Flow 31 --- Security Level Matching and Validation
This scenario demonstrates NIST security level consistency in composite cryptographic keys. Composite keys combine classical and post-quantum components that must operate at the same security level to prevent weakest-link vulnerabilities.
Shows valid Level 3 and Level 5 matches, plus client-side validation detecting mismatched configurations (e.g., RSA-2048 Level 1 + ML-KEM-1024 Level 5).
- Choose security level - Select Level 3 (standard) or Level 5 (classified)
- Build with auto-selection - CompositeKeyBuilder auto-selects matching algorithms
- Validate match - Client-side validation ensures both components at same level
- Handle mismatch errors - Demonstrates detection of Level 1 vs Level 5 mismatch
Key points
- Why matching matters: Security = MIN(classical, PQC) → weakest-link vulnerability if mismatched
- Auto-selection: CompositeKeyBuilder auto-selects algorithms at chosen level (X25519+ML-KEM-768 for Level 3)
- Client-side validation: Fail-fast error detection with detailed messages before HTTP request
- NIST tolerance: Allows ±2 level difference; this example uses 4-level gap to trigger validation error
When to use it
- Security architects enforcing consistent security levels across hybrid implementations
- Government/defense deployments requiring Level 5 (256-bit) for classified data
- Compliance validation ensuring algorithm pairs meet NIST SP 800-227 recommendations
- Client-side validation implementing fail-fast checks before calling AnkaSecure API
Shared helper – this code imports the utility class from example-util.md (configuration, authentication).
Complete Java implementation
src/main/java/co/ankatech/ankasecure/sdk/examples/ExampleScenario31.java
package co.ankatech.ankasecure.sdk.examples;
import co.ankatech.ankasecure.sdk.AuthenticatedSdk;
import co.ankatech.ankasecure.sdk.model.*;
import co.ankatech.secure.client.model.KeyRequest;
import java.util.List;
import static co.ankatech.ankasecure.sdk.examples.ExampleUtil.*;
/**
* Scenario 31 — Security Level Matching for Composite Keys.
*
* <p>Demonstrates how to discover and select hybrid algorithms at specific
* NIST security levels using the algorithm catalog.</p>
*
* <h3>What You'll Learn:</h3>
* <ul>
* <li>How to query the algorithm catalog for hybrid algorithms</li>
* <li>How to filter by security level (1, 3, 5)</li>
* <li>How to create composite keys with specific security requirements</li>
* <li>Understanding algorithm compatibility</li>
* </ul>
*
* <h3>NIST Security Levels:</h3>
* <ul>
* <li><strong>Level 1:</strong> 128-bit (X25519+ML-KEM-512)</li>
* <li><strong>Level 3:</strong> 192-bit (X25519+ML-KEM-768, P-384+ML-KEM-768)</li>
* <li><strong>Level 5:</strong> 256-bit (P-384+ML-KEM-1024)</li>
* </ul>
*
* @author ANKATech Solutions Inc.
* @since 3.0.0
*/
public final class ExampleScenario31 {
private ExampleScenario31() { }
public static void main(String[] args) {
try {
System.out.println("=================================================================");
System.out.println(" SCENARIO 31: Security Level Matching");
System.out.println("=================================================================\n");
java.util.Properties props = loadProperties();
AuthenticatedSdk sdk = authenticate(props);
demonstrateLevel1HybridKey(sdk);
demonstrateLevel3HybridKey(sdk);
demonstrateLevel5HybridKey(sdk);
System.out.println("\n=================================================================");
System.out.println(" ALL SECURITY LEVELS DEMONSTRATED SUCCESSFULLY");
System.out.println("=================================================================");
} catch (Exception e) {
fatal("Scenario 31 failed", e);
}
}
/**
* Creates a Level 1 (128-bit) hybrid key by querying the algorithm catalog.
*/
private static void demonstrateLevel1HybridKey(AuthenticatedSdk sdk) throws Exception {
System.out.println("[1/3] LEVEL 1 (128-BIT SECURITY)");
System.out.println(" Querying algorithm catalog for Level 1 hybrid algorithms...\n");
// Find hybrid algorithms at Level 1
AlgorithmFilter filter = AlgorithmFilter.builder()
.withCategory(AlgorithmInfo.Category.HYBRID)
.withMinSecurityLevel(1)
.withMaxSecurityLevel(1)
.withKeyOps("encrypt", "decrypt")
.withStatus(AlgorithmInfo.Status.RECOMMENDED)
.build();
List<AlgorithmInfo> level1Hybrids = sdk.getSupportedAlgorithms(filter);
if (level1Hybrids.isEmpty()) {
System.out.println(" ⚠ No Level 1 hybrid algorithms available");
return;
}
// Select first recommended algorithm
AlgorithmInfo selected = level1Hybrids.get(0);
System.out.println(" Found: " + level1Hybrids.size() + " hybrid algorithm(s)");
System.out.println(" Selected: " + selected.getAlg());
System.out.println(" Key Type: " + selected.getKty());
System.out.println(" Security Level: " + selected.getSecurityLevel());
// Create key with selected algorithm
KeyRequest request = new KeyRequest()
.kid("level1_hybrid_" + System.currentTimeMillis())
.kty(selected.getKty())
.alg(selected.getAlg())
.kdf("HKDF-SHA256");
KeyMetadata metadata = sdk.generateKey(request);
System.out.println("\n ✅ Generated: " + metadata.getKid());
System.out.println(" Algorithm: " + metadata.getAlg());
System.out.println(" KDF: " + metadata.getKdf() + "\n");
}
/**
* Creates a Level 3 (192-bit) hybrid key.
