Key Management Overview
Introduction to Crypto-Agility
Anka Secure API implements the concept of crypto-agility, allowing for seamless adaptation to evolving cryptographic standards. This ensures that all cryptographic operations can transition to new algorithms as threats emerge, particularly in the era of quantum computing.
All cryptographic keys in the system, regardless of type, follow a standardized JSON model. This enables uniform management, monitoring, and integration across the platform.
Key Model Structure
All keys are represented using the following JSON structure:
{
"modelVersion": "v1.0",
"kid": "myKyberKey234",
"uuid": "2ba1f7e6-cb8e-4d03-80b1-6428437ea828",
"kty": "ML-KEM",
"alg": "ML-KEM-768",
"publicKey": "<BASE64_ENCODED_PUBLIC_KEY>",
"privateKey": "<BASE64_ENCODED_PRIVATE_KEY>",
"keyOps": [
"encrypt",
"decrypt"
],
"exportable": true,
"createdAt": "2025-03-17T00:37:44.141666770Z",
"expiresAt": "2030-05-31T23:59:59Z",
"softLimitExpiration": "2029-12-31T23:59:59Z",
"usageCount": 11,
"lastUsedAt": "2025-03-19T16:55:54.575028225Z",
"softUsageLimit": 40000,
"maxUsageLimit": 50000,
"status": "active",
"nextKid": "null",
"previousKid": "null",
"hash": "b08dca00c20162e618d4a5a0459e68ee8f4f90d9cb7c48882afb1f98006f5f39"
}
Key Model Fields
modelVersion: Specifies the format version of the key model.kid: Unique identifier for the key.uuid: System-generated UUID for key tracking.kty: Key type (e.g., ML-KEM, RSA, EC, etc.).alg: Specific algorithm used (e.g., ML-KEM-768, RSA-2048, etc.).publicKey: Base64-encoded public key.keyOps: Defines permitted operations (e.g., encrypt, decrypt, sign, verify).exportable: Indicates if the key can be exported.createdAt: Timestamp of key creation.expiresAt: Hard expiration date.softLimitExpiration: Suggested expiration before absolute invalidation.usageCount: Number of times the key has been used.lastUsedAt: Timestamp of last usage.softUsageLimit: Recommended maximum number of usages before rotation.maxUsageLimit: Hard limit on the number of usages before expiration.status: Current state of the key (e.g., active, revoked, expired).nextKid: Reference to the next key in a rotation sequence.previousKid: Reference to the previous key in a rotation sequence.hash: Hash of the key for integrity verification.
Supported Key Algorithms
The list of supported cryptographic algorithms can be retrieved via:
Endpoint:
Available Algorithms
| Key Type | Algorithm |
|---|---|
| ML-KEM | ML-KEM-512 |
| ML-KEM | ML-KEM-768 |
| ML-KEM | ML-KEM-1024 |
| DILITHIUM | Dilithium2 |
| DILITHIUM | Dilithium3 |
| DILITHIUM | Dilithium5 |
| FALCON | FALCON-512 |
| FALCON | FALCON-1024 |
| EC | EC-256 |
| EC | EC-384 |
| EC | EC-521 |
| RSA | RSA-1024 |
| RSA | RSA-2048 |
| RSA | RSA-4096 |
| RSA | RSA-8192 |
| SPHINCS+ | SPHINCS+-SHA2-128F |
| SPHINCS+ | SPHINCS+-SHA2-128S |
| SPHINCS+ | SPHINCS+-SHA2-192F |
| SPHINCS+ | SPHINCS+-SHA2-192S |
| SPHINCS+ | SPHINCS+-SHA2-256F |
| SPHINCS+ | SPHINCS+-SHA2-256S |
| SPHINCS+ | SPHINCS+-SHAKE-128F |
| SPHINCS+ | SPHINCS+-SHAKE-128S |
| SPHINCS+ | SPHINCS+-SHAKE-192F |
| SPHINCS+ | SPHINCS+-SHAKE-192S |
| SPHINCS+ | SPHINCS+-SHAKE-256F |
| SPHINCS+ | SPHINCS+-SHAKE-256S |
| AES | AES-128 |
| AES | AES-192 |
| AES | AES-256 |
Conclusion
Anka Secure API provides a crypto-agile key management solution that supports both classical and post-quantum cryptography algorithms. By maintaining a standardized key model, the system ensures scalability, compliance, and security across all cryptographic operations.
For further details, refer to the Key Generation & Retrieval section.