Key insight
Cryptography hides in six places: your code, your certificates/keys, live network protocols, data at rest, bought products, and the supply chain/firmware. You hunt it with code scanning, certificate inventories, passive network monitoring, cloud-config queries, and vendor questionnaires. The output is a Cryptographic Bill of Materials (CBOM) — a living ingredient label for crypto that anchors every later decision.
The CBOM is the single most valuable artefact of the whole assessment — without it you’re flying blind into the migration.
Where cryptography hides
Discovery techniques
| Technique | Finds |
|---|---|
| Source-code & dependency scanning | Hard-coded algorithms, vulnerable crypto libraries |
| Certificate & key inventory | PKI estate: TLS certs, code-signing keys, expiry, algorithms |
| Passive network monitoring | What TLS/VPN/SSH actually negotiate in production |
| Cloud-configuration queries | Key Vault/KMS keys, TLS policies, managed-service crypto |
| Vendor questionnaires | Bought products’ PQC roadmaps and current algorithms |
No single technique is complete — you triangulate. What’s documented often differs from what’s negotiated live, so passive monitoring is invaluable ground truth.
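An added example, not from the page or any monitoring product, of the triangulation described above: what the documentation claims per service is reconciled against a passive-monitoring export of what was actually negotiated, surfacing drift, undocumented services and coverage gaps. All service names, the log format and the session counts are constructed.

```python
"""Reconcile documented crypto with what passive monitoring sees negotiated.

Added example, not from the page or any monitoring product. Inputs are
constructed: DOCUMENTED is what design docs claim, OBSERVED_LOG a made-up
sensor export, one line per "<service> <protocol> <key-exchange> <sessions>".
"""
from collections import defaultdict

DOCUMENTED = {
    "payments-api":  {"protocol": "TLSv1.3", "kex": "x25519"},
    "legacy-portal": {"protocol": "TLSv1.2", "kex": "ecdhe-p256"},
    "vpn-gateway":   {"protocol": "IKEv2",   "kex": "ecdh-p384"},
}

OBSERVED_LOG = """\
payments-api TLSv1.3 x25519 4821
payments-api TLSv1.2 rsa 37
legacy-portal TLSv1.2 ecdhe-p256 912
legacy-portal TLSv1.0 rsa 5
shadow-reporting TLSv1.2 rsa 12
"""

def parse_observations(text):
    """Aggregate session counts per (service, protocol, key exchange)."""
    counts = defaultdict(int)
    for line in text.splitlines():
        if line.strip():
            service, proto, kex, n = line.split()
            counts[(service, proto, kex)] += int(n)
    return dict(counts)

def reconcile(documented, observed):
    """Return sorted (service, finding, detail) tuples where docs and wire disagree.
    drift = wire negotiated something the docs omit; undocumented = no entry at
    all; unobserved = documented but never seen (a sensor-coverage gap).
    """
    findings, seen = [], set()
    for (service, proto, kex), n in observed.items():
        seen.add(service)
        doc = documented.get(service)
        if doc is None:
            findings.append((service, "undocumented", f"{proto}/{kex}, {n} sessions"))
        elif (proto, kex) != (doc["protocol"], doc["kex"]):
            findings.append((service, "drift",
                             f"docs {doc['protocol']}/{doc['kex']}, wire {proto}/{kex}, {n} sessions"))
    for service in documented:
        if service not in seen:
            findings.append((service, "unobserved", "check sensor coverage before trusting docs"))
    return sorted(findings)
```

Each finding becomes a CBOM row to fix: the drift rows are where "what's documented" and "what's negotiated" part ways.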
The CBOM: what to record
A Cryptographic Bill of Materials (CBOM) is like a food ingredient label, but for cryptography. For every place crypto is used, record:
| Field | Why it matters |
|---|---|
| Algorithm & key size | Is it quantum-vulnerable (RSA/ECC) or safe (AES-256)? |
| Purpose | Key exchange, signature, data-at-rest — drives which fix |
| System & owner | Who must act |
| Data sensitivity | Feeds classification |
| Data shelf life | The X in Mosca’s X+Y>Z — urgency |
| Dependency / source | Own code vs vendor vs firmware |
| Migration status | Not started / hybrid / done |
There’s an emerging standard: CycloneDX extends the software-bill-of-materials (SBOM) format with a CBOM schema, so tools can generate and exchange these automatically.
Why it must be living
Systems change constantly — certificates rotate, apps ship, vendors update. A CBOM filed away is stale within weeks. Treat it as a living inventory, generated automatically wherever possible and refreshed on every deploy. This is where crypto-agility and CBOM reinforce each other: an agile system is easier to inventory and easier to change.
“Automated wherever possible” splits by where the crypto lives. Your own code and cloud services can be scanned in CI on every build (dependency scanners and CycloneDX generators emit CBOM fragments automatically). Certificates and live protocols refresh from your certificate inventory and passive monitoring on a schedule. But firmware, vendor products, and embedded devices rarely self-report — those entries are captured manually from questionnaires and re-attested periodically (say, quarterly or at each contract review). The practical shape is: auto-generate what you can, flag the rest as manually-maintained, and record a last-verified date on every entry so stale rows are visible rather than silently trusted.
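An added example, not from the page or any CycloneDX tool, of triaging CBOM rows in the shape of the table above: each row gets a quantum-vulnerability flag, an urgency flag from its data shelf life via Mosca's X + Y > Z, and a staleness flag from its last-verified date with a per-source limit (tight for scanned sources, quarterly for attested ones). The row values, the migration time Y and the quantum horizon Z are all assumed.

```python
"""Triage CBOM rows: quantum-vulnerable or not, urgency from data shelf life
(the X in Mosca's X + Y > Z) and staleness from the last-verified date.

Added example, not from the page or any CycloneDX tool. Rows are a flat,
constructed form of the table above; Y and Z are assumed planning inputs.
"""
from datetime import date

MIGRATION_YEARS = 3         # Y: assumed years your migration will take
QUANTUM_HORIZON_YEARS = 10  # Z: assumed years until a relevant quantum computer
QUANTUM_VULNERABLE = {"RSA", "ECC", "ECDSA", "ECDH", "DH"}
# Days a row may go unverified, by where the crypto lives: scanned sources
# (code, cloud) refresh every build; attested ones (vendor, firmware) quarterly.
MAX_AGE_DAYS = {"code": 7, "cloud": 7, "certificate": 30, "network": 30,
                "vendor": 90, "firmware": 90}

def row(system, owner, alg, bits, purpose, shelf, source, status, verified):
    return {"system": system, "owner": owner, "algorithm": alg, "key_size": bits,
            "purpose": purpose, "shelf_life_years": shelf, "source": source,
            "status": status, "last_verified": verified}

CBOM = [  # constructed sample inventory, one row per place crypto is used
    row("payments-api", "team-pay", "RSA", 2048, "key exchange", 10, "code", "not started", date(2025, 1, 10)),
    row("archive-store", "team-data", "AES", 256, "data-at-rest", 25, "cloud", "done", date(2025, 3, 31)),
    row("hsm-firmware", "team-infra", "ECDSA", 256, "signature", 2, "firmware", "not started", date(2024, 11, 15)),
    row("partner-vpn", "team-net", "ECDH", 384, "key exchange", 8, "vendor", "hybrid", date(2025, 2, 1)),
]

def quantum_vulnerable(e):
    return e["algorithm"] in QUANTUM_VULNERABLE

def mosca_urgent(e, y=MIGRATION_YEARS, z=QUANTUM_HORIZON_YEARS):
    """X = years the data must stay secret; X + Y > Z means it is already exposed."""
    return quantum_vulnerable(e) and e["shelf_life_years"] + y > z

def is_stale(e, today):
    return (today - e["last_verified"]).days > MAX_AGE_DAYS[e["source"]]

def flags_for(e, today):
    flags = ["URGENT"] if mosca_urgent(e) else (["vulnerable"] if quantum_vulnerable(e) else [])
    if is_stale(e, today):
        flags.append("STALE")
    return flags

def triage(cbom, today):
    """Return (system, flags) pairs, most urgent first, then by shelf life."""
    ranked = sorted(cbom, key=lambda e: (not mosca_urgent(e), not quantum_vulnerable(e),
                                         -e["shelf_life_years"]))
    return [(e["system"], flags_for(e, today)) for e in ranked]
```

A STALE flag means the row's last-verified date is older than its source allows, so it should be re-scanned or re-attested before its other flags are trusted.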
Common pitfalls
- Trusting documentation over what the wire actually negotiates.
- Stopping at your own code and forgetting bought products & firmware.
- Treating the CBOM as a one-time snapshot, not a living feed.
- Recording the algorithm but not the data shelf life — losing the urgency signal.
- Ignoring embedded/IoT devices that can’t easily be updated.
Key terms
- Cryptographic discovery: The hunt to find every place cryptography is used.
- CBOM: Cryptographic Bill of Materials — a living inventory of cryptographic usage.
- SBOM: Software Bill of Materials — the component inventory the CBOM extends.
- CycloneDX: An open BOM standard with a schema for expressing CBOM data.
- Data shelf life: How long protected data must stay secret — the urgency driver.
- TLS / VPN / SSH: The network protocols to inventory: TLS (Transport Layer Security), VPN (Virtual Private Network) and SSH (Secure Shell) — each negotiates cryptography live on the wire.
- PKI (Public-Key Infrastructure): The certificate-and-key estate — TLS certs, code-signing keys and their algorithms and expiry.
- RSA / ECC / AES: Algorithms you flag in the CBOM: RSA (Rivest–Shamir–Adleman) and ECC (Elliptic-Curve Cryptography) are quantum-vulnerable; AES (Advanced Encryption Standard, e.g. AES-256) stays safe.
- KMS (Key Management Service): A cloud key store (e.g. Azure Key Vault, AWS KMS) whose keys and TLS policies you query during discovery.
- PQC (Post-Quantum Cryptography): The quantum-resistant algorithms a vendor’s roadmap should commit to.
- IoT (Internet of Things): Embedded devices that often can’t be updated easily — flag them explicitly rather than scoping them out.
What to carry forward
- Crypto hides in six places — go beyond your own code to certs, wire, data, products, and firmware.
- Triangulate discovery: scan, inventory, monitor, query, and ask vendors.
- The CBOM records algorithm, purpose, owner, sensitivity, and shelf life — the urgency signal.
- Keep it living and automated (CycloneDX). Without a current CBOM, you’re flying blind.
Next: Crypto-Agility — building systems that can swap algorithms without a rebuild.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning cryptographic discovery and the CBOM. Quiz me one question at a time, correcting me gently:
1. Name the six places cryptography hides, with one example each.
2. Why is passive network monitoring valuable when I already have docs?
3. What fields should a CBOM record, and which one captures urgency?
4. What is CycloneDX and how does the CBOM relate to an SBOM?
5. Why must the CBOM be a living document rather than a one-time snapshot?
References & further reading
- CISA, NSA & NIST, Quantum-Readiness: Migration to PQC — inventory guidance. cisa.gov/quantum
- OWASP CycloneDX, Cryptography Bill of Materials (CBOM). cyclonedx.org/capabilities/cbom
- NIST NCCoE, Migration to Post-Quantum Cryptography — discovery tools. nccoe.nist.gov
- NIST, SP 1800-38: Migration to Post-Quantum Cryptography (practice guide). csrc.nist.gov/pubs/sp/1800/38