A number of organizations are framing the migration to post-quantum cryptography (PQC) as an opportunity to affect broader IT security modernization across their organizations, especially as it relates to managing the full life cycle of cryptographic algorithms, libraries, and protocols. This presentation introduces the idea of a Cryptographic Bill of Materials (CBOM), often considered a key element of this IT modernization effort. We compare and contrast CBOM with the more familiar Software Bill of Materials (SBOM), paying particular attention to how the cryptographic ecosystem poses unique challenges compared to software-at-large. For example, many cryptographic protocols include a negotiation phase over the wire, complicating the effort to know exactly which algorithm was used in any given protocol handshake. We explore the types of cryptographic assurance that a CBOM can and cannot provide for an organization. Finally, we describe how supplementary efforts such as key management, real-time cryptographic monitoring, and the ability to execute historical queries are needed to fill in the operational gaps of a CBOM.
Roman Cinkais - Co-founder at 3Key Company