So What Does A Modern Encryption Key Look Like?
So what does an encryption key look like these days? Well, it depends on whether you're a computer or a human. For a computer it is just a bunch of 1’s and 0’s, but we humans are not so good at interpreting binary. We also need a bit more information about the key, such as when it was created.
And so the JSON format is often used to view a key, and Google Tink is a great place to view the key. With this we can define a symmetric key, where we give the key an ID and then define the key type (as we can use a range of encryption methods). In the following we use an AES GCM key:
{ "primaryKeyId": 1331912396, "key": [{ "keyData": { "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey", "keyMaterialType": "SYMMETRIC", "value": "GhBpskWWTrE27e2w67X4TzfS" }, "outputPrefixType": "TINK", "keyId": 1331912396, "status": "ENABLED" }]}
The key is “GhBpskWWTrE27e2w67X4TzfS”. The hexadecimal format is:
1A1069B245964EB136EDEDB0EBB5F84F37D2
which is 36 hex characters, or 144 bits. This gives 128 bits for the key, and a few extra bits for some parameters.
For a MAC (Message Authentication Code), we use a shared secret key, and can then use this to check the signature of the message:
{ "primaryKeyId": 1331912396, "key": [{ "keyData": { "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey", "keyMaterialType": "SYMMETRIC", "value": "GhBpskWWTrE27e2w67X4TzfS" }, "outputPrefixType": "TINK", "keyId": 1331912396, "status": "ENABLED" }]}
In digital signing, we use a key pair (a public key and a private key). The private key is used to sign a message, and the public key then proves the signer. In this case we create an Elliptic Curve key pair on the sender side:
{ "primaryKeyId": 438545957, "key": [{ "keyData": { "typeUrl": "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey", "keyMaterialType": "ASYMMETRIC_PRIVATE", "value": "Ek0SBggDEAIYAhohAP4v0pziVF9He/fn8BgApUHOu2Y1TkMcejrYC4U24M3xIiBAf0AIU72H5uVIP1S6ULGLaDf4td3/RIb4F58z2Md/khogJsuTDxaY/Q0CmENKlTQIOCXEZ+qvdAW0Rkvix6Wehl4=" }, "outputPrefixType": "TINK", "keyId": 438545957, "status": "ENABLED" }]}
We then extract the public key to prove the signing:
{ "primaryKeyId": 438545957, "key": [{ "keyData": { "typeUrl": "type.googleapis.com/google.crypto.tink.EcdsaPublicKey", "keyMaterialType": "ASYMMETRIC_PUBLIC", "value": "EgYIAxACGAIaIQD+L9Kc4lRfR3v35/AYAKVBzrtmNU5DHHo62AuFNuDN8SIgQH9ACFO9h+blSD9UulCxi2g3+LXd/0SG+BefM9jHf5I=" }, "outputPrefixType": "TINK", "keyId": 438545957, "status": "ENABLED" }]}
The hexadecimal format of this is 12060803100218021A2100FE2FD29CE2545F477BF7E7F01800A541CEBB66354E431C7A3AD80B8536E0CDF12220407F400853BD87E6E5483F54BA50B18B6837F8B5DDFF4486F8179F33D8C77F92, which is 154 hexadecimal characters (616 bits, which is made up of a 512 bit public key and a few extra bytes to define the format of the key).
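The extra bits in the AES GCM hex dump and the extra bytes in the ECDSA public key hex dump above are protobuf framing, as each "value" field is a base64-encoded serialized protobuf message. The following is an added example (not from the original article or from the Tink project) that decodes the AES GCM keyset and the ECDSA public key value shown above with a small hand-written wire-format parser. The function names are this example's own, and the field meanings in the comments are assumed from Tink's .proto definitions.

```python
import base64
import json

# Values copied from this page. Field meanings are assumed from Tink's .proto
# files: AesGcmKey 3=key_value; EcdsaPublicKey 2=params, 3=x, 4=y.
AES_KEYSET = '''{"primaryKeyId": 1331912396, "key": [{"keyData": {
  "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
  "keyMaterialType": "SYMMETRIC", "value": "GhBpskWWTrE27e2w67X4TzfS"},
  "outputPrefixType": "TINK", "keyId": 1331912396, "status": "ENABLED"}]}'''
ECDSA_PUB_VALUE = ("EgYIAxACGAIaIQD+L9Kc4lRfR3v35/AYAKVBzrtmNU5DHHo62AuFNuDN8SIg"
                   "QH9ACFO9h+blSD9UulCxi2g3+LXd/0SG+BefM9jHf5I=")

def read_varint(buf, pos):
    """Decode a protobuf base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated varint")

def parse_fields(buf):
    """Split a serialized message into (field_number, value) pairs."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited bytes
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length runs past end of value")
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((number, value))
    return fields

def decode_keyset(keyset_json):
    """Return [(typeUrl, parsed fields)] for each key in a Tink JSON keyset."""
    return [(k["keyData"]["typeUrl"],
             parse_fields(base64.b64decode(k["keyData"]["value"])))
            for k in json.loads(keyset_json)["key"]]

if __name__ == "__main__":
    print(decode_keyset(AES_KEYSET), parse_fields(base64.b64decode(ECDSA_PUB_VALUE)))
```

The AES GCM value decodes to a single field 3 holding the 16 raw key bytes, preceded by the two framing bytes 1A 10, so the JSON keyset carries the key itself in readable form (base64 is an encoding, not protection). The ECDSA public key splits into a 6-byte parameter block, a 33-byte x coordinate with a leading zero byte, and a 32-byte y coordinate.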
And in many applications, we use a hybrid approach, where we can protect the symmetric key with a key pair. In the following we create a symmetric key and use ECIES encryption with the public key to protect it. The private key is then used to decrypt the symmetric key:
{ "primaryKeyId": 1992984960, "key": [{ "keyData": { "typeUrl": "type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey", "keyMaterialType": "ASYMMETRIC_PUBLIC", "value": "EkQKBAgCEAMSOhI4CjB0eXBlLmdvb2dsZWFwaXMuY29tL2dvb2dsZS5jcnlwdG8udGluay5BZXNHY21LZXkSAhAQGAEYARohAOaHVTjvjhpGaHv5mhuXz3Nc+Mb7RE5sMyAsv7YCB8UjIiAOaSLbqRE7ddVM14kWiNoPWB/U2MNluwLlAjw39zwAlw==" }, "outputPrefixType": "TINK", "keyId": 1992984960, "status": "ENABLED" }]}
So there you go, your encryption keys can be viewed in JSON. Nice!