Marin Ivezic<p>CBOM (Cryptography Bill of Materials) is the new buzzword. Think SBOM but for encryption. IBM’s approach uses static analysis to list all algorithms/keys (your CBOM) and dynamic monitoring to see them in action. Why does it matter? Because to migrate to <a href="https://defcon.social/tags/PQC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PQC</span></a>, you first need a map of every place cryptography lives in your org. This article shows how various tools help assemble that map. <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a> <a href="https://postquantum.com/post-quantum/cryptographic-inventory-vendors/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">postquantum.com/post-quantum/c</span><span class="invisible">ryptographic-inventory-vendors/</span></a></p>
fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software.
If you wish to join, contact us for an invite.
Administered by:
Server stats:
8.6Kactive users
fosstodon.org: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.3
#cryptoagility
0 posts · 0 participants · 0 posts today
Marin Ivezic<p>What’s a CBOM? A Cryptographic Bill of Materials is an inventory of all crypto assets in a system – algorithms, key lengths, certificates, libraries, protocols, etc. In the age of <a href="https://defcon.social/tags/QuantumThreats" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QuantumThreats</span></a> and new regulations, CBOMs are becoming crucial. They give security teams X-ray vision into “what crypto are we using and where,” so we can find weak links (e.g., an obsolete cipher or a short RSA key) and plan upgrades to <a href="https://defcon.social/tags/PQC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PQC</span></a>. <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a> <a href="https://postquantum.com/post-quantum/cryptographic-bill-of-materials-cbom/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">postquantum.com/post-quantum/c</span><span class="invisible">ryptographic-bill-of-materials-cbom/</span></a></p>
Marin Ivezic<p>TL;DR from this deep-dive: transparency is security. A CBOM brings cryptography out of the shadows. It’s not just a compliance checkbox – it helps identify legacy crypto that needs replacing (e.g., “oh wow, this app still uses SHA-1 certs”), ensures you meet standards, and guides your PQC migration. Expect CBOMs to become as routine as SBOMs in audits. It’s a bit more work now for a lot more peace of mind later. <a href="https://defcon.social/tags/PQC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PQC</span></a> <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a> <a href="https://postquantum.com/post-quantum/cryptographic-bill-of-materials-cbom/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">postquantum.com/post-quantum/c</span><span class="invisible">ryptographic-bill-of-materials-cbom/</span></a></p>
Marin Ivezic<p>Quantum readiness isn’t just future-proofing – it’s a chance to fix lingering security debt. By embarking on a PQC migration, you finally fund that full cryptographic inventory (you can’t protect what you don’t know you have) and clean up “crypto junk” (weak algorithms, expired certs) . It’s like spring cleaning your security while prepping for the future. <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a> <a href="https://postquantum.com/post-quantum/quantum-ciso-budget/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">postquantum.com/post-quantum/q</span><span class="invisible">uantum-ciso-budget/</span></a></p>
Marin Ivezic<p>Regulators are mandating comprehensive cryptographic inventories for quantum readiness - but what if that’s not feasible yet?</p><p>My latest article explores a pragmatic, risk-driven alternative to begin mitigating quantum threats without boiling the ocean.</p><p><a href="https://defcon.social/tags/QuantumRisk" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QuantumRisk</span></a> <a href="https://defcon.social/tags/PQC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PQC</span></a> <a href="https://defcon.social/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a> <a href="https://defcon.social/tags/QuantumReady" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QuantumReady</span></a> <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a></p><p><a href="https://postquantum.com/post-quantum/risk-driven-quantum-crypto-inventory/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">postquantum.com/post-quantum/r</span><span class="invisible">isk-driven-quantum-crypto-inventory/</span></a></p>
Marin Ivezic<p>CBOM (Cryptography Bill of Materials) is the new buzzword. Think SBOM but for encryption. Why does it matter? Because to migrate to <a href="https://defcon.social/tags/PQC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PQC</span></a>, you first need a map of every place cryptography lives in your org. This article shows how various tools help assemble that map. <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a> <a href="https://postquantum.com/post-quantum/cryptographic-inventory-vendors/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">postquantum.com/post-quantum/c</span><span class="invisible">ryptographic-inventory-vendors/</span></a></p>
