Standardization of Cryptography Bill of Materials in OWASP CycloneDX

Abstract

Migration strategies to quantum-safe cryptography often emphasize the need to establish an inventory of cryptographic assets to be able to prioritize the migration. A standard way to describe cryptography is however missing to date, which poses a challenge when inventory information should be exchanged or systematically used. To address this issue, we present our efforts in OWASP CycloneDX to standardize Cryptography Bill of Materials (CBOM), a standard format to describe cryptographic assets and their dependencies. The CBOM standard is planned to be included in the upcoming release of CycloneDX and will enable SBOM related tooling to inventory cryptography with CBOM. We will walk through the use cases addressed by CBOM, discuss some challenges, and demonstrate how to use it to describe different scenarios such as: - Cryptographic algorithms in software and their properties (e.g. classical and quantum security level) - Dependencies between applications and cryptographic software providers - Network end-points using protocols like TLS or IPsec and their cipher suites - Cryptographic material like certificates and key material We will give an insight in how CBOM can be used to automate the assessment of the "quantum-safe" state of an inventory and to check for compliance with advisories like the CNSA 2.0. We also want to highlight the use of CBOM beyond a one-time quantum-safe migration with the integration with SDLC or CI/CI pipelines, allowing to swiftly identify cryptographic vulnerabilities.