{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,15]],"date-time":"2026-06-15T23:56:12Z","timestamp":1781567772777,"version":"3.54.5"},"publisher-location":"Cham","reference-count":41,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032195661","type":"print"},{"value":"9783032195678","type":"electronic"}],"license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-19567-8_10","type":"book-chapter","created":{"date-parts":[[2026,6,15]],"date-time":"2026-06-15T23:39:52Z","timestamp":1781566792000},"page":"202-221","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Towards Cryptography Bill of\u00a0Materials Compliance"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-4000-3760","authenticated-orcid":false,"given":"Claudio","family":"Foroncelli","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-7684-7189","authenticated-orcid":false,"given":"Pietro","family":"De Matteis","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7291-7780","authenticated-orcid":false,"given":"Luis Augusto Dias","family":"Knob","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7530-4119","authenticated-orcid":false,"given":"Luca","family":"Piras","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3518-9400","authenticated-orcid":false,"given":"Alessandro","family":"Tomasi","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7269-9285","authenticated-orcid":false,"given":"Silvio","family":"Ranise","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2026,5,1]]},"reference":[{"key":"10_CR1","unstructured":"ANSSI: M\u00e9canismes cryptographiques: R\u00e8gles et recommandations (2020), https:\/\/cyber.gouv.fr\/publications\/mecanismes-cryptographiques"},{"key":"10_CR2","doi-asserted-by":"publisher","unstructured":"Barker, E.: Guideline for using cryptographic standards in the federal government: cryptographic mechanisms (2020). https:\/\/doi.org\/10.6028\/NIST.SP.800-175Br1, https:\/\/csrc.nist.gov\/pubs\/sp\/800\/175\/b\/r1\/final, NIST SP 800-175B Revision 1","DOI":"10.6028\/NIST.SP.800-175Br1"},{"key":"10_CR3","doi-asserted-by":"publisher","unstructured":"Barker, E., et al.: Considerations for achieving crypto agility: strategies and practices (2025). https:\/\/doi.org\/10.6028\/NIST.CSWP.39.2pd, https:\/\/csrc.nist.gov\/pubs\/cswp\/39\/considerations-for-achieving-cryptographic-agility\/2pd, NIST CSWP 39 (2pd)","DOI":"10.6028\/NIST.CSWP.39.2pd"},{"key":"10_CR4","doi-asserted-by":"publisher","unstructured":"Barker, E., Chen, L., Roginsky, A., Vassilev, A., Davis, R.: Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography (2018). https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3, https:\/\/csrc.nist.gov\/pubs\/sp\/800\/56\/a\/r3\/final , NIST SP 800-56A Revision 3","DOI":"10.6028\/NIST.SP.800-56Ar3"},{"key":"10_CR5","doi-asserted-by":"publisher","unstructured":"Barker, E., Roginsky, A.: Transitioning the use of cryptographic algorithms and key lengths (2019). https:\/\/doi.org\/10.6028\/NIST.SP.800-131Ar2, https:\/\/csrc.nist.gov\/pubs\/sp\/800\/131\/a\/r2\/final, NIST SP 800-131A Rev. 2","DOI":"10.6028\/NIST.SP.800-131Ar2"},{"key":"10_CR6","doi-asserted-by":"publisher","unstructured":"Barker, E., Roginsky, A.: Transitioning the use of cryptographic algorithms and key lengths (2024). https:\/\/doi.org\/10.6028\/NIST.SP.800-131Ar3.ipd, https:\/\/csrc.nist.gov\/pubs\/sp\/800\/131\/a\/r3\/ipd, NIST SP 800-131Ar3 ipd","DOI":"10.6028\/NIST.SP.800-131Ar3.ipd"},{"key":"10_CR7","doi-asserted-by":"publisher","unstructured":"Bradner, S.O.: Key words for use in RFCs to indicate requirement levels (RFC 2119). (1997). https:\/\/doi.org\/10.17487\/RFC2119, https:\/\/www.rfc-editor.org\/info\/rfc2119","DOI":"10.17487\/RFC2119"},{"key":"10_CR8","unstructured":"BSI: Technical Guideline TR-02102 Cryptographic Mechanisms (2025). https:\/\/www.bsi.bund.de\/EN\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Technische-Richtlinien\/TR-nach-Thema-sortiert\/tr02102\/tr02102_node.html"},{"key":"10_CR9","doi-asserted-by":"publisher","unstructured":"Chen, L., Moody, D., Regenscheid, A., Robinson, A., Randall, K.: Recommendations for discrete logarithm-based cryptography: elliptic curve domain parameters (2023). https:\/\/doi.org\/10.6028\/NIST.SP.800-186, https:\/\/csrc.nist.gov\/pubs\/sp\/800\/186\/final","DOI":"10.6028\/NIST.SP.800-186"},{"key":"10_CR10","unstructured":"CISA and the National Security Agency (NSA): A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. https:\/\/www.cisa.gov\/resources-tools\/resources\/shared-vision-software-bill-materials-sbom-cybersecurity, Accessed 