Marin Ivezic<p>You can’t secure what you can’t see. Thankfully, a growing ecosystem of tools can map out all your organization’s cryptography. This article surveys leading cryptographic inventory solutions – static code analyzers, network sniffers, host scanners, etc. – that together build a full picture of where and how encryption is used. For true <a href="https://defcon.social/tags/QuantumReadiness" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QuantumReadiness</span></a>, these tools are your new best friends. <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a> <a href="https://postquantum.com/post-quantum/cryptographic-inventory-vendors/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">postquantum.com/post-quantum/c</span><span class="invisible">ryptographic-inventory-vendors/</span></a></p>
Marin Ivezic<p>Quantum readiness isn’t just future-proofing – it’s a chance to fix lingering security debt. By embarking on a PQC migration, you finally fund that full cryptographic inventory (you can’t protect what you don’t know you have) and clean up “crypto junk” (weak algorithms, expired certs). It’s like spring cleaning your security while prepping for the future. <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a> <a href="https://postquantum.com/post-quantum/quantum-ciso-budget/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">postquantum.com/post-quantum/q</span><span class="invisible">uantum-ciso-budget/</span></a></p>
Diego Córdoba 🇦🇷<p>Crypto agility, qué importante es este concepto en el mundo de la criptografía actual, la facilidad de poder cambiar un algoritmo criptográfico vulnerable por otro, sin necesidad de cambiar detalles internos de los protocolos.</p><p><a href="https://en.wikipedia.org/wiki/Cryptographic_agility?wprov=sfla1" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">en.wikipedia.org/wiki/Cryptogr</span><span class="invisible">aphic_agility?wprov=sfla1</span></a></p><p><a href="https://mstdn.io/tags/cryptoagility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptoagility</span></a> <a href="https://mstdn.io/tags/criptografia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>criptografia</span></a> <a href="https://mstdn.io/tags/pqc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pqc</span></a> <a href="https://mstdn.io/tags/postquantumcryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>postquantumcryptography</span></a> <a href="https://mstdn.io/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptography</span></a></p>
DACBARBOS Brand<p>MT @digicert@x.com <br><a href="https://mastodon.social/tags/TLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLS</span></a> cert lifetimes are shrinking to 47 days by 2029. The message is clear: <a href="https://mastodon.social/tags/automation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>automation</span></a> isn’t optional anymore. As DigiCert’s Dean Coclin says, “success depends on <a href="https://mastodon.social/tags/cryptoagility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptoagility</span></a> + treating <a href="https://mastodon.social/tags/DigitalTrust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DigitalTrust</span></a> as a strategy, not a set-it-and-forget-it task.” 🔐<br><a href="https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">digicert.com/blog/tls-certific</span><span class="invisible">ate-lifetimes-will-officially-reduce-to-47-days</span></a> <a href="https://mastodon.social/tags/pki" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pki</span></a> <a href="https://mastodon.social/tags/news" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>news</span></a> <a href="https://mastodon.social/tags/x509" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>x509</span></a></p>
Marin Ivezic<p>At the upcoming SANS Emerging Threats Summit on May 14, I will be delivering a session: "Preparing for the Quantum Threat: Practical Steps for Cybersecurity Teams"</p><p>SANS Emerging Threats Summit is a free live online event and you can register here: <a href="https://sans.org/u/1zh8" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">sans.org/u/1zh8</span><span class="invisible"></span></a></p><p>This is a practical, engineering-led conversation about preparing for Q-Day — not years from now, but starting today.</p><p><a href="https://defcon.social/tags/EmergingThreatsSummit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EmergingThreatsSummit</span></a> <a href="https://defcon.social/tags/PQC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PQC</span></a> <a href="https://defcon.social/tags/PostQuantumSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PostQuantumSecurity</span></a> <a href="https://defcon.social/tags/QuantumComputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QuantumComputing</span></a> <a href="https://defcon.social/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a> <a href="https://defcon.social/tags/Quantum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Quantum</span></a> <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a></p>
