After having defined all the details for the algorithms identified, you may want to export the data. As of now TrustSource supports CycloneDX CBOMs in v1.6; v1.7 is already in the backlog.
To export the information, go to the Crypto Management section: INTERNAL > PROJECTS > YOUR PROJECT > YOUR MODULE > SETTINGS > CRYPTO MANAGEMENT. There you will find two sections:
- as detected
- as managed
The first section holds the algorithms as they have been discovered during code scans. It is populated by the scans that have been uploaded to TrustSource and cannot be edited. It is meant to indicate what will have to be managed in the second section.
Defining the Attributes
The list of "as managed" algorithms can be modified as you see fit: you may add or drop algorithms. The ADD ALGORITHM dialogue allows you to define the following attributes:
- Name: Select the name of the algorithm you want to add. Currently it is not possible to add your own algorithms. Please contact support if you need an algorithm that is not included in the list provided.
- Primitive: The basic, low-level function of the algorithm.
- Parameter set identifier: The defining characteristic of the algorithm, e.g. 256 for SHA256.
- Elliptic curve: If the algorithm makes use of elliptic curves, you may specify the curve in more detail here.
- Padding: Selection of the padding mechanism (the addition of extra data to bring the message to be encrypted to a required length).
- Cryptographic functions: Select one or more functions the algorithm could be used for. You may also choose to select only the options that are actively used in your implementation.
- Execution environment: Typically this will be in memory, but there are other options. Pick one.
- Implementation platform: The hardware the implementation is intended to run on, respectively built for, e.g. x86_64 for a standard modern PC.
- Certification level: If the algorithm has been certified according to a standard, it can be added here. Typically this remains empty.
- Classical security level: You may give a known classification, e.g. by NIST or FIPS.
- NIST QSL: The NIST Quantum Security Level. There
- Comment: Any comments you want to give.
- Checkbox "in use": Select this if the algorithm is actively applied. This selection has an impact on import and export controls management as well as on the results of the impact report. Algorithms that are not in use will not be reported, even when broken.
It is not necessary to add all details. The name, the selection of the cryptographic functions and the checkbox "in use" are the most relevant. The remaining attributes are part of the CycloneDX specification, which is why they are made available.
PLEASE NOTE: At the current state of implementation, it is not possible to edit an entry. To change the values given in the dialogue, you must first delete and then add the algorithm again.
Exporting the CBOM
To export the defined details, click the "Export as CycloneDX" button next to the ADD button and select CBOM.
This will trigger the creation of the CycloneDX JSON document and download it directly to your browser.
PLEASE NOTE: Currently only version v1.6 of the standard is supported. v1.7 is in the making and will be available soon. Please follow our release updates.
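To make the attribute list above and the exported document concrete, here is an added example (not TrustSource code and not an actual TrustSource export): a hand-constructed CycloneDX 1.6 CBOM in which each "as managed" attribute appears under its CycloneDX field name (primitive, parameterSetIdentifier, curve, padding, cryptoFunctions, executionEnvironment, implementationPlatform, classicalSecurityLevel, nistQuantumSecurityLevel), followed by the kind of consumer-side checks a security team runs on such an export: rejecting unsupported spec versions, listing algorithms with no quantum security level, algorithms below a chosen classical level, and entries missing the attributes the article calls most relevant. The algorithm names, levels and platforms in the sample are assumed values for illustration.

```python
import json

# Constructed sample CBOM in CycloneDX 1.6 shape. It is a hand-written stand-in
# for an "as managed" export, not real TrustSource output. Field names follow
# the CycloneDX 1.6 cryptoProperties/algorithmProperties schema; the values
# (names, security levels, platforms) are assumed for illustration only.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "cryptographic-asset", "name": "SHA-256",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "hash",
             "parameterSetIdentifier": "256",
             "executionEnvironment": "software-plain-ram",
             "implementationPlatform": "x86_64",
             "cryptoFunctions": ["digest"],
             "classicalSecurityLevel": 128,
             "nistQuantumSecurityLevel": 2}}},
        {"type": "cryptographic-asset", "name": "AES-128-GCM",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "ae",
             "parameterSetIdentifier": "128",
             "mode": "gcm",
             "executionEnvironment": "software-plain-ram",
             "implementationPlatform": "x86_64",
             "cryptoFunctions": ["encrypt", "decrypt"],
             "classicalSecurityLevel": 128,
             "nistQuantumSecurityLevel": 1}}},
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "signature",
             "parameterSetIdentifier": "2048",
             "padding": "pkcs1v15",
             "cryptoFunctions": ["sign", "verify"],
             "classicalSecurityLevel": 112,
             "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "ECDH-P-256",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "key-agree",
             "curve": "P-256",
             "cryptoFunctions": ["keyderive"],
             "classicalSecurityLevel": 128,
             "nistQuantumSecurityLevel": 0}}},
        # Deliberately incomplete entry: no cryptoFunctions, no quantum level.
        {"type": "cryptographic-asset", "name": "3DES",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "block-cipher",
             "parameterSetIdentifier": "168",
             "classicalSecurityLevel": 112}}},
        # A non-crypto component that a CBOM consumer must skip.
        {"type": "library", "name": "some-lib", "version": "1.0.0"},
    ],
})

# Mirrors the support statement above: only v1.6 exports are accepted here.
SUPPORTED_SPEC_VERSIONS = {"1.6"}


def is_supported(cbom_text):
    """True if the document is CycloneDX in a spec version this checker handles."""
    bom = json.loads(cbom_text)
    return bom.get("bomFormat") == "CycloneDX" and bom.get("specVersion") in SUPPORTED_SPEC_VERSIONS


def load_algorithms(cbom_text):
    """Return a list of (name, algorithmProperties) for every algorithm asset."""
    if not is_supported(cbom_text):
        raise ValueError("not a CycloneDX document in a supported specVersion")
    algorithms = []
    for comp in json.loads(cbom_text).get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue  # libraries, applications etc. carry no cryptoProperties of interest
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue  # keys, certificates and protocols are separate asset types
        algorithms.append((comp.get("name", "<unnamed>"), props.get("algorithmProperties", {})))
    return algorithms


def needs_pqc_review(algorithms):
    """Names whose NIST quantum security level is 0 or not declared at all."""
    return [name for name, ap in algorithms if ap.get("nistQuantumSecurityLevel", 0) == 0]


def below_classical_level(algorithms, minimum=128):
    """Names whose declared classical security level is under the given bits."""
    return [name for name, ap in algorithms if ap.get("classicalSecurityLevel", 0) < minimum]


def missing_attributes(algorithms, required=("primitive", "cryptoFunctions")):
    """Map of name -> required attributes that are absent or empty."""
    gaps = {}
    for name, ap in algorithms:
        missing = [key for key in required if not ap.get(key)]
        if missing:
            gaps[name] = missing
    return gaps


def report(cbom_text, minimum_classical=128):
    """Summarise the findings for one exported CBOM."""
    algorithms = load_algorithms(cbom_text)
    return {
        "algorithm_count": len(algorithms),
        "pqc_review": needs_pqc_review(algorithms),
        "weak_classical": below_classical_level(algorithms, minimum_classical),
        "incomplete": missing_attributes(algorithms),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_CBOM), indent=2))
```

Run the block with a real export in place of SAMPLE_CBOM to get the same summary for your module; an entry that was left without cryptographic functions in the ADD ALGORITHM dialogue shows up under "incomplete", and an entry without a NIST QSL is listed for review rather than silently treated as safe.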