So What Does A Modern Encryption Key Look Like?

So what does an encryption key look like these days? Well, it depends on whether you're a computer or a human. For a computer, it is just a bunch of 1's and 0's, but for humans, we are not so good at interpreting binary. We also need a bit more information about the key, such as when it was created.

And so the JSON format is often used to view a key, and Google Tink is a good place to see this. With it we can define a symmetric key, give the key an ID, and then define the key type (as we can use a range of encryption methods). In the following we use an AES GCM key: [link]

{
"primaryKeyId": 1331912396,
"key": [{
"keyData": {
"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
"keyMaterialType": "SYMMETRIC",
"value": "GhBpskWWTrE27e2w67X4TzfS"
},
"outputPrefixType": "TINK",
"keyId": 1331912396,
"status": "ENABLED"
}]
}

The key is “GhBpskWWTrE27e2w67X4TzfS”. The hexadecimal format is:

1A1069B245964EB136EDEDB0EBB5F84F37D2

which is 36 hex characters, or 144 bits. This gives 128 bits for the key itself, preceded by a 2-byte protobuf header (0x1A 0x10: the field tag and the 16-byte length) that describes how the key value is laid out.

For a MAC (Message Authentication Code), we use a shared secret key and then use this to check the authentication tag on the message [here]. Again in this case we are generating a 128-bit AES GCM key:

{
"primaryKeyId": 1331912396,
"key": [{
"keyData": {
"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
"keyMaterialType": "SYMMETRIC",
"value": "GhBpskWWTrE27e2w67X4TzfS"
},
"outputPrefixType": "TINK",
"keyId": 1331912396,
"status": "ENABLED"
}]
}

In digital signing, we use a key pair (a public key and a private key). The private key is used to sign a message, and the public key is then used to verify who signed it. In this case, we create an Elliptic Curve key pair on the sender side [link]:

{
"primaryKeyId": 438545957,
"key": [{
"keyData": {
"typeUrl": "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey",
"keyMaterialType": "ASYMMETRIC_PRIVATE",
"value": "Ek0SBggDEAIYAhohAP4v0pziVF9He/fn8BgApUHOu2Y1TkMcejrYC4U24M3xIiBAf0AIU72H5uVIP1S6ULGLaDf4td3/RIb4F58z2Md/khogJsuTDxaY/Q0CmENKlTQIOCXEZ+qvdAW0Rkvix6Wehl4="
},
"outputPrefixType": "TINK",
"keyId": 438545957,
"status": "ENABLED"
}]
}

We then extract the public key, which is used to verify the signature:

{
"primaryKeyId": 438545957,
"key": [{
"keyData": {
"typeUrl": "type.googleapis.com/google.crypto.tink.EcdsaPublicKey",
"keyMaterialType": "ASYMMETRIC_PUBLIC",
"value": "EgYIAxACGAIaIQD+L9Kc4lRfR3v35/AYAKVBzrtmNU5DHHo62AuFNuDN8SIgQH9ACFO9h+blSD9UulCxi2g3+LXd/0SG+BefM9jHf5I="
},
"outputPrefixType": "TINK",
"keyId": 438545957,
"status": "ENABLED"
}]
}

The hexadecimal format of this is 12060803100218021A2100FE2FD29CE2545F477BF7E7F01800A541CEBB66354E431C7A3AD80B8536E0CDF12220407F400853BD87E6E5483F54BA50B18B6837F8B5DDFF4486F8179F33D8C77F92, which is 154 hexadecimal characters (616 bits: a 512-bit public key plus a few extra bytes that define the format of the key).
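The framing described above (an 18-byte AES-GCM value with a 2-byte header, and a 77-byte ECDSA public key made of a parameters sub-message plus the x and y coordinates) can be checked directly. The following is an added Go example, not code from the page and not part of Tink; it takes the two keysets printed above (re-quoted with straight quotes), base64-decodes the primary key's value, walks the serialized protobuf fields with a schema-less parser, and computes the 5-byte prefix (0x01 followed by the big-endian key id) that Tink prepends to every output of a key whose outputPrefixType is TINK. The Keyset struct, the Field type and the function names are my own; the reading of the parameter enums (hash 3 = SHA256, curve 2 = NIST_P256, encoding 2 = DER) follows Tink's ecdsa.proto.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed inputs: the two keysets printed on the page, with straight quotes.
const aesGcmKeyset = `{"primaryKeyId": 1331912396, "key": [{"keyData": {
 "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey", "keyMaterialType": "SYMMETRIC",
 "value": "GhBpskWWTrE27e2w67X4TzfS"}, "outputPrefixType": "TINK", "keyId": 1331912396, "status": "ENABLED"}]}`

const ecdsaPublicKeyset = `{"primaryKeyId": 438545957, "key": [{"keyData": {
 "typeUrl": "type.googleapis.com/google.crypto.tink.EcdsaPublicKey", "keyMaterialType": "ASYMMETRIC_PUBLIC",
 "value": "EgYIAxACGAIaIQD+L9Kc4lRfR3v35/AYAKVBzrtmNU5DHHo62AuFNuDN8SIgQH9ACFO9h+blSD9UulCxi2g3+LXd/0SG+BefM9jHf5I="},
 "outputPrefixType": "TINK", "keyId": 438545957, "status": "ENABLED"}]}`

// Keyset mirrors the JSON layout shown on the page (only the fields this example reads).
type Keyset struct {
	PrimaryKeyID uint32 `json:"primaryKeyId"`
	Key          []struct {
		KeyData struct {
			TypeURL string `json:"typeUrl"`
			Value   string `json:"value"` // base64 of a serialized protobuf message
		} `json:"keyData"`
		OutputPrefixType string `json:"outputPrefixType"`
		KeyID            uint32 `json:"keyId"`
	} `json:"key"`
}

// Field is one top-level protobuf field: wire type 0 fills Varint, wire type 2 fills Bytes.
type Field struct {
	Number, WireType int
	Varint           uint64
	Bytes            []byte
}

// parseProtoFields walks a serialized protobuf message without a schema. Tink key messages
// use only varints (version, enums) and length-delimited fields (key bytes, sub-messages),
// so any other wire type is an error rather than something to guess at.
func parseProtoFields(msg []byte) ([]Field, error) {
	var fields []Field
	for i := 0; i < len(msg); {
		tag, n := binary.Uvarint(msg[i:])
		if n <= 0 {
			return nil, fmt.Errorf("bad tag at offset %d", i)
		}
		val, m := binary.Uvarint(msg[i+n:]) // the varint value, or the length of a byte field
		if m <= 0 {
			return nil, fmt.Errorf("truncated field at offset %d", i)
		}
		f := Field{Number: int(tag >> 3), WireType: int(tag & 7), Varint: val}
		i += n + m
		switch f.WireType {
		case 0: // varint: already read
		case 2:
			if val > uint64(len(msg)-i) {
				return nil, fmt.Errorf("field %d: length %d exceeds message", f.Number, val)
			}
			f.Bytes, f.Varint = msg[i:i+int(val)], 0
			i += int(val)
		default:
			return nil, fmt.Errorf("unsupported wire type %d for field %d", f.WireType, f.Number)
		}
		fields = append(fields, f)
	}
	return fields, nil
}

// decodeKeyValue parses a keyset, base64-decodes the primary key's value and returns the
// raw bytes plus their upper-case hex, the form the page prints.
func decodeKeyValue(keysetJSON string) ([]byte, string, error) {
	var ks Keyset
	if err := json.Unmarshal([]byte(keysetJSON), &ks); err != nil {
		return nil, "", err
	}
	for _, k := range ks.Key {
		if k.KeyID != ks.PrimaryKeyID {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(k.KeyData.Value)
		if err != nil {
			return nil, "", err
		}
		return raw, strings.ToUpper(hex.EncodeToString(raw)), nil
	}
	return nil, "", fmt.Errorf("primary key %d not found in keyset", ks.PrimaryKeyID)
}

// tinkOutputPrefix is the 5-byte prefix Tink places in front of every ciphertext, MAC or
// signature made with a TINK-prefixed key: 0x01 followed by the big-endian key id. It is
// what lets a verifier pick the right key out of a keyset with several keys.
func tinkOutputPrefix(keyID uint32) []byte {
	p := []byte{0x01, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(p[1:], keyID)
	return p
}

func main() {
	for _, ks := range []string{aesGcmKeyset, ecdsaPublicKeyset} {
		raw, hx, err := decodeKeyValue(ks)
		if err != nil {
			panic(err)
		}
		fields, err := parseProtoFields(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d bytes (%d bits): %s\n", len(raw), len(raw)*8, hx)
		for _, f := range fields {
			fmt.Printf("  field %d wire %d: varint %d, %d bytes\n", f.Number, f.WireType, f.Varint, len(f.Bytes))
		}
	}
	fmt.Printf("TINK output prefix for key 1331912396: %X\n", tinkOutputPrefix(1331912396))
}
```

For the AES-GCM value this prints a single field 3 of 16 bytes, which is the raw 128-bit key; for the ECDSA public key it prints field 2 (6 bytes of parameters), field 3 (33 bytes: x with a leading 0x00 sign byte) and field 4 (32 bytes: y). Parsing the 6-byte parameters with the same function gives three varints, 3, 2 and 2, which is where the page's "a few extra bytes to define the format" live.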

And in many applications, we use a hybrid approach, where we protect the symmetric key with a key pair. In the following we use ECIES: we create a symmetric key and protect it with the public key [link], and the private key is then used to decrypt the symmetric key:

{
"primaryKeyId": 1992984960,
"key": [{
"keyData": {
"typeUrl": "type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey",
"keyMaterialType": "ASYMMETRIC_PUBLIC",
"value": "EkQKBAgCEAMSOhI4CjB0eXBlLmdvb2dsZWFwaXMuY29tL2dvb2dsZS5jcnlwdG8udGluay5BZXNHY21LZXkSAhAQGAEYARohAOaHVTjvjhpGaHv5mhuXz3Nc+Mb7RE5sMyAsv7YCB8UjIiAOaSLbqRE7ddVM14kWiNoPWB/U2MNluwLlAjw39zwAlw=="
},
"outputPrefixType": "TINK",
"keyId": 1992984960,
"status": "ENABLED"
}]
}

And there's a method that allows you to authenticate your encryption using additional data, such as the sequence number of a data packet or the TCP port used. This is named authenticated encryption with associated data (AEAD), and here is an example key for AES-SIV [here]:

{
"primaryKeyId": 1428191678,
"key": [{
"keyData": {
"typeUrl": "type.googleapis.com/google.crypto.tink.AesSivKey",
"keyMaterialType": "SYMMETRIC",
"value": "EkAFkhmlhYkmClmpz/vGzojJVgA/IQIMSty7rL8TXxyu9m/W0ZtzCddmSLFj7r8V/R0CywJ89KxdMVzdR+GDQH2w"
},
"outputPrefixType": "TINK",
"keyId": 1428191678,
"status": "ENABLED"
}]
}
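What "authenticating with associated data" means in practice is easiest to see in running code. The following is an added Go example, not code from the page and not part of Tink. It uses the Go standard library's AES-GCM (the cipher of the page's first keyset, since the standard library has no AES-SIV) with the 128-bit key carried in that keyset, and shows that a receiver who presents different associated data, or a ciphertext with a flipped bit, gets an error and no plaintext: that is what binds a sequence number or port to the ciphertext without encrypting it. The seal and open function names and the sample plaintext and associated data are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// The 128-bit key carried in the page's AES-GCM keyset: the 16 bytes that follow the
// 2-byte protobuf header (1A10) in 1A1069B245964EB136EDEDB0EBB5F84F37D2.
var aesGcmKey, _ = hex.DecodeString("69B245964EB136EDEDB0EBB5F84F37D2")

// seal encrypts plaintext and computes the tag over both the ciphertext and the associated
// data. The associated data is neither encrypted nor included in the output; the receiver
// is expected to know it (for example, from the packet header). A fresh random 12-byte
// nonce is prepended so that open can recover it.
func seal(key, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// open verifies the tag against the ciphertext and the associated data the receiver
// expects, and only then decrypts. A mismatch in either yields an error and no plaintext.
func open(key, sealed, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short to hold a nonce and a tag")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, associated)
}

func main() {
	// Constructed sample: the associated data stands in for a packet sequence number.
	aad := []byte("seq=42")
	sealed, err := seal(aesGcmKey, []byte("payload"), aad)
	if err != nil {
		panic(err)
	}
	if pt, err := open(aesGcmKey, sealed, aad); err == nil {
		fmt.Printf("same associated data: decrypted %q\n", pt)
	}
	if _, err := open(aesGcmKey, sealed, []byte("seq=43")); err != nil {
		fmt.Println("different associated data: rejected:", err)
	}
}
```

Because the tag covers the associated data, a replayed packet whose sequence number has been altered, or a message delivered on a different port than the sender bound it to, fails to open even though the ciphertext bytes are untouched.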

So there you go, your encryption keys can be viewed in JSON. Nice!