Summary:
In this episode, host Timothy De Block sits down with John Morello to dive into the world of Cryptography Bill of Materials (CBOM) and the looming transition to Post-Quantum Cryptography (PQC). They discuss why tracking cryptographic assets is becoming a critical security requirement, how CBOMs are being integrated into existing SBOM standards, and why organizations need to start future-proofing their encrypted data against quantum computing threats today.
Key Topics Discussed
What is a CBOM? A Cryptography Bill of Materials provides a trustworthy, structured, and machine-readable way to represent what cryptographic components exist in your software and how they are configured.
Beyond the Basic SBOM: While a standard SBOM might tell you that a component like OpenSSL is present, a CBOM details the specific algorithms, key lengths, and operational modes in use.
The Consolidation of Standards: CBOMs are actively being merged into broader SBOM frameworks like CycloneDX and SPDX. Over the coming months, CBOM data will simply become a subset of the tags and artifacts within standard SBOM files, reducing complexity for developers and security teams.
The Post-Quantum Threat: The mathematical foundations of common cryptographic algorithms like RSA, DES, and SHA will eventually be breakable by quantum computers.
"Harvest Now, Decrypt Later": Adversaries may already be recording encrypted traffic today with the intention of decrypting it years down the line once quantum computing becomes viable.
NIST and Regulatory Standards: NIST has been running a Post-Quantum Cryptography (PQC) project for several years and is expected to finalize approved algorithms soon. This guidance will likely be codified into future standards, such as a FIPS 140-4 update.
Who Owns the CBOM? DevOps and developer teams should be responsible for creating and maintaining the CBOM data alongside their existing SBOM processes. Security teams will then consume this data to understand exposure, measure adoption of quantum-resistant algorithms, and prioritize risk mitigation.
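The points above describe a CBOM as machine-readable data that security teams consume to find weak algorithms and measure post-quantum adoption. The following is an added example (not code from the episode, from Minimus, or from the CycloneDX project) showing what that consumption looks like: it loads a small CycloneDX-style BOM, pulls out the cryptographic-asset components, flags weak key lengths, ECB mode and algorithms with no quantum security, and computes how much of the key-establishment and signature inventory is already quantum-resistant. The sample BOM is constructed, the field names follow my understanding of the CycloneDX 1.6 `cryptoProperties` schema, the minimum-key-length policy is an assumed example policy, and the reading of `nistQuantumSecurityLevel` 0 as "no quantum security" is also an assumption.

```python
"""Inventory cryptographic assets from a CycloneDX-style CBOM and flag weak or
quantum-vulnerable algorithms.  Added example; the BOM below is constructed."""
import json

# Constructed sample modelled on CycloneDX 1.6 "cryptographic-asset" components.
# Field names (cryptoProperties, algorithmProperties, parameterSetIdentifier,
# nistQuantumSecurityLevel) are an assumption about the 1.6 schema.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        # A plain SBOM entry: tells you OpenSSL is present, nothing about its use.
        {"type": "library", "name": "openssl", "version": "3.3.0", "bom-ref": "lib-openssl"},
        # CBOM entries: the algorithms, parameter sets and modes actually configured.
        {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg-rsa",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "pke", "parameterSetIdentifier": "2048",
             "cryptoFunctions": ["keygen", "encrypt"], "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "AES-128-CBC", "bom-ref": "alg-aes",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "block-cipher", "parameterSetIdentifier": "128", "mode": "cbc",
             "cryptoFunctions": ["encrypt", "decrypt"], "nistQuantumSecurityLevel": 1}}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "alg-mlkem",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "kem", "parameterSetIdentifier": "768",
             "cryptoFunctions": ["keygen", "encapsulate", "decapsulate"],
             "nistQuantumSecurityLevel": 3}}},
        {"type": "cryptographic-asset", "name": "SHA-256", "bom-ref": "alg-sha256",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "hash", "parameterSetIdentifier": "256",
             "cryptoFunctions": ["digest"], "nistQuantumSecurityLevel": 2}}},
        {"type": "cryptographic-asset", "name": "DES", "bom-ref": "alg-des",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "block-cipher", "parameterSetIdentifier": "56", "mode": "ecb",
             "cryptoFunctions": ["encrypt", "decrypt"], "nistQuantumSecurityLevel": 0}}},
    ],
})

# Assumed example policy: minimum acceptable parameter size per primitive.
# Primitives not listed (e.g. "kem") are not judged on size here.
WEAK_MIN_BITS = {"block-cipher": 128, "pke": 2048, "signature": 2048, "hash": 256}


def load_algorithms(bom_json: str) -> list[dict]:
    """Flatten the BOM's algorithm assets into a list of simple records."""
    bom = json.loads(bom_json)
    assets = []
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties")
        if comp.get("type") != "cryptographic-asset" or not props:
            continue
        if props.get("assetType") != "algorithm":
            continue
        alg = props.get("algorithmProperties", {})
        param = alg.get("parameterSetIdentifier")
        assets.append({
            "name": comp["name"],
            "primitive": alg.get("primitive"),
            "bits": int(param) if param and param.isdigit() else None,
            "mode": alg.get("mode"),
            "pq_level": alg.get("nistQuantumSecurityLevel"),
        })
    return assets


def classify(asset: dict) -> list[str]:
    """Return policy findings for one algorithm asset (empty list means clean)."""
    findings = []
    minimum = WEAK_MIN_BITS.get(asset["primitive"])
    if minimum is not None and asset["bits"] is not None and asset["bits"] < minimum:
        findings.append("weak-key-length")
    if asset["mode"] == "ecb":
        findings.append("ecb-mode")
    # Assumption: level 0 means the algorithm offers no quantum security.
    if asset["pq_level"] == 0:
        findings.append("quantum-vulnerable")
    return findings


def pq_adoption(assets: list[dict]) -> float:
    """Fraction of key-establishment/signature algorithms that are quantum-resistant."""
    relevant = [a for a in assets if a["primitive"] in ("pke", "kem", "signature")]
    if not relevant:
        return 0.0
    resistant = [a for a in relevant if (a["pq_level"] or 0) >= 1]
    return len(resistant) / len(relevant)


def report(bom_json: str) -> dict:
    """Produce the inventory view a security team would consume from a CBOM."""
    assets = load_algorithms(bom_json)
    return {
        "algorithm_count": len(assets),
        "findings": {a["name"]: classify(a) for a in assets},
        "pq_adoption": pq_adoption(assets),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_CBOM), indent=2))
```

Run against the constructed BOM, the report flags DES for its 56-bit key, ECB mode and lack of quantum security, flags RSA-2048 only as quantum-vulnerable, leaves AES-128-CBC, SHA-256 and ML-KEM-768 clean under this policy, and shows 50% post-quantum adoption for key establishment (one of RSA and ML-KEM). The same shape of query is what makes a CBOM more useful than a bare SBOM: the library entry alone could not have answered any of these questions.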
Memorable Quotes
On the need for CBOMs: "It's less about dealing with cryptographic-based vulnerabilities. It's more to help you inventory what you've got, to find whether you have weak algorithms and weak key lengths in place, and to be able to do that discovery in a consistent way."
On preparing for the future: "If you wait to move to post-quantum or quantum-resistant algorithms only after those quantum computers are widely available, or at least available to your adversaries... basically everything that you've encrypted before with these non-resistant algorithms is subject to decryption in the future."
Resources & Links Mentioned
NIST Post-Quantum Cryptography (PQC) Project: The central hub for NIST's ongoing work to standardize quantum-resistant algorithms.
Minimus.io: John Morello's company, which provides hardened container images that automatically build CBOMs and integrate post-quantum capabilities out of the box.
Link: minimus.io
Minimus CBOM Blog Series: Check out the articles mentioned in the episode for a deeper dive into Cryptographic Bill of Materials:
Support the Podcast:
Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.
Contact Information:
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.
