Flow 30 - Regulatory Compliance Templates for Composite Keys
This scenario demonstrates one-line regulatory compliance for composite cryptographic keys using pre-configured templates. Instead of manually configuring algorithms, KDFs, and security levels, developers use factory methods that automatically satisfy jurisdiction-specific requirements.
Six regulatory frameworks are covered: BSI TR-02102-1 (Germany), ANSSI RGS v2.0 (France), ETSI TS 103 744 (EU Telecommunications), EU Unified (multi-national), NIST SP 800-227 (USA), and ENISA Guidelines (EU general).
- Initialize SDK - Authenticate with application credentials
- Choose framework - Select BSI, ANSSI, ETSI, EU, NIST, or ENISA template
- Generate key - Call factory method with kid and mode
- Verify compliance - Confirm algorithm, KDF, and level meet regulatory requirements
Key points
- RegulatoryTemplateFactory provides one-line compliance for 6 frameworks
- KDF requirements vary: ANSSI allows only HKDF, ETSI requires CatKDF for telecom
- BSI/ANSSI/ETSI make hybrid mode mandatory; NIST/ENISA recommend it but do not mandate it
- Multi-jurisdiction support: EU Unified template satisfies all European regulations simultaneously
When to use it
- Regulated industries requiring documented PQC compliance (finance, healthcare, defense)
- Multi-national operations needing one configuration for multiple EU countries
- Government contracts with specific BSI, ANSSI, or NIST compliance mandates
- EU telecommunications deploying 5G/6G infrastructure with ETSI TS 103 744 requirements
Shared helper – this code imports the utility class from example-util.md (configuration, authentication).
Complete Java implementation
src/main/java/co/ankatech/ankasecure/sdk/examples/ExampleScenario30.java
```java
package co.ankatech.ankasecure.sdk.examples;

import co.ankatech.ankasecure.sdk.AuthenticatedSdk;
import co.ankatech.ankasecure.sdk.model.*;
import co.ankatech.secure.client.model.KeyRequest;

import static co.ankatech.ankasecure.sdk.examples.ExampleUtil.*;

/**
 * Scenario 30 — Regulatory Compliance Templates for Composite Keys.
 *
 * <p>Demonstrates how to create composite cryptographic keys that comply with
 * specific regulatory frameworks using direct KeyRequest configuration.</p>
 *
 * <h3>What You'll Learn:</h3>
 * <ul>
 * <li>How to configure composite keys for regulatory compliance</li>
 * <li>Differences between BSI, ANSSI, ETSI, EU, NIST, and ENISA requirements</li>
 * <li>Which KDFs and algorithms are required/allowed by each framework</li>
 * <li>How to generate keys for different regulatory jurisdictions</li>
 * </ul>
 *
 * <h3>Regulatory Frameworks Covered:</h3>
 * <ol>
 * <li><strong>BSI TR-02102-1</strong> (Germany) - P-384+ML-KEM-1024, HKDF-SHA384</li>
 * <li><strong>ANSSI RGS v2.0</strong> (France) - P-256+ML-KEM-768, HKDF-SHA256</li>
 * <li><strong>ETSI TS 103 744</strong> (EU Telecom) - X25519+ML-KEM-768, HKDF-SHA256</li>
 * <li><strong>EU Unified</strong> (Multi-national) - X25519+ML-KEM-768, HKDF-SHA256</li>
 * <li><strong>NIST SP 800-227</strong> (USA) - Flexible levels</li>
 * <li><strong>ENISA Guidelines</strong> (EU) - Risk-based approach</li>
 * </ol>
 *
 * @author ANKATech Solutions Inc.
 * @since 3.0.0
 * @see ExampleUtil
 * @see AuthenticatedSdk
 */
public final class ExampleScenario30 {

    private ExampleScenario30() { }

    public static void main(String[] args) {
        try {
            System.out.println("=================================================================");
            System.out.println(" SCENARIO 30: Regulatory Compliance Templates");
            System.out.println("=================================================================\n");

            java.util.Properties props = loadProperties();
            AuthenticatedSdk sdk = authenticate(props);

            demonstrateBsiCompliance(sdk);
            demonstrateAnssiCompliance(sdk);
            demonstrateEtsiCompliance(sdk);
            demonstrateEuUnifiedCompliance(sdk);
            demonstrateNistCompliance(sdk);
            demonstrateEnisaCompliance(sdk);

            System.out.println("\n=================================================================");
            System.out.println(" ALL REGULATORY TEMPLATES DEMONSTRATED SUCCESSFULLY");
            System.out.println("=================================================================");
        } catch (Exception e) {
            fatal("Scenario 30 failed", e);
        }
    }

    /**
     * Demonstrates BSI TR-02102-1 (Germany) compliant key generation.
     * Requirement: Hybrid keys with Level 3+ security, SHA-384 or stronger KDF.
     */
    private static void demonstrateBsiCompliance(AuthenticatedSdk sdk) throws Exception {
        System.out.println("[1/6] BSI TR-02102-1 (GERMANY)");
        System.out.println(" Framework: Bundesamt für Sicherheit in der Informationstechnik");
        System.out.println(" Requirement: Hybrid keys MANDATORY for PQC algorithms\n");

        // BSI-compliant encryption key: P-384 + ML-KEM-1024 (both Level 3+)
        KeyRequest request = new KeyRequest()
                .kid("bsi_germany_" + System.currentTimeMillis())
                .kty("COMPOSITE_KEM_COMBINE")
                .alg("P-384+ML-KEM-1024") // BSI recommends P-384 + ML-KEM-1024
                .kdf("HKDF-SHA384"); // BSI requires SHA-384 or stronger

        System.out.println(" Configuration:");
        System.out.println(" - Type: COMPOSITE_KEM_COMBINE");
        System.out.println(" - Classical: P-384 (Level 3)");
        System.out.println(" - PQC: ML-KEM-1024 (Level 5)");
        System.out.println(" - KDF: HKDF-SHA384 (BSI-approved)");
        System.out.println(" - Min Level: 3 (192-bit)");

        KeyMetadata result = sdk.generateKey(request);

        System.out.println("\n ✅ Generated: " + result.getKid());
        System.out.println(" Algorithm: " + result.getAlg());
        System.out.println(" KDF: " + result.getKdf());
        System.out.println(" Compliance: BSI TR-02102-1 Level 3+\n");
    }

    /**
     * Demonstrates ANSSI RGS v2.0 (France) compliant key generation.
     */
    private static void demonstrateAnssiCompliance(AuthenticatedSdk sdk) throws Exception {
        System.out.println("[2/6] ANSSI RGS v2.0 (FRANCE)");
        System.out.println(" Framework: Agence Nationale de la Sécurité des Systèmes d'Information");
        System.out.println(" Requirement: Hybrid schemes for classified data\n");

        KeyRequest request = new KeyRequest()
                .kid("anssi_france_" + System.currentTimeMillis())
                .kty("COMPOSITE_KEM_COMBINE")
                .alg("P-256+ML-KEM-768") // ANSSI: P-256 + ML-KEM-768
                .kdf("HKDF-SHA256"); // ANSSI-approved

        System.out.println(" Configuration:");
        System.out.println(" - Type: COMPOSITE_KEM_COMBINE");
        System.out.println(" - Classical: P-256 (Level 1)");
        System.out.println(" - PQC: ML-KEM-768 (Level 3)");
        System.out.println(" - KDF: HKDF-SHA256");

        KeyMetadata result = sdk.generateKey(request);

        System.out.println("\n ✅ Generated: " + result.getKid());
        System.out.println(" Compliance: ANSSI RGS v2.0\n");
    }

    /**
     * Demonstrates ETSI TS 103 744 (EU Telecom) compliant key generation.
     */
    private static void demonstrateEtsiCompliance(AuthenticatedSdk sdk) throws Exception {
        System.out.println("[3/6] ETSI TS 103 744 (EU TELECOM)");
        System.out.println(" Framework: European Telecommunications Standards Institute");
        System.out.println(" Requirement: PQC algorithms for 5G/6G network security\n");

        KeyRequest request = new KeyRequest()
                .kid("etsi_telecom_" + System.currentTimeMillis())
                .kty("COMPOSITE_KEM_COMBINE")
                .alg("X25519+ML-KEM-768")
                .kdf("HKDF-SHA256");

        System.out.println(" Configuration:");
        System.out.println(" - Type: COMPOSITE_KEM_COMBINE");
        System.out.println(" - Classical: X25519 (Curve25519)");
        System.out.println(" - PQC: ML-KEM-768 (Level 3)");
        System.out.println(" - KDF: HKDF-SHA256");

        KeyMetadata result = sdk.generateKey(request);

        System.out.println("\n ✅ Generated: " + result.getKid());
        System.out.println(" Compliance: ETSI TS 103 744\n");
    }

    /**
     * Demonstrates EU Unified (Multi-national) compliant key generation.
     */
    private static void demonstrateEuUnifiedCompliance(AuthenticatedSdk sdk) throws Exception {
        System.out.println("[4/6] EU UNIFIED (MULTI-NATIONAL)");
        System.out.println(" Framework: European Union Quantum-Safe Cryptography Guidelines");
        System.out.println(" Requirement: Flexible KDF support\n");

        KeyRequest request = new KeyRequest()
                .kid("eu_unified_" + System.currentTimeMillis())
                .kty("COMPOSITE_KEM_COMBINE")
                .alg("X25519+ML-KEM-768")
                .kdf("HKDF-SHA256"); // Can use SHA256 or SHA512

        System.out.println(" Configuration:");
        System.out.println(" - Type: COMPOSITE_KEM_COMBINE");
        System.out.println(" - Algorithm: X25519+ML-KEM-768");
        System.out.println(" - KDF: HKDF-SHA256 (flexible)");

        KeyMetadata result = sdk.generateKey(request);

        System.out.println("\n ✅ Generated: " + result.getKid());
        System.out.println(" Compliance: EU Unified Guidelines\n");
    }

    /**
     * Demonstrates NIST SP 800-227 (USA) compliant key generation.
     */
    private static void demonstrateNistCompliance(AuthenticatedSdk sdk) throws Exception {
        System.out.println("[5/6] NIST SP 800-227 (USA)");
        System.out.println(" Framework: National Institute of Standards and Technology");
        System.out.println(" Requirement: FIPS-approved algorithms\n");

        KeyRequest request = new KeyRequest()
                .kid("nist_usa_" + System.currentTimeMillis())
                .kty("COMPOSITE_KEM_COMBINE")
                .alg("P-256+ML-KEM-768") // NIST-approved combination
                .kdf("HKDF-SHA256"); // FIPS 140-3 compliant

        System.out.println(" Configuration:");
        System.out.println(" - Type: COMPOSITE_KEM_COMBINE");
        System.out.println(" - Classical: P-256 (FIPS 186-4)");
        System.out.println(" - PQC: ML-KEM-768 (FIPS 203)");
        System.out.println(" - KDF: HKDF-SHA256 (FIPS 140-3)");

        KeyMetadata result = sdk.generateKey(request);

        System.out.println("\n ✅ Generated: " + result.getKid());
        System.out.println(" Compliance: NIST SP 800-227 (FIPS)\n");
    }

    /**
     * Demonstrates ENISA Guidelines (EU) compliant key generation.
     */
    private static void demonstrateEnisaCompliance(AuthenticatedSdk sdk) throws Exception {
        System.out.println("[6/6] ENISA GUIDELINES (EU)");
        System.out.println(" Framework: European Union Agency for Cybersecurity");
        System.out.println(" Requirement: Risk-based approach for critical infrastructure\n");

        KeyRequest request = new KeyRequest()
                .kid("enisa_eu_" + System.currentTimeMillis())
                .kty("COMPOSITE_SIGNATURE")
                .alg("Ed25519+ML-DSA-44")
                .verificationPolicy(KeyRequest.VerificationPolicyEnum.ALL);

        System.out.println(" Configuration:");
        System.out.println(" - Type: COMPOSITE_SIGNATURE");
        System.out.println(" - Classical: Ed25519");
        System.out.println(" - PQC: ML-DSA-44 (Level 1)");
        System.out.println(" - Verification: ALL (both signatures required)");

        KeyMetadata result = sdk.generateKey(request);

        System.out.println("\n ✅ Generated: " + result.getKid());
        System.out.println(" Compliance: ENISA PQC Guidelines\n");
    }
}
```
Running the example
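Expected output
The output below does not match what the listing above prints: the listing configures BSI with P-384+ML-KEM-1024 and HKDF-SHA384, ETSI with HKDF-SHA256, and ENISA with a COMPOSITE_SIGNATURE key, whereas this output shows X25519+ML-KEM-768 with HKDF-SHA256 for BSI, CatKDF for ETSI, and a COMPOSITE_KEM_COMBINE key for ENISA. When verifying compliance, compare the algorithm and KDF returned for the generated key rather than relying on this text.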
```
=================================================================
SCENARIO 30: Regulatory Compliance Templates
=================================================================
[1/6] BSI TR-02102-1 (GERMANY)
Framework: Bundesamt für Sicherheit in der Informationstechnik
Requirement: Hybrid keys MANDATORY for PQC algorithms
Configuration:
- Mode: COMPOSITE_KEM_COMBINE
- Classical: X25519 (Level 3)
- PQC: ML-KEM-768 (Level 3)
- KDF: HKDF-SHA256 (BSI-approved)
- Min Level: 3 (192-bit)
✅ BSI-compliant key generated: bsi_germany_1735420800000
Status: ACTIVE
[2/6] ANSSI RGS v2.0 (FRANCE)
Framework: Agence Nationale de la Sécurité des Systèmes d'Information
Requirement: Hybrid keys MANDATORY, conservative KDF policy
Configuration:
- Mode: COMPOSITE_KEM_COMBINE
- Classical: X25519 (Level 3)
- PQC: ML-KEM-768 (Level 3)
- KDF: HKDF-SHA256 (ANSSI-approved)
- ⚠️ CatKDF/CasKDF NOT allowed (France-specific restriction)
✅ ANSSI-compliant key generated: anssi_france_1735420800100
Status: ACTIVE
[3/6] ETSI TS 103 744 (EU TELECOMMUNICATIONS)
Framework: European Telecommunications Standards Institute
Requirement: CatKDF or CasKDF REQUIRED for 5G/6G networks
Configuration:
- Mode: COMPOSITE_KEM_COMBINE
- Classical: X25519 (Level 3)
- PQC: ML-KEM-768 (Level 3)
- KDF: CatKDF (ETSI TS 103 744 Section 5.2.1)
- Use Case: EU 5G/6G base stations
✅ ETSI-compliant telecom key generated: etsi_telecom_1735420800200
Status: ACTIVE
[4/6] EU UNIFIED (MULTI-NATIONAL EU)
Framework: Intersection of BSI + ANSSI + ETSI
Requirement: Strictest EU requirements, all KDFs supported
Configuration (Encryption):
- Mode: COMPOSITE_KEM_COMBINE
- Classical: X25519 (Level 3)
- PQC: ML-KEM-768 (Level 3)
- KDF: HKDF-SHA256
✅ EU encryption key generated: eu_unified_enc_1735420800300
Configuration (Signature):
- Mode: COMPOSITE_SIGNATURE
- Classical: Ed25519 (Level 3)
- PQC: ML-DSA-65 (Level 3)
✅ EU signature key generated: eu_unified_sign_1735420800350
Status: ACTIVE
[5/6] NIST SP 800-227 (USA)
Framework: National Institute of Standards and Technology
Requirement: Hybrid OPTIONAL, flexible security levels
Configuration (Level 3):
- Classical: X25519 (Level 3)
- PQC: ML-KEM-768 (Level 3)
- KDF: HKDF-SHA256
✅ NIST Level 3 key generated: nist_level3_1735420800400
Configuration (Level 5 - Classified):
- Classical: RSA-4096 (Level 5)
- PQC: ML-KEM-1024 (Level 5)
- KDF: HKDF-SHA512
✅ NIST Level 5 key generated: nist_level5_1735420800450
Status: ACTIVE
[6/6] ENISA RISK-BASED (EU GENERAL)
Framework: European Union Agency for Cybersecurity
Requirement: Hybrid RECOMMENDED (not mandated)
Configuration:
- Mode: COMPOSITE_KEM_COMBINE
- Classical: X25519 (Level 3)
- PQC: ML-KEM-768 (Level 3)
- KDF: HKDF-SHA256
- Approach: Risk-based (organization decides)
✅ ENISA-compliant key generated: enisa_eu_1735420800500
Status: ACTIVE
=================================================================
ALL REGULATORY TEMPLATES DEMONSTRATED SUCCESSFULLY
=================================================================
```
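The listing on this page prints a compliance label for each key but never checks the algorithm or KDF against the framework, which is what the "Verify compliance" step calls for. The class below is an added example, not AnkaSecure SDK code: it applies the rules stated in this page's Key points, BSI Javadoc and expected output to an alg/kdf pair. The class name, the framework tags, the KDF name strings and the rule table are assumptions for illustration and are not taken from the standards themselves.

```java
import java.util.*;

/** Added example: offline policy check for composite-key settings (hypothetical class, not part of the SDK). */
public final class CompositePolicyCheck {
    // Levels as printed by the listing on this page; unknown components map to 0 and fail closed.
    static final Map<String, Integer> LEVEL =
            Map.of("P-256", 1, "P-384", 3, "ML-KEM-768", 3, "ML-KEM-1024", 5);

    /** Returns the list of violations; an empty list means the settings pass. */
    static List<String> check(String framework, String alg, String kdf) {
        List<String> v = new ArrayList<>();
        String[] parts = alg.split("\\+");
        boolean hybrid = parts.length == 2;
        switch (framework) {
            case "BSI": // hybrid mandatory, Level 3+, SHA-384 or stronger KDF
                if (!hybrid) v.add("hybrid mode is mandatory");
                for (String p : parts)
                    if (LEVEL.getOrDefault(p, 0) < 3) v.add(p + " is below Level 3");
                if (!kdf.endsWith("SHA384") && !kdf.endsWith("SHA512"))
                    v.add("KDF hash must be SHA-384 or stronger");
                break;
            case "ANSSI": // hybrid mandatory, only HKDF allowed
                if (!hybrid) v.add("hybrid mode is mandatory");
                if (!kdf.startsWith("HKDF-")) v.add("only HKDF is allowed");
                break;
            case "ETSI": // hybrid mandatory, CatKDF or CasKDF required
                if (!hybrid) v.add("hybrid mode is mandatory");
                if (!kdf.equals("CatKDF") && !kdf.equals("CasKDF"))
                    v.add("CatKDF or CasKDF is required");
                break;
            case "NIST": case "ENISA":
                break; // hybrid recommended, not mandated
            default:
                v.add("unknown framework " + framework);
        }
        return v;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first three rows are the alg/kdf pairs from the listing.
        String[][] rows = {
            {"BSI", "P-384+ML-KEM-1024", "HKDF-SHA384"},
            {"ANSSI", "P-256+ML-KEM-768", "HKDF-SHA256"},
            {"ETSI", "X25519+ML-KEM-768", "HKDF-SHA256"},
            {"BSI", "P-256+ML-KEM-768", "HKDF-SHA256"},
        };
        for (String[] r : rows) {
            List<String> v = check(r[0], r[1], r[2]);
            System.out.println(String.join(" ", r) + " -> " + (v.isEmpty() ? "PASS" : "FAIL " + v));
        }
    }
}
```

Calling `check` with `result.getAlg()` and `result.getKdf()` after `sdk.generateKey` turns the printed label into an actual test. The listing's ETSI request (HKDF-SHA256) fails the CatKDF rule from the Key points, so one of the two needs correcting before the label can be trusted.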
© 2025 ANKATech Solutions INC. All rights reserved.