Compromised cryptographic keys have a devastating effect on any organization — just ask the major Android device manufacturers whose keys were used to distribute malware. Here’s what to know about cryptographic keys, how they work, and how to keep yours secure.
Encryption secures everything from the credit card transactions you use to buy items online to the health information you share with your doctor. It’s an intricate system that relies on cryptographic keys to help keep that information secure.
But what are cryptographic keys, and how do we use them? We’ll explore the roles of cryptographic keys in modern communications and what you can do to secure them.
Let’s hash it out.
What Is a Cryptographic Key? A 90-Second Overview of Cryptographic Keys
A cryptographic key is a string of characters (often random or mathematically generated) that’s paired with a cryptographic algorithm to secure data. Algorithms are mathematical formulas that carry out multiple important cryptographic functions. Two of the most common functions involving cryptographic keys are data encryption and decryption:
- Encryption uses a cryptographic key to scramble plaintext (readable) data into unreadable gibberish (called ciphertext). This protects the data’s confidentiality from prying eyes.
- Decryption enables a person with the correct cryptographic key to recalculate the original data from the gibberish ciphertext. This way, they — and only they — can read the message.
When a secret cryptographic key gets exposed or compromised, it means that whatever it’s used to secure is now at risk of compromise.
Throughout nearly the last nearly 4,000 years of human history, there’ve been many instances of using cryptographic keys to communicate secret information. This includes everything from ancient Egyptian tomb inscriptions to activities associated with the United Kingdom’s Government Communications Headquarters (GCHQ) after World War I. One of the best-known (and simplest) examples of cryptographic key applications is the Caesar Shift Cipher. This basic substitution cipher “shifts” the alphabet by a set number of spaces (e.g., A becomes D, and N becomes P). In this case, the “key” would be knowing how many spaces to shift to decrypt the message.
A common example of encryption can be seen when you log in to your favorite website. If you see the secure padlock icon, it means that you’re accessing a site that’s secured with public key cryptography using SSL/TLS.
Cryptographic Keys Are Lumped Into Two General Categories: Symmetric and Asymmetric
Different methods of cryptography involve the use of one or two cryptographic keys. Let’s explore them both before we dive into their uses.
Symmetric Keys = A Single Private Key That Decrypts and Decrypts Data
Symmetric encryption uses a single key, known as a symmetric key. Both the sender and the recipient need to have a copy of the key to encrypt and decrypt data. As such, this private key has to be kept secret so that no unintended third parties could use it to decrypt their secret messages. When you encrypt and decrypt data using a single key, it’s known as symmetric encryption, symmetric cryptography, or private key cryptography.
Imagine you’ve just completed a home renovation, a project that included replacing all of your interior and exterior doors with door locks you bought at a local hardware store. As such, each door you install would have its own separate lock, requiring a separate key to open it. (This would be a bit closer to asymmetric encryption because each key would only fit its corresponding lock — but we’ll dive more into that in just a few moments.)
However, using a symmetric key is like re-keying all of your home’s door locks so that a single key can open them. This is great for convenience because you only need one key, but it also means you have to go to great lengths to keep that key safe. Otherwise, everything inside your home will be compromised if someone gets their hands on that key.
One of the tricky aspects of symmetric keys is that they require the two communicating parties to meet up in a secure way so they each have a copy of the key. (Think of those stereotypical clandestine spy meetups you see in movies or read in books.) This isn’t too bad if you’re in the same geographic area as the other party. But what if you need to share sensitive information now but don’t have the time to meet to exchange keys? Or, what happens when you’re trying to communicate securely with someone who’s located in another state, country, or side of the world? You’ll be plumb out of luck.
Within the last century, the rise of digital communications changed the landscape of communications. Now, you can be using a phone in the United States and communicate nearly instantaneously with someone regardless of their geographic location. You can enter your information in a web form and send it instantaneously across the internet to someone on the other side of the world.
However, there’s a drawback: If you’re sending that data in plaintext, it isn’t secure and can be intercepted by nosy or malicious third parties.
To avoid this security risk, you and the person you’re communicating with need a way to securely communicate using encryption. But this would require exchanging your symmetric key, right? Yes. And this is where public key cryptography comes into play…
Asymmetric Keys = Separate Keys to Encrypt & Decrypt Data (And Enable Authentication)
In modern cryptography, another type of cryptographic key is an asymmetric key—a pair of two different but related keys. A public key is publicly known and doesn’t have to be kept secret. It’s linked to a private key, which is kept secret.
Asymmetric cryptographic keys (asymmetric = not identical) are generated in mathematically related pairs containing one public key and one private key. In public key encryption:
- The public key, which is available to virtually everyone, is used to encrypt the data.
