Skip to content

Commit

Permalink
Added cryptography
Browse files Browse the repository at this point in the history
  • Loading branch information
@stevespringett
stevespringett committed Feb 25, 2024
1 parent 2417f97 commit 0887a04
Show file tree
Hide file tree
Showing 3 changed files with 148 additions and 30 deletions.
99 changes: 79 additions & 20 deletions SBOM/en/0x30-Use_Cases.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -86,9 +86,7 @@ CycloneDX is capable of describing the following types of components:
> system or design. They also aid Software Asset Management (SAM) and IT Asset Management (ITAM) systems in classifying
> the inventory of software and constituent parts.

Component identity is an essential requirement for managing inventory. CycloneDX supports multiple methods to assert
identity including:
CycloneDX supports multiple methods to assert identity including:

- Coordinates: The combination of the group, name, and version fields form the coordinates of a component.
- Package URL: [Package URL](https://github.com/package-url/purl-spec) (PURL) standardizes how software package metadata is represented so that packages can universally be identified and located regardless of what vendor, project, or ecosystem the packages belongs to.
Expand All @@ -102,26 +100,24 @@ information.
The following example illustrates component identity in CycloneDX.

```json
"components": [
{
"type": "library",
"group": "com.example",
"name": "awesome-library",
{
"type": "library",
"group": "com.example",
"name": "awesome-library",
"version": "1.0.0",
"cpe": "cpe:2.3:a:acme:awesome:1.0.0:*:*:*:*:*:*:*",
"purl": "pkg:maven/com.example/[email protected]",
"swid": {
"tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_1.0.0",
"name": "Acme Awesome Library",
"version": "1.0.0",
"cpe": "cpe:2.3:a:acme:awesome:1.0.0:*:*:*:*:*:*:*",
"purl": "pkg:maven/com.example/[email protected]",
"swid": {
"tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_1.0.0",
"name": "Acme Awesome Library",
"version": "1.0.0",
"text": {
"contentType": "text/xml",
"encoding": "base64",
"content": "U1dJRCBkb2N1bWVudCBkb2VzIGhlcmU="
}
"text": {
"contentType": "text/xml",
"encoding": "base64",
"content": "U1dJRCBkb2N1bWVudCBkb2VzIGhlcmU="
}
}
]
}
```

CycloneDX also supports several identifiers specific to hardware devices. Refer to https://cyclonedx.org/capabilities/hbom/
Expand Down Expand Up @@ -519,6 +515,69 @@ Bill of Material (MBOM). The SBOM references the MBOM that describes the environ
all other considerations necessary to replicate a build with utmost precision. This capability allows other parties to
independently verify inputs and outputs from a build which can increase the software's assurance.

## Cryptography Asset Management
CycloneDX can describe a comprehensive inventory of cryptographic assets, encompassing keys,
certificates, tokens, and more. This is a requirement of the [OMB M-23-02](https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf),
where such a system is characterized as a [...”software or hardware implementation of one or more cryptographic algorithms
that provide one or more of the following services: (1) creation and exchange of encryption keys; (2) encrypted connections;
or (3) creation and validation of digital signatures.”]

CycloneDX provides a structured framework for organizations to catalog and track their cryptographic resources, facilitating
efficient management and ensuring security and compliance standards are met. By maintaining a detailed record of
cryptographic assets, including their usage, expiration dates, and associated metadata, CycloneDX enables proactive
monitoring and streamlined auditing processes. With CycloneDX, organizations can effectively safeguard their cryptographic
infrastructure, mitigate risks associated with unauthorized access or misuse, and maintain the integrity and confidentiality
of sensitive data across diverse digital environments.

## Identifying Weak Cryptographic Algorithms
CycloneDX enables organizations to discover weak algorithms or flawed implementations that could compromise security.
Through analysis of cryptographic data, including algorithms, key management practices, and usage patterns, organizations
can pinpoint areas of concern and prioritize remediation efforts. CycloneDX facilitates proactive identification of
weaknesses and vulnerabilities, allowing organizations to enhance the resilience of their cryptographic infrastructure
and mitigate the risk of exploitation, thereby bolstering overall cybersecurity posture and safeguarding sensitive data
against potential threats.

