Encryption & Key Management , Security Operations , Video

Preparing for Post-Quantum? Learn What Cryptography You Have

Daniel Cuthbert Details Free Tools That Generate a Cryptographic Bill of Materials
Daniel Cuthbert, member, Black Hat Review Board

A funny thing happened on the path to preparing for post-quantum computing: A team of researchers discovered that many organizations have no idea what cryptography they're currently using or where it resides. That begs the question of how will they know where to deploy quantum-resistant cryptography that is secure against both quantum and classical computers.

See Also: OnDemand | Extended Access Management: Securing Access for All Identities, Devices and Applications

So said Daniel Cuthbert, who's part of a research team that over the past year has been developing tools to generate what he calls a cryptographic bill of materials, or CBOM, that can now be used with GitHub open-source software repositories.

The initial idea was to build tools that looked at how open-source tools did or didn't use post-quantum cryptography. "As we started to build out the tooling, we were, like, well, we can do a lot more," he said, including looking at key exchanges and how algorithms and ciphers are being used, after which "the quantum side kind of disappeared a little bit," he said.

At Black Hat Europe in London last week, the research team unveiled its project in a presentation titled "The Magnetic Pull of Mutable Protection: Worked Examples in Cryptographic Agility." It also released its first set of tools, which can be used to generate a CBOM for any GitHub repository written in C, C++, or Python. Adding that capability for Java code is due to happen next.

In this interview with Information Security Media Group at Black Hat Europe 2023, Cuthbert also discussed:

  • Surprising CBOM discoveries, including greater than expected use of the long-since deprecated algorithms MD4, MD5 and SHA-1;
  • His quest to help everyone get over the "weird misconception that cryptography can't be challenged";
  • The importance of giving back to the cybersecurity community and what the project team plans to do next.

With a career spanning more than 20 years on both the offensive and defensive sides, Cuthbert has seen the evolution of hacking from a small group of curious minds tothe organized criminal networks and nation-states we see today. He is the original co-author of the Open Worldwide Application Security Project Testing Guide, released in 2003, and he's now the co-author of the OWASP Application Security Verification Standard. Cuthbert serves on the U.K. government's Cybersecurity Advisory Board.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.