Quantum computing is a groundbreaking technology that has the potential to revolutionize various industries by solving certain complex mathematical problems exponentially faster than classical computers. While this opens up a realm of opportunities, it poses a looming threat to traditional cryptographic algorithms, such as RSA, which could become vulnerable to quantum attacks.
Experts from NIST and the National Security Agency predict that within the next 5 to 10 years, quantum computing will reach a point where it could pose a significant risk to existing cryptographic systems. In light of this, organizations are being urged to start their post-quantum cryptography (PQC) migrations now to mitigate the risk of potential “harvest now, decrypt later” attacks and ensure they are prepared for the future cryptographic landscape.
One critical aspect of enhancing quantum security hygiene and initiating a PQC migration is the development of a cryptographic bill of materials (CBOM). This involves taking inventory of all cryptographic systems being used, evaluating their interactions with the organization’s software, and identifying any systems that may require updating to align with the requirements of a post-quantum world.
A CBOM serves as a comprehensive record of all the open source, proprietary, and commercial software utilized by a company to manage its cryptographic assets. It not only highlights the current usage of cryptography within the organization but also aids in assessing potential future needs and vulnerabilities in the face of quantum computing advancements.
By creating a CBOM, organizations can achieve several key objectives, including identifying and monitoring the use of cryptographic algorithms, evaluating the adequacy of existing standards, determining which algorithms require updating, fostering crypto-agility, and ensuring compliance with industry regulations. Additionally, CBOMs play a vital role in planning for a PQC migration by helping organizations assess their risk posture and make informed risk management decisions.
It is essential to distinguish between a CBOM and a software bill of materials (SBOM). While an SBOM details all software components and dependencies within an organization, a CBOM provides an added layer specifically focused on cryptographic assets, encompassing hardware, firmware, and software components.
Creating a CBOM involves a systematic approach that begins with defining the scope of the inventory, using existing asset-tracking databases or developing new ones if necessary. The next step is identifying the encryption algorithms used by every component of the systems, which can be time-consuming but is made more efficient with the assistance of SBOM tools like CycloneDX, which now offers CBOM capabilities.
In addition to standard SBOM contents, a CBOM should include detailed information on cryptographic algorithms, dependencies, standards compliance, certificates, keys, security protocols, and policies. For organizations preparing for quantum readiness, conducting a thorough risk assessment of each cryptographic asset is crucial, as some legacy applications may pose challenges in upgrading cryptographic algorithms.
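As an added example (not code from this article or from the CycloneDX project), the following Python builds a small CBOM in the shape of CycloneDX 1.6's cryptographic-asset components and then triages each entry into the PQC migration backlog. The field names follow my recollection of the CycloneDX 1.6 schema and should be validated against the published schema; the inventory entries and file paths are constructed sample data.

```python
# Added example modelled on CycloneDX 1.6 cryptographic-asset fields (assumption:
# field names are from memory; validate against the published schema).
# Shor breaks these public-key families; symmetric/hash strength is only halved
# by Grover, so 256-bit parameters are retained.
SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "Ed25519", "X25519"}
PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
SYMMETRIC = {"block-cipher", "stream-cipher", "mac", "hash"}

def crypto_component(name, primitive, param, found_in):
    """One cryptographic-asset component (algorithm) with where it was found."""
    return {"type": "cryptographic-asset", "name": name,
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {
                                     "primitive": primitive,
                                     "parameterSetIdentifier": str(param)}},
            "evidence": {"occurrences": [{"location": p} for p in found_in]}}

def build_cbom(components):
    """Wrap components in a CycloneDX BOM envelope."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "version": 1, "components": components}

def triage(cbom):
    """Map 'NAME-bits' -> (verdict, occurrence count) for the migration backlog."""
    report = {}
    for c in cbom["components"]:
        if c.get("type") != "cryptographic-asset":
            continue  # ordinary SBOM components carry no cryptoProperties
        props = c["cryptoProperties"]["algorithmProperties"]
        bits = int(props["parameterSetIdentifier"])
        if c["name"] in SHOR_VULNERABLE:
            verdict = "replace"  # harvest-now-decrypt-later exposure today
        elif c["name"] in PQC_SAFE:
            verdict = "ok"
        elif props["primitive"] in SYMMETRIC:
            verdict = "ok" if bits >= 256 else "upgrade"  # Grover halves bits
        else:
            verdict = "review"
        report[f'{c["name"]}-{bits}'] = (verdict, len(c["evidence"]["occurrences"]))
    return report

# Constructed sample inventory; the file paths are illustrative only.
SAMPLE = build_cbom([
    crypto_component("RSA", "pke", 2048, ["tls/server.pem", "vpn/gateway.key"]),
    crypto_component("ECDH", "key-agree", 256, ["sshd_config"]),
    crypto_component("AES", "block-cipher", 128, ["backup/encrypt.py"]),
    crypto_component("AES", "block-cipher", 256, ["db/tde.conf"]),
    crypto_component("ML-KEM", "kem", 768, ["tls/hybrid.conf"]),
])
```

Calling `triage(SAMPLE)` yields `("replace", 2)` for `RSA-2048` and `("upgrade", 1)` for `AES-128`, which is the prioritised, occurrence-weighted backlog the risk assessment above is meant to produce.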
Part of the risk management process for PQC migration involves engaging with vendors to determine their support for post-quantum cryptography and assessing the need for potential vendor and product changes to align with PQC requirements. With a completed CBOM, organizations can effectively analyze their software landscape for PQC implementation and prioritize the deployment of quantum-safe software.
It is important to note that a CBOM is a dynamic document that requires regular updates as new software is introduced or removed from the organization’s infrastructure to maintain cryptographic and PQC security standards. As organizations embark on their PQC migration journey, staying proactive and vigilant in managing cryptographic assets will be key to mitigating the risks posed by quantum computing advancements.