Glossary Of Cryptographic Keys

This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked ''(NSA)''. For classification of keys according to their usage see cryptographic key types.

* 40-bit key - key with a length of 40 bits, once the upper limit of what could be exported from the U.S. and other countries without a license. Considered very insecure: the entire keyspace can be searched by brute force on commodity hardware. ''See'' key size for a discussion of this and other lengths.
* Authentication key - key used in a keyed-hash message authentication code, or HMAC, to compute and verify message authentication tags. It should be a different key from any used for encryption.
* Benign key - (NSA) a key that has been protected by encryption or other means so that it can be distributed without fear of its being stolen. Also called BLACK key.
* Content-encryption key (CEK) - a key that encrypts the content itself (a message, audio, image, video, executable code, etc.) and may in turn be encrypted under a KEK.
* Crypto ignition key - (NSA) a key storage device (KSD-64) shaped to look like an ordinary physical key.
* Cryptovariable - (NSA) the secret bits that control a cipher, what the open cryptographic community calls a key. NSA usage tends to reserve the words key or key stream for the output of a stream cipher; ''see'' stream key.
* Data encryption key (DEK) - key used to encrypt the underlying data. ''See'' traffic encryption key.
* Derived key - key computed by applying a predetermined hash algorithm or key derivation function to a password or, better, a passphrase, together with a salt. Because such input has low entropy, the derivation should be deliberately slow so that each guess costs the attacker real work.
* DRM key - key used in digital rights management to protect media.
* Electronic key - (NSA) key that is distributed in electronic (as opposed to paper) form. ''See'' EKMS.
* Ephemeral key - key that exists only for the lifetime of a communication session (or of a single key-establishment run) and is discarded afterwards, so that its later compromise cannot expose that session.
* Expired key - key that was issued for use in a limited time frame (its cryptoperiod, in NSA parlance) which has passed, so the key is no longer valid.
* FIREFLY key - (NSA) key used in an NSA key-exchange system based on public key cryptography.
* Key derivation function (KDF) - function used to derive one or more keys from a secret value, e.g. to derive a KEK from the shared secret of a Diffie-Hellman key exchange.
* Key encryption key (KEK) - key used to protect other keys (DEKs/TEKs, or a MEK where one is used) by encrypting them, so that the protected keys can be stored or transmitted in wrapped form.
* Key fill - (NSA) loading keys into a cryptographic device. ''See'' fill device.
* Key production key (KPK) - key used to initialize a keystream generator for the production of other electronically generated keys.
* Master key - key from which all other keys (or a large group of keys) can be derived. Analogous to a physical key that can open all the doors in a building; compromising it compromises every key derived from it.
* Master encryption key (MEK) - key used to encrypt the DEK/TEK.
* Master key encryption key (MKEK) - key used to encrypt multiple KEKs. For example, an HSM can generate several KEKs and wrap them with an MKEK before exporting them to an external database, as in OpenStack Barbican.
* One time pad (OTP or OTPad) - keying material that must be at least as long as the plaintext and must be used only once. If truly random, kept secret and never reused, it provides perfect secrecy; reusing a pad for two messages leaks the XOR of the two plaintexts. ''See'' the one-time pad article.
* One time password (OTP) - password valid for a single use, taken from a prebuilt single-use code list or computed from a secret seed shared by both parties together with an event counter or the current time (''see'' HOTP/TOTP).
* Paper key - (NSA) key distributed in paper form, such as printed lists of settings for rotor machines, or keys in punched card or paper tape formats. Paper keys are easily copied. ''See'' Walker spy ring, ''RED key''.
* Poem key - key used by Allied agents (OSS and SOE) in World War II in the form of a poem that was easy to remember. ''See'' Leo Marks.
* Public/private key - in public key cryptography, separate keys are used to encrypt and decrypt a message. The encryption key (public key) need not be kept secret and can be published. The decryption key (private key) must be kept secret to maintain confidentiality. Public keys are often distributed in a signed public key certificate.
* Public key infrastructure (PKI) - a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
* Pre-placed key - (NSA) large numbers of keys (perhaps a year's supply) that are loaded into an encryption device, allowing frequent key change without refill.
* RED key - (NSA) symmetric key in a format that can be easily copied, e.g. ''paper key'' or unencrypted ''electronic key''. Opposite of ''BLACK'' or ''benign key''.
* Revoked key - a public key that should no longer be used, typically because its owner is no longer in the role for which it was issued or because the corresponding private key may have been compromised. The key's certificate is placed on a certificate revocation list (CRL) so that relying parties can check it before trusting the key.
* Seed key - (NSA) a key used to initialize a cryptographic device so it can accept operational keys using benign transfer techniques. Also a key used to initialize a pseudorandom number generator to generate other keys.
* Session key - key used for one message or an entire communications session. ''See'' traffic encryption key.
* Signature key - public key cryptography can also be used to electronically sign messages. The private key is used to create the electronic signature and the public key is used to verify it. Separate key pairs should be used for signing and for encryption; the pair used for signing is called the signature key.
* Stream key - the output of a stream cipher (the keystream), as opposed to the key (or ''cryptovariable'' in NSA parlance) that controls the cipher.
* Symmetric key - a key that is used both to encrypt and decrypt a message. Symmetric keys are typically used with a cipher and must be kept secret to maintain confidentiality.
* Traffic encryption key (TEK) / data encryption key (DEK) - a symmetric key that is used to encrypt messages. TEKs are typically changed frequently, in some systems daily and in others for every message. ''See'' session key. DEK is the more general term for a key that encrypts data of any form, in communication payloads or anywhere else.
* Training key - (NSA) unclassified key used for instruction and practice exercises.
* Transmission security key (TSK) - (NSA) seed for a pseudorandom number generator that is used to control a radio in frequency hopping or direct-sequence spread spectrum modes. ''See'' HAVE QUICK, SINCGARS, electronic warfare.
* Type 1 key - (NSA) key used to protect classified information. ''See'' Type 1 product.
* Type 2 key - (NSA) key used to protect sensitive but unclassified (SBU) information. ''See'' Type 2 product.
* Vernam key - type of key invented by Gilbert Vernam in 1918 for his additive stream cipher. ''See'' stream key.
* Zeroized key - key that has been erased (''see'' zeroisation).
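
The entries for ''derived key'', ''key derivation function'' and ''authentication key'' above, shown in working code. This is an added example, not part of the original glossary, and uses only the Python standard library: PBKDF2-HMAC-SHA256 for a passphrase-derived key, HKDF (RFC 5869) to split a shared secret into an encryption key and an authentication key, and HMAC with constant-time verification for the authentication key. The passphrase, salt and shared-secret values are constructed for the demonstration.

```python
"""Derived keys, key derivation functions and authentication keys.

Added example (not part of the original glossary), Python standard library
only. It shows three glossary entries in working code:
  * Derived key: PBKDF2-HMAC-SHA256 turning a passphrase plus salt into a key.
  * Key derivation function: HKDF (RFC 5869) turning a shared secret, such as
    the output of a Diffie-Hellman exchange, into separate encryption and
    authentication keys (key separation).
  * Authentication key: HMAC tag creation and constant-time verification.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size  # 32 bytes for SHA-256


def derive_key_from_passphrase(passphrase: str, salt: bytes,
                               iterations: int = 600_000) -> bytes:
    """Derived key. The salt defeats precomputed tables; the iteration count
    makes every guess cost the attacker `iterations` HMAC computations."""
    if len(salt) < 16:
        raise ValueError("use at least 16 random bytes of salt")
    return hashlib.pbkdf2_hmac(HASH, passphrase.encode("utf-8"), salt,
                               iterations, dklen=HASH_LEN)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM). RFC 5869 substitutes HashLen zero
    bytes when no salt is supplied."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), OKM = T(1) || T(2) ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF cannot produce more than 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(shared_secret: bytes, salt: bytes,
                        context: bytes) -> Tuple[bytes, bytes]:
    """Key separation: one KDF run yields an encryption key and an
    authentication key. `context` binds the keys to this protocol run, so the
    same shared secret never yields the same keys for two purposes."""
    prk = hkdf_extract(salt, shared_secret)
    okm = hkdf_expand(prk, context, 2 * HASH_LEN)
    return okm[:HASH_LEN], okm[HASH_LEN:]


def authenticate(auth_key: bytes, message: bytes) -> bytes:
    """Authentication key in use: tag = HMAC(auth_key, message)."""
    return hmac.new(auth_key, message, HASH).digest()


def verify(auth_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison; a plain == would leak tag bytes via timing."""
    return hmac.compare_digest(authenticate(auth_key, message), tag)


if __name__ == "__main__":
    # Constructed inputs standing in for a DH output and a user's passphrase.
    shared_secret = secrets.token_bytes(32)
    enc_key, auth_key = derive_session_keys(shared_secret, secrets.token_bytes(16), b"demo v1")
    tag = authenticate(auth_key, b"hello")
    print(verify(auth_key, b"hello", tag), verify(auth_key, b"hellp", tag))
    print(derive_key_from_passphrase("correct horse battery staple", secrets.token_bytes(16)).hex())
```

The HKDF functions reproduce the RFC 5869 test vectors exactly, which is the check to run against any KDF you write yourself; the PBKDF2 iteration count is a starting point to be tuned upward as hardware gets faster.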

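The KEK / MEK / MKEK / DEK entries describe a key hierarchy; the following added example (not part of the original glossary) shows how the layers fit together in code. Real deployments wrap keys with AES-GCM or AES Key Wrap inside an HSM; because the Python standard library has no AES, the `seal`/`open_` pair below is a stand-in authenticated cipher built from an HMAC-SHA256 keystream and an HMAC tag (encrypt-then-MAC). The `Hsm` class, the tenant labels and the object data are constructed for the demonstration. The point is the structure: the MKEK never leaves the HSM, each KEK is stored wrapped under the MKEK, each DEK is stored wrapped under a KEK beside the data it encrypts, and rotating a KEK re-wraps the small DEK without touching the bulk ciphertext.

```python
"""Key hierarchy: MKEK -> KEK -> DEK, with key wrapping and KEK rotation.

Added example (not part of the original glossary), Python standard library
only. `seal`/`open_` is a stand-in for AES-GCM / AES Key Wrap: an
HMAC-SHA256 keystream XORed with the data, then an HMAC tag (encrypt-then-MAC).
"""
import hmac
import secrets
from typing import Tuple

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Key separation inside the cipher: one subkey drives the keystream, another the tag."""
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """The stream key (NSA: key stream), generated from the key controlling the cipher."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        i += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Output: nonce || ciphertext || tag. `aad` is
    authenticated but not encrypted; it binds the blob to its context."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before decrypting; tampering, a wrong key or wrong aad fails here."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Hsm:
    """Holds the MKEK. Only wrapped KEKs ever cross this boundary (constructed stand-in)."""

    def __init__(self) -> None:
        self._mkek = secrets.token_bytes(KEY_LEN)

    def new_wrapped_kek(self, tenant: bytes) -> bytes:
        """Generate a KEK and return it wrapped under the MKEK, bound to one tenant."""
        return seal(self._mkek, secrets.token_bytes(KEY_LEN), aad=tenant)

    def unwrap_kek(self, tenant: bytes, wrapped_kek: bytes) -> bytes:
        """Fails if the wrapped KEK is presented under a different tenant label."""
        return open_(self._mkek, wrapped_kek, aad=tenant)


def encrypt_object(kek: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Fresh DEK per object. Returns (wrapped DEK, ciphertext); store them together."""
    dek = secrets.token_bytes(KEY_LEN)
    return seal(kek, dek, aad=b"dek"), seal(dek, plaintext)


def decrypt_object(kek: bytes, wrapped_dek: bytes, blob: bytes) -> bytes:
    """Unwrap the DEK with the KEK, then decrypt the object with the DEK."""
    return open_(open_(kek, wrapped_dek, aad=b"dek"), blob)


def rotate_kek(old_kek: bytes, new_kek: bytes, wrapped_dek: bytes) -> bytes:
    """KEK rotation: re-wrap the 32-byte DEK; the object ciphertext is untouched."""
    return seal(new_kek, open_(old_kek, wrapped_dek, aad=b"dek"), aad=b"dek")
```

Usage follows the hierarchy top-down: `hsm.new_wrapped_kek(tenant)` goes to the key database, `hsm.unwrap_kek(...)` is called only when an object is read or written, and `encrypt_object`/`decrypt_object` handle the per-object DEK. After `rotate_kek`, the old KEK can be revoked and zeroized without re-encrypting any data.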

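The ''one time pad'' entry above, as an added example that is not part of the original glossary (Python standard library only). `PadBook` hands out pad bytes exactly once and zeroizes them; encryption is plain XOR. `two_time_pad_leak` shows the failure mode the entry warns about: with the same pad used for two messages, XORing the ciphertexts cancels the pad and leaves the XOR of the plaintexts, and any known fragment of one message (a crib) then reveals the other. The messages and pad lengths are constructed for the demonstration.

```python
"""One-time pad: correct use, and what goes wrong when a pad is reused.

Added example (not part of the original glossary), Python standard library only.
"""
import secrets


class PadBook:
    """Pre-shared random pad; each byte can be taken exactly once."""

    def __init__(self, pad: bytes) -> None:
        self._pad = bytearray(pad)
        self._used = 0

    def take(self, n: int) -> bytes:
        """Return the next n pad bytes and destroy them so they cannot be reused."""
        if self._used + n > len(self._pad):
            raise ValueError("pad exhausted: share a new pad, never reuse or stretch this one")
        chunk = bytes(self._pad[self._used:self._used + n])
        self._pad[self._used:self._used + n] = bytes(n)   # zeroize consumed material
        self._used += n
        return chunk

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._used


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """Keying material must be at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than plaintext")
    return xor_bytes(pad[:len(plaintext)], plaintext)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2: the pad cancels out."""
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n])


def recover_with_crib(p1_xor_p2: bytes, crib: bytes) -> bytes:
    """A known fragment of one message reveals the same span of the other."""
    return xor_bytes(p1_xor_p2[:len(crib)], crib)


def new_pad(length: int) -> bytes:
    """Pad bytes must come from a CSPRNG; a seeded PRNG reduces the pad to its seed."""
    return secrets.token_bytes(length)
```

A real deployment adds the problem the code cannot solve: both parties must hold identical pads and agree on which bytes have been consumed, which is why pads are shared in advance and out of band.
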
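The ''one time password'' entry mentions HOTP and TOTP; the following added example (not part of the original glossary, Python standard library only) implements both per RFC 4226 and RFC 6238 and the server-side check that makes each code one-time. The shared seed `12345678901234567890` is the RFC test-vector secret; the look-ahead and clock-skew windows are illustrative choices.

```python
"""One-time passwords: HOTP (RFC 4226) and TOTP (RFC 6238).

Added example (not part of the original glossary), Python standard library
only. Both parties share a secret seed; HOTP derives a short code from an
event counter, TOTP from the current time step. The verifier accepts a code
only inside a small window and never for a counter it has already accepted.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP = Truncate(HMAC(secret, counter)) mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by the number of time steps since t0."""
    now = time.time() if at is None else at
    return hotp(secret, int((now - t0) // step), digits, digestmod)


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 10) -> Optional[int]:
    """Server side. Returns the counter that matched (persist it as the new
    last_counter) or None. Counters <= last_counter are never retried, so a
    captured code cannot be replayed."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, skew: int = 1, digits: int = 6) -> bool:
    """Accept the current step and `skew` steps either side to tolerate clock drift."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, now + d * step, step=step, digits=digits), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 4226 / 6238 test-vector secret
    print([hotp(seed, c) for c in range(3)])  # 755224, 287082, 359152
    print(totp(seed))
```

Production verifiers also need to persist the last accepted counter atomically and rate-limit attempts; with six digits and a window of ten counters, an unthrottled attacker guesses correctly roughly once per 100,000 tries.
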
See also

* Specific encryption systems and ciphers have key types associated with them, e.g. PGP key, DES key, AES key, RC4 key, BATON key, Kerberos key, etc.
* Cryptographic algorithms
* Cryptographic protocols