## Post-Quantum Cryptography (PQC) Readiness
CycloneDX is crucial in preparing applications and systems for an impending post-quantum reality, aligning with
guidance from the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). As
quantum computing advancements threaten the security of current cryptographic standards, CycloneDX provides a structured
approach to inventorying cryptographic assets and evaluating their resilience against quantum threats.

Most notably, public key algorithms like RSA, DH, ECDH, DSA or ECDSA are considered not quantum-safe. These algorithms
occur in various components and may be hardcoded in applications but are more commonly and preferably used via dedicated
cryptographic libraries or services. Developers often don’t directly interact with cryptographic algorithms such as RSA
or ECDH but use them via protocols like TLS 1.3 or IPsec, by using certificates, keys, or other tokens. With upcoming
cryptographic agility it becomes less common to put in stone (or software) the algorithms that will be used. Instead,
they are configured during deployment or negotiated in each network protocol session. CycloneDX is designed with these
considerations in mind and to allow insight into the classical and quantum security level of cryptographic assets and
their dependencies.

By cataloging cryptographic algorithms and their respective parameters, CycloneDX enables organizations to identify vulnerable
or weak components that require mitigation or replacement with quantum-resistant alternatives recommended by NSA and NIST.
Through comprehensive analysis and strategic planning facilitated by CycloneDX, organizations can proactively transition to
post-quantum cryptographic primitives, ensuring the long-term security and integrity of their systems and applications.

## Assess Cryptographic Policies and Advisories
A cryptographic inventory in machine-readable form brings benefits if one wants to check for compliance with
cryptographic policies and advisories. An example of such an advisory is [CNSA 2.0](https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF),
which was announced by NSA in September of 2022. CNSA 2.0 states, among other things, that National Security Systems (NSS)
for firmware and software signing needs to support and prefer CNSA 2.0 algorithms by 2025 and exclusively use them by 2030.
The advised algorithms are the stateful hash-based signature schemes LMS and XMSS from [NIST SP 800-208](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf).
With a cryptographic inventory that documents the use of LMS and XMSS by such systems, compliance with CNSA 2.0 can be
assessed in an automated way.

## Identify Expiring and Long-Term Cryptographic Material
An RSA certificate expiring in one week poses less cryptographic risk than the same certificate expiring in 20 years.
Service downtime due to an expired certificate is another risk to be considered. Therefore, we argue that an inventory
that captures the life cycle of cryptographic material as allowed by CycloneDX gives context to an inventory that is
instrumental for managing cryptographic risk.

## Ensure Cryptographic Certifications
Higher cryptographic assurance is provided by certifications such as [FIPS 140-3](https://csrc.nist.gov/pubs/fips/140-3/final)
(levels 1 to 4) or [Common Criteria](https://www.commoncriteriaportal.org/) (EAL1 to 7). To obtain these certifications,
cryptographic modules need to undergo certification processes. For regulated environments such as FedRAMP, such
certifications are important requirements. CycloneDX allows the capture of certification levels of cryptographic assets
so that this property can be easily identified.

<div style="page-break-after: always; visibility: hidden">
\newpage
Expand Down
21 changes: 11 additions & 10 deletions SBOM/en/0x40-BOM_Coverage_Maturity_Quality.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,16 +22,17 @@ CycloneDX highly encourages organizations to exceed the NTIA minimum elements wh
types of data will vary by use case but generally should include:


