Preparing for Post-Quantum? Learn What Cryptography You HaveDaniel Cuthbert Details Free Tools That Generate a Cryptographic Bill of Materials
A funny thing happened on the path to preparing for post-quantum computing: A team of researchers discovered that many organizations have no idea what cryptography they're currently using or where it resides. That begs the question of how will they know where to deploy quantum-resistant cryptography that is secure against both quantum and classical computers.
So said Daniel Cuthbert, who's part of a research team that over the past year has been developing tools to generate what he calls a cryptographic bill of materials, or CBOM, that can now be used with GitHub open-source software repositories.
The initial idea was to build tools that looked at how open-source tools did or didn't use post-quantum cryptography. "As we started to build out the tooling, we were, like, well, we can do a lot more," he said, including looking at key exchanges and how algorithms and ciphers are being used, after which "the quantum side kind of disappeared a little bit," he said.
At Black Hat Europe in London last week, the research team unveiled its project in a presentation titled "The Magnetic Pull of Mutable Protection: Worked Examples in Cryptographic Agility." It also released its first set of tools, which can be used to generate a CBOM for any GitHub repository written in C, C++, or Python. Adding that capability for Java code is due to happen next.
In this interview with Information Security Media Group at Black Hat Europe 2023, Cuthbert also discussed:
- Surprising CBOM discoveries, including greater than expected use of the long-since deprecated algorithms MD4, MD5 and SHA-1;
- His quest to help everyone get over the "weird misconception that cryptography can't be challenged";
- The importance of giving back to the cybersecurity community and what the project team plans to do next.
With a career spanning more than 20 years on both the offensive and defensive sides, Cuthbert has seen the evolution of hacking from a small group of curious minds tothe organized criminal networks and nation-states we see today. He is the original co-author of the Open Worldwide Application Security Project Testing Guide, released in 2003, and he's now the co-author of the OWASP Application Security Verification Standard. Cuthbert serves on the U.K. government's Cybersecurity Advisory Board.