API Server Overview

Introduction

The AnkaSecure API Server is the core of the cryptographic infrastructure, providing secure, scalable, and efficient encryption and key management. It supports multiple deployment models, allowing integration into cloud, on-premise, and hybrid environments.

Architecture

The API Server is designed with modular components, ensuring security, performance, and compliance with enterprise standards.

flowchart TD
    subgraph A["AnkaSecure System"]
        C["API Endpoints"]
    end

    subgraph F["Storage & Security"]
        G["Key Store"]
        I["Audit Logs"]
    end

    %% Customer applications and CLI
    B["Customer Applications"] --- K["CLI"]
    B -- REST API Calls --> C
    K -- REST API Calls --> C

    %% API Endpoints connections
    C -- Key Management & Crypto Ops --> G
    C -- "Hardware-based security" --> H["HSM - Secure Vault (Amazon KMS, Azure Vault, HashiCorp, etc.)"]
    C -- Tracks API usage & security events --> J["Monitoring System (Dynatrace, Datadog, Grafana, etc.)"]

    %% Key Store to HSM
    G -- Stores encryption keys --> H

    %% Audit Logs and Event Correlation
    C -- Logging & Compliance --> I
    I -- "Feeds correlation systems" --> L["Event Correlation / SIEM (Splunk, Elastic, etc.)"]

    %% Database
    D["Database"]
    C --> D

Core Components

🔹 API Endpoints

The primary interface of AnkaSecure, exposing RESTful services for:

  • Key Management: Generate, import, retrieve, and revoke cryptographic keys.

  • Encryption & Decryption: Data protection using post-quantum (and classical) algorithms.

  • Signing & Verification: Digital signatures for document integrity.

  • Audit Logging: Tracks all API requests for compliance.

  • Monitoring & Usage Metrics: Logs system activity for observability.

🔹 Authentication & Authorization

  • Uses JWT-based authentication to secure API access.

  • Implements OAuth 2.0-style access control with RBAC (Role-Based Access Control).

  • Supports multi-tenant environments.
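The three checks listed above (JWT validation, RBAC, tenant isolation) as one added example written for this page, not AnkaSecure's own code: the claim names (`tenant`, `roles`), the role names and the permission strings are assumptions, and tokens are HS256 JWTs signed with a shared secret so the block runs with the standard library only.

```python
import base64, hashlib, hmac, json, time

# Constructed for this page: claim names, role names and permission strings are assumptions,
# not AnkaSecure's documented ones. Tokens are HS256 JWTs signed with a shared secret.
ROLE_PERMISSIONS = {
    "key-admin": {"keys:generate", "keys:import", "keys:retrieve", "keys:revoke"},
    "operator": {"crypto:encrypt", "crypto:decrypt", "crypto:sign", "crypto:verify"},
    "auditor": {"audit:read"},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, sub: str, tenant: str, roles: list, ttl: int = 300, now: int = None) -> str:
    """Mint a short-lived HS256 JWT carrying the caller's tenant and roles."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "tenant": tenant, "roles": roles, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(secret: bytes, token: str, now: int = None) -> dict:
    """Return the claims if the signature verifies and the token is unexpired; raise PermissionError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, payload, sig = parts
    # Pin the algorithm: a token claiming "none" or a different alg is rejected before any crypto runs.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):  # constant-time compare
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def authorize(claims: dict, permission: str, key_tenant: str) -> bool:
    """RBAC plus tenant isolation: the key must belong to the caller's tenant AND a role must grant the permission."""
    if claims.get("tenant") != key_tenant:
        return False  # a valid token from tenant A never reaches tenant B's keys
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in claims.get("roles", [])))
    return permission in granted
```

Every denial path raises or returns False before any key material is touched, which is the property an audit log entry for the request should be able to confirm.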

🔹 Crypto Engine

The Crypto Engine is the core of AnkaSecure's cryptographic operations, supporting post-quantum cryptography (PQC) alongside classical cryptographic algorithms for encryption, signing, and key management.

Supported Cryptographic Algorithms

AnkaSecure supports a wide range of cryptographic algorithms, categorized as follows:

🔹 Post-Quantum Encryption (PQC)

Key Type | Algorithm
--- | ---
ML-KEM (Kyber) | ML-KEM-512, ML-KEM-768, ML-KEM-1024

🔹 Post-Quantum Digital Signatures

Key Type | Algorithm
--- | ---
Dilithium | Dilithium2, Dilithium3, Dilithium5
Falcon | FALCON-512, FALCON-1024
SPHINCS+ (SHA2 variants) | SPHINCS+-SHA2-128F, SPHINCS+-SHA2-128S, SPHINCS+-SHA2-192F, SPHINCS+-SHA2-192S, SPHINCS+-SHA2-256F, SPHINCS+-SHA2-256S
SPHINCS+ (SHAKE variants) | SPHINCS+-SHAKE-128F, SPHINCS+-SHAKE-128S, SPHINCS+-SHAKE-192F, SPHINCS+-SHAKE-192S, SPHINCS+-SHAKE-256F, SPHINCS+-SHAKE-256S

🔹 Classical Public-Key Cryptography

Key Type | Algorithm
--- | ---
RSA | RSA-1024, RSA-2048, RSA-4096, RSA-8192
Elliptic Curve (EC) | EC-256, EC-384, EC-521

🔹 Symmetric Cryptography

Key Type | Algorithm
--- | ---
AES (Advanced Encryption Standard) | AES-128, AES-192, AES-256

Post-Quantum Readiness

  • ML-KEM (Kyber) for key establishment (key encapsulation), replacing RSA/ECDH key exchange.
  • Dilithium, Falcon, and SPHINCS+ for digital signatures, ensuring long-term security against quantum attacks.
  • Hybrid cryptography allowing classical and PQC interoperability.

Key Management & Security

  • All keys are securely stored and managed in the built-in key store or external HSM solutions (AWS KMS, Azure Vault, HashiCorp, etc.).
  • Key rotation and expiration policies can be enforced per security compliance requirements.

Why Post-Quantum Cryptography?

✔ Protects against quantum attacks, unlike RSA or ECC.
✔ NIST PQC standardization compliance (ML-KEM, Dilithium, Falcon).
✔ Interoperability with existing cryptographic infrastructure.
✔ Supports hybrid cryptography for seamless migration.

For more details on key management, refer to the Key Management Section.