
Platform Overview

AnkaSecure is an enterprise-grade post-quantum cryptography platform providing quantum-resistant encryption, digital signatures, and key management through REST APIs, SDKs, and CLI tools.


Platform Capabilities

Core Cryptographic Operations

Encryption & Decryption:
  • Post-quantum key encapsulation (ML-KEM, FrodoKEM, HQC, SABER, BIKE, NTRU, Classic McEliece); as in any JWE envelope, the KEM establishes the content key and a symmetric AEAD protects the payload
  • Classical algorithms (RSA, AES, ChaCha20, Camellia, ARIA, SEED)
  • Hybrid cryptography (classical + PQC combined, so the data stays protected while either component is unbroken)
  • Streaming support (multi-gigabyte files via chunked processing)

Digital Signatures:
  • Post-quantum signatures (ML-DSA, FALCON, SLH-DSA, XMSS, LMS)
  • Classical signatures (RSA-PSS, ECDSA, SM2, GOST)
  • Compact formats (JWS RFC 7515, detached JWS for streaming)
  • No client-side state: callers never manage signature counters. XMSS and LMS are inherently stateful, so their one-time-key index has to be tracked on the platform side and must never be rolled back (for example by restoring a key from backup), because reusing an index breaks the scheme.

Key Management:
  • Key generation for every supported algorithm (see the algorithm catalog)
  • Key import (PKCS#12, PKCS#7, PEM, JWK)
  • Key rotation (automatic algorithm transition)
  • Key lifecycle (generation → active → rotating → revoked → deleted)
  • HSM support (PKCS#11 compatible)

Migration & Interoperability:
  • Re-encryption (RSA → ML-KEM): the wrapped content-encryption key is re-keyed under the new key rather than the payload being decrypted and re-encrypted, so plaintext is never exposed to the caller
  • Re-signing (RSA → ML-DSA): the existing RSA signature is verified, then a new ML-DSA signature is issued over the same content
  • Format conversion (PKCS#7 → JOSE/JWE)
  • Public-key utilities (encrypt/sign with external public keys)


Deployment Models

AnkaSecure is available in two deployment models to meet diverse customer requirements:

SaaS (Software-as-a-Service)

Overview: Fully managed cloud platform

Benefits:
  • Rapid deployment: start encrypting data in under 1 hour
  • Automatic updates: platform maintained by AnkaTech
  • Elastic scaling: scales automatically with your workload
  • High availability: 99.9% uptime SLA
  • Multi-region: deploy in your preferred geographic region

Customer Responsibilities:
  • API integration (SDK or REST API)
  • Tenant configuration (users, applications, keys)
  • Compliance validation (HIPAA, PCI-DSS, GDPR)

Ideal For:
  • Fast time-to-market (startups, agile teams)
  • Variable workloads (seasonal peaks)
  • Limited DevOps resources

Get started with SaaS →


On-Premise (Enterprise)

Overview: Self-hosted deployment with full control

Benefits:
  • Full control: deploy in your data center or private cloud
  • Data sovereignty: data never leaves your infrastructure
  • Air-gapped: supported for classified/sensitive environments
  • Customization: integrate with existing HSMs and identity providers
  • Compliance: meet strict regulatory requirements (FedRAMP High, DoD Impact Levels)

AnkaTech Services:
  • Professional services for installation and configuration
  • Architecture consulting and capacity planning
  • Integration support (HSM, identity providers, monitoring)
  • Ongoing support and maintenance

Ideal For:
  • Government and defense (FedRAMP, DoD)
  • Healthcare (HIPAA, air-gapped PHI)
  • Finance (PCI-DSS, data residency)
  • Enterprises with strict data sovereignty requirements

Contact: sales@ankatech.co for on-premise deployment


Platform Architecture

High-Level Architecture

┌─────────────────────────────────────────────────────────────┐
│                     Client Applications                      │
│  (Your services, web apps, mobile apps, scripts)            │
└────────────┬────────────────────────────────┬───────────────┘
             │                                 │
             ├─── Java SDK                     │
             ├─── CLI Tools                    │
             └─── REST API (HTTPS)             │
                           │                   │
             ┌─────────────┴───────────────────┴──────────────┐
             │         AnkaSecure Platform (SaaS/On-Prem)     │
             │                                                 │
             │  ┌────────────────────────────────────────┐    │
             │  │  Authentication & Authorization        │    │
             │  │  (JWT validation, API keys, RBAC)      │    │
             │  └───────────────┬────────────────────────┘    │
             │                  │                              │
             │  ┌───────────────┴────────────────────────┐    │
             │  │    Core Cryptographic Services         │    │
             │  │                                         │    │
             │  │  • Encryption/Decryption (Compact,     │    │
             │  │    Streaming)                          │    │
             │  │  • Digital Signatures (JWS, Detached)  │    │
             │  │  • Key Management (Generation,         │    │
             │  │    Rotation, Import)                   │    │
             │  │  • Migration (Re-encrypt, Re-sign)     │    │
             │  └───────────────┬────────────────────────┘    │
             │                  │                              │
             │  ┌───────────────┴────────────────────────┐    │
             │  │    Cryptographic Key Storage           │    │
             │  │  (Multi-tenant keystores, HSM support) │    │
             │  └────────────────────────────────────────┘    │
             │                                                 │
             └─────────────────────────────────────────────────┘

Key Components

1. API Gateway:
  • HTTPS endpoint (TLS 1.2/1.3)
  • Rate limiting and DoS protection
  • Request routing and load balancing

2. Authentication Service:
  • User authentication (username/password)
  • Application authentication (API keys)
  • JWT token issuance and validation
  • Session management

3. Core API:
  • Encryption/decryption operations (Compact JWE, Streaming JWET)
  • Digital signature operations (Compact JWS, Detached JWS)
  • Key management (generate, import, rotate, revoke)
  • Migration utilities (re-encrypt, re-sign, convert)

4. Admin API:
  • Tenant management (multi-tenant provisioning)
  • User management (RBAC, permissions)
  • Application management (API key generation)
  • Policy management (algorithm availability, key lifecycle)

5. Key Storage:
  • Multi-tenant keystores (logical isolation)
  • HSM integration (PKCS#11 compatible)
  • Key backup and recovery

6. Audit & Monitoring:
  • Comprehensive audit logging (all operations)
  • Health checks and metrics
  • Correlation ID tracing (request flow)


Security Architecture

Defense-in-Depth

AnkaSecure implements 5 security layers:

Layer 1 - Transport Security:
  • TLS 1.2/1.3 encryption for all communications
  • Certificate validation (prevents MITM attacks)
  • HSTS enforced (HTTP Strict Transport Security)

Layer 2 - Authentication:
  • JWT validation (signature verification plus 4 mandatory claims: iss, aud, exp, nbf; a token missing any of them is rejected)
  • API key authentication (service-to-service)
  • mTLS support (optional, for high-security environments)

Layer 3 - Authorization:
  • Role-based access control (RBAC)
  • Multi-tenant isolation (tenant data segregation)
  • Principle of least privilege

Layer 4 - Application Security:
  • OWASP REST API Security (100% compliant)
  • Input validation (schema enforcement)
  • Security headers (Cache-Control, X-Frame-Options, CSP, HSTS)
  • Rate limiting (dual-layer protection)

Layer 5 - Data Security:
  • Encryption at rest (AES-256-GCM for the database)
  • Post-quantum cryptographic algorithms
  • HSM-backed key storage (optional)
  • Audit logging (tamper-evident logs)


Multi-Tenancy

Tenant Isolation Model

AnkaSecure provides logical multi-tenancy with strict isolation:

Data Isolation:
  • Separate keystore per tenant
  • Tenant-scoped database queries (no cross-tenant data access)
  • Tenant ID carried in the JWT claims and checked against the tenant whose keys or data a request touches

Resource Isolation:
  • Per-tenant rate limiting (fair resource allocation)
  • Per-tenant quotas (API calls, key generation, storage)
  • Independent tenant lifecycle (provision, suspend, delete)

Security Isolation:
  • Tenant-specific API keys (cannot access other tenants)
  • Tenant-specific users and roles (RBAC per tenant)
  • Tenant-specific audit logs (compliance-ready)

Learn more about multi-tenancy →
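The Layer 2 and Data Isolation checks above fit together in a single token check: verify the signature with a pinned algorithm, require all four mandatory claims, then compare the tenant claim against the tenant whose keystore the request targets. The following is an added example in Python, not AnkaSecure's gateway code; it assumes an HS256 shared secret and a hypothetical `tenant_id` claim name, and every issuer, audience, secret and token value in it is constructed for the demonstration.

```python
"""Gateway-style JWT check for a multi-tenant crypto API (added example, not AnkaSecure code).
Order matters: signature first, then the four mandatory claims, then tenant scoping."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo configuration (assumptions, not platform values).
ISSUER = "https://auth.example.test"
AUDIENCE = "ankasecure-core-api"
SECRET = b"constructed-demo-secret-do-not-reuse"
TENANT_CLAIM = "tenant_id"  # hypothetical claim name carrying the tenant


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS (RFC 7515) over the given claims; used here only to create test tokens."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, expected_tenant: str, now: Optional[float] = None,
                   secret: bytes = SECRET) -> dict:
    """Return the claims if the token may act for `expected_tenant`; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token never gets to choose (rejects "none" and algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    # Mandatory means present: a token without exp or nbf is rejected, not treated as unbounded.
    for name in ("iss", "aud", "exp", "nbf"):
        if name not in claims:
            raise ValueError(f"missing mandatory claim {name}")
    if claims["iss"] != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if AUDIENCE not in aud:
        raise ValueError("wrong audience")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims["nbf"]:
        raise ValueError("token not yet valid")
    # Tenant scoping: the tenant in the token must match the tenant whose keystore is addressed.
    if claims.get(TENANT_CLAIM) != expected_tenant:
        raise ValueError("tenant mismatch")
    return claims


def check(token: str, expected_tenant: str, now: float) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        validate_token(token, expected_tenant, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The tenant comparison is against the resource being accessed, not merely against "some tenant exists in the token": a valid token for tenant A presented against tenant B's key ID must fail at this step, otherwise the per-tenant keystores provide no isolation at all.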


Integration Methods

1. Java SDK

Best For: Java/JVM applications, Spring Boot, microservices

Features:
  • Native Java API (no OpenAPI complexity)
  • Connection pooling and retry logic
  • Type-safe operations (compile-time validation)
  • 28 integration flow examples

SDK Documentation →


2. CLI Tools

Best For: Scripting, automation, CI/CD pipelines, DevOps

Features:
  • Cross-platform (Windows, macOS, Linux)
  • 25 commands (key generation, encryption, signing, migration)
  • Interactive and batch modes
  • Suitable for air-gapped environments

CLI Documentation →


3. REST API

Best For: Any language, microservices, polyglot architectures

Features:
  • OpenAPI 3.0 specification
  • Standard HTTP methods (GET, POST, PUT, PATCH, DELETE)
  • JSON request/response (Base64-encoded payloads)
  • Comprehensive error codes (27 error types)

API Documentation →


Supported Algorithms

AnkaSecure supports 78 cryptographic algorithms across 28 algorithm families:

Post-Quantum Cryptography:
  • 21 KEM algorithms (ML-KEM, HQC, FrodoKEM, BIKE, SABER, NTRU, Classic McEliece)
  • 11 signature algorithms (ML-DSA, FALCON, SLH-DSA, XMSS, LMS)

Classical Cryptography:
  • 19 symmetric AEAD (AES-GCM, ChaCha20, Camellia, ARIA, SEED, SM4)
  • 8 asymmetric encryption and key agreement (RSA, ECDH)
  • 10 classical signatures (ECDSA, RSA-PSS, SM2, GOST)
  • 14 symmetric MACs (HMAC, CMAC, KMAC)

Standards Compliance:
  • NIST FIPS 203/204/205 (ML-KEM, ML-DSA, SLH-DSA)
  • NSA CNSA 2.0 (8 approved algorithms)
  • 14 international standards (BSI, ANSSI, CRYPTREC, etc.)
  • 20+ policy templates (by region/regulation)

Complete algorithm catalog →


Scalability & Performance

Performance Characteristics

Throughput (5 MB payload):
  • Symmetric encryption: 74-87 MB/s (AES-GCM, ChaCha20)
  • Post-quantum envelope encryption: 82-86 MB/s (ML-KEM-768/1024 encapsulates the content key; the bulk payload is processed by the symmetric AEAD, which is why the figure tracks the symmetric numbers)
  • Post-quantum signatures: 56-59 MB/s (ML-DSA-65/87)

Latency (5 MB payload):
  • Encryption: 60-95 ms (algorithm-dependent)
  • Signing: 80-100 ms (algorithm-dependent)
  • Network: +20-100 ms (SaaS round-trip)

Complete performance benchmarks →

Scalability

Concurrent Operations:
  • Single instance: 1000+ operations/second
  • Horizontal scaling: deploy multiple instances for higher throughput
  • Load balancing: distribute requests across instances

Multi-Tenant Capacity:
  • Supports thousands of tenants per deployment
  • Per-tenant quotas and rate limiting
  • Fair resource allocation across tenants


Security & Compliance

Security Posture

AnkaSecure achieves industry-leading security compliance:

  • OWASP REST API Security: 100% compliant
  • NIST Post-Quantum Cryptography: all standardized algorithms (FIPS 203/204/205)
  • NSA CNSA 2.0: the CNSA 2.0 algorithm suite is available for National Security Systems workloads (CNSA 2.0 specifies algorithms; it does not certify products)
  • Zero Trust Architecture: never trust, always verify

Security & Compliance →

Regulatory Support

AnkaSecure supports compliance with:

  • Healthcare: HIPAA, HITECH (PHI encryption)
  • Finance: PCI-DSS, SOX, GLBA (cardholder data protection)
  • Government: FedRAMP, FISMA (federal information systems)
  • Data Privacy: GDPR, CCPA, LGPD (personal data protection)

Regulatory frameworks →


Data Flow

Typical Request Flow

1. Client Application
   ↓ (HTTPS request with JWT/API key)
2. API Gateway
   ↓ (Authentication & rate limiting)
3. Authentication Service
   ↓ (JWT validation, token claims)
4. Core Cryptographic Service
   ↓ (Algorithm execution, key lookup)
5. Key Storage
   ↓ (Retrieve tenant-specific keys)
6. Cryptographic Operation
   ↓ (Encrypt/decrypt/sign/verify)
7. Response
   ↓ (JSON with encrypted payload, metadata)
8. Client Application

Request Correlation:
  • Every request receives a unique correlation ID
  • Trace requests across services via audit logs
  • Troubleshoot issues by correlation ID


Key Features

1. Algorithm Agility

Crypto-Agility: Transition between algorithms without code changes

Example: Migrate from RSA-2048 to ML-KEM-768

// Re-encrypt existing ciphertext without decrypting
ReencryptRequest request = ReencryptRequest.builder()
    .ciphertext(rsaCiphertext)           // RSA-encrypted data
    .targetKeyId("ml-kem-key")           // New ML-KEM key
    .build();

ReencryptResponse response = client.reencrypt(request);
// Returns ML-KEM-encrypted ciphertext (no plaintext exposure)

Benefits:
  • 🔄 Smooth migration path from classical to PQC
  • 🔄 Algorithm rotation without downtime
  • 🔄 Respond to cryptographic vulnerabilities quickly
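What "re-encrypt without exposing plaintext" means in an envelope format such as JWE: a per-message content-encryption key (CEK) protects the payload, and that CEK is wrapped under a key-encryption key (KEK); migrating from an RSA key to an ML-KEM key only unwraps and re-wraps the CEK, so the payload ciphertext is untouched and the plaintext is never reconstructed by the migration step. The block below is an added Python example, not AnkaSecure's implementation and not the Java SDK shown above. It stands in for the real primitives with a small hash-based encrypt-then-MAC construction (in place of AES-GCM) and random 32-byte KEKs (in place of the RSA and ML-KEM keys); the key IDs and sample data are constructed.

```python
"""Envelope re-keying: re-wrap the CEK, leave the payload alone (added example, not AnkaSecure code).
The AEAD here is a teaching stand-in for AES-GCM: SHA-256 counter-mode keystream + HMAC tag."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode PRF: concatenated SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def aead_seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC with separate derived keys. Output: nonce(16) || ciphertext || tag(32)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Authenticate before decrypting, with a constant-time compare.
    if not hmac.compare_digest(hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def envelope_encrypt(kek: bytes, kek_id: str, plaintext: bytes) -> dict:
    """JWE-style envelope: fresh CEK per message, CEK wrapped under the KEK, payload under the CEK."""
    cek = os.urandom(32)
    return {
        "kid": kek_id,                                              # which KEK wraps the CEK
        "wrapped_cek": aead_seal(kek, cek, aad=kek_id.encode()),    # AAD binds the wrap to its key id
        "payload": aead_seal(cek, plaintext),
    }


def envelope_decrypt(kek: bytes, env: dict) -> bytes:
    cek = aead_open(kek, env["wrapped_cek"], aad=env["kid"].encode())
    return aead_open(cek, env["payload"])


def reencrypt(env: dict, old_kek: bytes, new_kek: bytes, new_kek_id: str) -> dict:
    """Migration step: unwrap the CEK with the old KEK, wrap it with the new one. Payload bytes unchanged."""
    cek = aead_open(old_kek, env["wrapped_cek"], aad=env["kid"].encode())
    return {
        "kid": new_kek_id,
        "wrapped_cek": aead_seal(new_kek, cek, aad=new_kek_id.encode()),
        "payload": env["payload"],   # neither decrypted nor re-encrypted
    }


def demo() -> dict:
    """Migrate one envelope from an 'RSA' KEK to an 'ML-KEM' KEK and report the observable properties."""
    plaintext = b"constructed sample record: PAN 4111-xxxx-xxxx-1111"
    rsa_kek, mlkem_kek = os.urandom(32), os.urandom(32)   # stand-ins for the RSA-2048 and ML-KEM-768 keys
    env = envelope_encrypt(rsa_kek, "rsa-2048-key", plaintext)
    migrated = reencrypt(env, rsa_kek, mlkem_kek, "ml-kem-768-key")
    try:
        envelope_decrypt(rsa_kek, migrated)
        old_key_still_works = True
    except ValueError:
        old_key_still_works = False
    return {
        "payload_unchanged": migrated["payload"] == env["payload"],
        "new_key_decrypts": envelope_decrypt(mlkem_kek, migrated) == plaintext,
        "old_key_still_works": old_key_still_works,
    }
```

Two points the code makes concrete. First, the migration service needs unwrap rights on the old key and wrap rights on the new one, but never needs to hand plaintext to anyone, which is the property the Java example above relies on. Second, this example keeps the payload's associated data independent of the key header so the payload blob is byte-identical after migration; JWE binds the protected header into the AEAD's associated data, so a production re-wrap that changes `alg` must also refresh the payload tag, which the CEK alone permits, still without recovering the plaintext.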


2. Streaming Operations

Large File Support: Encrypt/decrypt/sign multi-gigabyte files without memory constraints

How it Works:
  • Client uploads/downloads data in chunks (configurable size)
  • Platform processes each chunk independently
  • Supports files up to terabytes in size

Use Cases:
  • Video encryption (media streaming, Netflix-style)
  • Database backup encryption (multi-GB SQL dumps)
  • Log file signing (tamper-evident audit logs)

Streaming API documentation →
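Processing chunks independently is only safe if each chunk is bound to its position and to the end of the stream; otherwise an attacker who cannot forge a single chunk can still reorder chunks, splice a chunk from another stream, or silently truncate a backup or log file. The following added Python example (not AnkaSecure's streaming protocol) shows the minimum binding a chunked verifier needs; it uses HMAC-SHA256 as a stand-in for the platform's detached signature, and the key, stream name, chunk size and data are constructed.

```python
"""Chunked stream authentication with order and truncation protection (added example, not AnkaSecure code).
Each tag covers (stream id, chunk index, end-of-stream flag, chunk bytes)."""
import hashlib
import hmac
from typing import Iterable, List, Tuple

Chunk = Tuple[int, bool, bytes, bytes]   # (index, is_final, data, tag)


def _tag(key: bytes, stream_id: bytes, index: int, is_final: bool, data: bytes) -> bytes:
    # Length-prefix the stream id so the (stream_id, data) boundary cannot be shifted.
    msg = (len(stream_id).to_bytes(2, "big") + stream_id
           + index.to_bytes(8, "big") + bytes([is_final]) + data)
    return hmac.new(key, msg, hashlib.sha256).digest()


def protect_stream(key: bytes, stream_id: bytes, data: bytes, chunk_size: int) -> List[Chunk]:
    """Split data into chunks and tag each; only the last chunk carries is_final=True."""
    pieces = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    chunks: List[Chunk] = []
    for idx, piece in enumerate(pieces):
        final = idx == len(pieces) - 1
        chunks.append((idx, final, piece, _tag(key, stream_id, idx, final, piece)))
    return chunks


def verify_stream(key: bytes, stream_id: bytes, chunks: Iterable[Chunk]) -> bytes:
    """Reassemble the stream, failing closed on a bad tag, gap, reorder, trailing data or missing final."""
    out = bytearray()
    expected = 0
    finished = False
    for idx, final, piece, tag in chunks:
        if finished:
            raise ValueError("data after final chunk")
        if idx != expected:
            raise ValueError(f"chunk {idx} out of order (expected {expected})")
        if not hmac.compare_digest(_tag(key, stream_id, idx, final, piece), tag):
            raise ValueError(f"chunk {idx} failed authentication")
        out += piece
        expected += 1
        finished = final
    if not finished:
        raise ValueError("stream truncated: final chunk missing")
    return bytes(out)


def outcome(key: bytes, stream_id: bytes, chunks: Iterable[Chunk]) -> str:
    """Return 'ok' or the reason the stream was rejected."""
    try:
        verify_stream(key, stream_id, chunks)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The verifier only ever holds one chunk in memory, which is the whole point of streaming, yet truncation is still caught because the last chunk is explicitly marked and a stream that ends without it is rejected. The same binding applies to chunked encryption: a per-chunk nonce derived from the chunk index, plus a final-chunk marker, is what lets a decryptor refuse a reordered or shortened ciphertext.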


3. Hybrid Cryptography

Combine classical + post-quantum algorithms for defense-in-depth:

Example: Hybrid encryption

Encrypt with RSA-2048 + ML-KEM-768
→ Adversary must break BOTH algorithms to decrypt
→ Quantum resistance comes from ML-KEM; RSA-2048 offers none against a quantum adversary but hedges against an undiscovered weakness in the newer algorithm, so the data stays protected while either component holds

Benefits:
  • 🛡️ Defense-in-depth (the combined protection fails only if both algorithms fail)
  • 🛡️ Gradual migration path (maintain classical compatibility)
  • 🛡️ Regulatory compliance (some regulations lag behind PQC and still require an approved classical algorithm)


4. Policy-Based Algorithm Management

Policy Templates: Pre-configured algorithm sets aligned with regulations

Example: Enforce NIST-approved algorithms only

KeyGenerationRequest request = KeyGenerationRequest.builder()
    .algorithm("ML-KEM-768")
    .policy("NIST_APPROVED")  // Only NIST-standardized algorithms allowed
    .build();

Available Policies:
  • NIST_APPROVED (USA federal)
  • BSI_COMPLIANT (Germany)
  • CRYPTREC (Japan)
  • CHINA_GMT_COMPLIANT (China)
  • PCI_DSS (Finance)
  • 15+ more regional/industry policies

Policy templates →


Platform Services

Core API

Endpoints:
  • /api/v1/crypto/encrypt - Compact JWE encryption (≤5 MB)
  • /api/v1/crypto/decrypt - Compact JWE decryption
  • /api/v1/crypto/sign - Compact JWS signing (≤5 MB)
  • /api/v1/crypto/verify - Compact JWS verification
  • /api/v1/crypto/stream/* - Streaming operations (>5 MB)
  • /api/v1/key-management/* - Key lifecycle operations

Complete API reference →


Admin API

Endpoints:
  • /api/admin/tenants/* - Multi-tenant management
  • /api/admin/users/* - User provisioning and RBAC
  • /api/admin/applications/* - API key generation
  • /api/admin/policies/* - Algorithm availability policies

Access: Admin API requires elevated privileges (platform admin or tenant admin)


Authentication API

Endpoints:
  • /api/v1/auth/login - User/application authentication
  • /api/v1/auth/refresh - JWT token refresh
  • /api/v1/auth/logout - Session termination

Token Lifetime: 1 hour (configurable per tenant)


Audit & Monitoring

Audit Logging

What's Logged:
  • Authentication events (login, logout, failed attempts)
  • Cryptographic operations (encrypt, decrypt, sign, verify)
  • Key management (generation, rotation, revocation)
  • Administrative actions (tenant creation, user updates)

Log Format: Structured JSON with:
  • Timestamp (ISO 8601)
  • Correlation ID (trace requests)
  • Tenant ID and user ID
  • Operation type and outcome (success/failure)
  • Algorithm and key used
  • Duration (milliseconds)

Retention: Configurable (default 90 days, up to 7 years for compliance)


Health & Monitoring

Health Endpoints:
  • /actuator/health - Overall service health
  • /actuator/metrics - Performance metrics

Metrics Available:
  • Request rate (operations/second)
  • Error rate (errors/second, percentage)
  • Latency (p50, p95, p99 percentiles)
  • Resource utilization (CPU, memory)

Integration: Prometheus, Grafana, Datadog, New Relic, custom monitoring


Standards & Protocols

API Standards

  • REST: RESTful API design principles
  • OpenAPI 3.0: Machine-readable API specification
  • RFC 7807: Problem Details for HTTP APIs (error format)

Cryptographic Standards

  • RFC 7516: JSON Web Encryption (JWE)
  • RFC 7515: JSON Web Signature (JWS)
  • RFC 7518: JSON Web Algorithms (JWA)
  • NIST FIPS 203/204/205: Post-Quantum Cryptography

Security Standards

  • OWASP REST API Security: 100% compliant
  • NIST SP 800-53: Security controls for federal systems
  • ISO 27001: Information security management
  • SOC 2: Service organization controls


Documentation Version: 3.0.0 Last Updated: 2025-12-26