| **Field** | **CycloneDX Field** | **Description** |
|----------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| BOM Lifecycles | bom.metadata.lifecycles[] | The stage in which data in the BOM was captured |
| BOM Generation Tools | bom.metadata.tools[] | The tool(s) used to create the BOM |
| Component Hash | bom.components[].hashes[] | The hash values of the file or package |
| Component License | bom.components[].licenses[] | The license(s) in which the component is released under |
| Component Evidence | bom.components[].evidence[].identity.* | The evidence of identity including the methods, techniques, and confidence of how components were identified |
| External References | bom.components[].externalReferences[] | Locations to advisories, version control and build systems, etc |
| Services | bom.services[].* | A complete inventory of services including endpoint URLs, data classifications, etc which the product and/or individual components rely on |
| Known Unknowns | bom.compositions[].* | Assertions on the completeness of the inventory of components and services, along with the completeness of dependency relationships |
| **Field** | **CycloneDX Field** | **Description** |
|--------------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| BOM Lifecycles | bom.metadata.lifecycles[] | The stage in which data in the BOM was captured |
| BOM Generation Tools | bom.metadata.tools[] | The tool(s) used to create the BOM |
| Component Hash | bom.components[].hashes[] | The hash values of the file or package |
| Component License | bom.components[].licenses[] | The license(s) in which the component is released under |
| Component Evidence | bom.components[].evidence[].identity.* | The evidence of identity including the methods, techniques, and confidence of how components were identified |
| Cryptographic Properties | bom.components[].cryptoProperties.* | The properties specific to cryptographic assets detailing the algorithms, keys, protocols, and other cryptographic material |
| External References | bom.components[].externalReferences[] | Locations to advisories, version control and build systems, etc |
| Services | bom.services[].* | A complete inventory of services including endpoint URLs, data classifications, etc which the product and/or individual components rely on |
| Known Unknowns | bom.compositions[].* | Assertions on the completeness of the inventory of components and services, along with the completeness of dependency relationships |


## SCVS BOM Maturity Model
Expand Down
58 changes: 58 additions & 0 deletions SBOM/en/0x45-Cryptographic_Components.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# Leveraging Cryptographic Components

CycloneDX can describe cryptographic assets and their dependencies. Discovering, managing, and reporting on cryptographic
assets is necessary as the first step on the migration journey to quantum-safe systems and applications. Cryptography is
typically buried deep within components that are used to compose and build systems and applications.

Advances in quantum computing introduce the risk of previously-secure cryptographic algorithms becoming compromised
faster than ever before. In May of 2022, the White House released a [National Security Memorandum](https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/)
outlining the government’s plan to secure critical systems against potential quantum threats. This memorandum contains
two key takeaways for both agency and commercial software providers: document the potential impact of a breach, and have
an alternative cryptography solution ready.

As cryptographic systems evolve from using classical primitives to quantum-safe primitives, there is expected to be more
widespread use of cryptographic agility, or the ability to quickly switch between multiple cryptographic primitives.
Cryptographic agility serves as a security measure or incident response mechanism when a system’s cryptographic
primitive is discovered to be vulnerable or no longer complies with policies and regulations.

As part of an agile cryptographic approach, organizations should seek to understand what cryptographic assets they are
using and facilitate the assessment of the risk posture to provide a starting point for mitigation.


### Algorithm Example
A cryptographic algorithm is added in the components array of the BOM. The examples below list the algorithm
AES-128-GCM.

```json
"components": [
{
"type": "cryptographic-asset",
"name": "AES-128-GCM",
"cryptoProperties": {
"assetType": "algorithm",
"algorithmProperties": {
"primitive": "ae",
"parameterSetIdentifier": "128",
"mode": "gcm",
"executionEnvironment": "software-plain-ram",
"implementationPlatform": "x86_64",
"certificationLevel": [ "none" ],
"cryptoFunctions": [ "keygen", "encrypt", "decrypt", "tag" ],
"classicalSecurityLevel": 128,
"nistQuantumSecurityLevel": 1
},
"oid": "2.16.840.1.101.3.4.1.6"
}
}
]
```

Organizations should consider including cryptographic assets in their SBOMs and optionally producing a BOM specific for
cryptographic material, otherwise known as a Cryptographic Bill of Material (CBOM).

Refer to the [Authoritative Guide to CBOM](https://cyclonedx.org/guides/) for in-depth information about leveraging
CycloneDX for cryptographic use cases.

<div style="page-break-after: always; visibility: hidden">
\newpage
</div>

0 comments on commit 0887a04

Please sign in to comment.