Multiple Hashing Functions: MD2, MD4, MD5, SHA-1, SHA-2, SHA-256, SHA-384, SHA-512, RIPEMD-160

•Block, Stream, and Authenticated Ciphers: AES (CBC, CTR, GCM, CCM), Camellia, DES, 3DES, ARC4, RABBIT, HC-128

•Public Key Options:
RSA, DSS, DH, EDH, NTRU

•Password-based Key Derivation:
HMAC, PBKDF2, PKCS#5

•ECC Support ECDH-ECDSA, ECDHE-ECDSA, ECDH-RSA, ECDHE-RSA

•RSA Key Generation

•Client authentication support

•PSK Pre-Shared Keys

•Simple API

•Persistent session and certificate cache

•zlib compression support

•Interchangeable crypto and certificate libraries

•PEM and DER certificate support

•x509 v3 Signed Certificate Generation

•SNI (Server Name Indication) support

•Certificate Manager

•Intel AES-NI support

•STM32F2/F4 hardware crypto support

•Cavium NITROX support

•SSL Sniffer (SSL Inspection) Support

•IPv4 and IPv6 support

•Abstraction Layers / User Callbacks: C Standard Library, Custom I/O, Memory hooks, Logging callbacks, User Atomic Record Layer Processing, Public Key

•PKCS #8, #5, #12 Private Key Encryption

•yaSSL Embedded Web Server support (see yaSSL EWS)

•MySQL integration

•Lighttpd, GoAhead, Mongoose web server support

•stunnel integration

##1.3. wolfCrypt

https://www.wolfssl.com/wolfSSL/Products-wolfcrypt.html

###wolfCrypt Embedded Crypto Engine

###DESCRIPTION

Vendor description, quoted from the product page linked above:

The wolfCrypt cryptography engine is a lightweight crypto library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments - primarily because of its small size, speed, and feature set.

It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross platform support. wolfCrypt supports the most popular algorithms and ciphers as well as progressive ones such as HC-128, RABBIT, and NTRU.

wolfCrypt is stable, production-ready, and backed by an excellent support team. It is used in millions of applications and devices worldwide.

A version of the wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate #2425). For additional information, see the wolfCrypt FIPS FAQ on the wolfSSL site.

####HIGHLIGHTS

-ECC, up to 521 bit
-Hash-based PRNG
-AES-NI, Cavium, STM32
-Progressive list of supported ciphers
-Key and Certificate generation
-Support Available

####LIGHTWEIGHT

-Small footprint size
-Low runtime memory

####PORTABLE

-Simple and Clean API
-H/W crypto support (AES-NI, Cavium, STM32)
-Custom Memory Hooks
-Modular Design
-Assembly Optimizations

###Features

•Multiple Hashing Functions: MD2, MD4, MD5, SHA-1, SHA-2 (SHA-256, SHA-384, SHA-512), SHA-3, RIPEMD-160

•Block, Stream, and Authenticated Ciphers:
AES (CBC, CTR, GCM, CCM), Camellia, DES, 3DES, ARC4, RABBIT, HC-128

•Public Key Options:
RSA, DSS, DH, EDH, NTRU

•Password-based Key Derivation:
HMAC, PBKDF2, PKCS#5

•ECC Support (up to 521-bit) ECDH-ECDSA, ECDHE-ECDSA, ECDH-RSA, ECDHE-RSA

•Hash-based PRNG

•X.509 Encoding / Decoding

•Simple API

•RSA and ECC Key Generation

•x509 v3 Signed Certificate Generation

•PKCS #1, #5, #8, #12 Private Key Encryption

•Assembly Optimizations

•Custom Memory Hooks

•Easily ties in to Hardware-based RNG solutions

•Intel AES-NI support

•STM32F2/F4 hardware crypto support

•Cavium NITROX support

•OpenSSL compatibility layer

##1.4. General information

###Supported Operating Environments

•Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/µITRON, Micrium's µC/OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, ARC MQX, TI-RTOS


Downloading the wolf products from the vendor site requires filling in a contact form (company, position, phone, etc.) and accepting the license agreement (GPL); the source is also available from the GitHub repository linked in 1.1.

##1.5. Further reading

Further reading: https://www.wolfssl.com/wolfSSL/Docs.html

A possible alternative might be http://www.cryptlib.com, but the information available so far does not allow a well-grounded decision.

#2. Application

##2.1. Setup

###2.1.1. Server

tbd

###2.1.2. Client

tbd

##2.2. User and server identification

tbd

##2.3. Server-side security

tbd

##2.4. Client-side security

tbd

##2.5. Connecting to a server

tbd

##2.6. 1on1 communication

tbd

##2.7. Group communication

tbd

##2.8. Information & message storage

tbd

##2.9. Further reading

https://support.1password.com

http://blog.cryptographyengineering.com/2015/09/lets-talk-about-imessage-again.html

http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html

http://www.certificate-transparency.org

https://threema.ch/de

https://en.wikipedia.org/wiki/Database_security

#3. Implementation

##3.1. Server

tbd

##3.2. Client

tbd