TLS Toolkit 4.0

The Rambus TLS Toolkit (formerly known as MatrixSSL from Inside Secure) is a TLS protocol implementation in the C language with minimal system dependencies, making it easily portable to any platform. Rambus’ TLS Toolkit powers millions of products ranging from embedded devices with lightweight capabilities to high-end network equipment.

Complete, compact and portable

Delivered in clear, readable, cross-platform and well documented C source code optimized for size and performance

TLS 1.3 protocol

TLS Toolkit is quick to adopt the latest IETF specifications

Robust security

TLS Toolkit is available with FIPS 140-2 validated Rambus Crypto Modules

How the TLS Toolkit works

The TLS Toolkit provides secure connectivity to devices with a small memory footprint. It has evolved to also serve networking devices requiring the highest levels of performance. TLS Toolkit is a lean and efficient C source code SDK that is easy to integrate, and is the SDK to replace RSA BSAFE or OpenSSL.

With clear and well documented source code, integration is faster and smoother than alternatives. Further simplifying and accelerating integration, Rambus offers developer-level support. The TLS Toolkit has always been quick to adopt the latest TLS specifications. The standard TLS Toolkit can be configured to a minimal code footprint of 66 KB (PSK). Manual optimization can further reduce the code footprint to meet the needs of memory-constrained devices.

For applications that require FIPS validation, TLS Toolkit is also offered with a state-of-the-art FIPS 140-2 validated crypto module, which has been deployed in hundreds of millions of devices. For applications switching from OpenSSL, a compatibility layer is provided to ease and accelerate migration to the Rambus TLS Toolkit.

The CryptoManager Root of Trust

Built around a custom RISC-V CPU, the Rambus CryptoManager Root of Trust (CMRT) is at the forefront of a new category of programmable hardware-based security cores. Siloed from the primary processor, it is designed to securely run sensitive code, processes and algorithms. More specifically, the CMRT provides the primary processor with a full suite of security services, such as secure boot and runtime integrity, remote attestation and broad crypto acceleration for symmetric and asymmetric algorithms.

Solution Offerings

  • Supports the latest TLS specifications: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3, DTLS 1.0, DTLS 1.2
  • Supports server and client roles
  • Crypto library included supporting all major algorithms
    • Ciphersuites
        • AES 128/256 GCM with SHA256/384
        • CHACHA20 POLY1305 with SHA256 
    • Key exchange modes
        • DHE (ffdhe2048, ffdhe3072, ffdhe4096)
        • ECDHE (P-256, P-384, P-521, Curve25519) 
        • PSK and PSK with DHE and ECDHE
    • Signature algorithms
        • ECDSA (P-256, P-384, P-521)
        • Ed25519
        • RSASSA-PSS, RSA PKCS #1 v1.5 (certificates only)
  • Available with FIPS 140-2 validated Rambus Crypto Module
  • Pluggable crypto provider interface
  • Pluggable operating system and malloc interface
  • Standards-compliant, with proven interoperability
  • Portable on any platform, minimum use of system calls
  • Better alternative to OpenSSL and RSA BSAFE
  • Available with an OpenSSL compatibility layer
  • Small footprint and optimized performance for IoT devices
  • Delivered in clear, readable, cross-platform, well documented and commented C source code
  • Developer level support available
  • Less than 50 KB total footprint with crypto provider and certificates
  • Less than 10 KB total footprint with PSK only (tiny version)
  • Assembly language optimizations for Intel, ARM and MIPS platforms
  • Deployed on Bare Metal, FreeRTOS, eCos, VxWorks, uClinux, ThreadX, PocketPC, Palm, pSOS, SMX, BREW, MacOS X and Linux.
  • Used on hardware platforms including ARM, MIPS32, PowerPC, H-8, SH3, i386, x86-64, TILE-Gx and Cavium Octeon
  • Support for asynchronous crypto hardware
  • Fully cross platform, portable codebase; minimum use of system calls
  • Pluggable cipher suite interface
  • TCP/IP optional
  • Multi-threading optional
  • Only a handful of external APIs, all non-blocking
  • Example client and server code included
  • Clean, heavily-commented portable C code
  • RFC 2246 The Transport Layer Security (TLS) Protocol Version 1.0: Supported
  • RFC 3274 Compressed Data Content Type for Cryptographic Message Syntax (CMS): Supported with commercial license
  • RFC 4279 Pre-Shared Key Ciphersuites for Transport Layer Security (TLS): Supported
    • TLS_DHE_PSK_WITH_AES_256_CBC_SHA
    • TLS_DHE_PSK_WITH_AES_128_CBC_SHA
    • TLS_PSK_WITH_AES_256_CBC_SHA
    • TLS_PSK_WITH_AES_128_CBC_SHA
  • RFC 4346 The Transport Layer Security (TLS) Protocol Version 1.1: Supported
  • RFC 4347 Datagram Transport Layer Security (DTLS) Version 1.0: Supported
  • RFC 4492 Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS): Supported 
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    • Supported Elliptic Curves: secp192r1, secp224r1, secp256r1, secp384r1, secp521r1
    • Supported Point Formats: uncompressed
  • RFC 5077 Transport Layer Security (TLS) Session Resumption without Server-Side State: Supported (Session Tickets).
  • RFC 5083 Cryptographic Message Syntax (CMS) – Authenticated-Enveloped-Data Content Type: Supported with commercial license
  • RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2: Supported
  • RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS: Supported
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_GCM_SHA256
  • RFC 5289 TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM): Supported 
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • RFC 5430 Suite B Profile for Transport Layer Security (TLS): Supported via compile time configuration.
  • RFC 5487 Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode: Supported
    • TLS_PSK_WITH_AES_256_CBC_SHA384
    • TLS_PSK_WITH_AES_128_CBC_SHA256
  • RFC 5652 Cryptographic Message Syntax (CMS)
    • Signed-Data Content Type: Supported with commercial license.
  • RFC 5746 Transport Layer Security (TLS) Renegotiation Indication Extension: Supported
    • Extension required by compile time default.
  • RFC 6066 Transport Layer Security (TLS) Extensions: Extension Definitions 
    • server_name Server Name Indication: Supported
    • max_fragment_length: Supported
    • client_certificate_url: Unsupported
    • trusted_ca_keys: Supported
    • truncated_hmac: Supported
    • status_request OCSP Client: Supported
  • RFC 6176 Prohibiting Secure Sockets Layer (SSL) Version 2.0: Supported
    • SSL 2.0 (including ClientHello) deprecated.
  • RFC 6347 Datagram Transport Layer Security Version 1.2: Supported
  • RFC 7027 Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS): Supported Curves
    • brainpoolP224r1
    • brainpoolP256r1 
    • brainpoolP384r1 
    • brainpoolP512r1
  • RFC 7301 Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension: Supported
  • RFC 7457 Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS): Supported
  • RFC 7465 Prohibiting RC4 Cipher Suites: Supported 
    • RC4 ciphers are disabled by default at compile time.
  • RFC 7525 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS): Supported
  • RFC 7568 Deprecating Secure Sockets Layer Version 3.0: Supported
    • SSL 3.0 is disabled by default at compile time.
  • RFC 7627 Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension: Supported
  • RFC 7925 TLS/DTLS Profiles for the Internet of Things: Supported via compile time configuration.
  • RFC 7905 ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS): Supported
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256