Skip to content

Key Rotation & Revocation

Overview

Anka Secure follows a crypto-agile approach to key management, ensuring that cryptographic keys can be rotated and revoked securely. The system is designed to minimize security risks while maintaining continuity for cryptographic operations.

Key lifecycle management in Anka Secure includes:

  • Key Revocation: Marking a key as revoked, preventing further use.
  • Key Rotation (Planned): Automatically generating a new key (nextKid) when a key reaches its soft expiration or usage limit.

Both mechanisms leverage the key chain model, which includes:

  • previousKid: Reference to the earlier key version.
  • nextKid: Reference to the newly generated key in case of rotation.

Key Revocation

Revocation ensures that a key is permanently disabled and can no longer be used for cryptographic operations. Once revoked, the key:

  • Cannot be used for encryption or decryption.
  • Remains stored for auditing purposes.
  • Can be linked to a new key through key rotation.

Revoking a Key

To revoke a key, use the following API:

API Endpoint:

POST /api/key-management/keys/{kid}/revoke

Response:

HTTP/1.1 200 OK

Note: The API follows Beautiful API principles, meaning the response body is omitted.

Example: Revoking a Key

POST /api/key-management/keys/myKyberKey1234/revoke

After revocation, the key's status changes to:

{
  "kid": "myKyberKey1234",
  "status": "revoked",
  "revokedAt": "2025-03-19T23:34:38.633885485Z"
}

Key Rotation (Upcoming)

Key rotation ensures that cryptographic keys are regularly replaced to maintain security and compliance. Anka Secure's key model is designed for rotation, with built-in support for:

  • Soft Expiration (softLimitExpiration): Triggers key rotation before hard expiration.

  • Usage-Based Rotation (softUsageLimit): Automatically rotates the key when usage limits are reached.

  • Key Linking (nextKid, previousKid): Maintains continuity between key versions.

Planned Key Rotation Flow

  1. When a key nears its soft expiration or usage limit, a new key is generated.

  2. The nextKid field is updated to reference the new key.

  3. The newly generated key contains a previousKid reference to the old key.

  4. Encryption operations switch to the new key while allowing decryption with both.

Example: Key Rotation Model

Before rotation:

{
  "kid": "myKyberKey1234",
  "status": "active",
  "softLimitExpiration": "2029-12-31T23:59:59Z",
  "nextKid": null
}

After rotation:

{
  "kid": "newKyberKey5678",
  "status": "active",
  "previousKid": "myKyberKey1234",
  "nextKid": null
}

Key Rotation API (Future Implementation)

POST /api/key-management/keys/{kid}/rotate

Expected Behavior:

  • Generates a new key with the same parameters.

  • Updates the nextKid field of the previous key.

  • Links the old key using previousKid.

Summary

  • Key Revocation is fully implemented via /api/key-management/keys/{kid}/revoke.

  • Key Rotation is designed but not yet implemented.

  • The system supports seamless key transitions using previousKid and nextKid fields.

  • Beautiful API principles are applied, keeping interactions minimal and intuitive.

Anka Secure's crypto-agile design ensures that key management is future-proof, scalable, and secure.