This article describes the functions and properties of the various cryptographic key types used for securing digital communications. Recommended crypto-periods are also discussed.
Categories and types of cryptographic keys
Just as there are different types of household keys for the car, the front door of the house, the garage door, etc., keys serve different functions in the world of digital communications. One should understand what these different key functions are before any meaningful work can be done with cryptographic key management.
In general, cryptographic keys are categorized according to their properties and usage. A key may have one of three properties: Symmetric, Public or Private. Keys can be grouped as Asymmetric key pairs, which consist of one private and one public key.
Difference between Asymmetric and Symmetric keys
Algorithms for symmetric keys use a single key for both encryption and decryption. Algorithms for asymmetric keys use different keys for encryption and decryption (or for signing and verification). Symmetric key algorithms have the advantage that they are much faster than asymmetric algorithms, so a system can process large volumes of data, and manage many keys, with little computing overhead. The main disadvantage is that the one shared key has to be delivered to the receiving end over some channel, so it can be intercepted or tampered with in transit, and every pair of communicating parties needs its own shared key. Asymmetric keys address this: only the public key is distributed, and it must be protected against substitution but not against disclosure, while the private key stays with its owner and is never sent. Which of the two keys is used by the sender and which by the receiver depends on the key's purpose, such as assuring confidentiality, authentication, tamper detection, etc.
Using asymmetric keys for confidentiality
For example, to maintain confidentiality, a message is encrypted with the intended receiver's public key before it is sent. Anyone can intercept the ciphertext, but only the intended receiver, who holds the private key corresponding to that public key, can decrypt it. While the public key can be distributed freely among senders, the private key stays in one place and is never sent anywhere.
Using asymmetric keys for authentication
To provide authentication, the sender uses his/her private key to compute a digital signature over the message (in practice, over a hash of the message) and attaches it to the message. The receiving end uses the sender's public key to verify the signature and so confirm who sent the message and that it has not been altered. Since verification uses the public key, anyone who holds it can check who sent the message.
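The two uses above, as an added example that is not part of the original article: textbook RSA in Python with two fixed key pairs. The Mersenne primes, the public exponent 65537, the names Alice and Bob and the 8-byte payload are assumptions made here for readability, not anything from the article. Encryption uses only the recipient's public key and decryption only the private key; signing uses only the sender's private key and verification only the public key, and a tampered message, or a signature checked against someone else's public key, fails to verify.

```python
import hashlib

# Added example (not from the original article): textbook RSA with fixed
# Mersenne primes so that the arithmetic stays readable. Real deployments use
# randomly generated primes of 1024 bits or more and padding (OAEP for
# encryption, PSS for signatures); this toy is NOT secure.
E = 65537  # public exponent (assumption: coprime with phi for the primes used below)


def generate_keypair(p: int, q: int):
    """Return (public_key, private_key) as ((n, e), (n, d)) for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def encrypt_for(public_key, plaintext: bytes) -> int:
    """Confidentiality: anyone holding the recipient's PUBLIC key can encrypt."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, e, n)


def decrypt_with(private_key, ciphertext: int, length: int) -> bytes:
    """Only the holder of the matching PRIVATE key recovers the plaintext."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def _digest_mod(n: int, message: bytes) -> int:
    # Sign a hash of the message, not the message itself. The reduction mod n
    # is only needed because the toy modulus is smaller than a SHA-256 output.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_with(private_key, message: bytes) -> int:
    """Authentication: the sender's PRIVATE key produces the signature."""
    n, d = private_key
    return pow(_digest_mod(n, message), d, n)


def verify_with(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's PUBLIC key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod(n, message)


if __name__ == "__main__":
    # Constructed scenario: Alice sends Bob a short symmetric key (the usual
    # payload of public-key encryption) and signs a message about it.
    bob_pub, bob_priv = generate_keypair(2**61 - 1, 2**31 - 1)
    alice_pub, alice_priv = generate_keypair(2**89 - 1, 2**19 - 1)

    session_key = b"\x13\x37" * 4  # constructed 8-byte "data key"
    ct = encrypt_for(bob_pub, session_key)              # Bob's PUBLIC key
    print("Bob recovers the key:", decrypt_with(bob_priv, ct, 8) == session_key)

    msg = b"key id 42 is now active"
    sig = sign_with(alice_priv, msg)                    # Alice's PRIVATE key
    print("valid signature:    ", verify_with(alice_pub, msg, sig))
    print("tampered message:   ", verify_with(alice_pub, msg + b"!", sig))
    print("wrong signer's key: ", verify_with(bob_pub, msg, sig))
```

Signing is not simply "encrypting with the private key" applied to the message: the signature is computed over a hash of the message, and real schemes add padding and use keys of at least 2048 bits. The toy also shows the usual payload of public-key encryption, a short symmetric key rather than the message itself, which is the key-transport use described further down this page.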
Cryptographic keys for long term or single usage
Keys can also have the property of being static (designed for long-term use) or ephemeral (designed to be used for only a single session or management transaction). A crypto-period is the time span during which a specific key is authorized for use. The static/ephemeral distinction mainly applies to the ephemeral key agreement key (explained below), since the other key types are generally designed for long crypto-periods (usually 1 to 2 years). Some key types that may need shorter crypto-periods (from a few days to a few weeks) are symmetric authentication keys, data encryption keys, key-wrapping keys, private key-transport keys, RNG keys, and authorization keys.
Description of the 10 basic types of cryptographic keys
Cryptographic keys can be classified into 10 categories, as outlined below. Each key is designed for one specific purpose and shouldn't be mistaken for another key type. Each key type is described according to its property (symmetric, public or private):
- Authentication Key (Symmetric, Public or Private)
Symmetric authentication keys are used with symmetric key algorithms to provide assurance of the integrity and source of messages, communication sessions, documents, or stored data.
A private (or public) authentication key is the private (or public) key of an asymmetric key pair that is used with a public-key algorithm to provide assurance as to the integrity and source of information and the identity of the originating entity when executing an authentication mechanism or when establishing an authenticated communication session.
- Authorization Key (Symmetric, Public or Private)
Symmetric authorization keys are used to provide privileges to an entity using a symmetric cryptographic method. The same authorization key is used by the entity responsible for monitoring and granting access privileges for authorized entities and by the entity seeking access to resources.
A private authorization key is the private key of an asymmetric key pair that is used to provide privileges to an entity.
A public authorization key is the public key of an asymmetric key pair that is used to verify privileges for an entity that knows the associated private authorization key.
- RNG Key (Symmetric, Public or Private)
RNG stands for “random number generation”; these keys are the secret input used to key or seed a random number generator that produces random numbers or random bits.
- Static Key Agreement Key (Symmetric, Public or Private)
Symmetric key agreement keys are used to establish other keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors) using a symmetric key-agreement algorithm.
Private (public) static key agreement keys are the private (public) keys of asymmetric key pairs that are used to establish other keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors). Static key agreement keys are reused across many transactions over their crypto-period.
- Ephemeral Key Agreement Key (Public or Private)
Private (or public) ephemeral key agreement keys are the private (or public) keys of asymmetric key pairs that are used only once in a transaction to establish one or more keys (e.g., key-wrapping keys, data-encryption keys, or MAC keys) and, optionally, other keying material (e.g., initialization vectors).
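The difference between static and ephemeral key agreement keys, as an added example that is not from the original article: a toy finite-field Diffie-Hellman exchange in Python. The prime 2**127 - 1, the generator 5, the SHA-256 key derivation and the Party class are assumptions made for the demonstration. Both parties hold a static pair that is reused, and generate a single-use ephemeral pair per transaction; the static-static agreement yields the same key in every session, while the ephemeral agreement yields a fresh key each time and leaves no long-lived secret that could later reveal it.

```python
import hashlib
import secrets

# Added example (not from the original article): toy finite-field Diffie-Hellman
# over the Mersenne prime 2**127 - 1 with generator 5 so the numbers stay short.
# Real systems use a standardized group (RFC 7919 ffdhe2048 or larger) or an
# elliptic curve, a proper KDF, and authenticate the exchanged public values.
P = 2**127 - 1  # prime modulus (toy size; assumption for the demo)
G = 5           # generator (toy choice; assumption for the demo)


def random_exponent() -> int:
    return secrets.randbelow(P - 2) + 1


class Party:
    """A participant holding a long-term (static) key agreement key pair."""

    def __init__(self, name: str):
        self.name = name
        self.static_priv = random_exponent()           # kept for years
        self.static_pub = pow(G, self.static_priv, P)  # published once

    def new_ephemeral(self):
        """Fresh key pair for ONE transaction; the private half is discarded after use."""
        priv = random_exponent()
        return priv, pow(G, priv, P)


def derive_key(shared_secret: int, label: bytes) -> bytes:
    """Toy KDF: hash the raw shared secret with a purpose label (real code: HKDF)."""
    return hashlib.sha256(label + shared_secret.to_bytes(16, "big")).digest()


def static_session(a: Party, b: Party):
    """Static-static agreement: the same key comes out in every session, so a
    later compromise of either static private key exposes all of them."""
    secret_a = pow(b.static_pub, a.static_priv, P)
    secret_b = pow(a.static_pub, b.static_priv, P)
    return derive_key(secret_a, b"static"), derive_key(secret_b, b"static")


def ephemeral_session(a: Party, b: Party):
    """Ephemeral-ephemeral agreement: a new key each session and nothing
    long-lived left behind that could later reveal it (forward secrecy)."""
    a_priv, a_pub = a.new_ephemeral()
    b_priv, b_pub = b.new_ephemeral()
    # a_pub and b_pub are what travels over the wire; they carry no proof of
    # origin, so a real protocol signs them or combines them with static keys.
    secret_a = pow(b_pub, a_priv, P)
    secret_b = pow(a_pub, b_priv, P)
    del a_priv, b_priv  # single use: destroyed right after the derivation
    return derive_key(secret_a, b"ephemeral"), derive_key(secret_b, b"ephemeral")


if __name__ == "__main__":
    alice, bob = Party("alice"), Party("bob")
    s1, s2 = static_session(alice, bob), static_session(alice, bob)
    e1, e2 = ephemeral_session(alice, bob), ephemeral_session(alice, bob)
    print("both sides agree (static):   ", s1[0] == s1[1])
    print("static key repeats:          ", s1 == s2)
    print("both sides agree (ephemeral):", e1[0] == e1[1])
    print("ephemeral key repeats:       ", e1 == e2)
```

Because the ephemeral public values carry no proof of origin, a real protocol either signs them with a signature key or combines them with the parties' static key agreement keys; otherwise an active attacker can substitute its own values and agree on a key with each side separately.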
- Signature Key (Public or Private)
A public signature-verification key is the public key of an asymmetric key pair that is used by a public-key algorithm to verify digital signatures that are intended to provide source authentication, integrity protection of data, and non-repudiation of messages, documents or stored data.
Private signature keys are the private keys of asymmetric key pairs that are used by public-key algorithms to generate digital signatures with possible long-term implications. When properly handled, private signature keys can be used to provide source authentication, integrity protection and non-repudiation of messages, documents or stored data.
- Key Transport Keys (Public or Private)
Private key-transport keys are the private keys of asymmetric key pairs that are used to decrypt keys that have been encrypted with the associated public key using a public-key algorithm.
Public key-transport keys are the public keys of asymmetric key pairs that are used to encrypt keys using a public-key algorithm.
Key transport keys are usually used to establish other keys (e.g., key-wrapping keys, data-encryption keys or MAC keys) and, optionally, other keying material (e.g., initialization vectors).
The symmetric counterpart of a key-transport key is the key-wrapping key, also called a key-encrypting key (KEK), described below.
- Data Encryption/Decryption Key (Symmetric)
Symmetric data encryption/decryption keys are used to protect stored data, messages or communication sessions. These keys are used with symmetric key algorithms to apply confidentiality protection to information.
- Key Wrapping Key (Symmetric)
Symmetric Key-wrapping keys are used to encrypt other keys using symmetric-key algorithms. Key-wrapping keys are also known as key-encrypting keys.
- Master Key (Symmetric)
A symmetric master key is used to derive other symmetric keys (e.g., data encryption keys, key wrapping keys, or authentication keys) using symmetric cryptographic methods.
One should be careful that each cryptographic key is used only for the particular purpose it is designed for. If the same key is used for other purposes (which often occurs), much damage or loss of security may result, because a weakness or compromise in one use can undermine the other. There are, however, instances where one key legitimately provides multiple services: for example, one digital signature provides assurance of the identity of the originating entity, non-repudiation, source authentication, and integrity protection.
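A symmetric master key, key separation by purpose (the two paragraphs above) and a symmetric authentication key in use (described earlier in the list), as an added example that is not part of the original article: HKDF (RFC 5869) written out in Python with SHA-256, deriving one independent key per purpose label from the master key, then an HMAC tag computed and verified with the derived authentication key. The master key value, the "example-kms/v1/" label prefix and the sample record are constructed for this demonstration.

```python
import hashlib
import hmac

# Added example (not from the original article): HKDF (RFC 5869) with SHA-256
# written out in full so the derivation is visible, plus an HMAC authentication
# key derived from it. The master key, labels and record below are constructed
# for the demonstration; in production use your crypto library's HKDF and keep
# the master key inside the key-management boundary (HSM or KMS).
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_purpose_key(master_key: bytes, purpose: bytes, length: int = 32) -> bytes:
    """Derive a key bound to ONE purpose label from the symmetric master key.

    Different labels yield computationally independent keys, so misuse or
    compromise of the data-encryption key reveals nothing about the
    authentication key, and the master key itself is never handed out.
    """
    prk = hkdf_extract(b"", master_key)
    # The label prefix is an assumption for this demo; any fixed, unique context string works.
    return hkdf_expand(prk, b"example-kms/v1/" + purpose, length)


def authenticate(auth_key: bytes, data: bytes) -> bytes:
    """Symmetric authentication key in use: compute an HMAC tag over the data."""
    return hmac.new(auth_key, data, HASH).digest()


def verify(auth_key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a forger learns nothing from timing."""
    return hmac.compare_digest(authenticate(auth_key, data), tag)


if __name__ == "__main__":
    master = bytes(range(32))  # constructed master key; never use a fixed value for real
    purposes = (b"data-encryption", b"key-wrapping", b"authentication")
    keys = {label: derive_purpose_key(master, label) for label in purposes}
    for label, key in keys.items():            # one labelled key per purpose
        print(label.decode().ljust(16), key.hex())

    record = b"account=1234;balance=100"
    tag = authenticate(keys[b"authentication"], record)
    forged = record.replace(b"100", b"900")
    print("genuine record verifies: ", verify(keys[b"authentication"], record, tag))
    print("tampered record verifies:", verify(keys[b"authentication"], forged, tag))
    # A key used outside its purpose: the data-encryption key must not double as a MAC key.
    print("encryption key accepts tag:", verify(keys[b"data-encryption"], record, tag))
```

The derived keys are deterministic, so a key-management system can regenerate a purpose key from the master key and its label instead of storing it, and each label doubles as the category tag that the key should carry.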
In a key management system, each cryptographic key should be labeled with one of the listed categories (or types).
References and further reading
- A Framework for Designing Cryptographic Key Management Systems (2013) by Elaine Barker, Miles Smid, Dennis Branstad, and Santosh Chokhani
- Recommendation for Key Management – Part 1: General (Revision 3) (2012) by Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid
- Key Management workshop (2001)