Key Management Overview

ANKA Secure supports a range of symmetric and asymmetric cryptographic algorithms, including both traditional (RSA, ECC) and post-quantum (PQC) options. All keys—regardless of their algorithm—are managed centrally by the KeyManagementService, which provides a unified approach for generating, storing, and retrieving cryptographic keys.


1. Supported Algorithms

1.1 Symmetric Algorithms

  • AES (Advanced Encryption Standard)
    • Key sizes: 128, 192, 256 bits
    • Usage: Encryption of data at rest or in transit using a shared secret key

1.2 Asymmetric Algorithms (Traditional)

  • RSA
    • Typical key sizes: 1024, 2048, 4096
    • Usage: Encryption/decryption and digital signatures, with PKCS#1 v1.5 or OAEP padding (OAEP is an encryption padding and does not apply to signatures)
  • ECC (Elliptic Curve Cryptography)
    • Curves typically include P-256, P-384, P-521
    • Usage: Digital signatures (ECDSA), key exchange (ECDH)
    • Advantages: Smaller key sizes than RSA at comparable security levels

1.3 Asymmetric Algorithms (Post-Quantum / PQC)

ANKA Secure incorporates several post-quantum cryptography (PQC) algorithms, aligned with NIST’s standardization process (Round 3/4). Some examples include:

  • CRYSTALS-Kyber
    • Type: KEM (Key Encapsulation Mechanism)
    • Status: Selected by NIST for standardization (primary KEM)
    • Usage: Encryption and key exchange. We store the private key and public key as separate entries in the keystore (alias + _pub).
  • CRYSTALS-Dilithium
    • Type: Digital signature scheme
    • Status: Selected by NIST for standardization (primary signature)
    • Usage: Authenticating messages in a post-quantum setting
  • Falcon
    • Type: Digital signature scheme
    • Status: NIST backup candidate for signature, recognized for smaller signature sizes
    • Usage: Signature operations with a more compact signature size than Dilithium
  • SPHINCS+
    • Type: Stateless hash-based digital signature scheme
    • Status: NIST alternative candidate (also standardized as an optional scheme)
    • Usage: Signature operations. In ANKA Secure, keys are stored as “secret” entries to accommodate Java keystore constraints.

Note: For more details on specific algorithms (parameter sets, how they’re generated, how they’re stored), see key_management_use.md. For more insights on the current state of standardization, visit NIST’s PQC Pages.


2. Centralized Key Handling via KeyManagementService

All cryptographic keys in ANKA Secure are managed centrally through the KeyManagementService. This includes:

  1. Generation of keys (symmetric and asymmetric).
  2. Import/Export of public and private key material (e.g., PKCS#12 imports).
  3. Storage in the appropriate keystore (via KeyStoreProvider).
  4. Retrieval for encryption, decryption, signing, or other operations.

2.1 Why Centralized?

  • Consistency: A single point of entry for generating and storing keys ensures uniform handling of security policies, error handling, and auditing.
  • Extensibility: Future algorithms can be added by extending KeyManagementService and the supporting registry classes (e.g., AsymmetricAlgorithmRegistry).
  • Security: One service enforces best practices for key generation (e.g., strong random sources, parameter selection, usage logging).

3. Crypto-Agile Design

ANKA Secure is crypto-agile, meaning it can adapt to new algorithms and cryptographic standards with minimal changes:

  1. Parameterization:
    • The system reads configuration (e.g., application.yaml) to select providers at runtime.
  2. Modular Registry:
    • Classes like AsymmetricAlgorithmRegistry map algorithm names (e.g., "RSA-2048", "Kyber512") to the correct key generation logic.
  3. Future-Ready:
    • If new algorithms (e.g., future NIST PQC candidates or custom ciphers) are needed, you only modify or add code in KeyManagementService and its associated registries—no extensive rewrites across the entire application.
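
The name-to-generator mapping described above, as an added Java example that is not ANKA Secure's own code. The class `AlgorithmRegistryDemo`, the `KeyPairFactory` interface, the name "EC-P256" and the 2048-bit RSA floor are assumptions made for illustration. It uses only the JDK's default providers, so "Kyber512" is deliberately left unregistered to show the fail-closed lookup; a PQC entry would be registered the same way using a provider that implements it.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical registry for illustration; not ANKA Secure's AsymmetricAlgorithmRegistry.
public class AlgorithmRegistryDemo {
    interface KeyPairFactory {
        KeyPair generate(SecureRandom rng) throws GeneralSecurityException;
    }
    private static final int MIN_RSA_BITS = 2048; // assumed policy floor for this example
    private final Map<String, KeyPairFactory> factories = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom(); // one CSPRNG for every algorithm

    void registerRsa(int bits) {
        if (bits < MIN_RSA_BITS) throw new IllegalArgumentException("RSA-" + bits + " below floor");
        factories.put("RSA-" + bits, r -> {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(bits, r);
            return g.generateKeyPair();
        });
    }
    void registerEc(String name, String curve) {
        factories.put(name, r -> {
            KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
            g.initialize(new ECGenParameterSpec(curve), r);
            return g.generateKeyPair();
        });
    }
    // Fail closed: an unregistered name is an error, never a silent default.
    KeyPair generate(String name) throws GeneralSecurityException {
        KeyPairFactory f = factories.get(name);
        if (f == null) throw new NoSuchAlgorithmException("not registered: " + name);
        return f.generate(rng);
    }
    public static void main(String[] args) throws Exception {
        AlgorithmRegistryDemo reg = new AlgorithmRegistryDemo();
        reg.registerRsa(2048);
        reg.registerEc("EC-P256", "secp256r1");
        for (String name : new String[] {"RSA-2048", "EC-P256", "Kyber512"}) {
            try {
                System.out.println(name + " -> " + reg.generate(name).getPublic().getAlgorithm());
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Because parameter policy is enforced at registration time, a call such as `registerRsa(1024)` fails before any caller can request that name.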

4. References & Additional Reading

  1. Key Store Providers – Explains how our BouncyCastle-based .bks file and other potential providers (AWS KMS, etc.) work.
  2. Key Management Service Usage – Detailed description of how each algorithm (RSA, ECC, Dilithium, Falcon, Kyber, SPHINCS+) is generated, stored, and retrieved.
  3. datasheet.html – Additional details on algorithm support, performance benchmarks, and general product info.
  4. NIST Post-Quantum Cryptography Project – Official page for up-to-date standardization status of PQC algorithms.