Master Encryption Key
This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked ''(NSA)''. For classification of keys according to their usage see cryptographic key types.

* 40-bit key - key with a length of 40 bits, once the upper limit of what could be exported from the U.S. and other countries without a license. Considered very insecure. ''See'' key size for a discussion of this and other lengths.
* authentication key - key used in a keyed-hash message authentication code, or HMAC.
* benign key - (NSA) a key that has been protected by encryption or other means so that it can be distributed without fear of its being stolen. Also called BLACK key.
* content-encryption key (CEK) - a key that may be further encrypted using a KEK, where the content may be a message, audio, image, video, executable code, etc.
* crypto ignition key - an NSA key storage device (KSD-64) shaped to look like an ordinary physical key.
* cryptovariable - NSA calls the output of a stream cipher a key or key stream. It often uses the term cryptovariable for the bits that control the stream cipher, which the public cryptographic community calls a key.
* data encryption key (DEK) - used to encrypt the underlying data.
* derived key - keys computed by applying a predetermined hash algorithm or key derivation function to a password or, better, a passphrase.
* DRM key - a key used in Digital Rights Management to protect media.
* electronic key - (NSA) key that is distributed in electronic (as opposed to paper) form. ''See'' EKMS.
* ephemeral key - a key that only exists within the lifetime of a communication session.
* expired key - key that was issued for use in a limited time frame (cryptoperiod in NSA parlance) which has passed and, hence, the key is no longer valid.
* FIREFLY key - (NSA) keys used in an NSA system based on public key cryptography.
* key derivation function (KDF) - function used to derive a key from a secret value, e.g. to derive a KEK from a Diffie-Hellman key exchange.
* key encryption key (KEK) - key used to protect MEK keys (or DEK/TEK if MEK is not used).
* key production key (KPK) - key used to initialize a keystream generator for the production of other electronically generated keys.
* key fill - (NSA) loading keys into a cryptographic device. ''See'' fill device.
* master key - key from which all other keys (or a large group of keys) can be derived. Analogous to a physical key that can open all the doors in a building.
* master encryption key (MEK) - used to encrypt the DEK/TEK key.
* master key encryption key (MKEK) - used to encrypt multiple KEK keys. For example, an HSM can generate several KEKs and wrap them with an MKEK before export to an external database, such as OpenStack Barbican.
* one time pad (OTP or OTPad) - keying material that should be as long as the plaintext and should only be used once. If truly random and never reused, it is the most secure encryption method. ''See'' the one-time pad article.
* one time password (OTP) - a one-time password based on a prebuilt single-use code list, or on a mathematical formula with a secret seed known to both parties that uses an event counter or the time to modify its output (see TOTP/HOTP).
* paper key - (NSA) keys that are distributed in paper form, such as printed lists of settings for rotor machines, or keys in punched card or paper tape formats. Paper keys are easily copied. ''See'' Walker spy ring, ''RED key''.
* poem key - keys used by OSS agents in World War II in the form of a poem that was easy to remember. ''See'' Leo Marks.
* public/private key - in public key cryptography, separate keys are used to encrypt and decrypt a message. The encryption key (public key) need not be kept secret and can be published. The decryption or private key must be kept secret to maintain confidentiality. Public keys are often distributed in a signed public key certificate.
* pre-placed key - (NSA) large numbers of keys (perhaps a year's supply) that are loaded into an encryption device, allowing frequent key change without refill.
* RED key - (NSA) symmetric key in a format that can be easily copied, e.g. ''paper key'' or unencrypted ''electronic key''. Opposite of ''BLACK'' or ''benign key''.
* revoked key - a public key that should no longer be used, typically because its owner is no longer in the role for which it was issued or because it may have been compromised. Such keys are placed on a certificate revocation list, or CRL.
* session key - key used for one message or an entire communications session. ''See traffic encryption key.''
* symmetric key - a key that is used both to encrypt and decrypt a message. Symmetric keys are typically used with a cipher and must be kept secret to maintain confidentiality.
* traffic encryption key (TEK)/data encryption key (DEK) - a symmetric key that is used to encrypt messages. TEKs are typically changed frequently, in some systems daily and in others for every message. ''See session key.'' DEK is used for any form of data (in communication payloads or anywhere else).
* transmission security key (TSK) - (NSA) seed for a pseudorandom number generator that is used to control a radio in frequency hopping or direct-sequence spread spectrum modes. ''See'' HAVE QUICK, SINCGARS, electronic warfare.
* seed key - (NSA) a key used to initialize a cryptographic device so it can accept operational keys using benign transfer techniques. Also a key used to initialize a pseudorandom number generator to generate other keys.
* signature key - public key cryptography can also be used to electronically sign messages. The private key is used to create the electronic signature; the public key is used to verify the signature. Separate public/private key pairs must be used for signing and encryption; the former are called signature keys.
* stream key - the output of a stream cipher, as opposed to the key (or ''cryptovariable'' in NSA parlance) that controls the cipher.
* training key - (NSA) unclassified key used for instruction and practice exercises.
* Type 1 key - (NSA) keys used to protect classified information. ''See'' Type 1 product.
* Type 2 key - (NSA) keys used to protect sensitive but unclassified (SBU) information. ''See'' Type 2 product.
* Vernam key - type of key invented by Gilbert Vernam in 1918. ''See stream key''.
* zeroized key - key that has been erased (see zeroisation).
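As an added example that is not part of this glossary, the Python sketch below ties several entries together: a master key feeds a key derivation function (HKDF from RFC 5869, built here from the standard library's hmac module) that yields purpose-bound derived keys (a KEK, a DEK and an authentication key); a passphrase yields a derived key via PBKDF2; and the authentication key is then used as an HMAC key. The purpose labels, salt and sample message are constructed for illustration.

```python
import hashlib
import hmac
import os

HASH = "sha256"
HASH_LEN = 32

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input keying material into a PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` bytes bound to `info`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key_hierarchy(master_key: bytes, salt: bytes) -> dict:
    """Derive purpose-bound subkeys (KEK, DEK, authentication key) from one master key.
    Each label goes into the HKDF info field, so the subkeys are independent of one
    another and the master key itself never touches data. Labels are constructed."""
    prk = hkdf_extract(salt, master_key)
    labels = {"kek": b"key-encryption-key",
              "dek": b"data-encryption-key",
              "auth": b"authentication-key"}
    return {name: hkdf_expand(prk, label, 32) for name, label in labels.items()}

def derive_from_passphrase(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derived key: PBKDF2-HMAC-SHA256 makes guessing the passphrase slow."""
    return hashlib.pbkdf2_hmac(HASH, passphrase.encode(), salt, iterations, dklen=32)

def authenticate(auth_key: bytes, message: bytes) -> bytes:
    """Authentication key in use: an HMAC tag over the message."""
    return hmac.new(auth_key, message, HASH).digest()

def verify(auth_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so tag checks do not leak timing information."""
    return hmac.compare_digest(authenticate(auth_key, message), tag)

if __name__ == "__main__":
    master, salt = os.urandom(32), os.urandom(16)   # fresh random keying material
    keys = derive_key_hierarchy(master, salt)
    assert len({keys["kek"], keys["dek"], keys["auth"]}) == 3  # one key per purpose
    msg = b"constructed session payload"
    tag = authenticate(keys["auth"], msg)
    print("tag verifies:", verify(keys["auth"], msg, tag))
    print("tampered message verifies:", verify(keys["auth"], msg + b"!", tag))
```

A real deployment would keep the master key in an HSM or key management service and wrap the DEK under the KEK rather than handing the raw subkeys to application code.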


See also

* Specific encryption systems and ciphers have key types associated with them, e.g. PGP key, DES key, AES key, RC4 key, BATON key, Kerberos key, etc.
* Cryptographic algorithms
* Cryptographic protocols

