In many cryptographic libraries, a key is often identified only by a byte
sequence. Consider, for example, OpenSSL functions such as EVP_EncryptInit_ex,
which needs the IV in addition to the key bytes, or the javax.crypto method
Cipher.init, which takes both a key sequence and an AlgorithmParameterSpec.
Such functions are often difficult to use correctly, and passing the wrong
parameters can have serious consequences.

Tink aims to be different, and expects a key to always consist of both the key
material and the metadata (the parameters).

A full AEAD key, for example, specifies in exact detail how encryption and
decryption work: it specifies the two functions \(\mathrm{Enc}\) and
\(\mathrm{Dec}\), and how the ciphertext is encoded (e.g. initialization vector,
followed by the encryption, followed by the tag).

An AES key in Tink is not only a byte sequence of length 128, 192 or 256 bits;
it also stores the corresponding algorithm specifications needed to compute
the key, in the form of a parameters object. Hence, a full AES-EAX key and a
full AES-GCM key are different objects in Tink.
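
The following is an added example, not Tink's API and not code from the Tink project: a model of the idea above written against the Go standard library only. The names Parameters, FullKey and NewFullKey are hypothetical, and the IV length is assumed to be the 12 bytes of standard GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Hypothetical types: Parameters is what Enc/Dec need besides the secret
// bytes; FullKey is the AEAD built from material plus those parameters.
type Parameters struct{ KeySize, TagSize int }
type FullKey struct{ aead cipher.AEAD }

// NewFullKey rejects material whose length contradicts the parameters.
func NewFullKey(material []byte, p Parameters) (*FullKey, error) {
	if len(material) != p.KeySize {
		return nil, fmt.Errorf("material is %d bytes, parameters say %d", len(material), p.KeySize)
	}
	block, err := aes.NewCipher(material)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCMWithTagSize(block, p.TagSize)
	if err != nil {
		return nil, err
	}
	return &FullKey{aead}, nil
}

// Encrypt draws a fresh IV and emits IV || ciphertext || tag; Decrypt
// parses that same layout, so callers never handle an IV themselves.
func (k *FullKey) Encrypt(pt, aad []byte) ([]byte, error) {
	iv := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return k.aead.Seal(iv, iv, pt, aad), nil
}

func (k *FullKey) Decrypt(ct, aad []byte) ([]byte, error) {
	if n := k.aead.NonceSize(); len(ct) >= n {
		return k.aead.Open(nil, ct[:n], ct[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

func main() {
	fmt.Println(NewFullKey(make([]byte, 16), Parameters{24, 16})) // constructed mismatch
}
```

Two FullKey values built from identical bytes but different TagSize values cannot decrypt each other's ciphertexts, which is why the parameters have to be treated as part of the key rather than as call-site arguments.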
Last updated 2024-11-14 UTC.