Glossary of cryptographic keys

Last updated October 19, 2023

This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked (NSA). For classification of keys according to their usage see cryptographic key types.

40-bit key - key with a length of 40 bits, once the upper limit of what could be exported from the U.S. and other countries without a license. Considered very insecure. See key size for a discussion of this and other lengths.
authentication key - Key used in a keyed-hash message authentication code, or HMAC.
benign key - (NSA) a key that has been protected by encryption or other means so that it can be distributed without fear of its being stolen. Also called BLACK key.
content-encryption key (CEK) a key that may be further encrypted using a KEK, where the content may be a message, audio, image, video, executable code, etc.
crypto ignition key An NSA key storage device (KSD-64) shaped to look like an ordinary physical key.
cryptovariable - NSA calls the output of a stream cipher a key or key stream. It often uses the term cryptovariable for the bits that control the stream cipher, what the public cryptographic community calls a key.
data encryption key (DEK) used to encrypt the underlying data.
derived key - keys computed by applying a predetermined hash algorithm or key derivation function to a password or, better, a passphrase.
DRM key - A key used in Digital Rights Management to protect media
electronic key - (NSA) key that is distributed in electronic (as opposed to paper) form. See EKMS.
ephemeral key - A key that only exists within the lifetime of a communication session.
expired key - Key that was issued for a use in a limited time frame (cryptoperiod in NSA parlance) which has passed and, hence, the key is no longer valid.
FIREFLY key - (NSA) keys used in an NSA system based on public key cryptography.
Key derivation function (KDF) - function used to derive a key from a secret value, e.g. to derive KEK from Diffie-Hellman key exchange.^{[ citation needed ]}
key encryption key (KEK) - key used to protect MEK keys (or DEK/TEK if MEK is not used).
key production key (KPK) -Key used to initialize a keystream generator for the production of other electronically generated keys.
key fill - (NSA) loading keys into a cryptographic device. See fill device.
master key - key from which all other keys (or a large group of keys) can be derived. Analogous to a physical key that can open all the doors in a building.
master encryption key (MEK) - Used to encrypt the DEK/TEK key.
master key encryption key (MKEK) - Used to encrypt multiple KEK keys. For example, an HSM can generate several KEK and wrap them with an MKEK before export to an external DB - such as OpenStack Barbican.^[1]

one time pad (OTP or OTPad) - keying material that should be as long as the plaintext and should only be used once. If truly random and not reused it's the most secure encryption method. See one-time pad article.
one time password (OTP) - One time password based on a prebuilt single use code list or based on a mathematical formula with a secret seed known to both parties, uses event or time to modify output (see TOTP/HOTP).
paper key - (NSA) keys that are distributed in paper form, such as printed lists of settings for rotor machines, or keys in punched card or paper tape formats. Paper keys are easily copied. See Walker spy ring, RED key.
poem key - Keys used by OSS agents in World War II in the form of a poem that was easy to remember. See Leo Marks.
public/private key - in public key cryptography, separate keys are used to encrypt and decrypt a message. The encryption key (public key) need not be kept secret and can be published. The decryption or private key must be kept secret to maintain confidentiality. Public keys are often distributed in a signed public key certificate.
public key infrastructure - (PKI) a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
pre-placed key - (NSA) large numbers of keys (perhaps a year's supply) that are loaded into an encryption device allowing frequent key change without refill.
RED key - (NSA) symmetric key in a format that can be easily copied, e.g. paper key or unencrypted electronic key. Opposite of BLACK or benign key.
revoked key - a public key that should no longer be used, typically because its owner is no longer in the role for which it was issued or because it may have been compromised. Such keys are placed on a certificate revocation list or CRL.
session key - key used for one message or an entire communications session. See traffic encryption key.
symmetric key - a key that is used both to encrypt and decrypt a message. Symmetric keys are typically used with a cipher and must be kept secret to maintain confidentiality.
traffic encryption key (TEK)/data encryption key (DEK) - a symmetric key that is used to encrypt messages. TEKs are typically changed frequently, in some systems daily and in others for every message. See session key. DEK is used to specify any data form type (in communication payloads or anywhere else).
transmission security key (TSK) - (NSA) seed for a pseudorandom number generator that is used to control a radio in frequency hopping or direct-sequence spread spectrum modes. See HAVE QUICK, SINCGARS, electronic warfare.
seed key - (NSA) a key used to initialize a cryptographic device so it can accept operational keys using benign transfer techniques. Also a key used to initialize a pseudorandom number generator to generate other keys.
signature key - public key cryptography can also be used to electronically sign messages. The private key is used to create the electronic signature, the public key is used to verify the signature. Separate public/private key pairs must be used for signing and encryption. The former is called signature keys.
stream key - the output of a stream cipher as opposed to the key (or cryptovariable in NSA parlance) that controls the cipher
training key - (NSA) unclassified key used for instruction and practice exercises.
Type 1 key - (NSA) keys used to protect classified information. See Type 1 product.
Type 2 key - (NSA) keys used to protect sensitive but unclassified (SBU) information. See Type 2 product.
Vernam key - Type of key invented by Gilbert Vernam in 1918. See stream key.
zeroized key - key that has been erased (see zeroisation.)

