Glossary of cryptographic keys
{{Short description|none}}
[[File:Enigma keylist 3 rotor.jpg|thumb|Key list for a German World War II [[Enigma machine]]]]
This glossary lists types of [[key (cryptography)|key]]s as the term is used in [[cryptography]], as opposed to [[key (lock)|door locks]]. Terms that are primarily used by the U.S. [[National Security Agency]] are marked ''(NSA)''. For classification of keys according to their usage see [[cryptographic key types]].

* '''40-bit key''' - key with a [[40-bit encryption|length of 40 bits]], once the upper limit of what could be [[export of cryptography|exported]] from the U.S. and other countries without a license. Considered very insecure. ''See'' [[key size]] for a discussion of this and other lengths.
* '''Authentication key''' - Key used in a keyed-hash message authentication code, or [[HMAC]].
* '''Benign key''' - (NSA) a key that has been protected by encryption or other means so that it can be distributed without fear of its being stolen. Also called '''BLACK key'''.
* '''Content-encryption key (CEK)''' - a key that may be further encrypted using a KEK, where the content may be a message, audio, image, video, executable code, etc.
* '''Crypto ignition key''' - An NSA key storage device ([[KSD-64]]) shaped to look like an ordinary physical key.
* '''Cryptovariable''' - NSA calls the output of a [[stream cipher]] a key or key stream. It often uses the term '''cryptovariable''' for the bits that control the stream cipher, what the public cryptographic community calls a [[key (cryptography)|key]].
* '''Data encryption key (DEK)''' - used to encrypt the underlying data.
* '''Derived key''' - keys computed by applying a predetermined [[hash algorithm]] or [[key derivation function]] to a [[password]] or, better, a [[passphrase]].
* '''DRM key''' - A key used in [[digital rights management]] to protect media.
* '''Electronic key''' - (NSA) key that is distributed in electronic (as opposed to paper) form. ''See'' [[EKMS]].
* '''[[Ephemeral key]]''' - A key that only exists within the lifetime of a communication session.
* '''Expired key''' - Key that was issued for use in a limited time frame ([[cryptoperiod]] in NSA parlance) which has passed and, hence, the key is no longer valid.
* '''[[Firefly (key exchange protocol)|FIREFLY key]]''' - (NSA) keys used in an NSA system based on [[public key cryptography]].
* '''[[Key derivation function]] (KDF)''' - function used to derive a key from a secret value, e.g. to derive KEK from Diffie-Hellman key exchange.{{Citation needed|date=May 2016}}
* '''Key encryption key (KEK)''' - key used to protect MEK keys (or DEK/TEK if MEK is not used).
* '''Key production key (KPK)''' - Key used to initialize a keystream generator for the production of other electronically generated keys.
* '''Key fill''' - (NSA) loading keys into a cryptographic device. ''See'' [[fill device]].
* '''Master key''' - key from which all other keys (or a large group of keys) can be derived. Analogous to a [[key (lock)|physical key]] that can open all the doors in a building.
* '''Master encryption key (MEK)''' - Used to encrypt the DEK/TEK key.
* '''Master key encryption key (MKEK)''' - Used to encrypt multiple KEK keys. For example, an HSM can generate several KEKs and wrap them with an MKEK before export to an external DB, such as OpenStack Barbican.<ref name="Openstack - Barbican HSM integration">{{Cite web|url=https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/15/html/manage_secrets_with_openstack_key_manager/barbican_hardware_security_module_hsm_integration|title = Chapter 5. Barbican Hardware Security Module (HSM) Integration Red Hat OpenStack Platform 15}}</ref>
[[File:NSA DIANA one time pad.tiff|thumb|A sample NSA [[one-time pad]]]]
* '''[[One time pad]] (OTP or OTPad)''' - keying material that should be as long as the [[plaintext]] and should only be used once. If truly random and not reused it's the most secure encryption method. ''See'' [[one-time pad]] article.
* '''[[One-time password|One time password]] (OTP)''' - a password based on a prebuilt single-use code list or on a mathematical formula with a secret seed known to both parties, which uses an event or the time to modify its output (see TOTP/HOTP).
* '''[[Paper key]]''' - (NSA) keys that are distributed in paper form, such as printed lists of settings for [[rotor machine]]s, or keys in [[punched card]] or [[paper tape]] formats. Paper keys are easily copied. ''See'' [[Walker spy ring]], ''RED key''.
* '''Poem key''' - Keys used by [[Office of Strategic Services|OSS]] agents in World War II in the form of a poem that was easy to remember. ''See'' [[Leo Marks]].
* '''Public/private key''' - in [[public key cryptography]], separate keys are used to encrypt and decrypt a message. The encryption key ('''public key''') need not be kept secret and can be published. The decryption or '''private key''' must be kept secret to maintain confidentiality. Public keys are often distributed in a signed [[public key certificate]].
* '''[[Public key infrastructure]]''' - (PKI) a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage [[Public key infrastructure|public-key encryption]].
* '''Pre-placed key''' - (NSA) large numbers of keys (perhaps a year's supply) that are loaded into an encryption device allowing frequent key change without refill.
* '''RED key''' - (NSA) symmetric key in a format that can be easily copied, e.g. ''paper key'' or unencrypted ''electronic key''. Opposite of ''BLACK'' or ''benign key''.
* '''Revoked key''' - a public key that should no longer be used, typically because its owner is no longer in the role for which it was issued or because it may have been compromised. Such keys are placed on a [[certificate revocation list]] or '''CRL'''.
* '''[[Session key]]''' - key used for one message or an entire communications session. ''See traffic encryption key.''
* '''[[Symmetric-key algorithm|Symmetric key]]''' - a key that is used both to encrypt and decrypt a message. Symmetric keys are typically used with a cipher and must be kept secret to maintain confidentiality.
* '''Traffic encryption key (TEK)/data encryption key (DEK)''' - a symmetric key that is used to encrypt messages. TEKs are typically changed frequently, in some systems daily and in others for every message. See ''session key''. DEK is used to specify any data form type (in communication payloads or anywhere else).
* '''Transmission security key (TSK)''' - (NSA) seed for a [[pseudorandom number generator]] that is used to control a radio in [[frequency hopping]] or [[direct-sequence spread spectrum]] modes. ''See'' [[HAVE QUICK]], [[SINCGARS]], [[electronic warfare]].
* '''Seed key''' - (NSA) a key used to initialize a cryptographic device so it can accept operational keys using benign transfer techniques. Also a key used to initialize a [[pseudorandom number generator]] to generate other keys.
* '''Signature key''' - [[public key cryptography]] can also be used to electronically sign messages. The private key is used to create the electronic signature, the public key is used to verify the signature. Separate public/private key pairs '''must''' be used for signing and encryption. The former are called '''signature keys'''.
* '''Stream key''' - the output of a [[stream cipher]] as opposed to the key (or ''cryptovariable'' in NSA parlance) that controls the cipher.
* '''Training key''' - (NSA) un[[classified information|classified]] key used for instruction and practice exercises.
* '''Type 1 key''' - (NSA) keys used to protect [[classified information]]. ''See'' [[Type 1 product]].
* '''Type 2 key''' - (NSA) keys used to protect sensitive but unclassified (SBU) information. ''See'' [[Type 2 product]].
* '''Vernam key''' - Type of key invented by [[Gilbert Vernam]] in 1918. ''See stream key''.
* '''Zeroized key''' - key that has been erased (see [[zeroisation]]).