Marin Ivezic<p>At the upcoming SANS Emerging Threats Summit on May 14, I will be delivering a session: "Preparing for the Quantum Threat: Practical Steps for Cybersecurity Teams"</p><p>SANS Emerging Threats Summit is a free live online event and you can register here: <a href="https://sans.org/u/1zh8" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">sans.org/u/1zh8</span><span class="invisible"></span></a></p><p>This is a practical, engineering-led conversation about preparing for Q-Day — not years from now, but starting today.</p><p><a href="https://defcon.social/tags/EmergingThreatsSummit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EmergingThreatsSummit</span></a> <a href="https://defcon.social/tags/PostQuantumSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PostQuantumSecurity</span></a> <a href="https://defcon.social/tags/QuantumComputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QuantumComputing</span></a> <a href="https://defcon.social/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a> <a href="https://defcon.social/tags/Quantum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Quantum</span></a> <a href="https://defcon.social/tags/CryptoAgility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAgility</span></a> <a href="https://defcon.social/tags/PQC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PQC</span></a></p>
Rory<p>Cryptography gadget of the day: Javascript Object Signing and Encryption (JOSE) <a href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">datatracker.ietf.org/wg/jose/d</span><span class="invisible">ocuments/</span></a> and the <code>jose</code> command line utility (h/t Nathan McCallum)</p><p>I appreciate this little set of (draft) standards because they codify quite a bit of best practice. The input and output formats (JSON or condensed base64url) are highly portable, and even printable, resulting in good crypto agility. The algorithm selections are limited to reasonable, recommended combinations, key sizes and padding. Proper key wrapping or key encryption is automatic and relatively effortless.</p><p><code>jose</code> is such a better choice for the uninitiated than <code>openssl</code> and the vast troves of crap advice on Stackoverflow. It's also a decent learning tool. If there's any question about the algorithm in use, the JWA RFC7518 describes the details and operation of each in a manner more readable than most RFCs.</p><p>Looking for a tool to encrypt log files before shipping them off to NFS or S3 storage? How about creating a signed message? <code>jose</code> is probably going to be easier than openssl. Heck, openssl doesn't even do AEAD on the CLI anymore. </p><p><a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptography</span></a> <a href="https://infosec.exchange/tags/cli" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cli</span></a> <a href="https://infosec.exchange/tags/tooloftheday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tooloftheday</span></a> <a href="https://infosec.exchange/tags/portability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>portability</span></a> <a href="https://infosec.exchange/tags/cryptoagility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptoagility</span></a></p>
Gottfried Szing :unverified:<p>Maybe <a href="https://fosstodon.org/tags/quantumcomputing" class="mention hashtag" rel="tag">#<span>quantumcomputing</span></a> will change this from "HARD" to "NOT SO HARD" or even "EASY". 🤷♂️</p><p>No no, don't worry. Not today, not tomorrow. But like MD5 was "unbreakable" long time ago, technical advances are coming fast.</p><p>Source <a href="https://fosstodon.org/tags/xkcd" class="mention hashtag" rel="tag">#<span>xkcd</span></a> <a href="https://xkcd.com/936/" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">xkcd.com/936/</span><span class="invisible"></span></a> </p><p><a href="https://fosstodon.org/tags/quantumsecurity" class="mention hashtag" rel="tag">#<span>quantumsecurity</span></a> <a href="https://fosstodon.org/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a> <a href="https://fosstodon.org/tags/cryptoagility" class="mention hashtag" rel="tag">#<span>cryptoagility</span></a></p>
