CBOM Evaluation and Benchmarking for Cryptographic Inventory Management

Assessing CBOM standards and tools, developing benchmarking and evaluation strategies for cryptographic inventory management.

Context

A Cryptographic Bill of Materials (CBOM) aims to systematically track and document cryptographic components in IT systems. While various CBOM generation tools and standards exist, their real-world effectiveness, efficiency, and comparability requires further research. This project aims to bridge this gap by establishing unified benchmarks for baseline comparisons and unbiased evaluations.

Motivation

Quantum computers pose a significant threat to classical cryptographic primitives. With NIST’s selection of PQC algorithms (see  press release) the focus now shifts to migrating existing software landscapes toward PQC. Governments are also accelerating this transition through initiatives like  NSM-10 and the  Quantum Computing Cybersecurity Preparedness Act in the US. To facilitate a smooth migration, security teams need reliable CBOM tools to generate, manage, and audit cryptographic inventories. Benchmarking utilities play a key role in this process, supporting informed decision-making on CBOM methodologies and best practices.

Goal

The project is structured into three work packages (WP):

1. Scaffolding: The first work package (WP) examines CBOMs, their purpose, and associated challenges. It includes a high-level comparison with the widely adopted Software Bill of Materials (SBOM) in software security and supply chain transparency. Additionally, the WP will summarize key challenges in CBOM generation, their integration into security workflows, and their role in maintaining cryptographic inventories.

2. CBOM Tools and Standards: The second WP provides an overview of evolving CBOM reporting standards, examining their scope, structure, and industry adoption. It analyzes how frameworks like CycloneDX, SPDX, and others define and manage cryptographic inventories. Further, the WP explores existing CBOM generator tools, evaluating their methodologies, focus areas, and compliance with these standards.

3. CBOM Testbed: The final WP focuses on conceptualizing and prototyping a CBOM testbed for benchmarking CBOM tools. It begins by defining testbed requirements and evaluating implementation approaches, such as containerized (Docker) or declarative (NixOS) environments for reproducibility. The student will design an extensible testbed for controlled execution, assessing CBOM tools based on accuracy, performance, and integration feasibility. The expected outcome is a proof-of-concept design detailing the testbed’s architecture and potential implementation paths.

Requirements

Students interested in this project should have:

• A general understanding of software security concepts and cryptographic primitives.
• Experience with Linux-based environments and system configuration tools. Familiarity with containerization (Docker, Podman) or declarative system management (NixOS) is a plus.
• Solid data modeling and programming skills (at least in one of them: Python, Java, Rust, C#, C++, Bash)
• Able to work independently, excited about learning new things, and ready to overcome obstacles.

Pointers

• N. Alnahawi, et al., “ On the State of Crypto-Agility,” 2023, 2023/487. Accessed: Apr. 15, 2024.
• O. Grote, A. Ahrens, and C. Benavente-Peces, “ A Review of Post-quantum Cryptography and Crypto-agility Strategies,” in 2019 International Interdisciplinary PhD Workshop (IIPhDW), May 2019, pp. 115-120.
• D. Joseph et al., “Transitioning organizations to post-quantum cryptography,” Nature, vol. 605, no. 7909, pp. 237-243, May 2022, doi: 10.1038/s41586-022-04623-2.
• L. Marchesi, M. Marchesi, and R. Tonelli, “ Reviewing Crypto-Agility and Quantum Resistance in the Light of Agile Practices,” in Agile Processes in Software Engineering and Extreme Programming - Workshops, 2024, pp. 213-221.
• B. Rodes et al., “ Transitioning to Quantum-Safe Cryptography: Exploring the Role and Value for Developing and Implementing a Cryptographic Bill of Materials,” Post-Quantum Cryptography Coalition. Accessed: Nov. 06, 2024.
• S. Springett, “ CycloneDX v1.6 Released, Advances Software Supply Chain Security with Cryptographic Bill of Materials and Attestations,” OWASP. Accessed: Apr. 10, 2024.
• F. Schröck, “ Theoretical and Practical Aspects of the Migration to Post Quantum Cryptography,” Master’s Thesis, Hochschule für Technik, Wirtschaft und Kultur Leipzig (HTWK), 2024.
• B. Westerbaan, “ The state of the post-quantum Internet,” The Cloudflare Blog. Accessed: Apr. 24, 2024.
• A. Wiesmaier et al., “ On PQC Migration and Crypto-Agility,” Jun. 17, 2021, arXiv.
• IBM,  CBOMkit. GitHub. Accessed: Feb. 19, 2025.