Skip to content

Encryption and Digital Signatures

ANKA Secure provides comprehensive support for encryption and digital signatures across a variety of cryptographic algorithms. This document explains how the platform handles:

  1. Symmetric Encryption (AES/GCM)
  2. Asymmetric (Hybrid) Encryption (RSA, ECC, Kyber, etc.)
  3. Digital Signatures (RSA/ECC, Dilithium, Falcon, SPHINCS+)
  4. Streaming vs. Non-Streaming (in-memory) operations

All these operations integrate with the central KeyManagementService for key retrieval and usage reporting.

1. Symmetric Encryption

1.1 Overview

  • Algorithm: AES in GCM mode (AES/GCM/NoPadding).
  • Key Storage: Symmetric keys are generated, stored, and retrieved through the KeyManagementService.
  • Data Formats:
    • In-memory encryption/decryption with byte arrays.
    • Stream-based encryption/decryption for files or large data.

1.2 In-Memory Encryption & Decryption

public byte[] encryptBytesSymmetric(String alias, byte[] data);
public byte[] decryptBytesSymmetric(String alias, byte[] encryptedData);
  1. Retrieve the symmetric key by alias.
  2. Encrypt (or decrypt) using AES/GCM.
  3. Format: [IV length (1 byte)] + [IV bytes] + [ciphertext].

Example Usage

byte[] ciphertext = symmetricEncryptionService.encryptBytesSymmetric("myAesKey", plaintext);
byte[] decrypted   = symmetricEncryptionService.decryptBytesSymmetric("myAesKey", ciphertext);

Common Use Cases: Small or moderate-sized data that fits comfortably in memory, such as JSON documents or short messages.

1.3 Stream-Based Encryption & Decryption

public void encryptFileSymmetric(String alias, String inputFile, String outputFile);
public void decryptFileSymmetric(String alias, String inputFile, String outputFile);
1. Streaming approach reads from inputFile and writes ciphertext to outputFile without loading the entire file into memory. 2. Uses CipherOutputStream or CipherInputStream for on-the-fly encryption/decryption. 3. Supports large files or data streams beyond in-memory thresholds.

Advantages:

  • Handles arbitrarily large files without excessive memory usage.
  • Good for big data scenarios, e.g., video or large backups.

2. Asymmetric (Hybrid) Encryption

2.1 Overview

ANKA Secure supports a hybrid approach for asymmetric encryption:

  1. Ephemeral AES Key is generated for data encryption (AES/GCM).
  2. Wrapped (or unwrapped) with the asymmetric algorithm (RSA, ECC, Kyber, etc.).

This approach avoids direct large data encryption with RSA or PQC keys.

2.2 Non-Streaming (In-Memory) Encryption & Decryption

public byte[] encryptData(String alias, byte[] data);
public byte[] decryptData(String alias, byte[] encryptedData);
- For smaller data that can be loaded into memory.

  • Output Format (encryptData):

    • [wrappedKeyLength (2 bytes)] + [wrappedKey] + [IV length (1 byte)] + [IV] + [AES ciphertext]

  • Keys:

    • Public Key alias for encryption
    • Private Key alias for decryption

2.3 Stream-Based Encryption & Decryption

public void encryptAsymmetric(String alias, InputStream dataIn, OutputStream dataOut);
public void decryptAsymmetric(String alias, InputStream dataIn, OutputStream dataOut);
- Suitable for large files.

Process:

  1. Generate ephemeral AES key.

  2. Wrap AES key with alias's public key; write key + IV to output.

  3. Stream plaintext or ciphertext via CipherOutputStream / CipherInputStream.

File-Level Convenience

public void encryptFile(String alias, String inputFile, String outputFile);
public void decryptFile(String alias, String inputFile, String outputFile);

  • Chooses in-memory vs. streaming based on file size (IN_MEMORY_THRESHOLD).

  • Useful for large file encryption without intermediate temp files.

