General Architecture

This document provides a high-level overview of the main architectural components of ANKA Secure. The architecture supports both SaaS (Ankatech Private Tenant) and On-Premise deployments, ensuring flexibility, security, and regulatory compliance.

---

1. Conceptual Layers

ANKA Secure API operates on multiple conceptual layers that handle incoming REST (and streaming) requests, translate them for internal processing, and execute core business logic. Below is an outline of these layers:

1.1. Controller Layer

• Controls: A set of controllers that receive external REST requests, including streaming requests.
• Each controller corresponds to a specific functionality or endpoint.
• These controllers handle request validation and initial processing before passing the request to the next layer.
• Key Controllers:
• AuthController (Authentication and token refresh)
• CryptoApiController (Cryptographic operations - non-stream)
• CryptoStreamingApiController (Cryptographic operations - streaming)
• KeyManagementApiController (Key management: generate, import, export, list, delete)
• LicenseUsageController (License usage tracking)

1.2. Service Layer

• Each controller delegates the business logic to corresponding services.
• These services act as intermediaries between the REST interface and the Secure Core Controller.
• Example services:
• AuthenticationService
• CryptoService
• KeyManagementService

1.3. Secure Core Controller

• Main entry point for core functionalities in ANKA Secure.
• Orchestrates calls to specialized services to ensure consistency in cryptographic operations.
• Acts as a unified façade to the application’s internal logic.

1.4. Core Services

These services execute the core cryptographic functionalities of ANKA Secure:

• Asymmetric Encryption Service
• Handles cryptographic operations involving public/private key encryption, digital signatures, and signature validation.

• Supports post-quantum cryptographic algorithms such as Kyber, Dilithium, Falcon, Sphinx, as well as classical algorithms like RSA and ECC.

• Key Management Service

• Manages key creation, storage, rotation, import/export, and retrieval.
• Uses BouncyCastle KeyStore for secure key storage.
• In SaaS mode, keys reside in the Ankatech Private Tenant.

• In On-Premise mode, keys reside within the customer's infrastructure (inside the container or externalized securely).

• Symmetric Encryption Service

• Responsible for encryption/decryption operations using shared secret keys.
• Supports AES encryption at 128, 192, and 256-bit key sizes.

---

2. Deployment Models

ANKA Secure API is designed to run in multiple environments:

2.1. SaaS Mode (Ankatech Private Tenant)

• The API is hosted in Ankatech's private cloud.
• Clients access the APIs through RapidAPI or SecureCoreCLI.
• Keys are stored securely in BouncyCastle KeyStore (cloud-based storage).
• The AnkaSecure License Server validates licenses in real-time.

2.2. On-Premise Mode

• The customer deploys ANKA Secure API within their private infrastructure (Docker, Kubernetes, or any supported environment).
• Key Management remains inside the customer’s environment, ensuring full control over cryptographic keys.
• The system only connects to AnkaSecure License Server periodically to validate the license and synchronize credit usage.
• Encryption and cryptographic operations do not depend on the SaaS version and work independently.

---

3. Communication Flows

3.1. SecureCoreCLI Workflow

1. The user executes a CLI command for encryption, key generation, or signing.
2. SecureCoreCLI sends a REST request to ANKA Secure API.
3. ANKA Secure API processes the request and executes the operation.
4. The response is returned to CLI.

3.2. Authentication and License Validation

1. On startup, ANKA Secure API authenticates with AnkaSecure License.
2. If valid, it retrieves available credits and permissions and stores them locally.
3. During operation, the local copy of credits is used, reducing real-time dependency on the License Server.
4. Usage reports are sent to the AnkaSecure License Server asynchronously, ensuring no impact on performance.

---

4. Benefits of the Architecture

4.1. Scalability & Flexibility

✅ Supports SaaS and On-Premise deployments.
✅ Easily deployable with Docker and Kubernetes.

4.2. Security & Post-Quantum Cryptography

✅ Uses Kyber, Dilithium, Falcon, Sphinx, ASRCA for post-quantum resilience.
✅ Stores keys in BouncyCastle KeyStore for maximum security.

4.3. Optimized License Management

✅ License validation only happens at startup, reducing unnecessary API calls.
✅ Asynchronous reporting of credit usage, ensuring uninterrupted operations.

---

5. Decision Matrix: SaaS vs. On-Premise

Requirement	SaaS (Ankatech Cloud)	On-Premise
No customer infrastructure required	✅ Yes	❌ No
Compliance with strict security regulations	❌ Limited	✅ Full control
Fast deployment	✅ Immediate	❌ Requires setup
Customer controls key storage	❌ No	✅ Yes
Handles large cryptographic workloads	✅ Scales automatically	✅ Customer-managed scaling

---

6. Additional References

• ANKA Secure API Overview
  components/anka_api/overview.md
• Key Concepts
  key_concepts.md
• Encryption & Digital Signatures
  components/anka_api/security/encryption.md
• Key Management
  components/anka_api/security/key_management.md

---

7. Conclusion

ANKA Secure API provides a flexible, high-security cryptographic solution that supports both SaaS and On-Premise deployments. Its post-quantum cryptography capabilities, combined with efficient key management and licensing strategies, make it an ideal choice for organizations requiring advanced security and compliance.

For further details, refer to the individual API documentation and implementation guides.