- The private key, which must be protected and kept secret, is used to decrypt the ciphertext.
A common analogy you’ll see online that’s used to describe the role of separate keys in asymmetric encryption is a mailbox where you have one key to deposit items (public key) and a separate key to remove them (private key).
Using these two cryptographic keys enables two parties to create a secure, encrypted connection. Think of when you connect to a website. The server and client use asymmetric keys to securely exchange information that’s used to establish symmetric session keys. These symmetric keys, which require fewer resources to compute, make data exchanges faster at scale.
To learn more about how public-private key pairs work in various cryptographic uses, check out our other article that looks at the topic more in depth.
But why bother switching to symmetric encryption at all? Can’t you just use asymmetric keys the whole time? Technically, yes, you could use asymmetric encryption alone to communicate securely on open channels. However, the resources required to make this happen for popular websites would be too costly to do when dealing with thousands or millions of connections. This is why we use asymmetric keys to exchange symmetric key-encrypted sessions to promote scalability.
Check out this recent comparative cost analysis of asymmetric and symmetric applications by researchers at the Institute of Electrical and Electronic Engineers (IEEE). Spoiler alert: Their research shows a “58% saving in global energy costs of public key-based applications” through symmetric key system adoptions.
A Quick Comparison of Symmetric and Asymmetric Keys
Symmetric Keys | Asymmetric Keys | |
What Is It | A single secret that must be protected and not shared. | Two keys — one that’s shared publicly (public key) and one that’s kept secret (private key). |
What It Does | Encrypts and decrypts data for storage and/or in secure channels. | Used for encryption, description, and authentication, usually over insecure channels like the internet. |
Key Sizes (Using AES and RSA Keys as Examples) | AES key sizes are smaller in size (256 bits is the most common size). These keys are calculated in various ways with varying levels of entropy, such as by using a random number generator (RNG). | RSA key sizes are larger keys (1024 bits, 2048 bits, 3072 bits, 7680 bits, 15360 bits, etc.) that are calculated using massive prime numbers. |
Uses and Applications | Encrypt at-rest data on servers and internal digital storage applications. | Encrypt in-transit data in open (insecure) channels. |
Processing Speeds | Faster to process than asymmetric encryption keys because symmetric keys are smaller. | Slower than symmetric encryption keys because they are larger. |
Where You’ll Find It | Stored on authorized devices and internal (non-public) servers. | Asymmetric public keys are integrated with digital certificates or sent with digitally signed and encrypted emails, documents, and software. The private keys are stored securely. |
Cryptographic Keys Also Can Be Identified By Their Uses and Applications
Sometimes, cryptographic keys are referred to with regard to the roles they play in cryptographic processes. We won’t get into all of them because they vary depending on the type of cryptographic processes you’re performing, but here’s a quick overview of several examples:
- Session keys — These keys are used to encrypt data during individual sessions (e.g., connections to a website or web app).
- HMAC keys — These keys are used to create the digital signatures used in hash-based message authentication codes.
- Data encryption keys (DEKs) — These keys enable you to encrypt data at rest on your server. DEKs also can be master keys.
- Key encryption keys (KEKs) — These keys, also called key wrapping keys, are used to encrypt other cryptographic keys that perform at-rest and in-transit data encryption. This means they can be symmetric or asymmetric, depending on the task.
- Traffic encryption keys (TEKs) — These cryptographic keys are used to encrypt data in transit against man-in-the-middle attacks and other interception methods.
- Master keys — The meaning of a “master key” differs depending on its usage. It’s also called a key-derivation key because it’s used in part to calculate other keys using key-derivation methods.
Large Keys Are More Secure (But Less Scalable) Than Smaller Ones
Generally speaking, the bigger the key, the more secure it is. For example, a 256-bit AES symmetric key is stronger than a 128-bit symmetric key, and a 3078-bit RSA asymmetric key is more secure than a 2048-bit asymmetric key. Larger keys help thwart brute force attackers who try to guess your key because it would be virtually impossible to guess all possible combinations using modern computer resources.
Let’s quickly compare public and private keys.