2.4 Handling Kyber or RSA/ECC

  • Kyber:
    • Public key stored under alias + "_pub".
    • Private key under alias.
    • Both as SecretKeyEntry objects.
    • Hybrid encryption uses Kyber to wrap the ephemeral AES key.
  • RSA / ECC:
    • Public key in X.509 certificate or standard PublicKey object.
    • Private key in PrivateKeyEntry.

3. Digital Signatures

3.1 Overview

ANKA Secure supports both traditional (RSA, ECC) and post-quantum (Dilithium, Falcon, SPHINCS+) signature algorithms. The platform can:

  • Sign data using a private key (or PQC SecretKey if stored that way).
  • Verify data with a public key.
  • Do so in-memory or streaming.

3.2 In-Memory Signing & Verification

public byte[] signData(String alias, byte[] data);
public boolean verifySignatureBoolean(String alias, byte[] data, byte[] signature);

  1. Sign: Creates a Signature instance (e.g., "SHA256withRSA" or "SPHINCSPLUS").

  2. Verify: Rebuilds or retrieves the public key from the alias (or _pub for PQC 'Sphincs+ Only').

PQC Differences:

  • For SPHINCS+, the private key is stored as a SecretKey in the keystore.
  • The code reconstructs a PrivateKey or PublicKey object at runtime for the signature operation.

3.3 Stream-Based Signing & Verification

public void signData(String alias, InputStream dataIn, OutputStream signatureOut);
public boolean verifySignatureBoolean(String alias, InputStream dataIn, InputStream signatureIn);

  • Processes data in chunks with a Signature object.

  • Avoids loading entire files or streams into memory.

  • Great for large logs, video, or big data streams.

File-Level Methods

public void signFile(String alias, String inputFile, String outputSignatureFile);
public boolean verifySignatureBoolean(String alias, String inputFile, String signatureFile);
  • Convenience methods that open file streams and delegate to streaming signature logic.

4. Special Operations

4.1 Re-Sign Data

public void reSignDataStream(String oldAlias, byte[] oldSignature, String newAlias, InputStream dataIn, OutputStream newSignatureOut);

  1. Verifies the old signature (using oldAlias's public key).

  2. If valid, signs the same data with newAlias (private key).

  3. Useful for signature rotation (e.g., from RSA to Dilithium).

In-Memory Version

public byte[] reSignData(String oldAlias, byte[] oldSignature, String newAlias, byte[] dataIn);

  • Loads dataIn into a ByteArrayInputStream.

  • Produces newSignature in a ByteArrayOutputStream.

4.2 Re-Encrypt Data

public void reencryptDataStream(String oldAlias, String newAlias, InputStream oldCipherIn, OutputStream newCipherOut);
1. Decrypts with oldAlias private key. 2. Encrypts result with newAlias public key. 3. Streams data end-to-end without storing intermediate plaintext.

In-Memory & File-Level

public byte[] reencryptData(String oldAlias, String newAlias, byte[] encryptedData);
public void reencryptFile(String oldAlias, String newAlias, String inputFile, String outputFile);

  • Similar concept for a file or byte array.

  • Great for rotating encryption from RSA to Kyber or vice versa.

5. Streaming vs. In-Memory

  1. In-Memory:
    • Simpler API for smaller data (encrypted or signed in one shot).
    • Entire data must fit into RAM.
  2. Streaming:
    • Works on large files/streams.
    • Uses CipherInputStream, CipherOutputStream, or Signature updated in loops.
    • Preferred for big data to avoid memory overhead.

6. Summary & Further Reading

  • Key Takeaway: ANKA Secure provides a unified API for symmetric and asymmetric encryption, plus digital signatures, both in-memory and via streaming.
  • PQC Integration: Kyber (KEM), Dilithium, Falcon, and SPHINCS+ are seamlessly supported, often stored as SecretKey objects requiring special handling.
  • License & Usage Reporting: All operations call UsageReporterUtil internally, tracking algorithm usage and data sizes.
  • Next Steps: