This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked (NSA):
- 40-bit key - key with a length of 40 bits, once the upper limit of what could be exported from the U.S. and other countries without a license. Considered very insecure. See key size for a discussion of this and other lengths.
- benign key - (NSA) a key that has been protected by encryption or other means so that it can be distributed without fear of its being stolen. Also called BLACK key.
- cryptovariable - NSA calls the output of a stream cipher a key or key stream. It often uses the term cryptovariable for the bits that control the stream cipher, what the public cryptographic community calls a key.
- electronic key - (NSA) key that is distributed in electronic (as opposed to paper) form. See EKMS.
- key encryption key (KEK) - key used to protect other keys (e.g. TEK, TSK).
- key fill - (NSA) loading keys into a cryptographic device. See AN/CYZ-10.
- master key - key from which all other keys (or a large group of keys) can be derived. Also a physical key that can open all the doors in a building.
- one-time pad - keying material that is as long as the plaintext and only used once. See one-time pad article.
- Public/private key - in public key cryptography, separate keys are used to encrypt and decrypt a message. The encryption key (public key) need not be kept secret and can be published. The decryption or private key must be kept secret to maintain confidentiality. Public keys are often distributed in a signed public key certificate.
- pre-placed key- (NSA) large numbers of keys (perhaps a year's supply) that are loaded into an encryption device allowing frequent key change without refill.
- RED key - (NSA) symmetric key in a format that can be easily copied, e.g. paper key or unencrypted electronic key. Opposite of BLACK or benign key.
- revoked key - a public key that should no longer be used, typically because its owner is no longer in the role for which it was issued or because it may have been compromised. Such keys are placed on a certificate revocation list or CRL.
- symmetric key - a key that is used both to encrypt and decrypt a message. Symmetric keys are typically used with a cipher and must be kept secret to maintain confidentiality.
- traffic encryption key (TEK) - a symmetric key that is used to encrypt messages. TEKs are typically changed frequently, in some systems daily and in others for every message.
- seed key - (NSA) a key used to initialize a cryptographic device so it can accept operational keys using benign transfer techniques. Also a key used to initialize a pseudorandom number generator to generate other keys.
- signature key - public key cryptography can also be used to electronically sign messages. The private key is used to create the electronic signature, the private key is used to verify the signature. In many cases separate public/private key pairs are used for signing and for message security. The former are called signature keys.
- stream key - the output of a stream cipher as opposed to the key (or cryptovariable in NSA parlance) that controls the cipher
- training key - (NSA) unclassified key used for instruction and practice exercises.
- Type 2 key - (NSA) keys used to protect sensitive but unclassified (SBU) information. See Type 2 product.
- zeroized key - key that has been erased.
See also