Analyze Imported Keys for PQC Migration
Validate your legacy keys and get PQC migration recommendations in 3 minutes
Quick Start: Analyze Compatibility
- Estimated time: 3 minutes
- What you'll achieve: Validate imported key and get PQC algorithm recommendation
- Requirements: AnkaSecure API access, imported key from previous step
Step 1/2: Analyze imported RSA key (1 minute)
# Analyze key imported from AWS/Azure/PKCS#12
curl -X POST https://api.ankatech.co/migration/analyze \
-H "Authorization: Bearer $TOKEN" \
-d '{
"keyId": "my-imported-rsa-key"
}'
✅ Success: Detailed compatibility report:
{
"keyId": "my-imported-rsa-key",
"currentAlgorithm": "RSA_4096",
"securityLevel": "NIST_L3",
"status": "ACTIVE",
"certificateValid": true,
"expiresIn": "365 days",
"quantumResistant": false,
"migrationRecommendation": {
"targetAlgorithm": "ML_KEM_1024",
"targetSecurityLevel": "NIST_L5",
"rationale": "Upgrade from L3 to L5 for maximum security",
"estimatedPerformance": "+17% latency (acceptable)",
"compatibilityIssues": []
}
}
Key insight: RSA-4096 → ML-KEM-1024 (security upgrade + quantum resistance)
Step 2/2: Get detailed migration path (2 minutes)
# Request step-by-step migration plan
curl -X POST https://api.ankatech.co/migration/plan \
-H "Authorization: Bearer $TOKEN" \
-d '{
"sourceKeyId": "my-imported-rsa-key",
"strategy": "RECOMMENDED"
}'
✅ Success: Actionable migration plan:
{
"phases": [
{
"phase": 1,
"action": "Generate composite key",
"command": "POST /keys/composite {classical:RSA_4096, pqc:ML_KEM_1024}",
"timeline": "5 minutes",
"risk": "Low"
},
{
"phase": 2,
"action": "Re-encrypt data",
"estimatedFiles": 1000,
"estimatedTime": "10 minutes",
"risk": "Low (no plaintext exposure)"
},
{
"phase": 3,
"action": "Retire RSA key",
"timeline": "After data expiration (10 years)",
"risk": "None"
}
],
"totalTimeline": "1 day (including testing)",
"costEstimate": "$30 (configuration only)"
}
🎯 Result: Clear migration roadmap with timelines and cost
What's next?
- Execute migration: Convert operations guide
- Understand algorithm mapping: Classical to PQC equivalence
- Bulk analysis: Analyze 1000s of keys
What Analyze Operations Check
1. Certificate Validation
Validates X.509 certificate structure and integrity:
- ✅ Structure: Valid ASN.1 encoding, required fields present
- ✅ Key binding: Private key matches certificate public key
- ✅ Expiration: Check notBefore and notAfter dates
- ✅ Chain verification: Validate signatures up to root CA
- ✅ Revocation: Check CRL or OCSP (if configured)
Output: ACTIVE, EXPIRED, or INVALID status
Example: Expired certificate analysis:
Response:
{
"status": "EXPIRED",
"expirationDate": "2024-12-31T23:59:59Z",
"allowedOperations": ["decrypt", "verify"],
"blockedOperations": ["encrypt", "sign"],
"recommendation": "Import with validationMode=IMPORT_ONLY for legacy data decryption"
}
An expired key is read-only: allowedOperations lists decrypt and verify, while the write operations (encrypt, sign) are blocked.
Use case: Decrypt archived data encrypted with expired certificate
2. Algorithm Compatibility
Maps classical algorithms to equivalent PQC algorithms:
Compatibility matrix:
| Classical Algorithm | Security Level | Recommended PQC | PQC Security Level | Notes |
|---|---|---|---|---|
| RSA-2048 | NIST L1 (112-bit) | ML-KEM-512 | NIST L1 (128-bit) | Security upgrade |
| RSA-3072 | NIST L2 (128-bit) | ML-KEM-768 | NIST L3 (192-bit) | Security upgrade |
| RSA-4096 | NIST L3 (152-bit) | ML-KEM-1024 | NIST L5 (256-bit) | Security upgrade |
| ECDSA-P256 | NIST L1 (128-bit) | ML-DSA-44 | NIST L2 (128-bit) | Equivalent |
| ECDSA-P384 | NIST L3 (192-bit) | ML-DSA-65 | NIST L3 (192-bit) | Equivalent |
| ECDSA-P521 | NIST L5 (256-bit) | ML-DSA-87 | NIST L5 (256-bit) | Equivalent |
| Ed25519 | NIST L1 (128-bit) | ML-DSA-65 | NIST L3 (192-bit) | Security upgrade |
Rule: AnkaSecure recommends equal or higher security level for PQC migration
Example query:
# What PQC algorithm for my RSA-3072 key?
curl https://api.ankatech.co/migration/recommend \
-d '{"algorithm":"RSA_3072"}'
Response:
{
"sourceAlgorithm": "RSA_3072",
"sourceSecurityLevel": "NIST_L2",
"recommendedPQC": "ML_KEM_768",
"pqcSecurityLevel": "NIST_L3",
"upgrade": true,
"reason": "ML-KEM-768 provides higher security (L3 vs L2)"
}
3. Security Analysis
Detects weak or deprecated algorithms:
Checks performed:
- ✅ Key size: Minimum 2048 bits for RSA, 256 bits for ECDSA
- ✅ Signature algorithm: Reject MD5, SHA-1 (deprecated)
- ✅ Expiration risk: Flag keys expiring within 90 days
- ✅ NIST compliance: Check FIPS 186-4 conformance
Example: Weak key detected:
Response:
{
"status": "INVALID",
"securityIssues": [
{
"severity": "CRITICAL",
"issue": "RSA-1024 below minimum key size (2048 bits)",
"recommendation": "Cannot migrate. Generate new RSA-4096 or ML-KEM-1024 key."
}
],
"migrationAllowed": false
}
Action: Cannot import weak keys (security policy enforcement)
4. Performance Estimation
Predicts migration impact (re-encryption time, throughput):
Example: Analyze RSA-2048 migration:
curl -X POST https://api.ankatech.co/migration/estimate \
-d '{
"sourceKeyId": "rsa-2048-key",
"targetAlgorithm": "ML_KEM_1024",
"dataVolume": "10000 files",
"avgFileSize": "1KB"
}'
Response:
{
"estimatedTime": "8 minutes",
"throughput": "~1,250 files/minute",
"performanceImpact": {
"encryptionLatency": "+0ms (3ms vs 3ms)",
"decryptionLatency": "-4ms (7ms vs 11ms, 36% faster!)",
"storageOverhead": "+5% (JWE envelope)"
},
"recommendation": "Migration beneficial (faster decrypt, quantum-resistant)"
}
Insight: ML-KEM actually FASTER than RSA for decryption!
Algorithm Compatibility Matrix
Encryption Algorithms
Direct migration paths (classical → PQC):
# RSA-2048 → ML-KEM-512 (security upgrade)
RSA-2048 (L1, 112-bit) → ML-KEM-512 (L1, 128-bit) ✅ Security UPGRADE
# RSA-3072 → ML-KEM-768 (security upgrade)
RSA-3072 (L2, 128-bit) → ML-KEM-768 (L3, 192-bit) ✅ Security UPGRADE
# RSA-4096 → ML-KEM-1024 (security upgrade)
RSA-4096 (L3, 152-bit) → ML-KEM-1024 (L5, 256-bit) ✅ Security UPGRADE
Performance comparison:
RSA-4096 decrypt: 11ms (1KB payload)
ML-KEM-1024 decrypt: 7ms (1KB payload)
Improvement: 36% faster with ML-KEM!
Verdict: ML-KEM migration is win-win (faster + quantum-resistant)
Signature Algorithms
Direct migration paths:
# ECDSA-P256 → ML-DSA-44 (security equivalent)
ECDSA-P256 (L1, 128-bit) → ML-DSA-44 (L2, 128-bit) ✅ Equivalent
# ECDSA-P384 → ML-DSA-65 (security equivalent)
ECDSA-P384 (L3, 192-bit) → ML-DSA-65 (L3, 192-bit) ✅ Equivalent
# ECDSA-P521 → ML-DSA-87 (security equivalent)
ECDSA-P521 (L5, 256-bit) → ML-DSA-87 (L5, 256-bit) ✅ Equivalent
# Ed25519 → ML-DSA-65 (security upgrade)
Ed25519 (L1, 128-bit) → ML-DSA-65 (L3, 192-bit) ✅ Security UPGRADE
Signature size trade-off:
ECDSA-P256 signature: ~64 bytes
ML-DSA-44 signature: ~2,420 bytes (38× larger)
Trade-off: Larger signatures for quantum resistance
Recommendation: ML-DSA acceptable for most use cases (2KB overhead negligible for documents)
Bulk Analysis Workflow
Analyze All Imported Keys
Scenario: Imported 500 keys from legacy systems, need migration assessment
Bulk analysis request:
curl -X POST https://api.ankatech.co/migration/analyze/bulk \
-H "Authorization: Bearer $TOKEN" \
-d '{
"filter": {"source":"IMPORTED"},
"includeRecommendations": true
}'
Response: Summary report
{
"totalKeys": 500,
"byStatus": {
"ACTIVE": 450,
"EXPIRED": 40,
"INVALID": 10
},
"byAlgorithm": {
"RSA-2048": 200,
"RSA-4096": 150,
"ECDSA-P256": 100,
"ECDSA-P384": 50
},
"migrationSummary": {
"canMigrate": 490,
"blocked": 10,
"recommendations": {
"ML_KEM_1024": 350,
"ML_DSA_65": 140
}
}
}
The 10 blocked keys use weak algorithms (RSA-1024, MD5 signatures); the ML_KEM_1024 recommendations cover the RSA keys and the ML_DSA_65 recommendations the ECDSA keys.
Action items: Migrate 490 keys (98% can transition), reject 10 weak keys
Export Analysis Report
Generate CSV for planning:
curl https://api.ankatech.co/migration/analyze/export \
-H "Authorization: Bearer $TOKEN" \
-d '{"format":"CSV"}'
CSV output:
keyId,algorithm,securityLevel,status,expiresIn,recommendedPQC,migrationPriority
rsa-key-001,RSA-4096,NIST_L3,ACTIVE,365d,ML_KEM_1024,HIGH
ecdsa-key-002,ECDSA-P256,NIST_L1,ACTIVE,180d,ML_DSA_44,MEDIUM
expired-key-003,RSA-2048,NIST_L1,EXPIRED,-500d,ML_KEM_512,LOW
Use case: Import to Excel, prioritize migrations, track progress
Migration Readiness Assessment
Compatibility Check Results
After analysis, keys categorized as:
Category 1: Ready to Migrate ✅
- Active certificates (not expired)
- Strong algorithms (RSA ≥ 2048, ECDSA ≥ 256)
- No blocking issues
Action: Proceed to conversion immediately
Example: 450 out of 500 keys (90%)
Category 2: Conditional Migration ⚠️
- Expired certificates (can decrypt old data, cannot encrypt new)
- Soon-to-expire (< 90 days)
- Non-standard algorithms (El Gamal, DSA)
Action: Use IMPORT_ONLY mode, migrate with restrictions
Example: 40 out of 500 keys (8%)
Category 3: Blocked ❌
- Weak algorithms (RSA-1024, MD5 signatures)
- Corrupted certificates
- Unsupported key types
Action: Cannot migrate, must generate new keys
Example: 10 out of 500 keys (2%)
Security Analysis Details
Expiration Risk Assessment
AnkaSecure flags keys nearing expiration:
| Days Until Expiry | Risk Level | Recommendation |
|---|---|---|
| > 365 days | ✅ Low | Migrate at normal priority |
| 90-365 days | ⚠️ Medium | Migrate soon (before expiration) |
| 30-90 days | 🔴 High | Migrate immediately |
| < 30 days | 🔴 Critical | Emergency migration or renewal |
| Expired | ⚠️ Legacy | Import with IMPORT_ONLY mode |
Example: Expiration analysis:
Response:
{
"expiresIn": "45 days",
"riskLevel": "HIGH",
"recommendation": "Migrate to PQC within 30 days OR renew certificate",
"urgency": "HIGH_PRIORITY"
}
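The expiration-risk bands and the three readiness categories above are simple enough to reproduce from an exported inventory. The following is an added example, not AnkaSecure code: the bands and category rules are the page's, while the record field names (`algorithm`, `notAfter`, `certificateValid`, `signatureHash`), the function names and the sample keys are constructed for the illustration.

```python
"""Added example (not AnkaSecure code): reproduce the expiration-risk bands
and the readiness categories described on this page for a local inventory.
Record field names and the sample keys are assumptions."""
from datetime import datetime, timezone

STRONG_MINIMUM = {"RSA": 2048, "ECDSA": 256}
SUPPORTED_FAMILIES = {"RSA", "ECDSA", "ED25519", "ELGAMAL", "DSA"}
NON_STANDARD = {"ELGAMAL", "DSA"}      # listed under Category 2 on this page
BROKEN_HASHES = {"MD5"}


def expiration_risk(days_until_expiry: int) -> dict:
    """Bands from the expiration-risk table. The table's ranges share their
    endpoints; here day 30 and day 90 fall into the lower-risk band."""
    if days_until_expiry < 0:
        return {"riskLevel": "LEGACY", "recommendation": "Import with IMPORT_ONLY mode"}
    if days_until_expiry < 30:
        return {"riskLevel": "CRITICAL", "recommendation": "Emergency migration or renewal"}
    if days_until_expiry < 90:
        return {"riskLevel": "HIGH", "recommendation": "Migrate immediately"}
    if days_until_expiry <= 365:
        return {"riskLevel": "MEDIUM", "recommendation": "Migrate soon (before expiration)"}
    return {"riskLevel": "LOW", "recommendation": "Migrate at normal priority"}


def days_until(not_after: str, now: datetime) -> int:
    """Whole days from `now` to an RFC 3339 notAfter timestamp (negative if expired)."""
    expiry = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
    return (expiry - now).days


def parse_family_size(algorithm: str):
    """'RSA-4096' -> ('RSA', 4096); 'ECDSA-P256' -> ('ECDSA', 256); 'Ed25519' -> ('ED25519', None)."""
    canonical = algorithm.upper().replace("-", "_").replace(" ", "")
    family, _, param = canonical.partition("_")
    param = param.lstrip("P")
    return family, (int(param) if param.isdigit() else None)


def readiness(key: dict, now: datetime) -> dict:
    """Assign one of the three readiness categories and the matching action."""
    family, size = parse_family_size(key["algorithm"])
    days = days_until(key["notAfter"], now)
    blocking, conditional = [], []

    # Category 3 conditions: anything here means a new key must be generated.
    if not key.get("certificateValid", True):
        blocking.append("corrupted certificate")
    if family not in SUPPORTED_FAMILIES:
        blocking.append(f"unsupported key type {family}")
    minimum = STRONG_MINIMUM.get(family)
    if minimum and size is not None and size < minimum:
        blocking.append(f"{family}-{size} below {minimum}-bit minimum")
    if key.get("signatureHash", "").upper() in BROKEN_HASHES:
        blocking.append(f"{key['signatureHash']} signature")

    # Category 2 conditions: migrate, but only under IMPORT_ONLY restrictions.
    if days < 0:
        conditional.append("expired certificate (decrypt/verify only)")
    elif days < 90:
        conditional.append(f"expires in {days} days")
    if family in NON_STANDARD:
        conditional.append(f"non-standard algorithm {family}")

    if blocking:
        category, action = 3, "Cannot migrate, must generate new keys"
    elif conditional:
        category, action = 2, "Use IMPORT_ONLY mode, migrate with restrictions"
    else:
        category, action = 1, "Proceed to conversion immediately"
    return {"keyId": key["keyId"], "category": category, "action": action,
            "expiration": expiration_risk(days), "reasons": blocking or conditional}


def summarize(keys, now: datetime) -> dict:
    """Count keys per category, the figure the readiness report is built from."""
    counts = {1: 0, 2: 0, 3: 0}
    for key in keys:
        counts[readiness(key, now)["category"]] += 1
    return counts


# Constructed sample inventory for illustration only (not real keys).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"keyId": "rsa-key-001", "algorithm": "RSA-4096", "notAfter": "2026-06-01T00:00:00Z",
     "certificateValid": True, "signatureHash": "SHA256"},
    {"keyId": "ecdsa-key-002", "algorithm": "ECDSA-P256", "notAfter": "2025-02-15T00:00:00Z",
     "certificateValid": True, "signatureHash": "SHA256"},
    {"keyId": "expired-key-003", "algorithm": "RSA-2048", "notAfter": "2024-12-31T23:59:59Z",
     "certificateValid": True, "signatureHash": "SHA256"},
    {"keyId": "old-weak-key", "algorithm": "RSA-1024", "notAfter": "2027-01-01T00:00:00Z",
     "certificateValid": True, "signatureHash": "MD5"},
    {"keyId": "corrupt-key", "algorithm": "ECDSA-P384", "notAfter": "2027-01-01T00:00:00Z",
     "certificateValid": False, "signatureHash": "SHA384"},
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(readiness(key, NOW))
    print(summarize(SAMPLE_KEYS, NOW))
```

Blocking conditions are evaluated before conditional ones, so an expired RSA-1024 key lands in Category 3 rather than Category 2; the weak key, not the expiry, decides its fate.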
Weak Algorithm Detection
AnkaSecure rejects algorithms below minimum security:
Rejected algorithms:
- ❌ RSA-1024 (too weak, < 2048 minimum)
- ❌ MD5 signatures (cryptographically broken)
- ❌ SHA-1 signatures (deprecated per NIST SP 800-131A)
- ❌ DES, 3DES (obsolete symmetric algorithms)
Example error:
{
"keyId": "old-weak-key",
"status": "INVALID",
"issues": [
{
"severity": "CRITICAL",
"code": "WEAK_KEY_SIZE",
"message": "RSA-1024 below minimum 2048 bits",
"resolution": "Generate new RSA-4096 or ML-KEM-1024 key"
}
],
"migrationAllowed": false
}
Action: Must generate new key (cannot import weak keys)
PQC Migration Recommendations
Recommended Algorithm Mappings
AnkaSecure automatically recommends optimal PQC algorithm:
For Encryption Keys
RSA keys → ML-KEM:
RSA-2048 (112-bit) → ML-KEM-512 (128-bit) +16% security
RSA-3072 (128-bit) → ML-KEM-768 (192-bit) +50% security
RSA-4096 (152-bit) → ML-KEM-1024 (256-bit) +68% security
Recommendation: Always upgrade to ML-KEM-1024 (maximum security, minimal overhead)
For Signing Keys
ECDSA keys → ML-DSA:
ECDSA-P256 (128-bit) → ML-DSA-44 (128-bit) Equivalent
ECDSA-P384 (192-bit) → ML-DSA-65 (192-bit) Equivalent
ECDSA-P521 (256-bit) → ML-DSA-87 (256-bit) Equivalent
Ed25519 keys → ML-DSA:
Ed25519 (128-bit) → ML-DSA-65 (192-bit) Security upgrade
Recommendation: Match security level or upgrade for long-term signatures
Custom Recommendations
Override automatic recommendations if you have specific requirements:
# Override: prefer ML_KEM_768 instead of the automatic ML_KEM_1024 recommendation
# (the comment must stay outside the quoted JSON body, or it is sent as part of it)
curl -X POST https://api.ankatech.co/migration/analyze \
-d '{
"keyId": "rsa-key-001",
"preferredPQC": "ML_KEM_768",
"reason": "Performance-critical application"
}'
Response:
{
"autoRecommendation": "ML_KEM_1024",
"yourPreference": "ML_KEM_768",
"comparison": {
"security": "L3 vs L5 (ML_KEM_768 lower)",
"performance": "6ms vs 7ms decrypt (ML_KEM_768 faster)",
"suitability": "Acceptable for performance-critical apps"
},
"approved": true
}
Use case: Performance-critical systems where 1ms latency matters
Bulk Analysis Workflow
Analyze 1000s of Keys
Step 1: Request bulk analysis job
curl -X POST https://api.ankatech.co/migration/jobs/analyze-all \
-H "Authorization: Bearer $TOKEN" \
-d '{
"filter": {"imported": true},
"parallelism": 10
}'
Response: Job ID
Step 2: Monitor progress
Response:
{
"jobId": "analyze-job-12345",
"status": "IN_PROGRESS",
"progress": "450/500 keys analyzed (90%)",
"eta": "1 minute"
}
Step 3: Download results
curl https://api.ankatech.co/migration/jobs/analyze-job-12345/results \
-H "Authorization: Bearer $TOKEN" > analysis-report.json
Performance: ~100 keys/minute (parallel analysis)
Migration Risk Assessment
Risk Levels by Migration Type
Low Risk ✅ (proceed immediately):
- RSA-4096 → ML-KEM-1024 (security upgrade, faster decrypt)
- ECDSA-P384 → ML-DSA-65 (equivalent security)
- Active certificates (> 1 year validity)
Medium Risk ⚠️ (plan carefully):
- RSA-2048 → ML-KEM-512 (older standard, but acceptable)
- Expired certificates (decrypt-only operations)
- Large data volumes (> 100K files to re-encrypt)
High Risk 🔴 (expert assistance recommended):
- Custom algorithms (non-standard)
- Complex certificate chains (5+ intermediates)
- Multi-key PKCS#12 (10+ keys)
Contact support for high-risk migrations: [email protected]
Validation Modes
Strict Validation (Production)
Mode: validationMode: "STRICT"
Behavior:
- ❌ Reject expired certificates
- ❌ Reject weak algorithms
- ❌ Reject untrusted certificate chains
- ✅ Only import production-ready keys
Use case: Production environments (enforce security standards)
curl -X POST https://api.ankatech.co/migration/analyze \
-d '{
"keyId": "prod-key-001",
"validationMode": "STRICT"
}'
Import-Only Mode (Legacy Data)
Mode: validationMode: "IMPORT_ONLY"
Behavior:
- ✅ Allow expired certificates (decrypt-only operations)
- ✅ Allow about-to-expire certificates
- ❌ Still reject weak algorithms
- ⚠️ Restrict to read operations (no new encryptions)
Use case: Decrypt archived data from 2020 (certificate expired in 2023)
curl -X POST https://api.ankatech.co/migration/analyze \
-d '{
"keyId": "expired-key-001",
"validationMode": "IMPORT_ONLY"
}'
Result: Key imported with status: EXPIRED, can decrypt old data only
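The two modes differ only in which findings are fatal and which operations the imported key keeps. The following is an added example, not AnkaSecure code, that encodes the acceptance rule described above: weak or invalid keys are refused in both modes, STRICT additionally refuses expired certificates and untrusted chains, and IMPORT_ONLY accepts those but restricts the key to decrypt and verify. The reduced analysis record and its field names (`status`, `issues`, `chainTrusted`) are assumptions made for the illustration.

```python
"""Added example (not AnkaSecure code): the acceptance rule implied by the
STRICT and IMPORT_ONLY validation modes. The analysis record and its field
names (status, issues, chainTrusted) are assumptions for this illustration."""

READ_ONLY_OPS = ["decrypt", "verify"]
WRITE_OPS = ["encrypt", "sign"]
ALL_OPS = ["encrypt", "decrypt", "sign", "verify"]


def import_decision(analysis: dict, validation_mode: str = "STRICT") -> dict:
    """Decide whether a key passes import under the given mode and what it may do."""
    if validation_mode not in ("STRICT", "IMPORT_ONLY"):
        raise ValueError(f"unknown validationMode {validation_mode!r}")

    def verdict(accepted, reason, allowed=None, blocked=None):
        return {
            "keyId": analysis["keyId"],
            "validationMode": validation_mode,
            "status": analysis["status"],
            "accepted": accepted,
            "reason": reason,
            "allowedOperations": allowed or [],
            "blockedOperations": blocked or [],
        }

    critical = [i for i in analysis.get("issues", []) if i.get("severity") == "CRITICAL"]
    # Weak or invalid keys are refused in both modes (security policy enforcement).
    if analysis["status"] == "INVALID" or critical:
        detail = "; ".join(i["message"] for i in critical) or "status INVALID"
        return verdict(False, f"rejected in every mode: {detail}", blocked=ALL_OPS)

    if validation_mode == "STRICT":
        # Production mode: only active keys with a trusted chain, all operations allowed.
        if analysis["status"] == "EXPIRED":
            return verdict(False, "expired certificate; use IMPORT_ONLY for legacy decryption",
                           blocked=ALL_OPS)
        if not analysis.get("chainTrusted", False):
            return verdict(False, "certificate chain not trusted", blocked=ALL_OPS)
        return verdict(True, "production-ready key", allowed=ALL_OPS)

    # IMPORT_ONLY: chain validation is skipped and expired certificates are
    # accepted, but the key is restricted to read operations (no new encryptions).
    return verdict(True, "imported for legacy data (read-only)",
                   allowed=READ_ONLY_OPS, blocked=WRITE_OPS)


# Constructed analysis records for illustration only.
SAMPLE_ANALYSES = {
    "active": {"keyId": "prod-key-001", "status": "ACTIVE", "issues": [], "chainTrusted": True},
    "expired": {"keyId": "expired-key-001", "status": "EXPIRED", "issues": [], "chainTrusted": True},
    "self_signed": {"keyId": "self-signed-key", "status": "ACTIVE", "issues": [], "chainTrusted": False},
    "weak": {"keyId": "old-weak-key", "status": "INVALID", "chainTrusted": True,
             "issues": [{"severity": "CRITICAL", "code": "WEAK_KEY_SIZE",
                         "message": "RSA-1024 below minimum 2048 bits"}]},
}

if __name__ == "__main__":
    for name, record in SAMPLE_ANALYSES.items():
        for mode in ("STRICT", "IMPORT_ONLY"):
            print(name, mode, import_decision(record, mode))
```

The self-signed record shows why IMPORT_ONLY is the fix offered in the troubleshooting section for chain failures: the chain check is skipped, but the key still cannot be used to produce new ciphertext or signatures.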
Analyze Operations API Reference
Analyze Single Key
Endpoint: POST /api/migration/analyze
Request:
{
"keyId": "my-key-001",
"includeChainValidation": true,
"includePQCRecommendations": true,
"includePerformanceEstimate": true
}
Response fields:
- status: ACTIVE, EXPIRED, INVALID
- certificateValid: true/false
- expiresIn: "365 days" or "EXPIRED"
- securityLevel: NIST_L1/L2/L3/L5
- migrationRecommendation: {targetAlgorithm, rationale}
- performanceEstimate: {latency, throughput}
- compatibilityIssues: [] (empty if compatible)
Analyze Multiple Keys
Endpoint: POST /api/migration/analyze/bulk
Request:
Response: Array of analysis results (one per key)
Get Migration Recommendation
Endpoint: GET /api/migration/recommend?algorithm=RSA_4096
Response:
{
"sourceAlgorithm": "RSA_4096",
"recommendedPQC": "ML_KEM_1024",
"securityLevelUpgrade": true,
"performanceImpact": "Neutral (similar speed)",
"quantumResistant": true
}
Troubleshooting
Issue: "Certificate chain verification failed"
Symptom:
Causes:
1. Missing intermediate certificates
2. Self-signed certificate (no CA)
3. Untrusted root CA
Fixes:
For self-signed certificates:
# Use IMPORT_ONLY mode (skip chain validation)
curl -X POST https://api.ankatech.co/migration/analyze \
-d '{"keyId":"self-signed-key","validationMode":"IMPORT_ONLY"}'
For missing intermediates:
- Re-import PKCS#12 with full chain (leaf + intermediates + root)
Issue: "Unsupported algorithm"
Symptom:
Cause: Legacy algorithm not in AnkaSecure's 81-algorithm catalog
Unsupported algorithms:
- DSA (legacy, replaced by ECDSA/Ed25519)
- El Gamal (legacy, replaced by RSA)
- RC4, IDEA (obsolete symmetric)
Fix: Cannot migrate, must generate new key with supported algorithm
What's Next?
Ready to convert your keys?
- 🚀 Analyze your key (3-minute test)
- 📥 Download analysis toolkit (bulk analysis scripts)
- 📊 Migration readiness report (500-key analysis)
- 📧 Request expert analysis (complex scenarios)
After analysis:
- Convert operations: Re-encrypt and re-sign data
- Migration strategy: Complete migration roadmap
- Algorithm comparison: Choose optimal PQC algorithm
Compatibility resources:
- Algorithm matrix: Classical to PQC mapping
- Performance impact: Speed comparison
- Security levels: NIST level equivalence
Have questions? Email [email protected] or join our community forum
Last updated: 2026-01-07 | Version: 3.0.0