Tink keys consist of both key material and metadata. The section on tagging
ciphertexts explains how Tink also allows ciphertexts to be prefixed with a
5-byte string derived from the ID, which means that the key also depends on
the ID it has in the keyset.
Therefore, to create a new key, Tink uses in general the following ingredients:
An object describing all parameters
The ID of the new key
Uniform, cryptographically secure randomness
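The sketch below is an added example, not Tink's own code. It builds an HMAC key from the three ingredients above using only the Python standard library, and shows that two keys with identical key material but different IDs do not verify each other's tags. The class and function names are hypothetical, and the prefix layout (byte 0x01 followed by the 4-byte big-endian ID) is an assumption about how the 5-byte string is derived.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class HmacParameters:  # hypothetical name, not a Tink class
    key_size_bytes: int
    hash_name: str       # hashlib name, e.g. "sha256"
    tag_size_bytes: int  # output length after truncation
    id_prefix: bool      # True: outputs carry the 5-byte prefix derived from the ID

@dataclass(frozen=True)
class HmacKey:  # full key = parameters + key material + ID
    parameters: HmacParameters
    key_bytes: bytes
    key_id: int

def create_key(params, key_id, randomness=secrets.token_bytes):
    """Build a key from the three ingredients: parameters, ID, randomness."""
    digest_size = hashlib.new(params.hash_name).digest_size
    if params.key_size_bytes < 1 or not 1 <= params.tag_size_bytes <= digest_size:
        raise ValueError("invalid key or tag length for " + params.hash_name)
    if not 0 <= key_id < 2**32:
        raise ValueError("key ID must fit in 4 bytes")
    return HmacKey(params, randomness(params.key_size_bytes), key_id)

def output_prefix(key):
    # Assumed layout: version byte 0x01 followed by the ID, big-endian.
    if not key.parameters.id_prefix:
        return b""
    return b"\x01" + key.key_id.to_bytes(4, "big")

def compute_mac(key, data):
    tag = hmac.new(key.key_bytes, data, key.parameters.hash_name).digest()
    return output_prefix(key) + tag[: key.parameters.tag_size_bytes]

def verify_mac(key, mac, data):
    # Constant-time comparison; a tag made under another ID fails on the prefix.
    return hmac.compare_digest(mac, compute_mac(key, data))

if __name__ == "__main__":
    params = HmacParameters(32, "sha256", 16, id_prefix=True)
    fixed = lambda n: b"\x11" * n  # constructed, non-random input for the demo only
    a = create_key(params, 0x01020304, fixed)
    b = create_key(params, 0x01020305, fixed)  # same key material, different ID
    mac = compute_mac(a, b"message")
    print(mac[:5].hex(), verify_mac(a, mac, b"message"), verify_mac(b, mac, b"message"))
```
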
Example
Consider for example HMAC (RFC 2104).
To specify an HMAC computation in Tink, one needs to provide the following
information, which forms the key:
Last updated 2024-11-14 UTC.