Tink keys consist of both key material and metadata. The section on tagging ciphertexts explains that Tink can also prefix ciphertexts with a 5-byte string derived from the ID, which means that the key also depends on the ID it has in the keyset.
Therefore, to create a new key, Tink generally uses the following ingredients:
- An object describing all parameters
- The ID of the new key
- Uniform, cryptographically secure randomness
Example
Consider, for example, HMAC (RFC 2104). To specify an HMAC computation in Tink, one needs to provide the following information, which together forms the key:
- The key material of HMAC.
- The hash function to be used.
- The output length of the HMAC (see RFC 2104, Section 5) - if truncated.
- The Tink-specific prefix with which every tag starts (if any).
The corresponding parameters consist of all this information, except the actual key material. More specifically:
- The length of the key material.
- The hash function used.
- The output length of the HMAC - if truncated.
- A specification of how to find the prefix from the ID.
Together with the key material and the ID, this forms the full key. See also more details on how these objects are implemented.
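The HMAC example above can be modelled in a few lines. This is an added sketch, not Tink's API or implementation: `HmacParameters`, `HmacKey`, `create_key`, `compute_tag` and `verify_tag` are hypothetical names, and the prefix layout (a `0x01` byte followed by the 4-byte big-endian ID) is an assumption used to show how the tag depends on the ID.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HmacParameters:
    """Everything that describes the key except key material and ID."""
    key_size_bytes: int
    hash_name: str       # e.g. "sha256"
    tag_size_bytes: int  # output length after truncation
    variant: str         # "TINK" (5-byte prefix) or "NO_PREFIX"

    def __post_init__(self):
        # RFC 2104, Section 5 advises against tags shorter than 80 bits.
        if not 10 <= self.tag_size_bytes <= hashlib.new(self.hash_name).digest_size:
            raise ValueError("unsupported tag length")

@dataclass(frozen=True)
class HmacKey:
    """Full key: parameters + key material + ID."""
    parameters: HmacParameters
    key_material: bytes
    key_id: Optional[int]  # None when no prefix is used

    def output_prefix(self) -> bytes:
        if self.parameters.variant == "NO_PREFIX":
            return b""
        # Assumed layout: 0x01 followed by the 4-byte big-endian ID.
        return b"\x01" + self.key_id.to_bytes(4, "big")

def create_key(params, key_id, randomness=secrets.token_bytes):
    """Combine the three ingredients: parameters, ID, secure randomness."""
    if (params.variant == "NO_PREFIX") != (key_id is None):
        raise ValueError("an ID is required exactly when a prefix is used")
    return HmacKey(params, randomness(params.key_size_bytes), key_id)

def compute_tag(key, data):
    mac = hmac.new(key.key_material, data, key.parameters.hash_name).digest()
    return key.output_prefix() + mac[: key.parameters.tag_size_bytes]

def verify_tag(key, tag, data):
    # Constant-time comparison over prefix and truncated MAC together.
    return hmac.compare_digest(compute_tag(key, data), tag)
```

Two keys with identical parameters and key material but different IDs produce tags that do not verify under each other, which is why the ID is part of the key.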