Is your software ready for the quantum era? Start with a cryptography inventory

Blog post
Anssi Lintulampi,
Mari Muurman

As quantum computers become more powerful, the foundations of today’s cryptographic systems face unprecedented challenges. To prepare for this transition, organizations can improve the security of their software supply chain and ensure long-term resilience of their products by maintaining a list of the cryptography they use. This list is called a Cryptography Bill of Materials (CBOM). It helps companies understand their current cryptographic landscape and prepare for the transition to quantum-safe cryptography.

Quantum computing changes the cryptography landscape

The advancement of quantum computing technology has accelerated significantly in recent years. For specific classes of problems, large-scale fault-tolerant quantum computers offer exponentially greater computing power than classical computers. This is a substantial problem because many current cryptographic algorithms rely on the assumption that computers lack the computational resources needed to solve the underlying mathematical problems.

In November 2024, NIST published an initial public draft on the transition to post-quantum cryptography. As expected, the draft states that current digital signature algorithms (ECDSA, EdDSA, RSA) and key establishment schemes (FFDH, ECDH, RSA) will be deprecated after 2030 and disallowed after 2035. This sets a concrete timeline for the transition to quantum-safe cryptography. The European Commission has also published a recommendation on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography in 2024. This joint statement from partners from 18 EU member states has also emphasized the importance of the matter.

The message is clear: action is needed. One of the first steps on the path to a successful transition to quantum-safe cryptography is to start maintaining a cryptographic bill of materials.

Cryptographic asset management

A Cryptography Bill of Materials (CBOM) is a detailed inventory that describes cryptographic assets and their dependencies. Cryptographic assets include algorithms, protocols, certificates, keys, tokens, secrets, and passwords. Algorithms and protocols are usually implemented in cryptographic libraries (e.g., OpenSSL). However, many assets may also be hardcoded into software components. Assets also have properties that define their functionality. For example, an algorithm (e.g., AES) is a cryptographic asset, and the specific variant of the algorithm (e.g., AES-128-GCM) specifies the properties of the asset (key length and mode of operation). These properties define the algorithm's security level and suitability for certain use cases.

Below, we describe some of the common cryptographic assets:

  • Cryptographic Keys:
    • Essential for encryption and decryption processes.
    • Document details like storage type, ownership, algorithm identifier, format, and status (active or deprecated).
  • Certificates:
    • Act as electronic identifiers linked to public keys used in encryption.
    • Include information about validity period, ownership, and issuing authority.
  • Algorithms:
    • Various cryptographic algorithms perform functions such as data encryption, authentication, and digital signatures.
    • Track which algorithms are in use and identify those vulnerable to quantum attacks.
  • Protocols:
    • Protocols like TLS or IPsec facilitate cryptographic operations between entities.
    • Include protocol version and implementation details to track dependencies.

Once the cryptographic bill of materials has been established, it is possible to perform automatic reasoning based on its contents. Such reasoning includes identifying weak cryptographic algorithms, identifying expiring and long-term cryptographic material, and assessing the system against cryptographic policies.
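The kind of automatic reasoning described above can be sketched as follows. This is an added example, not code from the authors: the record layout, the finding names, the 30-day expiry window and the minimum-TLS-version policy are assumptions, and the sample inventory is constructed.

```python
from datetime import date

# Families the post lists as deprecated after 2030 and disallowed after 2035.
QUANTUM_VULNERABLE = {"ECDSA", "EdDSA", "RSA", "FFDH", "ECDH"}
DISALLOW_YEAR = 2035
# Hypothetical organisational policy: minimum accepted protocol versions.
MIN_PROTOCOL_VERSION = {"TLS": (1, 2)}

# Constructed sample inventory (not real assets); the layout is an assumption.
SAMPLE_CBOM = [
    {"type": "algorithm", "name": "AES-128-GCM", "family": "AES"},
    {"type": "algorithm", "name": "ECDSA-P256", "family": "ECDSA"},
    {"type": "certificate", "name": "api.example.test", "family": "RSA",
     "not_after": "2025-03-10"},
    {"type": "certificate", "name": "device-root.example.test", "family": "ECDSA",
     "not_after": "2040-01-01"},
    {"type": "protocol", "name": "TLS", "version": "1.0"},
]

def assess(cbom, today, window_days=30):
    """Return sorted (asset name, finding) pairs for one inventory."""
    findings = set()
    for asset in cbom:
        name = asset["name"]
        vulnerable = asset.get("family") in QUANTUM_VULNERABLE
        if vulnerable:
            findings.add((name, "quantum-vulnerable"))
        if asset["type"] == "certificate":
            not_after = date.fromisoformat(asset["not_after"])
            days_left = (not_after - today).days
            if days_left < 0:
                findings.add((name, "expired"))
            elif days_left <= window_days:
                findings.add((name, "expiring"))
            # Long-term material: still valid after the disallow year.
            if vulnerable and not_after.year > DISALLOW_YEAR:
                findings.add((name, "long-term"))
        if asset["type"] == "protocol":
            version = tuple(int(p) for p in asset["version"].split("."))
            minimum = MIN_PROTOCOL_VERSION.get(name)
            if minimum and version < minimum:
                findings.add((name, "policy-violation"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in assess(SAMPLE_CBOM, today=date(2025, 2, 20)):
        print(f"{finding:20} {name}")
```

Passing `today` explicitly keeps the assessment reproducible, so the same inventory can be re-evaluated against any reference date.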

Technological choices

Technologically speaking, performing cryptographic asset management and generating a CBOM does not have a one-stop-shop solution. Organizations must make several technical decisions when developing a CBOM tool or evaluating the suitability of a commercial solution for cryptographic asset management.

One of the first considerations is the scan target. This could be a directory in the file system, a source code repository, a container image, or network traffic between APIs. Another consideration is the scanning method, which depends heavily on the scan target. For example, scanning a source code repository requires a different approach than scanning a container image. Additionally, different tools are implemented using different technologies. Depending on the use case, you might be looking into network port scanning for services that need to be updated, static source-code analysis for cryptographic library dependency checks or perhaps file system monitoring to perform certificate and key management.
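For the file-system scan target, discovery of certificates and keys can start from PEM block markers. The sketch below is an added example, not the authors' tooling: the label-to-asset-type mapping, the record fields and the 1 MiB read cap are assumptions, and the scanned files are constructed placeholders, including one key hardcoded in a source file.

```python
import hashlib
import os
import re
import tempfile

# PEM label -> asset type from the post's list (the mapping is this example's choice).
PEM_LABELS = {"CERTIFICATE": "certificate", "PUBLIC KEY": "key", "PRIVATE KEY": "key",
              "RSA PRIVATE KEY": "key", "EC PRIVATE KEY": "key",
              "ENCRYPTED PRIVATE KEY": "key"}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def scan_directory(root):
    """Walk root and return one inventory record per PEM block found."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # read at most 1 MiB per file
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            for match in PEM_RE.finditer(data):
                label = match.group(1).decode()
                records.append({
                    "path": os.path.relpath(path, root),
                    "label": label,
                    "asset_type": PEM_LABELS.get(label, "unknown"),
                    # Store a fingerprint only, never the key material itself.
                    "sha256": hashlib.sha256(match.group(0)).hexdigest(),
                })
    return sorted(records, key=lambda r: (r["path"], r["label"]))

def demo():
    """Scan a temporary tree of constructed files with placeholder PEM bodies."""
    body = "\nQ09OU1RSVUNURUQ=\n"  # constructed placeholder, not real key material
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "conf", "server.pem"), "w") as fh:
            fh.write(f"-----BEGIN CERTIFICATE-----{body}-----END CERTIFICATE-----\n"
                     f"-----BEGIN EC PRIVATE KEY-----{body}-----END EC PRIVATE KEY-----\n")
        with open(os.path.join(root, "app.py"), "w") as fh:
            fh.write(f'KEY = """-----BEGIN RSA PRIVATE KEY-----{body}-----END RSA PRIVATE KEY-----"""\n')
        return scan_directory(root)

if __name__ == "__main__":
    for record in demo():
        print(record["path"], record["asset_type"], record["label"], record["sha256"][:12])
```

A marker scan only covers PEM-encoded material; DER files, keystores and algorithm usage inside code need the other scanning methods mentioned above.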

Whatever the technological choices of your use case are, the important thing is to start maintaining a cryptographic bill of materials as soon as possible. Even if the quantum risk never materializes, a cryptographic bill of materials offers clear benefits for software supply chain security. An existing cryptographic inventory makes it easier to track down bugs in security-critical software, thus reducing incident response times in cases where secrets are compromised or expired. It also eases the process of updating obsolete or critically vulnerable algorithms. This is all part of software supply chain security.

Don't wait until it's too late. Visit our website to learn more about how you can secure your software supply chain and prepare for the quantum future. Take the first step towards safeguarding your digital assets today!

Anssi Lintulampi
Research Scientist
Mari Muurman
Research Scientist