Towards Cryptography Bill of Materials Compliance

Claudio Foroncelli; Alessandro Tomasi; Luca Piras; Luis Augusto Dias Knob; Pietro De Matteis; Silvio Ranise
2025-01-01

Abstract

Discovering, managing, and reporting on cryptographic assets is a critical step for the transition to quantum-safe systems and applications. Cryptography Bills of Materials (CBOMs) have been proposed as an aid to cryptographic inventory, agility, and compliance with guidelines to create more secure software and services. Writing policies and automating compliance checks for cryptography is a valuable but complex task. We present a prototype framework for automated evaluation of cryptographic compliance extending existing CBOM tools with a policy-driven engine that classifies cryptographic assets according to customizable rules and compliance levels. Machine-readable policies enable flexible adaptation to different guidelines while supporting analysts in performing semi-automatic assessments. The prototype is validated through experiments on both synthetic and real-world software. Results show that the system correctly identifies deprecated and disallowed primitives, producing clear compliance reports. While we highlight some difficulties common to automating compliance checks, our findings demonstrate the potential of CBOM-based approaches to enhance visibility, governance, and readiness for the post-quantum cryptography transition.
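As an added illustration, not the authors' prototype or any code from the paper, the following Python sketch shows what a policy-driven classification of CBOM assets can look like: a constructed CBOM whose layout is modelled on CycloneDX 1.6 `cryptoProperties` (the field names are an assumption about that schema), a machine-readable policy of ordered rules mapping assets to compliance levels, and a report that hands unmatched assets to the analyst for review. The rule ids, level names, thresholds and sample components are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed CBOM. Layout modelled on CycloneDX 1.6 cryptoProperties (assumed field names).
def asset(name: str, primitive: str, params: Optional[str] = None) -> dict:
    props = {"primitive": primitive}
    if params:
        props["parameterSetIdentifier"] = params
    return {"type": "cryptographic-asset", "name": name,
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props}}

SAMPLE_CBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"type": "library", "name": "openssl", "version": "3.0.0"},  # not a crypto asset
    asset("SHA-1", "hash"), asset("RSA-1024", "pke", "1024"),
    asset("RSA-2048", "signature", "2048"), asset("ML-KEM-768", "kem"),
    asset("AES-256-GCM", "ae"), asset("SHA-256", "hash"),
    asset("CustomCipher", "block-cipher"),
]}

# Constructed policy: ordered rules, first match wins. Levels, ids and thresholds
# are illustrative only and do not reproduce any particular guideline.
POLICY = {
    "name": "constructed-pqc-readiness-policy",
    "default_level": "review",  # unmatched assets are left to the analyst
    "rules": [
        {"id": "broken-primitive", "level": "disallowed",
         "match": {"name": r"^(MD5|SHA-?1|DES|3DES|RC4)$"}},
        {"id": "rsa-short-key", "level": "disallowed",
         "match": {"name": r"^RSA-\d+$", "key_bits_below": 2048}},
        {"id": "classical-pk-transition", "level": "deprecated",
         "match": {"name": r"^(RSA|ECDSA|ECDH|DH)\b"}},
        {"id": "pqc-kem", "level": "allowed",
         "match": {"primitive": "kem", "name": r"^ML-KEM-(512|768|1024)$"}},
        {"id": "modern-hash", "level": "allowed",
         "match": {"primitive": "hash", "name": r"^(SHA-?(256|384|512)|SHA3-\d+)$"}},
        {"id": "aes", "level": "allowed", "match": {"name": r"^AES-(128|192|256)"}},
    ],
}

SUPPORTED_CRITERIA = {"name", "primitive", "key_bits_below"}

@dataclass
class Finding:
    asset: str
    level: str
    rule_id: Optional[str]  # None when only the policy default applied

def algorithm_props(component: dict) -> dict:
    return component.get("cryptoProperties", {}).get("algorithmProperties", {})

def key_bits(component: dict) -> Optional[int]:
    """Parameter size in bits from parameterSetIdentifier, else a number in the name."""
    psi = str(algorithm_props(component).get("parameterSetIdentifier", ""))
    if psi.isdigit():
        return int(psi)
    found = re.search(r"(\d{3,5})", component.get("name", ""))
    return int(found.group(1)) if found else None

def rule_matches(rule: dict, component: dict) -> bool:
    """All criteria must hold; a misspelled criterion is an error, never a silent pass."""
    crit = rule["match"]
    unknown = set(crit) - SUPPORTED_CRITERIA
    if unknown:
        raise ValueError(f"rule {rule['id']}: unsupported criteria {sorted(unknown)}")
    if "name" in crit and not re.match(crit["name"], component.get("name", ""), re.IGNORECASE):
        return False
    if "primitive" in crit and algorithm_props(component).get("primitive") != crit["primitive"]:
        return False
    if "key_bits_below" in crit:
        bits = key_bits(component)
        if bits is None or bits >= crit["key_bits_below"]:
            return False
    return True

def classify(cbom: dict, policy: dict) -> list:
    """Assign a compliance level to every cryptographic asset in the CBOM."""
    findings = []
    for component in cbom.get("components", []):
        if component.get("type") != "cryptographic-asset":
            continue  # libraries, files, services: nothing to assess here
        level, rule_id = policy["default_level"], None
        for rule in policy["rules"]:
            if rule_matches(rule, component):
                level, rule_id = rule["level"], rule["id"]
                break
        findings.append(Finding(component["name"], level, rule_id))
    return findings

def summarize(findings: list) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    return counts

def report(findings: list) -> str:
    lines = [f"{f.asset:<14}{f.level:<12}{f.rule_id or '(no rule: analyst review)'}"
             for f in findings]
    summary = ", ".join(f"{k}={v}" for k, v in sorted(summarize(findings).items()))
    return "\n".join(lines + ["summary: " + summary])

if __name__ == "__main__":
    print(report(classify(SAMPLE_CBOM, POLICY)))
```

Two design points carry over to any real engine of this kind: rule order is part of the policy (the short-key rule must precede the generic "classical public-key" rule, or RSA-1024 would be reported as merely deprecated), and a criterion the engine does not understand should fail loudly rather than be skipped, since a skipped criterion silently widens what a rule allows.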
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11582/367387