Added cryptography

stevespringett · stevespringett · commit 0887a0466ca2 · 2024-02-25T16:34:33.000-06:00
diff --git a/SBOM/en/0x30-Use_Cases.md b/SBOM/en/0x30-Use_Cases.md
@@ -86,9 +86,7 @@ CycloneDX is capable of describing the following types of components:
 > system or design. They also aid Software Asset Management (SAM) and IT Asset Management (ITAM) systems in classifying
 > the inventory of software and constituent parts.
 
-
-Component identity is an essential requirement for managing inventory. CycloneDX supports multiple methods to assert
-identity including:
+CycloneDX supports multiple methods to assert identity including:
 
 - Coordinates: The combination of the group, name, and version fields form the coordinates of a component.
 - Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located regardless of what vendor, project, or ecosystem the packages belongs to. 
@@ -102,26 +100,24 @@ information.
 The following example illustrates component identity in CycloneDX.
 
 ```json
-"components": [
-  {
-    "type": "library",
-    "group": "com.example",
-    "name": "awesome-library",
+{
+  "type": "library",
+  "group": "com.example",
+  "name": "awesome-library",
+  "version": "1.0.0",
+  "cpe": "cpe:2.3:a:acme:awesome:1.0.0:*:*:*:*:*:*:*",
+  "purl": "pkg:maven/com.example/awesome-library@1.0.0",
+  "swid": {
+    "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_1.0.0",
+    "name": "Acme Awesome Library",
     "version": "1.0.0",
-    "cpe": "cpe:2.3:a:acme:awesome:1.0.0:*:*:*:*:*:*:*",
-    "purl": "pkg:maven/com.example/awesome-library@1.0.0",
-    "swid": {
-      "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_1.0.0",
-      "name": "Acme Awesome Library",
-      "version": "1.0.0",
-      "text": {
-        "contentType": "text/xml",
-        "encoding": "base64",
-        "content": "U1dJRCBkb2N1bWVudCBkb2VzIGhlcmU="
-      }
+    "text": {
+      "contentType": "text/xml",
+      "encoding": "base64",
+      "content": "U1dJRCBkb2N1bWVudCBkb2VzIGhlcmU="
     }
   }
-]
+}
 ```
 
 CycloneDX also supports several identifiers specific to hardware devices. Refer to https://cyclonedx.org/capabilities/hbom/
@@ -519,6 +515,69 @@ Bill of Material (MBOM). The SBOM references the MBOM that describes the environ
 all other considerations necessary to replicate a build with utmost precision. This capability allows other parties to
 independently verify inputs and outputs from a build which can increase the software's assurance.
 
