MatrixSSL and MatrixDTLS are embedded TLS / DTLS libraries providing robust security and outstanding performances.
It was first released in 2004 to provide secure connectivity to devices with a small memory footprint, and has evolved to also serve networking device requiring top performance. MatrixSSL is a lean and efficient C source code that is easy to integrate, and where bugs have few places to hide. With no known security issues, an extensive implementation of TLS protocol and a FIPS certified cryptographic module, MatrixSSL is the SDK to look at to replace RSA/BSAFE or OpenSSL.
Low memory footprint
MatrixSSL and DTLS stacks, are modular source code implementations ideally suited for IoT usage due to their minimum memory footprint (<50KB) and efficient memory utilization (4KB per connection).
MatrixSSL Tiny, a PSK only version, demanding less than 10KB of flash memory and 600bytes of RAM, can even be used on the most limited 8-bit micro-processors.
High performance and scalability
Due to its compact design, MatrixSSL is scaling very well. It is more memory and CPU efficient than competing solutions, including those based on OpenSSL.
With true multi-threading, zero-copy processing and an asynchronous API for hardware integration, MatrixSSL is ideally suited to securing cloud access. It is integrated with network processors like Cavium Octeon and TILE-Gx, and support AES-NI to provide excellent performance on x86 architectures.
MatrixSSL-based customer solutions have achieved over 42 GBs of TLS throughput, 50,000 Handshakes per second for session setups, and 460,000 active sessions.
MatrixSSL has implemented the best practice from NIST Special Publication 800-52r1. For full compliance, MatrixSSL is available with FIPS validated SafeZone cryptographic module (certificate #2389)
MatrixSSL has not been affected by highly publicized vulnerabilities (e.g. Heartbleed, POODLE, FREAK, DROWN) found in OpenSSL.
MatrixSSL is fully downloadable under a dual licensing model: GNU Public License and a Standard Commercial license. The dual license means that one can easily evaluate the library for free, but that for commercial usage without the GPL constraints, one should acquire a license by contacting Inside Secure.
The open source package can be downloaded from: www.matrixssl.org/download
- < 50KB total footprint with crypto provider and certificates
- TLS 1.0, 1.1, 1.2 and DTLS1.0, 1.2 server and client support
- Included crypto library - RSA, ECC, 3DES, AES, ARC4, SHA1, SHA2, MD5
- Assembly language optimizations for Intel, ARM and MIPS
- Session re-keying and cipher renegotiation
- Full support for session resumption/caching
- Server and client X.509 certificate chain authentication
- Parsing of X.509 .pem and ASN.1 DER certificate formats
- PKCS#1.5, PKCS#5 PKCS#8 and PKCS#12 support for key formatting
- RSASSA-PSS Signature Algorithm support
- OCSP and Certificate Revocation List (CRL) support
- CMS and PKCS#10 support (commercial license only)
- OpenSSL Crypto integration providing high performance on certain platforms (e.g. CAVIUM Octeon)
- Fully cross platform, portable codebase; minimum use of system calls
- Pluggable cipher suite interface
- Pluggable crypto provider interface
- Pluggable operating system and malloc interface
- Multithreading optional
- Only a handful of external APIs, all non-blocking
- Example client and server code included
- Clean, heavily commented code in portable C
- User and developer documentation
Available from separate products:
- Ultra low memory footprint: < 10KB total footprint with PSK only (MatrixSSL Tiny)
- FIPS140-2 certification using SafeZone FIPS cryptographic module integration (SafeZone FIPS Security SDK)
- SSH command line support (MatrixSSH)
- Passive mode interceptor for SSL visibility (MatrixSSL Interceptor)
MatrixSSL is based on the following standards:
- RFC 2246 The Transport Layer Security (TLS) Protocol Version 1.0.
- RFC 3749 Transport Layer Security Protocol Compression Methods
Supported. Disabled by default due to security issues.
- RFC 4162 Addition of SEED Cipher Suites to Transport Layer Security (TLS)
Supported. Disabled by default at compile time.
- RFC 4279 Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
- RFC4346 The Transport Layer Security (TLS) Protocol Version 1.1.
- RFC 4347 Datagram Transport Layer Security (DTLS) Version 1.0
- RFC 4492 Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)
Supported Elliptic Curves: secp192r1, secp224r1, secp256r1, secp384r1, secp521r1
Supported Point Formats: uncompressed
- RFC5077 Transport Layer Security (TLS) Session Resumption without Server-Side State
- RFC5246 The Transport Layer Security (TLS) Protocol Version 1.2.
- RFC 5288AES Galois Counter Mode (GCM) Cipher Suites for TLS
- RFC 5289 TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)
- RFC 5430 Suite B Profile for Transport Layer Security (TLS)
- RFC 5487 Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode
- RFC 5746 Transport Layer Security (TLS) Renegotiation Indication Extension
- RFC 6066 Transport Layer Security (TLS) Extensions: Extension Definitions
Supported: server_name, max_fragment_length, trusted_ca_keys, truncated_hmac, status_request (OCSP Client)
- RFC 6176 Prohibiting Secure Sockets Layer (SSL) Version 2.0
- RFC 6347Datagram Transport Layer Security Version 1.2
- RFC 7027 Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)
Supported Curves: brainpoolP224r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1
- RFC 7301 Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension
- RFC 7457 Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)
- RFC 7465 Prohibiting RC4 Cipher Suites
- RFC 7525 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
- RFC 7568 Deprecating Secure Sockets Layer Version 3.0
- RFC 7627Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
- RFC 7925 TLS/DTLS Profiles for the Internet of Things
- RFC 7905 ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
- RFC 7918 Transport Layer Security (TLS) False Start
Disabled by default due to security concerns.
MatrixSSL has been ported to operating systems including FreeRTOS, Bare Metal, eCos, VxWorks, uClinux, eCos, FreeRTOS, ThreadX, WindowsCE, PocketPC, Palm, pSOS, SMX, BREW, MacOS X, Linux and Windows.
Ported hardware platforms include ARM, MIPS32, PowerPC, H-8, SH3, i386 and x86-64. TILE-Gx, CAVIUM Octeon