*/
private static void demonstrateLevel3HybridKey(AuthenticatedSdk sdk) throws Exception {
System.out.println("[2/3] LEVEL 3 (192-BIT SECURITY)");
System.out.println(" Querying algorithm catalog for Level 3 hybrid algorithms...\n");
AlgorithmFilter filter = AlgorithmFilter.builder()
.withCategory(AlgorithmInfo.Category.HYBRID)
.withMinSecurityLevel(3)
.withMaxSecurityLevel(3)
.withKeyOps("encrypt", "decrypt")
.withStatus(AlgorithmInfo.Status.RECOMMENDED)
.build();
List<AlgorithmInfo> level3Hybrids = sdk.getSupportedAlgorithms(filter);
if (level3Hybrids.isEmpty()) {
System.out.println(" ⚠ No Level 3 hybrid algorithms available");
return;
}
AlgorithmInfo selected = level3Hybrids.get(0);
System.out.println(" Found: " + level3Hybrids.size() + " hybrid algorithm(s)");
System.out.println(" Selected: " + selected.getAlg());
System.out.println(" Security Level: " + selected.getSecurityLevel());
KeyRequest request = new KeyRequest()
.kid("level3_hybrid_" + System.currentTimeMillis())
.kty(selected.getKty())
.alg(selected.getAlg())
.kdf("HKDF-SHA256");
KeyMetadata metadata = sdk.generateKey(request);
System.out.println("\n ✅ Generated: " + metadata.getKid());
System.out.println(" Algorithm: " + metadata.getAlg() + "\n");
}
/**
* Creates a Level 5 (256-bit) hybrid key.
*/
private static void demonstrateLevel5HybridKey(AuthenticatedSdk sdk) throws Exception {
System.out.println("[3/3] LEVEL 5 (256-BIT SECURITY)");
System.out.println(" Querying algorithm catalog for Level 5 hybrid algorithms...\n");
AlgorithmFilter filter = AlgorithmFilter.builder()
.withCategory(AlgorithmInfo.Category.HYBRID)
.withMinSecurityLevel(5)
.withMaxSecurityLevel(5)
.withKeyOps("encrypt", "decrypt")
.withStatus(AlgorithmInfo.Status.RECOMMENDED)
.build();
List<AlgorithmInfo> level5Hybrids = sdk.getSupportedAlgorithms(filter);
if (level5Hybrids.isEmpty()) {
System.out.println(" ⚠ No Level 5 hybrid algorithms available");
return;
}
AlgorithmInfo selected = level5Hybrids.get(0);
System.out.println(" Found: " + level5Hybrids.size() + " hybrid algorithm(s)");
System.out.println(" Selected: " + selected.getAlg());
System.out.println(" Security Level: " + selected.getSecurityLevel());
KeyRequest request = new KeyRequest()
.kid("level5_hybrid_" + System.currentTimeMillis())
.kty(selected.getKty())
.alg(selected.getAlg())
.kdf("HKDF-SHA512"); // Stronger KDF for Level 5
KeyMetadata metadata = sdk.generateKey(request);
System.out.println("\n ✅ Generated: " + metadata.getKid());
System.out.println(" Algorithm: " + metadata.getAlg() + "\n");
}
}
Running the example
Expected output
=================================================================
SCENARIO 31: Security Level Matching
=================================================================
[1/3] VALID: Level 3 Matching (RECOMMENDED)
Use Case: Standard production (95% of deployments)
Configuration:
- Classical: X25519 (Level 3 - 192-bit)
- PQC: ML-KEM-768 (Level 3 - 192-bit)
- Security Match: ✅ BOTH Level 3
- Performance: ⚡⚡⚡ Excellent
- Compliance: ✅ BSI, ANSSI, ETSI, NIST
✅ Level 3 key generated: level3_auto_1735425600000
Status: ACTIVE
[2/3] VALID: Level 5 Matching (HIGH SECURITY)
Use Case: Government, defense, classified data
Configuration:
- Classical: RSA-4096 (Level 5 - 256-bit)
- PQC: ML-KEM-1024 (Level 5 - 256-bit)
- Security Match: ✅ BOTH Level 5
- KDF: HKDF-SHA512 (auto-selected for Level 5)
- Performance: ⚠️ Slower (acceptable for high-security)
- Use Case: Top Secret / TS-SCI data
✅ Level 5 key generated: level5_classified_1735425600100
Status: ACTIVE
[3/3] INVALID: Security Level Mismatch (DETECTED)
Demonstrating client-side validation error
Configuration (INVALID):
- Classical: RSA-2048 (Level 1 - 128-bit)
- PQC: ML-KEM-1024 (Level 5 - 256-bit)
- Security Match: ❌ MISMATCH (1 != 5, diff = 4)
- Allowed: ±2 levels difference (per NIST SP 800-227)
✅ Validation correctly detected mismatch:
Error: [Security level mismatch detected]
Reason: NIST SP 800-227 allows up to ±2 security level
difference, but this example has 4 levels difference (1 vs 5),
which would create an unacceptable weak point in the hybrid key.
=================================================================
SECURITY LEVEL MATCHING DEMONSTRATED SUCCESSFULLY
=================================================================
Where next?
© 2025 ANKATech Solutions INC. All rights reserved.