
The Discovery Phase: Mapping Your Cryptographic Landscape

Introduction

The discovery phase forms the foundation of post-quantum cryptography migration. Without comprehensive knowledge of where and how cryptographic systems are deployed, organizations cannot assess quantum risk, prioritize migration efforts, or execute systematic transitions. This article explores the discovery process, its critical importance, and the tools available for building cryptographic inventories.

Why Discovery Is Critical

The Invisible Cryptography Problem

Cryptographic implementations permeate modern systems but often remain invisible to the organization that runs them:

Implicit Dependencies: Applications invoke cryptographic libraries without explicit documentation in architecture diagrams or technical specifications.

Embedded Implementations: Firmware, IoT devices, and appliances contain hardcoded cryptographic algorithms inaccessible through standard configuration interfaces.

Third-Party Components: Software dependencies and vendor-supplied modules include cryptographic implementations not directly controlled by organizations.

Protocol-Level Cryptography: Network protocols (TLS, IPsec, SSH) perform cryptographic operations transparently, requiring infrastructure-level discovery.

Without systematic discovery, organizations significantly underestimate cryptographic deployment scope, leading to incomplete migrations and residual quantum vulnerabilities.

Consequences of Incomplete Discovery

Unmitigated Quantum Risk: Undiscovered cryptographic implementations remain vulnerable after partial migrations, creating security gaps attackers can exploit.

Failed Compliance: Regulatory frameworks increasingly mandate comprehensive cryptographic inventories. Incomplete discovery results in audit failures and potential penalties.

Migration Delays: Discovering previously unknown cryptographic systems mid-migration forces reactive planning, extending timelines and increasing costs.

Interoperability Failures: Unknown cryptographic dependencies cause production outages when upgraded systems cannot communicate with undiscovered legacy implementations.

The Cryptographic Bill of Materials (CBOM)

Discovery culminates in a CBOM, a comprehensive inventory documenting:

Algorithm Identification: Specific cryptographic primitives deployed (e.g., RSA-2048, ECDSA P-256, AES-128-GCM)

Location Mapping: Where algorithms are implemented (applications, libraries, network devices, certificates)

Usage Context: How cryptography is invoked (encryption-at-rest, TLS handshakes, digital signatures, key exchange)

Lifecycle Information: Certificate validity periods, key rotation schedules, algorithm version tracking

Dependencies: Relationships between cryptographic components and dependent systems

The CBOM serves as the authoritative reference for risk assessment, migration planning, and ongoing cryptographic governance.

Discovery Methodology

A structured discovery process addresses multiple layers of IT infrastructure.

Source Code Analysis

Objective: Identify cryptographic API calls and algorithm usage in application source code.

Approach:

  • Static analysis tools scan repositories for cryptographic function invocations
  • Pattern matching detects library usage (OpenSSL, BouncyCastle, Java Cryptography Extension, Microsoft CNG)
  • Manual code review validates automated findings and identifies custom implementations

Challenges:

  • False positives from non-cryptographic functions with similar names
  • Obfuscated or dynamically loaded cryptographic code
  • Legacy codebases lacking maintainer knowledge

Output: List of source files, functions, and line numbers invoking cryptographic operations with algorithm identifications.
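As an added illustration of this approach (not code from the article or from any tool it lists), the following Python scanner applies word-anchored patterns to a constructed three-file repository, reports file, line and algorithm for each hit, and shows how anchoring on the exact API name keeps a decoy helper named crypto_hash out of the results. The sample sources, rule set and risk labels are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample repository: path -> file contents. util/cache.py holds a
# deliberate decoy: a non-cryptographic helper with a crypto-sounding name.
SAMPLE_SOURCES = {
    "auth/token.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "def make_key():\n"
        "    return rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
    ),
    "net/client.c": (
        "EC_KEY *ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);\n"
        "AES_set_encrypt_key(key, 128, &aes);\n"
    ),
    "util/cache.py": "def crypto_hash(x):\n    return hash(x) % 1024\n",
}

# (regex, algorithm label template, quantum exposure). Patterns are anchored on
# the exact API name, so identifiers that merely contain 'crypto' or 'hash'
# are not reported; that is the false-positive problem the text describes.
RULES = [
    (re.compile(r"\brsa\.generate_private_key\(.*?key_size=(\d+)"), "RSA-{0}", "High"),
    (re.compile(r"\bEC_KEY_new_by_curve_name\(\s*(\w+)"), "EC key on {0}", "High"),
    (re.compile(r"\bAES_set_encrypt_key\([^,]+,\s*(\d+)"), "AES-{0}", "Low"),
]

@dataclass
class Finding:
    file: str
    line: int
    algorithm: str
    quantum_exposure: str
    snippet: str

def scan_sources(sources):
    """Return one Finding per matched cryptographic API call, in file/line order."""
    findings = []
    for path in sorted(sources):
        for lineno, text in enumerate(sources[path].splitlines(), start=1):
            for rx, label, exposure in RULES:
                m = rx.search(text)
                if m:
                    findings.append(Finding(path, lineno, label.format(m.group(1)),
                                            exposure, text.strip()))
    return findings

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.file}:{f.line} {f.algorithm} ({f.quantum_exposure}) {f.snippet}")
```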

Binary and Firmware Analysis

Objective: Discover cryptographic implementations in compiled code and embedded systems where source code is unavailable.

Approach:

  • Reverse engineering tools disassemble binaries to identify cryptographic function signatures
  • Pattern matching detects cryptographic constants (S-boxes, prime numbers, magic values)
  • Firmware extraction and analysis for embedded devices

Challenges:

  • Requires specialized reverse engineering expertise
  • Proprietary firmware may lack analysis tools
  • Legal restrictions on reverse engineering certain products

Output: Cryptographic algorithm identifications in executable files, shared libraries, and firmware images.

Infrastructure and Network Scanning

Objective: Map cryptographic configurations in network services and infrastructure devices.

Approach:

  • TLS/SSL scanners probe network endpoints to enumerate supported cipher suites, protocol versions, certificate chains
  • Network appliance configuration reviews extract cryptographic settings from firewalls, load balancers, VPN gateways
  • Traffic analysis observes cryptographic handshakes in production communications

Challenges:

  • Network segmentation may restrict scanner access
  • Passive monitoring requires decryption capabilities or session key access
  • Dynamic configurations may vary by client or request parameters

Output: Inventory of TLS/SSL configurations, VPN cryptographic parameters, network device certificates, and protocol usage patterns.

PKI and Certificate Discovery

Objective: Catalog digital certificates, certificate authorities, and key management infrastructure.

Approach:

  • Certificate store enumeration from operating systems, applications, and browsers
  • Certificate transparency log queries for publicly issued certificates
  • Hardware security module and key management system inventories
  • CA infrastructure mapping including root CAs, intermediate CAs, and trust chains

Challenges:

  • Distributed certificate stores across workstations, servers, mobile devices
  • Shadow IT certificates issued outside formal PKI processes
  • Expiring certificates requiring immediate renewal during discovery

Output: Comprehensive certificate inventory with issuers, validity periods, algorithms, key sizes, and deployment locations.

Dependency Analysis

Objective: Identify cryptographic libraries and third-party components contributing cryptographic functionality.

Approach:

  • Software composition analysis (SCA) tools generate software bills of materials (SBOM) listing dependencies
  • Vulnerability databases correlate dependencies with known cryptographic weaknesses
  • Transitive dependency analysis identifies indirect cryptographic components

Challenges:

  • Nested dependencies create complex dependency trees
  • Private or internal libraries may lack public vulnerability data
  • Version pinning may prevent straightforward vulnerability remediation

Output: Dependency graphs mapping cryptographic libraries, their versions, known vulnerabilities, and dependent applications.

Discovery Tools

Numerous tools support cryptographic discovery across different infrastructure layers. The following are established solutions suitable for organizational deployment.

Source Code Analysis Tools

Semgrep

  • Pattern-based static analysis supporting 30+ programming languages
  • Community rulesets for cryptographic API detection
  • CI/CD integration for continuous scanning
  • Open-source with commercial supported offerings

SonarQube with Cryptography Plugin

  • Code quality platform with dedicated cryptographic asset detection
  • Generates CycloneDX-format CBOMs automatically
  • Multi-language support (Java, Python, C/C++, JavaScript)
  • Open-source plugin integrating with SonarQube Community or Commercial editions

Crypto Scanner (QRAMM)

  • CLI tool scanning codebases for quantum-vulnerable cryptography
  • Multi-language support with risk assessment output
  • Integration with CI/CD pipelines via GitHub Actions, GitLab CI
  • Open-source community tool

qproof

  • Python-based scanner classifying quantum risk levels
  • Recommends PQC replacements per NIST standards
  • Scans source code and dependencies
  • Open-source Python package

Binary and Firmware Analysis Tools

Ghidra with FindCrypt Plugin

  • NSA-developed reverse engineering framework
  • FindCrypt plugin detects cryptographic constants in binaries
  • Multi-architecture support (x86, ARM, MIPS)
  • Open-source with extensive plugin ecosystem

IDA Pro

  • Commercial disassembler and debugger
  • FindCrypt plugin for cryptographic primitive identification
  • Advanced decompilation and scripting capabilities
  • Industry standard for professional reverse engineering (commercial licensing)

Infrastructure and Network Scanners

testssl.sh

  • Comprehensive TLS/SSL testing shell script
  • Enumerates cipher suites, protocol versions, certificate details
  • Vulnerability detection (BEAST, CRIME, POODLE, Heartbleed)
  • Open-source command-line tool

sslscan

  • Fast SSL/TLS service scanner
  • Protocol and cipher suite discovery with XML output
  • Lightweight deployment for large-scale scanning
  • Open-source GPL-licensed tool

Nessus Professional

  • Commercial vulnerability scanner with extensive cryptographic protocol plugins
  • SSL/TLS cipher suite enumeration and weakness detection
  • Enterprise reporting and SIEM integration
  • Commercial licensing (Tenable)

OpenVAS

  • Open-source vulnerability scanner identifying weak cryptographic configurations
  • Detection of outdated protocols and cipher suites
  • Part of Greenbone Vulnerability Management ecosystem
  • Open-source GPL-licensed

Wireshark

  • Network protocol analyzer for packet-level inspection
  • TLS handshake dissection and certificate chain analysis
  • Deep packet inspection capabilities
  • Open-source network analysis standard

Certificate and PKI Discovery Tools

Venafi TrustAuthority

  • Enterprise machine identity management platform
  • Automated network and machine-based certificate discovery
  • Certificate lifecycle automation and remediation
  • Commercial enterprise platform (CyberArk Venafi)

Keyfactor Command

  • Certificate lifecycle automation with cryptographic discovery capabilities
  • PKI infrastructure mapping and HSM integration
  • Crypto-agility enablement features
  • Commercial platform (SaaS or on-premises)

cert-manager (Kubernetes)

  • Native Kubernetes certificate management
  • Automated certificate discovery within clusters
  • Integration with multiple CA providers
  • Open-source cloud-native tool

SBOM and CBOM Generation Tools

CycloneDX cdxgen

  • Universal SBOM generator supporting multiple languages and package managers
  • CycloneDX JSON/XML output format with cryptography BOM extensions
  • CI/CD integration for automated SBOM generation
  • Open-source Apache 2.0 licensed

IBM CBOM Project

  • Dedicated Cryptography Bill of Materials framework
  • Schema for cryptographic asset inventory
  • Quantum risk tagging support
  • Open-source IBM-led initiative

syft (Anchore)

  • Container and filesystem SBOM generator
  • Package and library detection in container images
  • CycloneDX and SPDX output formats
  • Open-source Apache 2.0 licensed

Dependency Analysis Tools

OWASP Dependency-Check

  • Software composition analysis identifying vulnerable dependencies
  • CVE correlation for known vulnerabilities
  • Multi-language support with build tool integration (Maven, Gradle, npm)
  • Open-source Apache 2.0 licensed

Snyk

  • Developer-first SCA platform with proprietary vulnerability database
  • Reachability analysis determining if vulnerable code is invoked
  • IDE and CI/CD integration
  • Commercial platform with free tier

Mend (formerly WhiteSource)

  • Comprehensive SCA with license compliance and vulnerability detection
  • Entire dependency tree analysis
  • Enterprise policy enforcement
  • Commercial platform

Quantum Risk Assessment Tools

cryptoscan (QRAMM)

  • Quantum risk assessment for cryptographic assets
  • Risk scoring and classification
  • Open-source community tool
  • Part of QRAMM (Quantum Readiness Assurance Maturity Model) initiative

PQC Navigator

  • Full-spectrum PQC migration platform
  • Asset scanning, risk assessment, migration planning
  • Commercial SaaS offering

BPI Quantum Risk Calculator

  • Interactive quantum risk timeline assessment
  • Free web-based tool for risk evaluation
  • Considers data shelf-life, migration time, threat timeline

Building a Comprehensive CBOM

Discovery tool outputs require consolidation into a unified CBOM.

CBOM Structure

Effective CBOMs include:

Asset Identification:

  • Unique asset ID
  • Asset name and description
  • Owner/responsible party
  • Location (server, application, network zone)

Cryptographic Details:

  • Algorithm type (RSA, ECDSA, AES, etc.)
  • Key size or security parameter
  • Protocol context (TLS, SSH, VPN, etc.)
  • Library/implementation (OpenSSL, BouncyCastle, etc.)

Risk Assessment:

  • Quantum vulnerability classification (High/Medium/Low)
  • Data shelf-life estimate
  • Migration complexity score
  • Priority ranking

Lifecycle Information:

  • Last verification date
  • Certificate expiry (if applicable)
  • Scheduled update/migration date
  • Compliance status

Consolidation Process

  1. Data Collection: Gather outputs from all discovery tools (source scanners, network scanners, PKI inventories)

  2. Normalization: Standardize algorithm naming conventions and asset identifiers across tool outputs

  3. Deduplication: Merge duplicate entries discovered by multiple tools

  4. Enrichment: Add contextual information from architecture documentation, interviews with system owners, vendor specifications

  5. Validation: Manual review of high-priority assets confirming accuracy

  6. Versioning: Establish version control for CBOM updates as infrastructure changes
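An added example of steps 2 and 3 above together with the risk classification from the CBOM structure section (not code from the article or any tool it names): it normalizes algorithm names from two constructed scanner outputs, deduplicates by location and algorithm, records which tools saw each asset, and tags quantum risk by algorithm family. The record shapes, tool names and hostnames are assumptions.

```python
import re

# Constructed discovery outputs. The record shapes are hypothetical; they stand
# in for whatever each real scanner emits after its own export step.
SOURCE_SCAN = [
    {"tool": "source-scanner-a", "file": "auth/token.py", "line": 3, "algo": "rsa", "bits": 2048},
    {"tool": "source-scanner-b", "file": "auth/token.py", "line": 3, "algo": "RSA-2048"},
    {"tool": "source-scanner-a", "file": "net/client.c", "line": 1, "algo": "ecdsa", "curve": "prime256v1"},
]
TLS_SCAN = [
    {"tool": "tls-scanner", "host": "api.example.internal:443",
     "cert_sig": "sha256WithRSAEncryption", "cert_bits": 2048, "kex_curve": "P-256"},
]

CURVE_ALIASES = {"prime256v1": "P-256", "secp256r1": "P-256", "P-256": "P-256"}
SIG_ALIASES = {"sha256WithRSAEncryption": "rsa", "ecdsa-with-SHA256": "ecdsa"}
# Quantum exposure by family: Shor's algorithm breaks RSA and elliptic-curve
# schemes; AES only loses security margin to Grover's algorithm.
FAMILY_RISK = {"RSA": "High", "ECDSA": "High", "ECDH": "High", "AES": "Low"}

def normalize(algo, bits=None, curve=None):
    """Map a tool-specific algorithm description to a canonical 'FAMILY-PARAM' name."""
    m = re.match(r"(?i)(rsa|ecdsa|ecdh|aes)[-_ ]?(\d+)?$", algo.strip())
    if not m:
        raise ValueError(f"unrecognised algorithm: {algo!r}")
    family = m.group(1).upper()
    param = (curve and CURVE_ALIASES.get(curve, curve)) or bits or m.group(2)
    return family, f"{family}-{param}"

def build_cbom(source_scan, tls_scan):
    """Normalize, deduplicate by (location, algorithm) and classify; returns CBOM entries."""
    merged = {}  # insertion-ordered, so asset IDs follow discovery order
    def add(tool, location, context, family, name):
        entry = merged.setdefault((location, name), {
            "asset_id": f"CBOM-{len(merged) + 1:04d}", "algorithm": name, "family": family,
            "location": location, "context": context,
            "quantum_risk": FAMILY_RISK[family], "seen_by": []})
        if tool not in entry["seen_by"]:
            entry["seen_by"].append(tool)
    for r in source_scan:
        family, name = normalize(r["algo"], r.get("bits"), r.get("curve"))
        add(r["tool"], f"{r['file']}:{r['line']}", "source code", family, name)
    for r in tls_scan:  # one endpoint yields two assets: certificate signature and key exchange
        family, name = normalize(SIG_ALIASES[r["cert_sig"]], bits=r["cert_bits"])
        add(r["tool"], r["host"], "TLS certificate signature", family, name)
        family, name = normalize("ecdh", curve=r["kex_curve"])
        add(r["tool"], r["host"], "TLS key exchange", family, name)
    return list(merged.values())
```

The two source-scanner records for auth/token.py collapse into a single CBOM entry whose seen_by field lists both tools, which is the deduplication step in practice.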

Maintenance and Continuous Discovery

The CBOM is not a one-time deliverable but a living document requiring:

Change Management Integration: Triggering CBOM updates when systems are deployed, modified, or decommissioned

Automated Scanning: Scheduled periodic scans detecting new or changed cryptographic implementations

Ownership Assignment: Designated crypto owners responsible for CBOM accuracy within their domains

Quality Metrics: Tracking coverage (% assets discovered), accuracy (false positive rates), freshness (time since last validation)

Conclusion

The discovery phase transforms cryptographic infrastructure from invisible complexity to mapped, manageable inventory. Comprehensive CBOM development enables organizations to assess quantum risk accurately, prioritize migration efforts effectively, and execute transitions systematically.

While discovery demands significant effort (deploying multiple tools, coordinating across technical teams, validating findings), the investment is foundational. Organizations that skip or rush discovery face incomplete migrations, residual vulnerabilities, and reactive crisis management when undiscovered systems fail.

The tools outlined provide practical starting points for organizations at various maturity and budget levels. Open-source solutions enable bootstrap approaches for resource-constrained teams, while commercial platforms offer enterprise-scale automation and support.

Successful discovery requires executive support, cross-functional collaboration, and sustained commitment. Organizations treating discovery as the critical foundation it represents position themselves for successful post-quantum cryptography transitions, protecting digital assets against the quantum threat.
