Inventorying cryptographic assets is a foundational best practice for post-quantum cryptography (PQC) readiness, as emphasized by NIST SP 1800-38B. CycloneDX Cryptography Bill of Materials (CBOM) provides a structured way to document algorithms, keys, and protocols, helping organizations assess risks, ensure compliance, and prepare for the transition to quantum-safe systems.
Cryptographic keys are central to securing sensitive operations, yet their misuse or weak management can compromise entire systems. CBOM tracks key types, lifecycles, and dependencies, ensuring organizations can monitor expiring, inactive, or vulnerable keys. This visibility is essential for enforcing secure practices and transitioning to quantum-safe alternatives.
| Property | Usage Description |
|---|---|
| `assetType` | Specifies the category of the cryptographic asset, such as `algorithm`, `certificate`, `protocol`, or `related-crypto-material`. |
| `type` | Specifies the kind of related cryptographic asset, such as `public-key`, `private-key`, or `digest`, indicating its role in cryptographic operations. |
| `state` | Denotes the current status of the key, such as `active`, `suspended`, or `destroyed`, reflecting its operational readiness and validity. This aligns with the key lifecycle states defined in NIST SP 800-57. |
| `size` | Indicates the length of the key, typically measured in bits, which correlates to its cryptographic strength. |
| `algorithmRef` | References the algorithm used to generate the related cryptographic material. |
| `securedBy` | Describes the protection mechanism applied to the key, detailing how it is safeguarded against unauthorized access or compromise. Common mechanisms include `Software`, `HSM`, and `TPM`. |
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-09T12:00:00Z",
    "component": {
      "type": "application",
      "name": "my application",
      "version": "1.0"
    }
  },
  "components": [
    {
      "name": "RSA-2048",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/key/rsa-2048@1.2.840.113549.1.1.1",
      "cryptoProperties": {
        "assetType": "related-crypto-material",
        "relatedCryptoMaterialProperties": {
          "type": "public-key",
          "id": "2e9ef09e-dfac-4526-96b4-d02f31af1b22",
          "state": "active",
          "size": 2048,
          "algorithmRef": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
          "securedBy": {
            "mechanism": "Software",
            "algorithmRef": "crypto/algorithm/aes-128-gcm@2.16.840.1.101.3.4.1.6"
          },
          "creationDate": "2016-11-21T08:00:00Z",
          "activationDate": "2016-11-21T08:20:00Z"
        },
        "oid": "1.2.840.113549.1.1.1"
      }
    },
    {
      "name": "RSA-2048",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "2048",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "cryptoFunctions": [ "encapsulate", "decapsulate" ]
        },
        "oid": "1.2.840.113549.1.1.1"
      }
    },
    {
      "name": "AES-128-GCM",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/aes-128-gcm@2.16.840.1.101.3.4.1.6",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "128",
          "primitive": "ae",
          "mode": "gcm",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "cryptoFunctions": [ "keygen", "encrypt", "decrypt" ],
          "classicalSecurityLevel": 128,
          "nistQuantumSecurityLevel": 1
        },
        "oid": "2.16.840.1.101.3.4.1.6"
      }
    }
  ]
}
```
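As an added example (not code from the CycloneDX guide or project), a Python review pass that does what the property table above is for: it walks the key material in a CBOM, resolves each key's `algorithmRef`, and reports keys whose `state` is not `active`, keys with dangling references, keys whose algorithm offers no quantum security, and keys protected only in software. The CBOM document, `review_keys` and `PUBLIC_KEY_PRIMITIVES` are constructed for this example; the `primitive` values are CycloneDX 1.6 enum values.

```python
import json

# Constructed sample CBOM (assumption: not the page's own document). The RSA key
# resolves cleanly; the AES key is destroyed and points at a missing algorithm.
SAMPLE_CBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
 "components": [
  {"name": "RSA-2048", "type": "cryptographic-asset",
   "bom-ref": "crypto/key/rsa-2048@1.2.840.113549.1.1.1",
   "cryptoProperties": {"assetType": "related-crypto-material",
    "relatedCryptoMaterialProperties": {"type": "private-key", "state": "active",
     "size": 2048, "algorithmRef": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
     "securedBy": {"mechanism": "Software"}}}},
  {"name": "RSA-2048", "type": "cryptographic-asset",
   "bom-ref": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
   "cryptoProperties": {"assetType": "algorithm",
    "algorithmProperties": {"primitive": "pke", "parameterSetIdentifier": "2048"}}},
  {"name": "AES-128", "type": "cryptographic-asset",
   "bom-ref": "crypto/key/aes-128@2.16.840.1.101.3.4.1.6",
   "cryptoProperties": {"assetType": "related-crypto-material",
    "relatedCryptoMaterialProperties": {"type": "secret-key", "state": "destroyed",
     "size": 128, "algorithmRef": "crypto/algorithm/aes-128-gcm@missing",
     "securedBy": {"mechanism": "HSM"}}}}
 ]}""")

# Public-key primitives whose classical instances offer no quantum security
# unless the CBOM states a nistQuantumSecurityLevel greater than 0.
PUBLIC_KEY_PRIMITIVES = {"pke", "signature", "key-agree", "kem"}

def review_keys(bom):
    """Return (bom-ref, finding) pairs for every key in the CBOM, in BOM order."""
    by_ref = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    findings = []
    for ref, comp in by_ref.items():
        cp = comp.get("cryptoProperties", {})
        if cp.get("assetType") != "related-crypto-material":
            continue
        key = cp.get("relatedCryptoMaterialProperties", {})
        if key.get("state") != "active":
            findings.append((ref, "state is %s" % key.get("state", "unset")))
        alg = by_ref.get(key.get("algorithmRef"))
        if alg is None:  # dangling reference: the key's algorithm cannot be assessed
            findings.append((ref, "algorithmRef does not resolve to a component"))
            continue
        aprops = alg.get("cryptoProperties", {}).get("algorithmProperties", {})
        if (aprops.get("primitive") in PUBLIC_KEY_PRIMITIVES
                and aprops.get("nistQuantumSecurityLevel", 0) == 0):
            findings.append((ref, "quantum-vulnerable algorithm: plan PQC migration"))
        if key.get("securedBy", {}).get("mechanism") == "Software":
            findings.append((ref, "software-protected key: consider HSM or TPM"))
    return findings
```

Run against the sample, the RSA key yields the quantum and software-protection findings and the AES key yields the state and dangling-reference findings.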