Gottfried Szing :unverified:<p>I am afraid that if current encryption schemes are broken by <a href="https://fosstodon.org/tags/quantumcomputing" class="mention hashtag" rel="tag">#<span>quantumcomputing</span></a> it will more like being hit by a deadly meteroit then an earthquake. ☄️ This will not leave any technological component untouched.</p><p>"Quantum computing looms in our future like a technological earthquake, because quantum decryption threatens to compromise a foundational element of data encryption schemes."</p><p><a href="https://fosstodon.org/tags/pqc" class="mention hashtag" rel="tag">#<span>pqc</span></a> <a href="https://fosstodon.org/tags/postquantum" class="mention hashtag" rel="tag">#<span>postquantum</span></a> <a href="https://fosstodon.org/tags/cryptograhpy" class="mention hashtag" rel="tag">#<span>cryptograhpy</span></a> <a href="https://fosstodon.org/tags/cryptoagility" class="mention hashtag" rel="tag">#<span>cryptoagility</span></a> </p><p><a href="https://www.mondaq.com/unitedstates/fin-tech/1267752/quantum-computing-the-looming-threat-of-quantum-decryption" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">mondaq.com/unitedstates/fin-te</span><span class="invisible">ch/1267752/quantum-computing-the-looming-threat-of-quantum-decryption</span></a></p>
Gottfried Szing :unverified:<p>"Even if the Schnorr-based technique won’t break the Internet, quantum computers could eventually do so by running Shor’s algorithm. Security researchers have been busy developing a number of alternative cryptographic systems that are seen as less likely to succumb to a quantum attack, called post-quantum or quantum-safe. "</p><p><a href="https://fosstodon.org/tags/security" class="mention hashtag" rel="tag">#<span>security</span></a> <a href="https://fosstodon.org/tags/quantumcomputing" class="mention hashtag" rel="tag">#<span>quantumcomputing</span></a> <a href="https://fosstodon.org/tags/pqc" class="mention hashtag" rel="tag">#<span>pqc</span></a> <a href="https://fosstodon.org/tags/postquantumcryptography" class="mention hashtag" rel="tag">#<span>postquantumcryptography</span></a> <a href="https://fosstodon.org/tags/cryptoagility" class="mention hashtag" rel="tag">#<span>cryptoagility</span></a> </p><p>Are quantum computers about to break online privacy?<br /><a href="https://www.nature.com/articles/d41586-023-00017-0#ref-CR1" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">nature.com/articles/d41586-023</span><span class="invisible">-00017-0#ref-CR1</span></a></p>
Gottfried Szing :unverified:<p>Since it is often believed that replacing crypto is easy, <a href="https://fosstodon.org/tags/NIST" class="mention hashtag" rel="tag">#<span>NIST</span></a> shows here that it isn't. There are from now on 8 years for fixing software and hardware using sha-1. Maybe as a reminder for those who still believe that this is an easy job. </p><p>“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” Celi said.</p><p><a href="https://fosstodon.org/tags/cryptography" class="mention hashtag" rel="tag">#<span>cryptography</span></a> <a href="https://fosstodon.org/tags/cryptoagility" class="mention hashtag" rel="tag">#<span>cryptoagility</span></a> <a href="https://fosstodon.org/tags/quantumcomputing" class="mention hashtag" rel="tag">#<span>quantumcomputing</span></a> </p><p><a href="https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">nist.gov/news-events/news/2022</span><span class="invisible">/12/nist-retires-sha-1-cryptographic-algorithm</span></a></p>
@WinstonSmith@techhub.social @tc Hopefully the companies are re-encrypting as well. I guess this is the big issue with companies: this won't happen fast if there is not some kind of -- lets call it -- #cryptoagility setup. And the appropriate #architecture to support this.
If not, it can talk years before an alternative storage encryption is setup up. I have seen this where a replacement of a DMS took almost 5 years. 
The threat: #QuantumComputer, the solution: #PQC by National Institute of Standards and Technology (NIST).
"In 2019, a team of researchers factored a 795-bit RSA key, making it the biggest key size ever to be solved." and "The researchers estimated that the sum of the computation time for both of the new records was about 4,000 core-years using Intel Xeon Gold 6130 CPUs (running at 2.1 GHz)."
https://arstechnica.com/information-technology/2022/07/nist-selects-quantum-proof-algorithms-to-head-off-the-coming-cryptopocalypse/ #cryptoagility #cryptography
Ars TechnicaThe cryptopocalypse is nigh! NIST rolls out new encryption standards to prepareDecision will be binding on many companies and change the way they protect your data.
Still some way to go but it is time to start to experiment with new algorithms and to get the hands dirty with #pqc. Expertise in #cryptoagility won't come over night. Changing systems will take years.
"Governments need to invest in cybersecurity that can defend against the future threat of bad actors using quantum computers that are exponentially faster than ordinary machines, a cryptography expert said."
BusinessWorld OnlineIBM raises cybersecurity red flag, warns against quantum computing threats - BusinessWorld OnlineGovernments need to invest in cybersecurity that can defend against the future threat of bad actors using quantum computers that are exponentially faster than ordinary machines, a cryptography expert said.
TrendingLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
LoginDrag & drop to upload