07 Oct 2025"},{"key":"10_CR11","unstructured":"CycloneDX Project: cdxgen: Cyclonedx generator. https:\/\/github.com\/CycloneDX\/cdxgen"},{"key":"10_CR12","doi-asserted-by":"publisher","unstructured":"Dang, Q.: Recommendation for applications using approved hash algorithms. (2012). https:\/\/doi.org\/10.6028\/NIST.SP.800-107r1, https:\/\/csrc.nist.gov\/pubs\/sp\/800\/107\/r1\/final, NIST SP 800-107 Revision 1","DOI":"10.6028\/NIST.SP.800-107r1"},{"key":"10_CR13","unstructured":"EU: Cyber Resilience Act (CRA) (2024). https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX"},{"key":"10_CR14","doi-asserted-by":"publisher","unstructured":"Germenia, R., Manfredi, S., Rizzi, M., Sciarretta, G., Tomasi, A., Ranise, S.: Automating compliance for improving TLS security postures: an assessment of public administration endpoints. In: SECRYPT, pp. 450\u2013458. SciTePress (2024). https:\/\/doi.org\/10.5220\/0012764700003767","DOI":"10.5220\/0012764700003767"},{"key":"10_CR15","unstructured":"GitHub Advanced Security: CBOM action: Generate cryptography bill of materials with CodeQL. https:\/\/github.com\/advanced-security\/cbom-action"},{"key":"10_CR16","unstructured":"GitHub Security Lab: Addressing post-quantum cryptography with CodeQL (2023). https:\/\/github.blog\/security\/vulnerability-research\/addressing-post-quantum-cryptography-with-codeql\/"},{"key":"10_CR17","unstructured":"IANA: Transport Layer Security (TLS) parameters (2005). https:\/\/www.iana.org\/assignments\/tls-parameters\/"},{"key":"10_CR18","unstructured":"IANA: JSON Object Signing and Encryption (JOSE) (2025). https:\/\/www.iana.org\/assignments\/jose\/jose.xhtml"},{"key":"10_CR19","doi-asserted-by":"publisher","unstructured":"Jones, M.B.: JSON Web Algorithms (JWA). RFC 7518 (2015). https:\/\/doi.org\/10.17487\/RFC7518, https:\/\/www.rfc-editor.org\/info\/rfc7518","DOI":"10.17487\/RFC7518"},{"key":"10_CR20","unstructured":"Leurent, G., Peyrin, T.: SHA-1 is a shambles: first chosen-prefix collision on SHA-1 and application to the PGP web of trust. In: 29th USENIX Security Symposium (USENIX Security 20), pp. 1839\u20131856. USENIX Association (2020). https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/leurent"},{"key":"10_CR21","doi-asserted-by":"publisher","unstructured":"Liusvaara, I.: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE). RFC 8037 (2017). https:\/\/doi.org\/10.17487\/RFC8037, https:\/\/www.rfc-editor.org\/info\/rfc8037","DOI":"10.17487\/RFC8037"},{"key":"10_CR22","doi-asserted-by":"publisher","unstructured":"McKay, K.A., Cooper, D.A.: Guidelines for the selection, configuration, and use of transport layer security (TLS) implementations (2019). https:\/\/doi.org\/10.6028\/NIST.SP.800-52r2, https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-52r2.pdf","DOI":"10.6028\/NIST.SP.800-52r2"},{"key":"10_CR23","doi-asserted-by":"publisher","unstructured":"Moody, D., Perlner, R., Regenscheid, A., Robinson, A., Cooper, D.: Transition to post-quantum cryptography standards (2024). https:\/\/doi.org\/10.6028\/NIST.IR.8547.ipd, https:\/\/csrc.nist.gov\/pubs\/ir\/8547\/ipd, NIST IR 8547 (IPD)","DOI":"10.6028\/NIST.IR.8547.ipd"},{"key":"10_CR24","unstructured":"National Institute of Standards and Technology (NIST): National Vulnerability Database - CVE-2020-10148 (SolarWinds Orion API Vulnerability) . https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-10148, Accessed 08 Oct 2025"},{"key":"10_CR25","unstructured":"National Institute of Standards and Technology (NIST): National Vulnerability Database - CVE-2021-44228 (Apache Log4j2 Vulnerability). https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2021-44228, Accessed 07 Oct 2025"},{"key":"10_CR26","doi-asserted-by":"publisher","unstructured":"National Institute of Standards and Technology (NIST): NIST interagency report (NIST IR) 8547: Cryptographic asset management. Tech. Rep. NIST IR 8547 (Initial Public Draft), National Institute of Standards and Technology (NIST) (2024). https:\/\/doi.org\/10.6028\/NIST.IR.8547.ipd","DOI":"10.6028\/NIST.IR.8547.ipd"},{"key":"10_CR27","unstructured":"National Telecommunications and Information Administration (NTIA): The minimum elements for a software bill of materials (SBOM). https:\/\/www.ntia.doc.gov\/files\/ntia\/publications\/sbom_minimum_elements_report.pdf, Accessed 07 Oct 2025"},{"key":"10_CR28","unstructured":"Newhouse, W., Souppaya, M., Barker, W., Brown, C.: Migration to post-quantum cryptography: quantum readiness \u2013 cryptographic discovery (preliminary draft). Special Publication 1800-38B, National Institute of Standards and Technology (NCCoE), Gaithersburg (2023). https:\/\/www.nccoe.nist.gov\/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms, preliminary Draft; Released for public comment December 19, 2023"},{"key":"10_CR29","unstructured":"Newhouse, W., et al.: Migration to post-quantum cryptography: quantum readiness: cryptographic discovery (2023). https:\/\/www.nccoe.nist.gov\/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms, NIST SP 1800-38B (IPD)"},{"key":"10_CR30","unstructured":"OWASP Foundation: Cyclonedx (CDX). https:\/\/cyclonedx.org\/, Accessed 7 Oct 2025"},{"key":"10_CR31","unstructured":"OWASP Foundation: Authoritative guide to cryptography bill of materials (CBOM) (2024). https:\/\/cyclonedx.org\/guides\/OWASP_CycloneDX-Authoritative-Guide-to-CBOM-en.pdf"},{"key":"10_CR32","unstructured":"Post-Quantum Cryptography Alliance: CBOMkit: an open-source toolkit for cryptography bills of materials. https:\/\/github.com\/PQCA\/cbomkit"},{"key":"10_CR33","unstructured":"Post-Quantum Cryptography Alliance: Sonar cryptography: Detection rule structure. https:\/\/github.com\/PQCA\/sonar-cryptography\/blob\/main\/docs\/DETECTION_RULE_STRUCTURE.md"},{"key":"10_CR34","unstructured":"Preston-Werner, T.: TOML: Tom\u2019s Obvious, Minimal Language (2021). https:\/\/github.com\/toml-lang\/toml, Accessed 29 Aug 2025"},{"key":"10_CR35","unstructured":"Santander Security Research: CryptoMon: Network cryptography monitor - using eBPF, written in python. https:\/\/github.com\/Santandersecurityresearch\/CryptoMon"},{"key":"10_CR36","unstructured":"SECG: Recommended elliptic curve domain parameters (2010). https:\/\/www.secg.org\/sec2-v2.pdf, Standards for Efficient Cryptography (SEC) 2, Version 2.0"},{"key":"10_CR37","unstructured":"SOG-IS: SOG-IS crypto evaluation scheme: Agreed cryptographic mechanisms (2023). https:\/\/www.sogis.eu\/uk\/supporting_doc_en.html, version 1.3"},{"key":"10_CR38","doi-asserted-by":"publisher","unstructured":"Stevens, M.M., Lenstra, A.K., de\u00a0Weger, B.M.M.: Chosen-prefix collisions for MD5 and applications. Int. J. Appl. Cryptography 2(4), 322\u2013359 (2012). https:\/\/doi.org\/10.1504\/IJACT.2012.048084, https:\/\/marc-stevens.nl\/research\/hashclash\/","DOI":"10.1504\/IJACT.2012.048084"},{"key":"10_CR39","unstructured":"The Linux Foundation: The System Package Data Exchange (SPDX). https:\/\/spdx.dev\/, Accessed 07 Oct 2025"},{"key":"10_CR40","unstructured":"US Government: President\u2019s Executive Order (EO) 14028 on Improving the Nation\u2019s Cybersecurity (2021). https:\/\/www.federalregister.gov\/documents\/2021\/05\/17\/2021-10460\/improving-the-nations-cybersecurity, Accessed 07 Oct 2025"},{"key":"10_CR41","unstructured":"Young, S.D.: Migrating to post-quantum cryptography. Memorandum M-23-02, Executive Office of the President, Office of Management and Budget (OMB), Washington, DC (2022). https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2022\/11\/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf"}],"container-title":["Lecture Notes in Computer Science","Security Standardisation Research"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-19567-8_10","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,6,15]],"date-time":"2026-06-15T23:39:55Z","timestamp":1781566795000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-19567-8_10"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"ISBN":["9783032195661","9783032195678"],"references-count":41,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-19567-8_10","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]},"assertion":[{"value":"1 May 2026","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"The authors have no competing interests to declare.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Disclosure of Interests"}},{"value":"SSR","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Research in Security Standardisation","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Passau","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Germany","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"4 December 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"5 December 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"10","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ssr2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.uni-passau.de\/ssr2025","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}