Towards Cryptography Bill of Materials Compliance
Claudio Foroncelli, Alessandro Tomasi, Luca Piras, Luis Augusto Dias Knob, Pietro De Matteis, Silvio Ranise
2025-01-01
Abstract
Discovering, managing, and reporting on cryptographic assets is a critical step for the transition to quantum-safe systems and applications. Cryptography Bills of Materials (CBOMs) have been proposed as an aid to cryptographic inventory, agility, and compliance with guidelines to create more secure software and services. Writing policies and automating compliance checks for cryptography is a valuable but complex task. We present a prototype framework for automated evaluation of cryptographic compliance extending existing CBOM tools with a policy-driven engine that classifies cryptographic assets according to customizable rules and compliance levels. Machine-readable policies enable flexible adaptation to different guidelines while supporting analysts in performing semi-automatic assessments. The prototype is validated through experiments on both synthetic and real-world software. Results show that the system correctly identifies deprecated and disallowed primitives, producing clear compliance reports. While we highlight some difficulties common to automating compliance checks, our findings demonstrate the potential of CBOM-based approaches to enhance visibility, governance, and readiness for the post-quantum cryptography transition.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
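As an added illustration of the kind of policy-driven classification the abstract describes, the script below is example code written for this page; it is not the authors' prototype and not the code of any existing CBOM tool. It reads a constructed CycloneDX-style CBOM, applies a constructed machine-readable policy with three compliance levels (allowed, deprecated, disallowed), flags assets no rule covers as "unknown" for analyst review, and prints a compliance report. The policy format, the rule semantics (rules evaluated in order, first match wins, each regex must fully match the flattened asset fact) and all sample assets are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample CBOM in the CycloneDX 1.6 style (cryptographic-asset
# components). Values are illustrative, not taken from any real scan.
SAMPLE_CBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "cryptographic-asset", "name": "SHA-1",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "hash"}}},
    {"type": "cryptographic-asset", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "pke"}}},
    {"type": "cryptographic-asset", "name": "AES-256-GCM",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "ae"}}},
    {"type": "cryptographic-asset", "name": "ML-KEM-768",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "kem"}}},
    {"type": "cryptographic-asset", "name": "Whirlpool",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "hash"}}},
    {"type": "library", "name": "openssl", "version": "3.0.0"}
  ]
}
""")

# Constructed machine-readable policy (hypothetical format). Rules are
# evaluated in order; the first rule whose every "match" regex fully matches
# the corresponding asset fact decides the compliance level.
SAMPLE_POLICY = {
    "name": "demo-pqc-transition-policy",
    "levels": ["allowed", "deprecated", "disallowed"],
    "rules": [
        {"match": {"name": r"MD5|SHA-?1"}, "level": "disallowed",
         "reason": "collision-broken hash"},
        {"match": {"primitive": "pke"}, "level": "deprecated",
         "reason": "quantum-vulnerable public-key encryption"},
        {"match": {"primitive": "kem", "name": r"ML-KEM-(512|768|1024)"},
         "level": "allowed", "reason": "FIPS 203 KEM"},
        {"match": {"name": r"AES-(128|192|256)-GCM"}, "level": "allowed",
         "reason": "approved AEAD"},
    ],
}


def validate_policy(policy):
    """Reject rules that use an undeclared level or an invalid regex."""
    for rule in policy["rules"]:
        if rule["level"] not in policy["levels"]:
            raise ValueError(f"undeclared level {rule['level']!r} in rule {rule['match']}")
        for pattern in rule["match"].values():
            re.compile(pattern)  # raises re.error on a malformed pattern


def asset_facts(component):
    """Flatten the CBOM fields a rule is allowed to match on."""
    props = component.get("cryptoProperties", {})
    algo = props.get("algorithmProperties", {})
    return {"name": component.get("name", ""),
            "assetType": props.get("assetType", ""),
            "primitive": algo.get("primitive", "")}


def rule_matches(match, facts):
    return all(re.fullmatch(p, facts.get(k, "")) for k, p in match.items())


def classify(facts, policy):
    for rule in policy["rules"]:
        if rule_matches(rule["match"], facts):
            return rule["level"], rule["reason"]
    # Unmatched assets are surfaced for an analyst rather than silently passed.
    return "unknown", "no rule matched; analyst review required"


def evaluate(cbom, policy):
    """Classify every cryptographic-asset component of the CBOM under the policy."""
    validate_policy(policy)
    findings = []
    for comp in cbom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue  # libraries, files and other component types are not classified here
        facts = asset_facts(comp)
        level, reason = classify(facts, policy)
        findings.append({**facts, "level": level, "reason": reason})
    return findings


def summarize(findings):
    return dict(Counter(f["level"] for f in findings))


def render_report(findings, policy):
    lines = [f"Policy: {policy['name']}"]
    for f in sorted(findings, key=lambda f: f["level"]):
        lines.append(f"  {f['level']:<10} {f['name']:<12} {f['primitive']:<5} {f['reason']}")
    totals = ", ".join(f"{k}={v}" for k, v in sorted(summarize(findings).items()))
    lines.append("  totals: " + totals)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(evaluate(SAMPLE_CBOM, SAMPLE_POLICY), SAMPLE_POLICY))
```

The "unknown" level is deliberately distinct from "allowed": an inventory that silently passes whatever the policy author forgot to enumerate (here, Whirlpool) hides exactly the gaps a compliance assessment is meant to expose, so unmatched assets are reported for semi-automatic review instead.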
