Inventorying cryptographic assets is a foundational best practice for post-quantum cryptography (PQC) readiness, as emphasized by NIST SP 1800-38B. CycloneDX Cryptography Bill of Materials (CBOM) provides a structured way to document algorithms, keys, and protocols, helping organizations assess risks, ensure compliance, and prepare for the transition to quantum-safe systems.
Cryptographic algorithms form the core of data security but are vulnerable to evolving threats, including quantum advancements. By cataloging algorithms and their dependencies, CBOM enables proactive identification of weak implementations, supports cryptographic agility, and facilitates compliance with emerging standards.
| Property | Usage Description |
|---|---|
| `assetType` | Specifies the category of the cryptographic asset, such as `algorithm`, `certificate`, `protocol`, or `related-crypto-material`. |
| `primitive` | Fundamental cryptographic routines, such as encryption, hashing, or key agreement, used as building blocks for cryptographic systems and protocols. |
| `parameterSetIdentifier` | Represents the specific configuration or attributes of a cryptographic algorithm, such as key length or digest size, that define its operational characteristics. |
| `mode` | Defines the operational mode of a cryptographic block cipher, such as CBC or GCM, determining how the algorithm processes data for encryption or decryption. |
| `certificationLevel` | The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL). |
| `cryptoFunctions` | Lists the cryptographic functions the algorithm supports, such as key generation, encryption, decryption, signing, or verification, detailing its capabilities within a cryptographic system. |
| `classicalSecurityLevel` | Represents the algorithm's security strength against classical computational attacks, often measured in bits, indicating the effort required to break the encryption using traditional computing methods. |
| `nistQuantumSecurityLevel` | Specifies the algorithm's security level as defined by NIST in the context of quantum-resistant cryptography, assessing its robustness against potential quantum computing attacks. |
| `oid` | The object identifier, a globally unique identifier assigned to the algorithm, facilitating unambiguous reference across systems and standards. |
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-09T12:00:00Z",
    "component": {
      "type": "application",
      "name": "my application",
      "version": "1.0"
    }
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "AES-128-GCM",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "ae",
          "parameterSetIdentifier": "128",
          "mode": "gcm",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "keygen", "encrypt", "decrypt", "tag" ],
          "classicalSecurityLevel": 128,
          "nistQuantumSecurityLevel": 1
        },
        "oid": "2.16.840.1.101.3.4.1.6"
      }
    },
    {
      "name": "SHA512withRSA",
      "type": "cryptographic-asset",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "signature",
          "parameterSetIdentifier": "512",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "sign", "verify" ],
          "nistQuantumSecurityLevel": 0
        },
        "oid": "1.2.840.113549.1.1.13"
      }
    }
  ]
}
```
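The point of recording `primitive`, `classicalSecurityLevel` and `nistQuantumSecurityLevel` is that a PQC readiness check can then be automated over the inventory. The script below is an added example, not CycloneDX project code: it walks the algorithm components of a CBOM (the sample is a compact copy of the two components above) and sorts each into "quantum-vulnerable", "acceptable", "review" or "incomplete". The primitive names in the two sets are the CycloneDX 1.6 enum values as I know them and are an assumption to check against the schema for your spec version; the thresholds are a policy I chose for illustration (asymmetric primitives at quantum level 0 must migrate, symmetric primitives need at least 128-bit classical strength).

```python
"""Flag cryptographic assets in a CycloneDX 1.6 CBOM that need PQC attention.

Added example, not part of the CycloneDX project. Primitive enum spellings and
the thresholds below are assumptions chosen for illustration.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Primitives whose security rests on factoring or discrete logarithms: broken by
# Shor's algorithm regardless of key size unless a PQC scheme is used.
SHOR_VULNERABLE_PRIMITIVES = {"signature", "pke", "kem", "key-agree"}
# Symmetric and hash primitives: Grover's search only halves the effective
# strength, so the classical security level is what matters.
GROVER_AFFECTED_PRIMITIVES = {"block-cipher", "stream-cipher", "ae", "hash",
                              "mac", "kdf", "xof", "drbg"}
MIN_CLASSICAL_BITS = 128  # policy threshold (assumption)

# Constructed sample: a compact copy of the two components shown on the page.
SAMPLE_CBOM = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
  "metadata": {"timestamp": "2024-01-09T12:00:00Z",
               "component": {"type": "application", "name": "my application", "version": "1.0"}},
  "components": [
    {"type": "cryptographic-asset", "name": "AES-128-GCM",
     "cryptoProperties": {"assetType": "algorithm", "oid": "2.16.840.1.101.3.4.1.6",
       "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "128", "mode": "gcm",
         "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"],
         "classicalSecurityLevel": 128, "nistQuantumSecurityLevel": 1}}},
    {"type": "cryptographic-asset", "name": "SHA512withRSA",
     "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.1.1.13",
       "algorithmProperties": {"primitive": "signature", "parameterSetIdentifier": "512",
         "cryptoFunctions": ["sign", "verify"], "nistQuantumSecurityLevel": 0}}}
  ]
}'''


@dataclass
class Finding:
    name: str
    status: str  # "quantum-vulnerable" | "acceptable" | "review" | "incomplete"
    reason: str
    oid: Optional[str] = None


def assess_algorithm(component: dict) -> Finding:
    """Classify one cryptographic-asset component with assetType 'algorithm'."""
    props = component.get("cryptoProperties", {})
    algo = props.get("algorithmProperties", {})
    name = component.get("name", "<unnamed>")
    oid = props.get("oid")
    primitive = algo.get("primitive")
    q_level = algo.get("nistQuantumSecurityLevel")
    c_level = algo.get("classicalSecurityLevel")
    # Note: parameterSetIdentifier is free text; for a composite name such as
    # SHA512withRSA it describes the digest, not the RSA modulus, so key
    # strength is never inferred from it here.

    if primitive is None:
        return Finding(name, "incomplete", "primitive missing; cannot classify", oid)
    if primitive in SHOR_VULNERABLE_PRIMITIVES:
        if not q_level:  # None or 0: classical asymmetric scheme
            return Finding(name, "quantum-vulnerable",
                           f"asymmetric primitive '{primitive}' at NIST quantum level "
                           f"{q_level}; plan migration to a PQC algorithm", oid)
        return Finding(name, "acceptable", f"PQC scheme at NIST quantum level {q_level}", oid)
    if primitive in GROVER_AFFECTED_PRIMITIVES:
        if c_level is None:
            return Finding(name, "incomplete",
                           "classicalSecurityLevel missing for symmetric/hash primitive", oid)
        if c_level < MIN_CLASSICAL_BITS:
            return Finding(name, "quantum-vulnerable",
                           f"{c_level}-bit classical strength is below {MIN_CLASSICAL_BITS}; "
                           "Grover search leaves too little margin", oid)
        if not q_level:
            return Finding(name, "review",
                           f"{c_level}-bit strength but no NIST quantum level recorded", oid)
        return Finding(name, "acceptable",
                       f"NIST quantum level {q_level}, {c_level}-bit classical strength", oid)
    return Finding(name, "review", f"primitive '{primitive}' not covered by this policy", oid)


def assess_cbom(cbom_text: str) -> dict:
    """Return {component name: Finding} for every algorithm asset in the CBOM."""
    bom = json.loads(cbom_text)
    findings = {}
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        if comp.get("cryptoProperties", {}).get("assetType") != "algorithm":
            continue  # certificates, protocols and key material need their own rules
        finding = assess_algorithm(comp)
        findings[finding.name] = finding
    return findings


def needs_migration(findings: dict) -> list:
    """Names of assets that must move to PQC, sorted for stable reporting."""
    return sorted(n for n, f in findings.items() if f.status == "quantum-vulnerable")


if __name__ == "__main__":
    for f in assess_cbom(SAMPLE_CBOM).values():
        print(f"{f.status:<19} {f.name:<14} {f.reason}")
```

Run against the sample, the report marks `SHA512withRSA` as quantum-vulnerable (RSA at quantum level 0) and `AES-128-GCM` as acceptable at NIST level 1. Non-algorithm assets are skipped deliberately: a certificate or protocol entry inherits its risk from the algorithms it references, which is a separate traversal over CBOM dependencies.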
Reference: NIST SP 1800-38B, Migration to Post-Quantum Cryptography Quantum Readiness: Cryptographic Discovery.