Platform Overview

AnkaSecure is an enterprise-grade post-quantum cryptography platform providing quantum-resistant encryption, digital signatures, and key management through REST APIs, SDKs, and CLI tools.


Platform Capabilities

Core Cryptographic Operations

Encryption & Decryption:

  • ✅ Post-quantum algorithms (ML-KEM, FrodoKEM, HQC, SABER, BIKE, NTRU, Classic McEliece)
  • ✅ Classical algorithms (RSA, AES, ChaCha20, Camellia, ARIA, SEED)
  • ✅ Hybrid cryptography (combine classical + PQC for defense-in-depth)
  • ✅ Streaming support (multi-gigabyte files via chunked processing)

Digital Signatures:

  • ✅ Post-quantum signatures (ML-DSA, FALCON, SLH-DSA, XMSS, LMS)
  • ✅ Classical signatures (RSA-PSS, ECDSA, SM2, GOST)
  • ✅ Compact formats (JWS RFC 7515, detached-JWS for streaming)
  • ✅ Stateless operations (no signature counter management)

Key Management:

  • ✅ Key generation (125 algorithms supported: 84 simple + 41 composite)
  • ✅ Key import (PKCS#12, PKCS#7, PEM, JWK)
  • ✅ Key rotation (automatic algorithm transition)
  • ✅ Key lifecycle (generation → active → rotating → revoked → deleted)
  • ✅ HSM support (PKCS#11 compatible)

Migration & Interoperability:

  • ✅ Re-encryption (RSA → ML-KEM without decrypting)
  • ✅ Re-signing (RSA → ML-DSA signature format conversion)
  • ✅ Format conversion (PKCS#7 → JOSE/JWE)
  • ✅ Public-key utilities (encrypt/sign with external public keys)

The Five Pillars of Crypto Agility Orchestration

AnkaSecure's architecture is built on five foundational pillars that enable enterprise-grade cryptographic evolution:

Pillar | Capability | Business Value
1. Crypto-Agility | Transition algorithms without code changes | Algorithm migration in minutes, not months
2. Cryptographic Sovereignty | Flexible deployment (SaaS, Enterprise, Private Cloud) | Data residency and governance control
3. Frictionless Modernization | Zero-downtime key rotation, re-encrypt/re-sign | Legacy system migration without rewrites
4. Policy-Driven Governance | Centralized algorithm policies, compliance templates | Consistent enforcement across all applications
5. Regulatory Compliance | 23 policy templates, tamper-proof audit trails | Regional and industry compliance by design

Key Principle: Applications declare cryptographic intent (e.g., "encrypt with key X"), and the platform handles algorithm selection, policy enforcement, and lifecycle management. This decoupling enables organizations to respond to evolving threats and regulations without application changes.


Deployment Models

AnkaSecure is available in three deployment models to meet diverse customer requirements:

SaaS (Software-as-a-Service)

Overview: Fully managed cloud platform

Benefits:

  • Rapid deployment: Start encrypting data in <1 hour
  • Automatic updates: Platform maintained by AnkaTech
  • Elastic scaling: Automatically scales with your workload
  • High availability: 99.9% uptime SLA
  • Multi-region: Deploy in preferred geographic region

Customer Responsibilities:

  • API integration (SDK or REST API)
  • Tenant configuration (users, applications, keys)
  • Compliance validation (HIPAA, PCI-DSS, GDPR)

Ideal For:

  • Fast time-to-market (startups, agile teams)
  • Variable workloads (seasonal peaks)
  • Limited DevOps resources

Contact sales@ankatech.co to get started with SaaS.


On-Premise (Enterprise)

Overview: Self-hosted deployment with full control

Benefits:

  • Full control: Deploy in your data center or private cloud
  • Data sovereignty: Data never leaves your infrastructure
  • Air-gapped: Supported for classified/sensitive environments
  • Customization: Integrate with existing HSMs, identity providers
  • Compliance: Meet strict regulatory requirements (FedRAMP High, DoD Impact Level)

AnkaTech Services:

  • Professional services for installation and configuration
  • Architecture consulting and capacity planning
  • Integration support (HSM, identity providers, monitoring)
  • Ongoing support and maintenance

Ideal For:

  • Government and defense (FedRAMP, DoD)
  • Healthcare (HIPAA, air-gapped PHI)
  • Finance (PCI-DSS, data residency)
  • Enterprises with strict data sovereignty requirements

Contact: sales@ankatech.co for on-premise deployment


Private Cloud

Overview: Managed deployment in customer's private cloud environment

Benefits:

  • Hybrid model: Cloud-like operations with on-premise data sovereignty
  • Managed service: AnkaTech handles platform maintenance and updates
  • Customer infrastructure: Deploy within customer VPC/network
  • Compliance: Data residency within customer's cloud tenancy
  • Flexibility: Supports AWS, Azure, GCP private regions

Shared Responsibilities:

  • AnkaTech: Platform management, updates, security patches, monitoring
  • Customer: Infrastructure provisioning, network configuration, HSM integration

Ideal For:

  • Organizations wanting SaaS convenience with data sovereignty
  • Regulated industries requiring data residency (GDPR, data localization)
  • Multi-cloud strategies with regional deployments
  • Organizations with existing private cloud investments

Contact: sales@ankatech.co for private cloud deployment


Platform Architecture

High-Level Architecture

┌─────────────────────────────────────────────────────────────┐
│                     Client Applications                      │
│  (Your services, web apps, mobile apps, scripts)            │
└────────────┬────────────────────────────────┬───────────────┘
             │                                 │
             ├─── Java SDK                     │
             ├─── CLI Tools                    │
             └─── REST API (HTTPS)             │
                           │                   │
             ┌─────────────┴───────────────────┴──────────────┐
             │         AnkaSecure Platform (SaaS/On-Prem)     │
             │                                                 │
             │  ┌────────────────────────────────────────┐    │
             │  │  Authentication & Authorization        │    │
             │  │  (JWT validation, API keys, RBAC)      │    │
             │  └───────────────┬────────────────────────┘    │
             │                  │                              │
             │  ┌───────────────┴────────────────────────┐    │
             │  │    Core Cryptographic Services         │    │
             │  │                                         │    │
             │  │  • Encryption/Decryption (Compact,     │    │
             │  │    Streaming)                          │    │
             │  │  • Digital Signatures (JWS, Detached)  │    │
             │  │  • Key Management (Generation,         │    │
             │  │    Rotation, Import)                   │    │
             │  │  • Migration (Re-encrypt, Re-sign)     │    │
             │  └───────────────┬────────────────────────┘    │
             │                  │                              │
             │  ┌───────────────┴────────────────────────┐    │
             │  │    Cryptographic Key Storage           │    │
             │  │  (Multi-tenant keystores, HSM support) │    │
             │  └────────────────────────────────────────┘    │
             │                                                 │
             └─────────────────────────────────────────────────┘

Key Components

1. API Gateway:

  • HTTPS endpoint (TLS 1.2/1.3)
  • Rate limiting and DoS protection
  • Request routing and load balancing

2. Authentication Service:

  • User authentication (username/password)
  • Application authentication (API keys)
  • JWT token issuance and validation
  • Session management

3. Core API:

  • Encryption/decryption operations (Compact JWE, Streaming JWET)
  • Digital signature operations (Compact JWS, Detached-JWS)
  • Key management (generate, import, rotate, revoke)
  • Migration utilities (re-encrypt, re-sign, convert)

4. Admin API:

  • Tenant management (multi-tenant provisioning)
  • User management (RBAC, permissions)
  • Application management (API key generation)
  • Policy management (algorithm availability, key lifecycle)

5. Key Storage:

  • Multi-tenant keystores (logical isolation)
  • HSM integration (PKCS#11 compatible)
  • Key backup and recovery

6. Audit & Monitoring:

  • Comprehensive audit logging (all operations)
  • Health checks and metrics
  • Correlation ID tracing (request flow)

Security Architecture

Defense-in-Depth

AnkaSecure implements 5 security layers:

Layer 1 - Transport Security:

  • TLS 1.2/1.3 encryption for all communications
  • Certificate validation (prevents MITM attacks)
  • HSTS enforced (HTTP Strict Transport Security)

Layer 2 - Authentication:

  • JWT token validation (4 mandatory claims: iss, aud, exp, nbf)
  • API key authentication (service-to-service)
  • mTLS support (optional, for high-security environments)

Layer 3 - Authorization:

  • Role-based access control (RBAC)
  • Multi-tenant isolation (tenant data segregation)
  • Principle of least privilege

Layer 4 - Application Security:

  • OWASP REST API Security (100% compliant)
  • Input validation (schema enforcement)
  • Security headers (Cache-Control, X-Frame-Options, CSP, HSTS)
  • Rate limiting (dual-layer protection)

Layer 5 - Data Security:

  • Encryption at rest (AES-256-GCM for database)
  • Post-quantum cryptographic algorithms
  • HSM-backed key storage (optional)
  • Audit logging (tamper-proof logs)

Multi-Tenancy

Tenant Isolation Model

AnkaSecure provides logical multi-tenancy with strict isolation:

Data Isolation:

  • ✅ Separate keystore per tenant
  • ✅ Tenant-scoped database queries (no cross-tenant data access)
  • ✅ JWT claims include tenant ID validation
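The Layer 2 claim checks (iss, aud, exp, nbf) together with the tenant ID validation listed above, as an added Python example that is not the platform's own code: it mints constructed HS256 tokens and validates them the way a resource server should. The issuer, audience, secret and the `tenant_id` claim name are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: the real issuer, audience and signing key are
# deployment-specific and are not given on this page.
EXPECTED_ISS = "https://auth.ankasecure.example"
EXPECTED_AUD = "ankasecure-core-api"
MANDATORY_CLAIMS = ("iss", "aud", "exp", "nbf")

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct inputs for the check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_token(token: str, secret: bytes, request_tenant: str, now: int) -> tuple:
    """Return (accepted, reason); the payload is trusted only after the signature verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none
        return False, "unexpected alg"
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    missing = [c for c in MANDATORY_CLAIMS if c not in claims]
    if missing:
        return False, f"missing claims: {missing}"
    if claims["iss"] != EXPECTED_ISS:
        return False, "wrong issuer"
    if claims["aud"] != EXPECTED_AUD:
        return False, "wrong audience"
    if now >= claims["exp"]:
        return False, "expired"
    if now < claims["nbf"]:
        return False, "not yet valid"
    # Tenant isolation: the token's tenant must match the tenant the request targets
    if claims.get("tenant_id") != request_tenant:
        return False, "tenant mismatch"
    return True, "ok"
```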

Resource Isolation:

  • ✅ Per-tenant rate limiting (fair resource allocation)
  • ✅ Per-tenant quotas (API calls, key generation, storage)
  • ✅ Independent tenant lifecycle (provision, suspend, delete)

Security Isolation:

  • ✅ Tenant-specific API keys (cannot access other tenants)
  • ✅ Tenant-specific users and roles (RBAC per tenant)
  • ✅ Tenant-specific audit logs (compliance-ready)

Learn more about multi-tenancy →


Integration Methods

1. Java SDK

Best For: Java/JVM applications, Spring Boot, microservices

Features:

  • Native Java API (no OpenAPI complexity)
  • Connection pooling and retry logic
  • Type-safe operations (compile-time validation)
  • 28 integration flow examples

SDK Documentation →


2. CLI Tools

Best For: Scripting, automation, CI/CD pipelines, DevOps

Features:

  • Cross-platform (Windows, macOS, Linux)
  • 25 commands (key generation, encryption, signing, migration)
  • Interactive and batch modes
  • Suitable for air-gapped environments

CLI Documentation →


3. REST API

Best For: Any language, microservices, polyglot architectures

Features:

  • OpenAPI 3.0 specification
  • Standard HTTP methods (GET, POST, PUT, PATCH, DELETE)
  • JSON request/response (Base64-encoded payloads)
  • Comprehensive error codes (27 error types)

API Documentation →


Supported Algorithms

AnkaSecure supports 125 cryptographic algorithms (84 simple + 41 composite combinations) across 28 algorithm families:

Post-Quantum Cryptography:

  • 21 KEM algorithms (ML-KEM, HQC, FrodoKEM, BIKE, SABER, NTRU, Classic McEliece)
  • 11 signature algorithms (ML-DSA, FALCON, SLH-DSA, XMSS, LMS)

Classical Cryptography:

  • 19 symmetric AEAD (AES-GCM, ChaCha20, Camellia, ARIA, SEED, SM4)
  • 8 asymmetric encryption (RSA, ECDH)
  • 10 classical signatures (ECDSA, RSA-PSS, SM2, GOST)
  • 14 symmetric MACs (HMAC, CMAC, KMAC)

Standards Compliance:

  • ✅ NIST FIPS 203/204/205 (ML-KEM, ML-DSA, SLH-DSA)
  • ✅ NSA CNSA 2.0 (8 approved algorithms)
  • ✅ 14 international standards (BSI, ANSSI, CRYPTREC, etc.)
  • ✅ 20+ policy templates (by region/regulation)

Complete algorithm catalog →


Scalability & Performance

Performance Characteristics

Throughput (5 MB payload):

  • Symmetric encryption: 74-87 MB/s (AES-GCM, ChaCha20)
  • Post-quantum encryption: 82-86 MB/s (ML-KEM-768/1024)
  • Post-quantum signatures: 56-59 MB/s (ML-DSA-65/87)

Latency (5 MB payload):

  • Encryption: 60-95ms (algorithm-dependent)
  • Signing: 80-100ms (algorithm-dependent)
  • Network: +20-100ms (SaaS round-trip)

Complete performance benchmarks →

Scalability

Concurrent Operations:

  • Single instance: 1000+ operations/second
  • Horizontal scaling: Deploy multiple instances for higher throughput
  • Load balancing: Distribute requests across instances

Multi-Tenant Capacity:

  • Supports thousands of tenants per deployment
  • Per-tenant quotas and rate limiting
  • Fair resource allocation across tenants

Security & Compliance

Security Posture

AnkaSecure achieves industry-leading security compliance:

  • OWASP REST API Security: 100% compliant
  • NIST Post-Quantum Cryptography: All standardized algorithms
  • NSA CNSA 2.0: Approved for National Security Systems
  • Zero Trust Architecture: Never trust, always verify

Regulatory Support

AnkaSecure supports compliance with:

  • Healthcare: HIPAA, HITECH (PHI encryption)
  • Finance: PCI-DSS, SOX, GLBA (cardholder data protection)
  • Government: FedRAMP, FISMA (federal information systems)
  • Data Privacy: GDPR, CCPA, LGPD (personal data protection)

Data Flow

Typical Request Flow

1. Client Application
   ↓ (HTTPS request with JWT/API key)
2. API Gateway
   ↓ (Authentication & rate limiting)
3. Authentication Service
   ↓ (JWT validation, token claims)
4. Core Cryptographic Service
   ↓ (Algorithm execution, key lookup)
5. Key Storage
   ↓ (Retrieve tenant-specific keys)
6. Cryptographic Operation
   ↓ (Encrypt/decrypt/sign/verify)
7. Response
   ↓ (JSON with encrypted payload, metadata)
8. Client Application

Request Correlation:

  • Every request receives a unique correlation ID
  • Trace requests across services via audit logs
  • Troubleshoot issues by correlation ID

Key Features

1. Algorithm Agility

Crypto-Agility: Transition between algorithms without code changes

Example: Migrate from RSA-2048 to ML-KEM-768

// Re-encrypt existing ciphertext without decrypting
// (client is an initialized AnkaSecure Java SDK client)
ReencryptRequest request = ReencryptRequest.builder()
    .ciphertext(rsaCiphertext)           // RSA-encrypted data
    .targetKeyId("ml-kem-key")           // New ML-KEM key
    .build();

ReencryptResponse response = client.reencrypt(request);
// Returns ML-KEM-encrypted ciphertext (no plaintext exposure)

Benefits:

  • 🔄 Smooth migration path from classical to PQC
  • 🔄 Algorithm rotation without downtime
  • 🔄 Respond to cryptographic vulnerabilities quickly

2. Streaming Operations

Large File Support: Encrypt/decrypt/sign multi-gigabyte files without memory constraints

How it Works:

  • Client uploads/downloads data in chunks (configurable size)
  • Platform processes each chunk independently
  • Supports files up to terabytes in size

Use Cases:

  • Video encryption (media streaming, Netflix-style)
  • Database backup encryption (multi-GB SQL dumps)
  • Log file signing (tamper-proof audit logs)

Streaming API documentation →


3. Hybrid Cryptography

Combine classical + post-quantum algorithms for defense-in-depth:

Example: Hybrid encryption

Encrypt with RSA-2048 + ML-KEM-768
→ Adversary must break BOTH algorithms to decrypt
→ Future-proof against quantum AND classical attacks

Benefits:

  • 🛡️ Defense-in-depth (double encryption)
  • 🛡️ Gradual migration path (maintain classical compatibility)
  • 🛡️ Regulatory compliance (some regulations lag behind PQC)

4. Policy-Based Algorithm Management

Policy Templates: Pre-configured algorithm sets aligned with regulations

Example: Enforce NIST-approved algorithms only

KeyGenerationRequest request = KeyGenerationRequest.builder()
    .algorithm("ML-KEM-768")
    .policy("NIST_APPROVED")  // Only NIST-standardized algorithms allowed
    .build();

Available Policies:

  • NIST_APPROVED (USA federal)
  • BSI_COMPLIANT (Germany)
  • CRYPTREC (Japan)
  • CHINA_GMT_COMPLIANT (China)
  • PCI_DSS (Finance)
  • 15+ more regional/industry policies

Policy templates →


Platform Services

Core API

Endpoints:

  • /api/v1/crypto/encrypt - Compact JWE encryption (≤5 MB)
  • /api/v1/crypto/decrypt - Compact JWE decryption
  • /api/v1/crypto/sign - Compact JWS signing (≤5 MB)
  • /api/v1/crypto/verify - Compact JWS verification
  • /api/v1/crypto/stream/* - Streaming operations (>5 MB)
  • /api/v1/key-management/* - Key lifecycle operations

Complete API reference →


Admin API

Endpoints:

  • /api/admin/tenants/* - Multi-tenant management
  • /api/admin/users/* - User provisioning and RBAC
  • /api/admin/applications/* - API key generation
  • /api/admin/policies/* - Algorithm availability policies

Access: Admin API requires elevated privileges (platform admin or tenant admin)


Authentication API

Endpoints:

  • /api/v1/auth/login - User/application authentication
  • /api/v1/auth/refresh - JWT token refresh
  • /api/v1/auth/logout - Session termination

Token Lifetime: 1 hour (configurable per tenant)


Audit & Monitoring

Audit Logging

What's Logged:

  • ✅ Authentication events (login, logout, failed attempts)
  • ✅ Cryptographic operations (encrypt, decrypt, sign, verify)
  • ✅ Key management (generation, rotation, revocation)
  • ✅ Administrative actions (tenant creation, user updates)

Log Format: Structured JSON with:

  • Timestamp (ISO 8601)
  • Correlation ID (trace requests)
  • Tenant ID and user ID
  • Operation type and outcome (success/failure)
  • Algorithm and key used
  • Duration (milliseconds)

Retention: Configurable (default 90 days, up to 7 years for compliance)


Health & Monitoring

Health Endpoints:

  • /actuator/health - Overall service health
  • /actuator/metrics - Performance metrics

Metrics Available:

  • Request rate (operations/second)
  • Error rate (errors/second, percentage)
  • Latency (p50, p95, p99 percentiles)
  • Resource utilization (CPU, memory)

Integration: Prometheus, Grafana, Datadog, New Relic, custom monitoring
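An added Python example (not platform output or code) covering both the Audit Logging format and the Metrics above: constructed audit records in the structured-JSON shape listed (the JSON key names are assumed, since the page lists fields but not keys), with a correlation ID trace, per-tenant error rate, nearest-rank p50/p95/p99 latency, and a repeated-failed-login check a SOC would run over such logs.

```python
import json
import math
from collections import Counter

# Constructed sample records following the documented fields (timestamp, correlation ID,
# tenant and user ID, operation and outcome, algorithm and key, duration). Not real output.
SAMPLE_AUDIT_LOG = """\
{"timestamp":"2026-03-31T10:00:01Z","correlation_id":"c-100","tenant_id":"acme","user_id":"svc-billing","operation":"login","outcome":"success","algorithm":null,"key_id":null,"duration_ms":12}
{"timestamp":"2026-03-31T10:00:02Z","correlation_id":"c-101","tenant_id":"acme","user_id":"svc-billing","operation":"encrypt","outcome":"success","algorithm":"ML-KEM-768","key_id":"ml-kem-key","duration_ms":74}
{"timestamp":"2026-03-31T10:00:03Z","correlation_id":"c-102","tenant_id":"acme","user_id":"svc-billing","operation":"encrypt","outcome":"success","algorithm":"ML-KEM-768","key_id":"ml-kem-key","duration_ms":91}
{"timestamp":"2026-03-31T10:00:04Z","correlation_id":"c-103","tenant_id":"acme","user_id":"svc-billing","operation":"sign","outcome":"success","algorithm":"ML-DSA-65","key_id":"ml-dsa-key","duration_ms":88}
{"timestamp":"2026-03-31T10:00:05Z","correlation_id":"c-104","tenant_id":"globex","user_id":"alice","operation":"login","outcome":"failure","algorithm":null,"key_id":null,"duration_ms":9}
{"timestamp":"2026-03-31T10:00:06Z","correlation_id":"c-105","tenant_id":"globex","user_id":"alice","operation":"login","outcome":"failure","algorithm":null,"key_id":null,"duration_ms":8}
{"timestamp":"2026-03-31T10:00:07Z","correlation_id":"c-106","tenant_id":"globex","user_id":"alice","operation":"login","outcome":"failure","algorithm":null,"key_id":null,"duration_ms":10}
{"timestamp":"2026-03-31T10:00:08Z","correlation_id":"c-107","tenant_id":"acme","user_id":"svc-billing","operation":"decrypt","outcome":"failure","algorithm":"ML-KEM-768","key_id":"ml-kem-key","duration_ms":61}
"""

def parse_audit_log(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def trace(records: list, correlation_id: str) -> list:
    """All records for one request in time order (correlation ID tracing)."""
    hits = [r for r in records if r["correlation_id"] == correlation_id]
    return sorted(hits, key=lambda r: r["timestamp"])

def error_rate(records: list, tenant_id: str = None) -> float:
    """Share of failed operations, optionally scoped to one tenant."""
    scoped = [r for r in records if tenant_id is None or r["tenant_id"] == tenant_id]
    if not scoped:
        return 0.0
    return sum(r["outcome"] == "failure" for r in scoped) / len(scoped)

def latency_percentiles(records: list, operation: str):
    """Nearest-rank p50/p95/p99 of duration_ms for one operation type, or None."""
    samples = sorted(r["duration_ms"] for r in records if r["operation"] == operation)
    if not samples:
        return None
    def pct(p):
        return samples[max(0, math.ceil(p / 100 * len(samples)) - 1)]
    return pct(50), pct(95), pct(99)

def repeated_failed_logins(records: list, threshold: int = 3) -> list:
    """(tenant, user) pairs with at least `threshold` failed logins: a credential-guessing signal."""
    counts = Counter((r["tenant_id"], r["user_id"]) for r in records
                     if r["operation"] == "login" and r["outcome"] == "failure")
    return sorted(key for key, n in counts.items() if n >= threshold)
```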


Standards & Protocols

API Standards

  • REST: RESTful API design principles
  • OpenAPI 3.0: Machine-readable API specification
  • RFC 7807: Problem Details for HTTP APIs (error format)

Cryptographic Standards

  • RFC 7516: JSON Web Encryption (JWE)
  • RFC 7515: JSON Web Signature (JWS)
  • RFC 7518: JSON Web Algorithms (JWA)
  • NIST FIPS 203/204/205: Post-Quantum Cryptography

Security Standards

  • OWASP REST API Security: 100% compliant
  • NIST SP 800-53: Security controls for federal systems
  • ISO 27001: Information security management
  • SOC 2: Service organization controls


Documentation Version: 3.0.0
Last Updated: 2026-03-31