Related Research Articles

In cryptography, a cipher is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, "cipher" is synonymous with "code", as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.

In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients.

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

<span class="mw-page-title-main">Brute-force attack</span> Cryptanalytic method for unauthorized users to access data

In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search.

A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is content encryption key (CEK), traffic encryption key (TEK), or multicast key which refers to any key used for encrypting messages, contrary to other uses like encrypting other keys.

Articles related to cryptography include:

Cryptography, the use of codes and ciphers to protect secrets, began thousands of years ago. Until recent decades, it has been the story of what might be called classical cryptography — that is, of methods of encryption that use pen and paper, or perhaps simple mechanical aids. In the early 20th century, the invention of complex mechanical and electromechanical machines, such as the Enigma rotor machine, provided more sophisticated and efficient means of encryption; and the subsequent introduction of electronics and computing has allowed elaborate schemes of still greater complexity, most of which are entirely unsuited to pen and paper.

In cryptography, a ciphertext-only attack (COA) or known ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. While the attacker has no channel providing access to the plaintext prior to encryption, in all practical ciphertext-only attacks, the attacker still has some knowledge of the plaintext. For instance, the attacker might know the language in which the plaintext is written or the expected statistical distribution of characters in the plaintext. Standard protocol data and messages are commonly part of the plaintext in many deployed systems, and can usually be guessed or known efficiently as part of a ciphertext-only attack on these systems.

Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

CipherSaber is a simple symmetric encryption protocol based on the RC4 stream cipher. Its goals are both technical and political: it gives reasonably strong protection of message confidentiality, yet it's designed to be simple enough that even novice programmers can memorize the algorithm and implement it from scratch. According to the designer, a CipherSaber version in the QBASIC programming language takes just sixteen lines of code. Its political aspect is that because it's so simple, it can be reimplemented anywhere at any time, and so it provides a way for users to communicate privately even if government or other controls make distribution of normal cryptographic software completely impossible.

The National Security Agency took over responsibility for all U.S. Government encryption systems when it was formed in 1952. The technical details of most NSA-approved systems are still classified, but much more about its early systems have become known and its most modern systems share at least some features with commercial products.

Multiple encryption is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm. It is also known as cascade encryption, cascade ciphering, multiple encryption, and superencipherment. Superencryption refers to the outer-level encryption of a multiple encryption.

Encryption software is software that uses cryptography to prevent unauthorized access to digital information. Cryptography is used to protect digital information on computers as well as the digital information that is sent to other computers over the Internet.

<span class="mw-page-title-main">Fill device</span> Module used to load cryptographic keys into encryption machines

A fill device or key loader is a module used to load cryptographic keys into electronic encryption machines. Fill devices are usually hand held and electronic ones are battery operated.

In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely. However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. This is addressed by hybrid systems by using a combination of both.

<span class="mw-page-title-main">Cryptography</span> Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

The following outline is provided as an overview of and topical guide to cryptography:

References

↑ "Chapter 5. Barbican Hardware Security Module (HSM) Integration Red Hat OpenStack Platform 15".

Schneier, Bruce. Applied Cryptography, Second Edition, John Wiley & Sons, 1996. ISBN 0-471-11709-9
National Information Assurance (IA) Glossary, Committee on National Security Systems, CNSS Instruction No. 4009, 2010.
Link 16 Joint Key Management Plan, CJCSM 6520.01A, 2011

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Openstack_-_Barbican_HSM_integration-1] "Chapter 5. Barbican Hardware Security Module (HSM) Integration Red Hat OpenStack Platform 15".

[1]

Glossary of cryptographic keys

See also

Related Research Articles

References