+## Cryptography Asset Management
+CycloneDX can describe a comprehensive inventory of cryptographic assets, encompassing keys,
+certificates, tokens, and more. This is a requirement of the [OMB M-23-02](https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf),
+where such a system is characterized as a [...”software or hardware implementation of one or more cryptographic algorithms
+that provide one or more of the following services: (1) creation and exchange of encryption keys; (2) encrypted connections;
+or (3) creation and validation of digital signatures.”]
+
+CycloneDX provides a structured framework for organizations to catalog and track their cryptographic resources, facilitating
+efficient management and ensuring security and compliance standards are met. By maintaining a detailed record of
+cryptographic assets, including their usage, expiration dates, and associated metadata, CycloneDX enables proactive 
+monitoring and streamlined auditing processes. With CycloneDX, organizations can effectively safeguard their cryptographic
+infrastructure, mitigate risks associated with unauthorized access or misuse, and maintain the integrity and confidentiality
+of sensitive data across diverse digital environments.
+
+## Identifying Weak Cryptographic Algorithms
+CycloneDX enables organizations to discover weak algorithms or flawed implementations that could compromise security. 
+Through analysis of cryptographic data, including algorithms, key management practices, and usage patterns, organizations
+can pinpoint areas of concern and prioritize remediation efforts. CycloneDX facilitates proactive identification of 
+weaknesses and vulnerabilities, allowing organizations to enhance the resilience of their cryptographic infrastructure 
+and mitigate the risk of exploitation, thereby bolstering overall cybersecurity posture and safeguarding sensitive data 
+against potential threats.
+
+## Post-Quantum Cryptography (PQC) Readiness
+CycloneDX is crucial in preparing applications and systems for an impending post-quantum reality, aligning with
+guidance from the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). As
+quantum computing advancements threaten the security of current cryptographic standards, CycloneDX provides a structured
+approach to inventorying cryptographic assets and evaluating their resilience against quantum threats.
+
+Most notably, public key algorithms like RSA, DH, ECDH, DSA or ECDSA are considered not quantum-safe. These algorithms
+occur in various components and may be hardcoded in applications but are more commonly and preferably used via dedicated
+cryptographic libraries or services. Developers often don’t directly interact with cryptographic algorithms such as RSA
+or ECDH but use them via protocols like TLS 1.3 or IPsec, by using certificates, keys, or other tokens. With upcoming
+cryptographic agility it becomes less common to put in stone (or software) the algorithms that will be used. Instead,
+they are configured during deployment or negotiated in each network protocol session. CycloneDX is designed with these
+considerations in mind and to allow insight into the classical and quantum security level of cryptographic assets and
+their dependencies.
+
+By cataloging cryptographic algorithms and their respective parameters, CycloneDX enables organizations to identify vulnerable
+or weak components that require mitigation or replacement with quantum-resistant alternatives recommended by NSA and NIST.
+Through comprehensive analysis and strategic planning facilitated by CycloneDX, organizations can proactively transition to
+post-quantum cryptographic primitives, ensuring the long-term security and integrity of their systems and applications.
+
+## Assess Cryptographic Policies and Advisories
+A cryptographic inventory in machine-readable form brings benefits if one wants to check for compliance with
+cryptographic policies and advisories. An example of such an advisory is [CNSA 2.0](https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF),
+which was announced by NSA in September of 2022. CNSA 2.0 states, among other things, that National Security Systems (NSS)
+for firmware and software signing needs to support and prefer CNSA 2.0 algorithms by 2025 and exclusively use them by 2030.
+The advised algorithms are the stateful hash-based signature schemes LMS and XMSS from [NIST SP 800-208](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf).
+With a cryptographic inventory that documents the use of LMS and XMSS by such systems, compliance with CNSA 2.0 can be 
+assessed in an automated way.
+
+## Identify Expiring and Long-Term Cryptographic Material
+An RSA certificate expiring in one week poses less cryptographic risk than the same certificate expiring in 20 years.
+Service downtime due to an expired certificate is another risk to be considered. Therefore, we argue that an inventory
+that captures the life cycle of cryptographic material as allowed by CycloneDX gives context to an inventory that is
+instrumental for managing cryptographic risk.
+
+## Ensure Cryptographic Certifications
+Higher cryptographic assurance is provided by certifications such as [FIPS 140-3](https://csrc.nist.gov/pubs/fips/140-3/final)
+(levels 1 to 4) or [Common Criteria](https://www.commoncriteriaportal.org/) (EAL1 to 7). To obtain these certifications,
+cryptographic modules need to undergo certification processes. For regulated environments such as FedRAMP, such
+certifications are important requirements. CycloneDX allows the capture of certification levels of cryptographic assets 
+so that this property can be easily identified.
 
 <div style="page-break-after: always; visibility: hidden">
 \newpage
diff --git a/SBOM/en/0x40-BOM_Coverage_Maturity_Quality.md b/SBOM/en/0x40-BOM_Coverage_Maturity_Quality.md
@@ -22,16 +22,17 @@ CycloneDX highly encourages organizations to exceed the NTIA minimum elements wh
 types of data will vary by use case but generally should include:
 
