What is a CBOM (Cryptography Bill of Materials)?


Knowing which cryptography your systems actually use is central to securing them. Cryptographic assets, essential for securing communication and protecting data, are often deeply embedded in components and dependencies and are therefore overlooked. A Cryptography Bill of Materials (CBOM) addresses this gap by providing a comprehensive inventory of those cryptographic elements.


A CBOM is a detailed inventory of the cryptographic assets within a system, akin to a Software Bill of Materials (SBOM) but focused entirely on cryptographic assets and their dependencies. While an SBOM maps out software dependencies, a CBOM describes the cryptographic composition of a system, offering visibility into encryption methods, algorithms, keys and certificates, and the software components that contain them.


As organisations prepare for the migration to quantum-safe systems and applications, discovering, managing, and reporting on cryptography becomes the essential first step. Cryptographic elements are often deeply embedded within the components and dependencies that form systems and applications. By aligning this effort with the principles and practices of Software Supply Chain Security (SSCS), organisations can better identify potential vulnerabilities, ensure consistency in cryptographic implementations, and reuse existing cryptographic frameworks and best practices, reducing the risk of errors or gaps in security.

| Category | Name | Purpose | Version | Status | Notes |
|---|---|---|---|---|---|
| Algorithm | AES-256 | Data encryption | 1.2.3 | Active | Meets compliance (FIPS-197) |
| Algorithm | RSA-2048 | Key exchange | 2.1.0 | Deprecated | Migrate to quantum-safe alternative |
| Library | OpenSSL | Cryptographic library | 1.1.1 | Active | Actively maintained |
| Key | TLS Private Key | HTTPS encryption | N/A | Active | 2048-bit RSA key, expiry: 2025-12-31 |
| Key | API HMAC Key | API authentication | N/A | Active | 256-bit symmetric key, rotated semi-annually |
| Certificate | Server TLS Cert | HTTPS encryption | N/A | Active | Issuer: Let’s Encrypt, expiry: 2024-01-01 |

Example of a CBOM

Consider a scenario where an organisation was unaware of outdated encryption algorithms embedded within their systems. Without proper visibility, these vulnerabilities could have been exploited by attackers to intercept sensitive communications. With a CBOM in place, the organisation could have identified and replaced these weak algorithms proactively, ensuring compliance with modern standards and safeguarding their data. 


For instance, when cryptographic assets such as TLS/SSL certificates expire unnoticed, organisations often face service downtime or compliance violations. A CBOM enables proactive monitoring of expiration dates and timely renewals, avoiding disruptions and maintaining trust. Similarly, in a post-quantum context, CBOMs help organisations identify and transition away from algorithms such as RSA or ECDH, which may be vulnerable to quantum threats, toward quantum-resistant alternatives. To dive deeper into quantum-safe cryptography and its implications, visit our blog.


CycloneDX, a leading standard in software and hardware bill of materials (SBOM and HBOM), supports the integration of CBOMs into existing BOMs. By embedding cryptographic assets directly into SBOMs or HBOMs, organisations gain a holistic view of their systems, including: 

  • A complete dependency graph of software and hardware components. 

  • Identification of components providing specific cryptographic capabilities. 

  • Streamlined risk assessment and mitigation workflows. 

This integrated approach simplifies cryptographic management and supports a crypto-agile strategy: algorithms, keys and certificates can be located, assessed and replaced as requirements change.
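To make the two preceding points concrete (expiry and post-quantum monitoring, and a CycloneDX-style BOM that records which component provides which cryptographic capability), here is an added example. It is not code from this page or from the CycloneDX project: it builds a small BOM document from the inventory table above and runs the three checks a CBOM exists to support. The field names (`cryptoProperties`, `assetType`, `algorithmProperties`, `relatedCryptoMaterialProperties`, `certificateProperties`, `nistQuantumSecurityLevel`) follow the CycloneDX 1.6 layout as I understand it and should be verified against the published schema; all asset values are constructed samples.

```python
"""Added example: a small CycloneDX-style CBOM plus the policy checks it enables.
Not the page's or CycloneDX's own code; field names are an assumption to verify
against the CycloneDX 1.6 schema."""
import json
from datetime import date, datetime

# Constructed sample, modelled on the inventory table on this page.
SAMPLE_CBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "OpenSSL", "version": "1.1.1", "bom-ref": "lib/openssl"},
        {"type": "cryptographic-asset", "name": "AES-256", "bom-ref": "alg/aes-256",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "block-cipher",
                                                      "parameterSetIdentifier": "256",
                                                      "nistQuantumSecurityLevel": 5}}},
        {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg/rsa-2048",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "pke",
                                                      "parameterSetIdentifier": "2048",
                                                      "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "TLS Private Key", "bom-ref": "key/tls-private",
         "cryptoProperties": {"assetType": "related-crypto-material",
                              "relatedCryptoMaterialProperties": {"type": "private-key", "size": 2048,
                                                                  "algorithmRef": "alg/rsa-2048"}}},
        {"type": "cryptographic-asset", "name": "API HMAC Key", "bom-ref": "key/api-hmac",
         "cryptoProperties": {"assetType": "related-crypto-material",
                              "relatedCryptoMaterialProperties": {"type": "secret-key", "size": 256}}},
        {"type": "cryptographic-asset", "name": "Server TLS Cert", "bom-ref": "cert/server-tls",
         "cryptoProperties": {"assetType": "certificate",
                              "certificateProperties": {"notValidAfter": "2024-01-01T00:00:00Z",
                                                        "signatureAlgorithmRef": "alg/rsa-2048"}}},
    ],
    # Dependency graph: which component provides which cryptographic capability.
    "dependencies": [
        {"ref": "lib/openssl", "dependsOn": ["alg/aes-256", "alg/rsa-2048"]},
    ],
}


def _assets(bom, asset_type):
    """Yield the cryptographic-asset components of one assetType."""
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties")
        if props and props.get("assetType") == asset_type:
            yield comp


def certificate_status(bom, today, warn_days=30):
    """Map each certificate name to 'expired', 'expiring' (within warn_days) or 'ok'."""
    status = {}
    for cert in _assets(bom, "certificate"):
        not_after = cert["cryptoProperties"]["certificateProperties"]["notValidAfter"]
        expiry = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").date()
        days_left = (expiry - today).days
        if days_left < 0:
            status[cert["name"]] = "expired"
        elif days_left <= warn_days:
            status[cert["name"]] = "expiring"
        else:
            status[cert["name"]] = "ok"
    return status


def quantum_vulnerable_material(bom):
    """Map each algorithm with NIST quantum security level 0 (or an unstated level,
    treated conservatively as 0) to the keys and certificates that rely on it,
    which is the scope of a post-quantum migration."""
    weak = {c["bom-ref"]: c["name"] for c in _assets(bom, "algorithm")
            if c["cryptoProperties"]["algorithmProperties"].get("nistQuantumSecurityLevel", 0) == 0}
    affected = {name: [] for name in weak.values()}
    for key in _assets(bom, "related-crypto-material"):
        ref = key["cryptoProperties"]["relatedCryptoMaterialProperties"].get("algorithmRef")
        if ref in weak:
            affected[weak[ref]].append(key["name"])
    for cert in _assets(bom, "certificate"):
        ref = cert["cryptoProperties"]["certificateProperties"].get("signatureAlgorithmRef")
        if ref in weak:
            affected[weak[ref]].append(cert["name"])
    return affected


def providers_of(bom, algorithm_ref):
    """Names of components whose dependency entry lists the given algorithm."""
    names = {c["bom-ref"]: c["name"] for c in bom.get("components", []) if "bom-ref" in c}
    return [names[dep["ref"]] for dep in bom.get("dependencies", [])
            if algorithm_ref in dep.get("dependsOn", []) and dep["ref"] in names]


if __name__ == "__main__":
    print(json.dumps(certificate_status(SAMPLE_CBOM, date(2025, 6, 1)), indent=2))
    print(json.dumps(quantum_vulnerable_material(SAMPLE_CBOM), indent=2))
    print(providers_of(SAMPLE_CBOM, "alg/rsa-2048"))
```

Run against the sample with a 2025 date, the certificate check reports the server certificate as expired, the post-quantum check ties RSA-2048 to both the TLS private key and the certificate signed with it, and the provider lookup resolves RSA-2048 to OpenSSL, which is exactly the "what do we have, where is it, and who supplies it" triage a CBOM is meant to answer. Omitting the "rotated semi-annually" note on the HMAC key is deliberate: CycloneDX records key material and size, but a rotation policy would be tracked in a separate property or process.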


The Cryptography Bill of Materials is more than a tool—it’s a strategic asset for navigating the future of cybersecurity. By leveraging CBOMs, organisations can prepare for quantum-safe systems and applications, ensuring the security and reliability of their systems in the face of emerging threats. With standards like CycloneDX supporting CBOM integration, now is the time to invest in understanding and managing your cryptographic landscape.