Classification of Cryptographic Keys

A cryptographic key is just a random string consisting of hundreds or thousands of ones and zeroes (i.e., binary digits, or “bits”).

Symmetric key encryption algorithms use a single symmetric key for both encryption and decryption, whereas asymmetric key encryption algorithms (aka public key algorithms) use two different but related keys for encryption and decryption.

Cryptographic keys may be either static (designed for long term usage) or ephemeral (designed to be used only for a single session or transaction). The crypto-period (i.e., lifetime) of static keys may vary from days to weeks, months, or even years depending on what they are used for.

The length of a key must align with the algorithm that will use it. Symmetric keys are generally shorter than asymmetric keys.

Key length should be chosen based on a number of factors, such as:

  • The algorithm being used
  • The strength of security required
  • The amount of data being processed with the key
  • The crypto-period of the key

Common functions for cryptographic keys

  • Data Encryption Key to encrypt the data.
  • Authentication Key to authenticate the originator or the origination of the data.
  • Digital Signature Key provides assurance about the integrity and originator of the associated data, and allows a verifier to check whether a signature is valid or not.
  • Key Encryption Key (aka Key Wrapping Key or Key Transport Key) is used to wrap (encrypt) another key so that it can be transported.
  • Master Key is a symmetric key that is used to encrypt multiple subordinate keys. Secured via an HSM.
  • Root Key is the topmost key in a Public Key Infrastructure (PKI) hierarchy. Used to authenticate and sign digital certificates.
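As an added example (not part of the original post), the following Python shows the Key Encryption Key function from the list above: a KEK wrapping a Data Encryption Key so the DEK can be transported, and unwrapping it only after an integrity check. The construction is assumed for this example and built from the standard library only (HMAC-SHA256 used as a keystream generator plus an HMAC tag, encrypt-then-MAC); production systems use a standard key-wrap mode such as AES Key Wrap or an AEAD cipher instead. The function names wrap_key and unwrap_key are the example's own.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _subkeys(kek: bytes):
    # Derive separate encryption and MAC keys from the KEK (domain separation),
    # so that one raw key is never used directly for two different functions.
    enc_key = hmac.new(kek, b"kek-wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"kek-wrap-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode: a PRF-based keystream, unique per (key, nonce).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Wrap a DEK under a KEK. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per wrap, from the OS CSPRNG
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then recover the DEK; any tampering raises ValueError."""
    enc_key, mac_key = _subkeys(kek)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("wrapped blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    kek = secrets.token_bytes(32)   # constructed sample KEK
    dek = secrets.token_bytes(32)   # constructed sample DEK
    blob = wrap_key(kek, dek)
    assert unwrap_key(kek, blob) == dek
    print("wrapped blob is", len(blob), "bytes; round trip ok")
```

Note that the KEK itself is never used as a raw cipher key: the two derived subkeys keep encryption and authentication as distinct functions, which is the same "used only for the functions they were intended for" principle a KMS enforces.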

A Key Management System (KMS) is used to ensure that keys are

  • generated to the required length using a high-quality random data source
  • well protected (generally using an HSM)
  • managed only by authorized personnel in accordance with defined policies
  • used only for the functions they were intended for
  • updated according to their crypto-period
  • deleted when no longer required
  • fully auditable to provide evidence of correct (or incorrect) usage
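As an added example (not from the original post), the following Python sketches an in-memory stand-in for a KMS that enforces the points in the two lists above: keys are generated to the length required by their algorithm from the OS CSPRNG, released only for the single purpose they were created for, refused once their crypto-period has elapsed, rotated, overwritten on destruction, and every attempt, successful or not, is written to an audit log. The KeyStore class, the KEY_LENGTHS policy table and the purpose strings are assumptions of this example; a real KMS keeps the material inside an HSM rather than in process memory.

```python
import secrets
from dataclasses import dataclass

# Required key lengths in bytes per algorithm. The table is constructed for this
# example; the sizes are the standard ones for the algorithms named.
KEY_LENGTHS = {"AES-128": 16, "AES-192": 24, "AES-256": 32, "HMAC-SHA256": 32}


@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    purpose: str            # the single function this key may serve, e.g. "encrypt"
    created_at: float       # seconds since the epoch
    crypto_period: float    # seconds the key may stay in use before rotation
    material: bytearray     # mutable so it can be overwritten on destruction
    state: str = "active"   # active -> expired / retired -> destroyed


class KeyStore:
    """Minimal in-memory stand-in for a KMS (constructed for this example)."""

    def __init__(self):
        self._keys = {}
        self.audit = []     # one entry per operation, including refused ones

    def _log(self, event, key_id, ok, detail=""):
        self.audit.append({"event": event, "key_id": key_id, "ok": ok, "detail": detail})

    def generate(self, key_id, algorithm, purpose, crypto_period, now):
        if algorithm not in KEY_LENGTHS:
            self._log("generate", key_id, False, f"unsupported algorithm {algorithm}")
            raise ValueError(f"unsupported algorithm: {algorithm}")
        length = KEY_LENGTHS[algorithm]
        # secrets.token_bytes draws from the OS CSPRNG: the "high-quality random source".
        rec = KeyRecord(key_id, algorithm, purpose, now, crypto_period,
                        bytearray(secrets.token_bytes(length)))
        self._keys[key_id] = rec
        self._log("generate", key_id, True, f"{algorithm}, {length} bytes")
        return rec

    def use(self, key_id, purpose, now):
        """Release material only for the intended purpose and within the crypto-period."""
        rec = self._keys[key_id]
        if rec.state == "active" and now - rec.created_at > rec.crypto_period:
            rec.state = "expired"       # past its crypto-period: must be rotated
        if rec.state != "active":
            self._log("use", key_id, False, f"state={rec.state}")
            raise PermissionError(f"key {key_id} is {rec.state}")
        if rec.purpose != purpose:
            self._log("use", key_id, False, f"purpose {purpose} != {rec.purpose}")
            raise PermissionError(f"key {key_id} is not a {purpose} key")
        self._log("use", key_id, True, purpose)
        return bytes(rec.material)

    def rotate(self, key_id, new_key_id, now):
        """Retire a key and issue a fresh one with the same algorithm and purpose."""
        old = self._keys[key_id]
        old.state = "retired"
        self._log("rotate", key_id, True, f"replaced by {new_key_id}")
        return self.generate(new_key_id, old.algorithm, old.purpose, old.crypto_period, now)

    def destroy(self, key_id):
        """Overwrite the material in place before dropping the record."""
        rec = self._keys.pop(key_id)
        for i in range(len(rec.material)):
            rec.material[i] = 0
        rec.state = "destroyed"
        self._log("destroy", key_id, True)
        return rec


if __name__ == "__main__":
    ks = KeyStore()
    t0 = 1_700_000_000.0                      # constructed timestamp
    ks.generate("dek-1", "AES-256", "encrypt", 3600, t0)
    ks.use("dek-1", "encrypt", t0 + 10)       # allowed
    try:
        ks.use("dek-1", "sign", t0 + 10)      # wrong function: refused and logged
    except PermissionError as e:
        print("refused:", e)
    for entry in ks.audit:
        print(entry)
```

The audit list is what makes misuse visible after the fact: a refused call leaves an entry with ok=False, so a reviewer can see both correct and incorrect usage, which is the last requirement in the list above.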

Source: Classification of Cryptographic Keys

About the Author

24 years of experience in various layers of software. Primarily experienced in system-side software design and development on server management software. Interested in Linux development on x86 and ARM architectures.