Hi All
Cryptography is a foundational technology of security-critical systems and organizations; however, the correct and secure application of cryptographic algorithms is prone to error due to its inherent complexity, nuances of their configurations and cryptographic APIs, lack of domain knowledge by practitioners, etc. Moreover, assessing an organization or application’s cryptographic posture or targeting where upgrades are required is complex. The application of cryptography is often dispersed across various systems, opaque and hardcoded. Even when cryptography is applied correctly, secure software systems exist in an ever-evolving, adversarial ecosystem. New technological advances or weaknesses may immediately render previously accepted cryptographic approaches obsolete and insecure.
This whitepaper provides an overview of the concepts of a cryptography inventory, which is a complete list of cryptographic entities in a system or organization. A systematic representation of such an inventory is commonly referred to as a Cryptographic Bill of Materials (CBOM). We discuss what a CBOM is, its purpose, how it might be applied and where, and the challenges and considerations that must be undertaken in its development. The target audience is any individual or organization seeking to understand and explore the problem of creating an inventory, inventory tools, or standards of cryptography inventories. The goal is to initiate a dialogue towards developing maturity in cryptography inventory capabilities and practice and to enable an efficient long-term solution to discover and manage system cryptography.
Regards
Caute_Cautim
Thanks for sharing this, very interesting and nicely presented.
As far as I'm aware, there are already some offerings regarding crypto-inventory.
Some of them are features of network-security products, others stand-alone products.
@panosvl Hi, it would be good to collate and present those options, because everyone is going to do this discovery at some point in the future, even if they ignore it today.
Regards
Caute_Cautim
Here are some useful links regarding CBOM and automatic discovery through source and object code scanning.
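As an added illustration of the two ideas in this thread (the abstract's definition of a CBOM as a systematic representation of a cryptography inventory, and the automatic discovery through source scanning mentioned just above), here is a minimal scanner that walks source text against a small table of cryptographic API signatures, records every hit with its location, flags entries against a simple policy, and folds the result into a CBOM-style document. This is example code written for this post, not the whitepaper's, IBM's or any product's code: the rule table, the weakness policy, the sample sources and the output shape (loosely modeled on CycloneDX's cryptographic-asset components, but simplified and not validated against the published schema) are all constructed for the example.

```python
"""Minimal source-code cryptography-inventory scanner (added example).

Scans source text line by line against a small, hand-written table of
cryptographic API signatures and emits inventory records that are then
folded into a simplified CBOM-style document. The rule table, weakness
policy, sample sources and output shape below are constructed for this
illustration; they are not any product's ruleset or a complete CBOM schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (primitive, regex, default algorithm used when the regex has no <alg> group)
# Assumption: a real scanner would carry hundreds of signatures per language.
RULES = [
    ("hash", re.compile(r"hashlib\.(?P<alg>md5|sha1|sha224|sha256|sha384|sha512)\("), None),
    ("hash", re.compile(r'MessageDigest\.getInstance\("(?P<alg>[A-Za-z0-9-]+)"\)'), None),
    ("cipher", re.compile(
        r'Cipher\.getInstance\("(?P<alg>[A-Za-z0-9]+)(?:/(?P<param>[A-Za-z0-9]+)/[A-Za-z0-9]+)?"\)'), None),
    ("keygen", re.compile(r"rsa\.generate_private_key\([^)]*key_size=(?P<param>\d+)"), "RSA"),
]


@dataclass
class CryptoAsset:
    location: str   # "path:line" where the call was found
    primitive: str  # hash / cipher / keygen
    algorithm: str  # normalized name, e.g. SHA1, AES, RSA
    parameter: str  # cipher mode or key size; "" when not visible in the call
    weak: bool      # flagged by the illustrative policy in is_weak()


def normalize(name: str) -> str:
    """Map spellings such as 'sha-1', 'SHA-1', 'sha1' onto one key."""
    return name.upper().replace("-", "")


def is_weak(primitive: str, algorithm: str, parameter: str) -> bool:
    """Illustrative policy (assumption): legacy hashes, ECB/DES/RC4, RSA < 2048 bits."""
    if primitive == "hash" and algorithm in {"MD4", "MD5", "SHA1"}:
        return True
    if primitive == "cipher" and (algorithm in {"DES", "DESEDE", "RC4"} or parameter == "ECB"):
        return True
    if primitive == "keygen" and algorithm == "RSA" and parameter and int(parameter) < 2048:
        return True
    return False


def scan_source(path: str, text: str) -> list[CryptoAsset]:
    """Return one record per matched cryptographic call, in file order."""
    assets: list[CryptoAsset] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for primitive, rx, default_alg in RULES:
            for m in rx.finditer(line):
                groups = m.groupdict()
                alg = normalize(groups.get("alg") or default_alg)
                param = groups.get("param") or ""
                assets.append(CryptoAsset(f"{path}:{lineno}", primitive, alg, param,
                                          is_weak(primitive, alg, param)))
    return assets


def build_inventory(sources: dict[str, str]) -> list[CryptoAsset]:
    """Scan a {path: source text} mapping into a flat inventory."""
    return [a for path, text in sources.items() for a in scan_source(path, text)]


def to_cbom(assets: list[CryptoAsset]) -> dict:
    """Fold records into a CBOM-style dict (simplified CycloneDX-like shape, assumption)."""
    components = []
    for a in assets:
        components.append({
            "type": "cryptographic-asset",
            "name": f"{a.algorithm}-{a.parameter}" if a.parameter else a.algorithm,
            "cryptoProperties": {"assetType": "algorithm", "primitive": a.primitive,
                                 "parameter": a.parameter},
            "evidence": {"occurrences": [{"location": a.location}]},
            "properties": [{"name": "inventory:weak", "value": str(a.weak).lower()}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": components}


# Constructed sample sources for the example (not real project code).
SAMPLE_SOURCES = {
    "app/auth.py": (
        "import hashlib\n"
        "def fingerprint(data):\n"
        "    return hashlib.md5(data).hexdigest()\n"
        "def token_hash(t):\n"
        "    return hashlib.sha256(t).hexdigest()\n"
    ),
    "app/keys.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=1024)\n"
    ),
    "legacy/Crypto.java": (
        'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
        'Cipher d = Cipher.getInstance("AES/GCM/NoPadding");\n'
        'MessageDigest md = MessageDigest.getInstance("SHA-1");\n'
    ),
}

if __name__ == "__main__":
    import json
    inventory = build_inventory(SAMPLE_SOURCES)
    for a in inventory:
        print(("WEAK " if a.weak else "ok   ") + a.location, a.primitive, a.algorithm, a.parameter)
    print(json.dumps(to_cbom(inventory), indent=2))
```

Run as a script it lists six findings from the constructed sources, four of them flagged (MD5, RSA-1024, AES in ECB mode, SHA-1), and prints the CBOM-style JSON. The point it makes beyond the thread's prose is the shape of the problem: the signature table is the hard, never-finished part, the location evidence is what makes an inventory actionable for upgrades, and the weakness policy has to be separate data because, as the abstract notes, what counts as acceptable changes over time.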
Not sure if listing products/services here is beneficial, but something like IBM's Quantum Safe Explorer is what I had in mind. This page from them has some interesting use-cases as well.