Public key:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnfyxkfwlj+QmitT4lVxrQLHAuJLRl2oIvy+J3I1cuWbyJWXfcmwzc99HRPL6qvfT3IdkJphxok1KZZf6r38v5HpUacSbLyHfi3s0JjclM09HvzuqWqHe1BJhP14RTIaa2ZVcZZvnFOm91U7VSR3lVFVOBFcfJYGTlvIVtXo57KYKYdwsZmiMlNZ3Zr8BX9gqY/Vl7sgjm9tJhBlpDFHCA0/v1jFlsYgddbOXl8ar7Dhp6VyOFG7ifahjmb7rUjzBvIVm7BG7Ds3IFkNvJAXVzfqqW/Zvru73X0AYOGwE5KWbjYN04JwErNI+2JDpk8d6gJrxb/MT6xXjEBuwc/s1mQIDAQAB
Private key:
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCd/LGR/CWP5CaK1PiVXGtAscC4ktGXagi/L4ncjVy5ZvIlZd9ybDNz30dE8vqq99Pch2QmmHGiTUpll/qvfy/kelRpxJsvId+LezQmNyUzT0e/O6paod7UEmE/XhFMhprZlVxlm+cU6b3VTtVJHeVUVU4EVx8lgZOW8hW1ejnspgph3CxmaIyU1ndmvwFf2Cpj9WXuyCOb20mEGWkMUcIDT+/WMWWxiB11s5eXxqvsOGnpXI4UbuJ9qGOZvutSPMG8hWbsEbsOzcgWQ28kBdXN+qpb9m+u7vdfQBg4bATkpZuNg3TgnASs0j7YkOmTx3qAmvFv8xPrFeMQG7Bz+zWZAgMBAAECggEADz17G6wJK5JErYvR1watSfZbsvJmyYZvBZJeaCoy0ae+oCDtpyoM5JabV2lhCPETPOjKnnaCL7fo/1fj1N4eDppGXlWa6rcHy3q9ExqqugJh1264BjorNqX3P5ehb5JkiazA1wRtDDVoHJWYOY9qufHorr6AwKt5Q0xjD7iUseFDN1jsnAQcbl1kifTcc9lbkSv9+zyBmzVQCSVifITe39YmBBCtGJWbC2+aCs2shcO7XOZrDjYABqlYRP7O1XXo0dJYnvat9EnLMTRwQZZwCXhavn+Iyrt2Odd3Vil3w5jSdIOiXivq2C9suZ5c8HIiAepm1Fvu7evo2OfUxTu9CQKBgQDtGN0wn5LUrcI0AO/FNNUobG+wYr7u4QnuucbwP+j9aF7Eo6LrPdgZw4o4DwMTP/rOC/2lNy4RyhQ6Y8CZ7ehxmZLTkCPeGaKRyzm6Z2fq0x3fielqIH9L3SeIgDnTwTxjJ9/Jq5UOvFsj5a1u6+6W9Z0iqDDVGAb+aWa+ic85iwKBgQCqlTL6mtRni1P2pfm8la3p+SjurJKwFaXlLbd6QphptYud8ox81JnCDeTMXUkXHcYwNRarxkqGKqe43j2oHj7XEmEGJUqOXG/9uUa2CBGVIy2b0EIEFnvw8Tj9T13EFi+3p48ksg9C33Jzv9Kcebjhb3B0h6rJuRu9LXEXSaKJ6wKBgQCkCVXPNDgECQuZqyQ4TmtDgnJrmIX9A5k5nzKyOaVa3YDjj0tCchE3EgBo9InuIY/GSql8SwcGq8b+9tDkLqNpJRVeZhVKrnW5ZN9VxgExiErcw6/ICx/HPwUA/aYEiWbcO1QrVRjVjx+HYHpziawSqW/D8JWIeQ0tq4K4ROQoLQKBgE8DFL3ngYMEkjuo3WhwnEHH2yHSZY+SN2lUJ6xFtHsiUC0078XSY/XyoYvXmcdPT0F9FaczDcnfcBi9OCnq+Ih+Rtql40bVojoP26TtT9eYl8OYTzu9fmM4GIGchX4SGMAkqLUClPcQsN7UdyVrbCtfhuMzA/Sz/Rk/NybmQJdJAoGAOR1qIyDpjal8YE/SeK+pI5ZAosADIW3zSPNrGxSbX8kqtdqTDODtP0JgXWfBuB7B2OM6SiV4AID0y/XRGmmyCD3tom7P/s3HnwUt5LxUhVgQ0Ufcw4IkfScNHVTfXBgu1aVN7eLPQMmfM+Inh7z4Gdcbf/xW2KyOdBFcI7Y8ZKE=
Big difference.
If you compare a symmetric key with an asymmetric key, then you might be surprised to learn that key sizes aren’t equal in terms of their security strength. For example, a 256-bit AES symmetric key is more secure than a 3072-bit RSA asymmetric key. In its “Recommendation for Key Management: Part 1,” the National Institute of Standards and Technology (NIST) lists an AES 256-bit key as being roughly equivalent to a 15360-bit RSA key. Furthermore, since asymmetric encryption requires the use of two keys, it’s slower than symmetric encryption, which only requires one.
Cryptographic keys are essential tools for protecting sensitive data, and their proper management is a critical aspect of information security. In the following article, we will explore the role of cryptographic keys in safeguarding data and discuss best practices for securing them.