Stay organized with collections
Save and categorize content based on your preferences.
Tink keys consist of both key material and metadata. The
section on tagging ciphertexts
explains how Tink also
allows to prefix ciphertexts with a 5-byte string derived from the ID, which
means that the key also depends on the ID it has in the keyset.
Therefore, to create a new key, Tink uses in general the following ingredients:
An object describing all parameters
The ID of the new key
Uniform, cryptographically secure randomness
Example
Consider for example HMAC (RFC 2014).
To specify an HMAC computation in Tink, one needs to provide the following
information, which form the key:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eTink keys comprise key material and metadata, including parameters like hash function and output length, but exclude key material randomness and key ID.\u003c/p\u003e\n"],["\u003cp\u003eCreating a new key in Tink involves using parameters, a unique key ID, and cryptographically secure random data.\u003c/p\u003e\n"],["\u003cp\u003eKey parameters in Tink encompass information used for key creation, such as hash function, output length, and key material length, but exclude the actual key material.\u003c/p\u003e\n"],["\u003cp\u003eA complete Tink key combines its parameters, key material, and a unique ID, enabling secure cryptographic operations.\u003c/p\u003e\n"]]],["Tink keys comprise key material and metadata, including a prefix derived from the key ID. To create a key, Tink uses parameters, the key's ID, and randomness. Key parameters consist of information used to create the key, excluding the key material and ID. For HMAC, parameters include key material length, hash function, output length (if truncated), and how to derive the prefix from the ID. These parameters, with the key material and ID, define the full key.\n"],null,["| In Tink, the **parameters** of a key consist of the information which was used to create the key. This does not include the *key material randomness* and the *key ID*.\n\nTink [keys](/tink/design/keys) consist of both key material and metadata. The\nsection on tagging ciphertexts\n[explains](/tink/design/keysets#key_identifiers_in_ciphertexts) how Tink also\nallows to prefix ciphertexts with a 5-byte string derived from the ID, which\nmeans that the key also depends on the ID it has in the keyset.\n\nTherefore, to create a new key, Tink uses in general the following ingredients:\n\n- An object describing all **parameters**\n- The ID of the new key\n- Uniform, cryptographically secure randomness\n\nExample\n\nConsider for example HMAC ([RFC 2014](https://www.rfc-editor.org/rfc/rfc2104)).\nTo specify an HMAC computation in Tink, one needs to provide the following\ninformation, which form the key:\n\n- The key material of HMAC.\n- The hash function to be used.\n- The output length of the HMAC (see ([RFC 2014, Section\n 5](https://www.rfc-editor.org/rfc/rfc2104#section-5))) - if truncated.\n- The Tink specific [prefix with which every tag\n starts](/tink/design/keysets#tagging_ciphertexts) (if any).\n\nThe corresponding parameters consist of all this information, except the actual\nkey material. More specifically:\n\n- The length of the key material.\n- The hash function used.\n- The output length of the HMAC - if truncated.\n- A specification of how to find the prefix from the ID.\n\nTogether with the key material and the ID, this forms the full key. See also\nmore details on how these objects are [implemented](/tink/design/key_objects)."]]