 
-| **Field**            | **CycloneDX Field**                    | **Description**                                                                                                                            |
-|----------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
-| BOM Lifecycles       | bom.metadata.lifecycles[]              | The stage in which data in the BOM was captured                                                                                            |
-| BOM Generation Tools | bom.metadata.tools[]                   | The tool(s) used to create the BOM                                                                                                         |
-| Component Hash       | bom.components[].hashes[]              | The hash values of the file or package                                                                                                     |
-| Component License    | bom.components[].licenses[]            | The license(s) in which the component is released under                                                                                    |
-| Component Evidence   | bom.components[].evidence[].identity.* | The evidence of identity including the methods, techniques, and confidence of how components were identified                               |
-| External References  | bom.components[].externalReferences[]  | Locations to advisories, version control and build systems, etc                                                                            |
-| Services             | bom.services[].*                       | A complete inventory of services including endpoint URLs, data classifications, etc which the product and/or individual components rely on |
-| Known Unknowns       | bom.compositions[].*                   | Assertions on the completeness of the inventory of components and services, along with the completeness of dependency relationships        |
+| **Field**                | **CycloneDX Field**                    | **Description**                                                                                                                            |
+|--------------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
+| BOM Lifecycles           | bom.metadata.lifecycles[]              | The stage in which data in the BOM was captured                                                                                            |
+| BOM Generation Tools     | bom.metadata.tools[]                   | The tool(s) used to create the BOM                                                                                                         |
+| Component Hash           | bom.components[].hashes[]              | The hash values of the file or package                                                                                                     |
+| Component License        | bom.components[].licenses[]            | The license(s) in which the component is released under                                                                                    |
+| Component Evidence       | bom.components[].evidence[].identity.* | The evidence of identity including the methods, techniques, and confidence of how components were identified                               |
+| Cryptographic Properties | bom.components[].cryptoProperties.*    | The properties specific to cryptographic assets detailing the algorithms, keys, protocols, and other cryptographic material                |
+| External References      | bom.components[].externalReferences[]  | Locations to advisories, version control and build systems, etc                                                                            |
+| Services                 | bom.services[].*                       | A complete inventory of services including endpoint URLs, data classifications, etc which the product and/or individual components rely on |
+| Known Unknowns           | bom.compositions[].*                   | Assertions on the completeness of the inventory of components and services, along with the completeness of dependency relationships        |
 
 
 ## SCVS BOM Maturity Model
diff --git a/SBOM/en/0x45-Cryptographic_Components.md b/SBOM/en/0x45-Cryptographic_Components.md
@@ -0,0 +1,58 @@
+# Leveraging Cryptographic Components
+
+CycloneDX can describe cryptographic assets and their dependencies. Discovering, managing, and reporting on cryptographic
+assets is necessary as the first step on the migration journey to quantum-safe systems and applications. Cryptography is
+typically buried deep within components that are used to compose and build systems and applications. 
+
+Advances in quantum computing introduce the risk of previously-secure cryptographic algorithms becoming compromised
+faster than ever before. In May of 2022, the White House released a [National Security Memorandum](https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/)
+outlining the government’s plan to secure critical systems against potential quantum threats. This memorandum contains
+two key takeaways for both agency and commercial software providers: document the potential impact of a breach, and have
+an alternative cryptography solution ready.
+
+As cryptographic systems evolve from using classical primitives to quantum-safe primitives, there is expected to be more
+widespread use of cryptographic agility, or the ability to quickly switch between multiple cryptographic primitives.
+Cryptographic agility serves as a security measure or incident response mechanism when a system’s cryptographic
+primitive is discovered to be vulnerable or no longer complies with policies and regulations.
+
+As part of an agile cryptographic approach, organizations should seek to understand what cryptographic assets they are
+using and facilitate the assessment of the risk posture to provide a starting point for mitigation.
+
+
+### Algorithm Example
+A cryptographic algorithm is added in the components array of the BOM. The examples below list the algorithm
+AES-128-GCM.
+
+```json
+"components": [
+  {
+    "type": "cryptographic-asset",
+    "name": "AES-128-GCM",
+    "cryptoProperties": {
+      "assetType": "algorithm",
+      "algorithmProperties": {
+        "primitive": "ae",
+        "parameterSetIdentifier": "128",
+        "mode": "gcm",
+        "executionEnvironment": "software-plain-ram",
+        "implementationPlatform": "x86_64",
+        "certificationLevel": [ "none" ],
+        "cryptoFunctions": [ "keygen", "encrypt", "decrypt", "tag" ],
+        "classicalSecurityLevel": 128,
+        "nistQuantumSecurityLevel": 1
+      },
+      "oid": "2.16.840.1.101.3.4.1.6"
+    }
+  }
+]
+```
+
+Organizations should consider including cryptographic assets in their SBOMs and optionally producing a BOM specific for
+cryptographic material, otherwise known as a Cryptographic Bill of Material (CBOM).
+
+Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging
+CycloneDX for cryptographic use cases.
+
+<div style="page-break-after: always; visibility: hidden">
+\newpage
+</div>
