CBOM/en/0x10-Introduction.md
+15
@@ -7,6 +7,21 @@ typically buried deep within components that are used to compose and build syste
7
7
minimize this effort through alignment and reuse of concepts and components used to implement the Software Supply Chain
8
8
Security (SSCS).
9
9
10
+
Advances in quantum computing introduce the risk of previously-secure cryptographic algorithms becoming compromised
11
+
faster than ever before. In May of 2022, the White House released a [National Security Memorandum](https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/)
12
+
outlining the government’s plan to secure critical systems against potential quantum threats. This memorandum contains
13
+
two key takeaways for both agency and commercial software providers: document the potential impact of a breach, and have
14
+
an alternative cryptography solution ready.
15
+
16
+
As cryptographic systems evolve from using classical primitives to quantum-safe primitives, there is expected to be more
17
+
widespread use of cryptographic agility, or the ability to quickly switch between multiple cryptographic primitives.
18
+
Cryptographic agility serves as a security measure or incident response mechanism when a system’s cryptographic
19
+
primitive is discovered to be vulnerable or no longer complies with policies and regulations.
20
+
21
+
As part of an agile cryptographic approach, organizations should seek to understand what cryptographic assets they are
22
+
using and facilitate the assessment of the risk posture to provide a starting point for mitigation. CycloneDX designed
23
+
CBOM for this purpose.
24
+
10
25
## CBOM Design
11
26
The overall design goal of CBOM is to provide an abstraction that allows modeling and representing crypto assets in a
12
27
structured object format. This comprises the following points.
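Review bot: The first added sentence of the introduction ("previously-secure cryptographic algorithms becoming compromised faster than ever before") does not say which algorithms are at risk. The Use Cases text changed in this same commit names public key algorithms such as RSA, DH, ECDH, DSA and ECDSA, and the introduction would be clearer if it named the same class. The added paragraphs also say "cryptographic assets" while the unchanged CBOM Design paragraph directly below says "crypto assets"; pick one term. The two "key takeaways" are a paraphrase of the memorandum, so a pointer to the section they come from would let readers check them.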
CBOM/en/0x20-Use-Cases.md
+45-17
@@ -2,12 +2,17 @@
2
2
3
3
## Cryptography Asset Management
4
4
The Cryptography Bill of Materials (CBOM) is a comprehensive inventory of cryptographic assets, encompassing keys,
5
-
certificates, tokens, and more. CBOM provides a structured framework for organizations to catalog and track their
6
-
cryptographic resources, facilitating efficient management and ensuring security and compliance standards are met.
7
-
By maintaining a detailed record of cryptographic assets, including their usage, expiration dates, and associated
8
-
metadata, CBOM enables proactive monitoring and streamlined auditing processes. With CBOM, organizations can effectively
9
-
safeguard their cryptographic infrastructure, mitigate risks associated with unauthorized access or misuse, and maintain
10
-
the integrity and confidentiality of sensitive data across diverse digital environments.
5
+
certificates, tokens, and more. This is a requirement of the [OMB M-23-02](https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf),
6
+
where such a system is characterized as a [...”software or hardware implementation of one or more cryptographic algorithms
7
+
that provide one or more of the following services: (1) creation and exchange of encryption keys; (2) encrypted connections;
8
+
or (3) creation and validation of digital signatures.”]
9
+
10
+
CBOM provides a structured framework for organizations to catalog and track their cryptographic resources, facilitating
11
+
efficient management and ensuring security and compliance standards are met. By maintaining a detailed record of
12
+
cryptographic assets, including their usage, expiration dates, and associated metadata, CBOM enables proactive monitoring
13
+
and streamlined auditing processes. With CBOM, organizations can effectively safeguard their cryptographic infrastructure,
14
+
mitigate risks associated with unauthorized access or misuse, and maintain the integrity and confidentiality of sensitive
15
+
data across diverse digital environments.
11
16
12
17
## Identifying Weak Algorithms
13
18
CBOM enables organizations to conduct thorough assessments and discover weak algorithms or flawed implementations that
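Review bot: In the new second sentence of Cryptography Asset Management, "This is a requirement of the OMB M-23-02" has no clear antecedent. As written it reads as if the memo requires CBOM itself, and the following "such a system" refers to a system the paragraph has not introduced. Suggest naming what is required (for example "Maintaining such an inventory is a requirement of OMB M-23-02") and introducing the term that the quoted definition characterizes before quoting it. The quotation is also delimited as [...” at the start and ”] at the end, so it has a closing quotation mark on both sides and square brackets that Markdown may read as link text; use matching quotation marks or a block quote.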
@@ -21,20 +26,43 @@ safeguarding sensitive data against potential threats.
21
26
CBOM is crucial in preparing applications and systems for an impending post-quantum reality, aligning with
22
27
guidance from the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). As
23
28
quantum computing advancements threaten the security of current cryptographic standards, CBOM provides a structured
24
-
approach to inventorying cryptographic assets and evaluating their resilience against quantum threats. By cataloging
25
-
cryptographic algorithms and their respective parameters, CBOM enables organizations to identify vulnerable or weak
26
-
components that require mitigation or replacement with quantum-resistant alternatives recommended by NSA and NIST.
29
+
approach to inventorying cryptographic assets and evaluating their resilience against quantum threats.
30
+
31
+
Most notably, public key algorithms like RSA, DH, ECDH, DSA or ECDSA are considered not quantum-safe. These algorithms
32
+
occur in various components and may be hardcoded in applications but are more commonly and preferably used via dedicated
33
+
cryptographic libraries or services. Developers often don’t directly interact with cryptographic algorithms such as RSA
34
+
or ECDH but use them via protocols like TLS 1.3 or IPsec, by using certificates, keys, or other tokens. With upcoming
35
+
cryptographic agility it becomes less common to put in stone (or software) the algorithms that will be used. Instead,
36
+
they are configured during deployment or negotiated in each network protocol session. CBOM is designed with these
37
+
considerations in mind and to allow insight into the classical and quantum security level of cryptographic assets and
38
+
their dependencies.
39
+
40
+
By cataloging cryptographic algorithms and their respective parameters, CBOM enables organizations to identify vulnerable
41
+
or weak components that require mitigation or replacement with quantum-resistant alternatives recommended by NSA and NIST.
27
42
Through comprehensive analysis and strategic planning facilitated by CBOM, organizations can proactively transition to
28
43
post-quantum cryptographic primitives, ensuring the long-term security and integrity of their systems and applications.
29
44
30
-
## Cryptographic Requirements and Certifications
31
-
CBOM facilitates the assessment of whether cryptographic implementations meet the stringent criteria outlined by
32
-
FIPS 140-2, FIPS 140-3, and Common Criteria. This includes ensuring the proper selection and configuration of
33
-
cryptographic algorithms and protocols to align with certification requirements. CBOM enables organizations to streamline
34
-
the certification process by providing clear documentation of cryptographic practices and facilitating communication
35
-
between stakeholders, auditors, and certification bodies, ultimately accelerating the attainment of compliance and
36
-
bolstering confidence in the security of cryptographic systems. Suppliers whose products include cryptographic assets
37
-
are encouraged to communicate certifications that have been obtained.
45
+
## Assess Cryptographic Policies and Advisories
46
+
A cryptographic inventory in machine-readable form like CBOM brings benefits if one wants to check for compliance with
47
+
cryptographic policies and advisories. An example of such an advisory is [CNSA 2.0](https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF),
48
+
which was announced by NSA in September of 2022. CNSA 2.0 states, among other things, that National Security Systems (NSS)
49
+
for firmware and software signing needs to support and prefer CNSA 2.0 algorithms by 2025 and exclusively use them by 2030.
50
+
The advised algorithms are the stateful hash-based signature schemes LMS and XMSS from [NIST SP 800-208](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf).
51
+
With a CBOM inventory that documents the use of LMS and XMSS by such systems, compliance with CNSA 2.0 can be assessed
52
+
in an automated way.
53
+
54
+
## Identify Expiring and Long-Term Cryptographic Material
55
+
An RSA certificate expiring in one week poses less cryptographic risk than the same certificate expiring in 20 years.
56
+
Service downtime due to an expired certificate is another risk to be considered. Therefore, we argue that an inventory
57
+
that captures the life cycle of cryptographic material as allowed by CBOM gives context to an inventory that is
58
+
instrumental for managing cryptographic risk.
59
+
60
+
## Ensure Cryptographic Certifications
61
+
Higher cryptographic assurance is provided by certifications such as [FIPS 140-3](https://csrc.nist.gov/pubs/fips/140-3/final)
62
+
(levels 1 to 4) or [Common Criteria](https://www.commoncriteriaportal.org/) (EAL1 to 7). To obtain these certifications,
63
+
cryptographic modules need to undergo certification processes. For regulated environments such as FedRAMP, such
64
+
certifications are important requirements. CBOM allows the capture of certification levels of cryptographic assets so that
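Review bot: In Assess Cryptographic Policies and Advisories, "National Security Systems (NSS) for firmware and software signing needs to support and prefer CNSA 2.0 algorithms" pairs a plural subject with "needs", and "NSS for firmware and software signing" is hard to parse; suggest "NSS need to support and prefer CNSA 2.0 algorithms for firmware and software signing by 2025 and use them exclusively by 2030". In Identify Expiring and Long-Term Cryptographic Material, "an inventory that captures the life cycle ... gives context to an inventory" is circular, and "we argue" departs from the voice of the surrounding text. The removed certifications section mentioned FIPS 140-2 and encouraged suppliers to communicate the certifications they have obtained; the visible part of the new Ensure Cryptographic Certifications section mentions only FIPS 140-3 and Common Criteria, so confirm both omissions are intended. The three new headings are imperative ("Assess", "Identify", "Ensure") while the existing ones ("Cryptography Asset Management", "Identifying Weak Algorithms") are not.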