Cryptographic Protocol

Introduction

Inventorying cryptographic assets is a foundational best practice for post-quantum cryptography (PQC) readiness, as emphasized by NIST SP 1800-38B. CycloneDX Cryptography Bill of Materials (CBOM) provides a structured way to document algorithms, keys, and protocols, helping organizations assess risks, ensure compliance, and prepare for the transition to quantum-safe systems.

Protocols define secure communication standards but often embed outdated cryptographic primitives. CBOM allows organizations to inventory and evaluate protocol dependencies, identifying those reliant on weak or non-quantum-safe algorithms. This ensures timely updates and alignment with post-quantum cryptography standards.

Highlighted fields

PropertyUsage Description
assetTypeSpecifies the category of the cryptographic asset, such as algorithm, certificate, protocol, or related-crypto-material.
typeSpecifies the category of the cryptographic protocol, such as tls, ipsec, or ssh, indicating the protocol's primary function in securing communications.
versionDenotes the specific version of the protocol in use, providing clarity on the protocol's features and security capabilities.
cipherSuitesLists the combinations of cryptographic algorithms employed by the protocol to secure data transmission, detailing the methods for encryption, authentication, and key exchange.
algorithmsIdentifies the individual cryptographic algorithms utilized within the protocol, offering insight into the specific methods applied for securing communications.
identifiersProvides unique references or names associated with the protocol, facilitating precise identification and differentiation from other protocols.
cryptoRefArrayContains references to cryptographic assets related to the protocol, such as keys or certificates, establishing connections to the specific cryptographic materials in use.
This example describes the use of the TLS 1.2 protocol to secure application communications, including its supported cryptographic methods and associated assets like certificates and algorithms.

Examples

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-09T12:00:00Z",
    "component": {
      "type": "application",
      "name": "my application",
      "version": "1.0"
    }
  },
  "components": [
    {
      "name": "TLSv1.2",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/protocol/[email protected]",
      "cryptoProperties": {
        "assetType": "protocol",
        "protocolProperties": {
          "type": "tls",
          "version": "1.2",
          "cipherSuites": [
            {
              "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "algorithms": [
                "crypto/algorithm/[email protected]",
                "crypto/algorithm/[email protected]",
                "crypto/algorithm/[email protected]",
                "crypto/algorithm/[email protected]"
              ],
              "identifiers": [ "0xC0", "0x30" ]
            }
          ],
          "cryptoRefArray": [
            "crypto/certificate/google.com@sha256:1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4"
          ]
        },
        "oid": "1.3.18.0.2.32.104"
      }
    },
    {
      "name": "google.com",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/certificate/google.com@sha256:1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4",
      "cryptoProperties": {
        "assetType": "certificate",
        "certificateProperties": {
          "subjectName": "CN = www.google.com",
          "issuerName": "C = US, O = Google Trust Services LLC, CN = GTS CA 1C3",
          "notValidBefore": "2016-11-21T08:00:00Z",
          "notValidAfter": "2017-11-22T07:59:59Z",
          "signatureAlgorithmRef": "crypto/algorithm/[email protected]",
          "subjectPublicKeyRef": "crypto/key/[email protected]",
          "certificateFormat": "X.509",
          "certificateExtension": "crt"
        }
      }
    },
    {
      "name": "SHA512withRSA",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/[email protected]",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "512",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "digest" ],
          "nistQuantumSecurityLevel": 0
        },
        "oid": "1.2.840.113549.1.1.13"
      }
    },
    {
      "name": "RSA-2048",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/key/[email protected]",
      "cryptoProperties": {
        "assetType": "related-crypto-material",
        "relatedCryptoMaterialProperties": {
          "type": "public-key",
          "id": "2e9ef09e-dfac-4526-96b4-d02f31af1b22",
          "state": "active",
          "size": 2048,
          "algorithmRef": "crypto/algorithm/[email protected]",
          "securedBy": {
            "mechanism": "Software",
            "algorithmRef": "crypto/algorithm/[email protected]"
          },
          "creationDate": "2016-11-21T08:00:00Z",
          "activationDate": "2016-11-21T08:20:00Z"
        },
        "oid": "1.2.840.113549.1.1.1"
      }
    },
    {
      "name": "ECDH",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/[email protected]",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "curve": "curve25519",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "keygen" ]
        },
        "oid": "1.3.132.1.12"
      }
    },
    {
      "name": "RSA-2048",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/[email protected]",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "2048",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "encapsulate", "decapsulate" ]
        },
        "oid": "1.2.840.113549.1.1.1"
      }
    },
    {
      "name": "AES-256-GCM",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/[email protected]",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "256",
          "primitive": "ae",
          "mode": "gcm",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "encrypt", "decrypt" ],
          "classicalSecurityLevel": 256,
          "nistQuantumSecurityLevel": 1
        },
        "oid": "2.16.840.1.101.3.4.1.46"
      }
    },
    {
      "name": "SHA384",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/[email protected]",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "384",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "digest" ],
          "nistQuantumSecurityLevel": 2
        },
        "oid": "2.16.840.1.101.3.4.2.9"
      }
    }
  ]
}

Related Guides and Resources