Score:1

How are cryptographic tokens and secret keys different?

cn flag

Can someone throw light on the differences between tokens and secret keys? I understand that "tokens" are crypto artefacts "introduced" into a system by an external party in order to authenticate whereas keys can be either generated on the device (for. eg a key pair in case of asymmetric cryptography & corresponding public key can be used externally to authenticate) or a secret symmetric key can be imported or generated on device and shared with an external party for authentication. Are tokens then "wrapped" secret keys? How are they structurally dfferent to keys( a string of random bits)?

Thanks

Paul Uszak avatar
cn flag
You specifically mean tokens in the sense of message authentication (MAC/HMAC)? A version 4 UUID is also a kinda token, and cryptographically generated too.
tweet avatar
cn flag
I was looking from a device authentication perspective
Score:0
vu flag

Are tokens then "wrapped" secret keys?

Tokens encode information needed to authenticate someone and/or authorize some action. These information are protected by a secret key, but public-key-based tokens aren't excluded.

At least that's how my organization use cryptographic tokens.

How are they structurally dfferent to keys (a string of random bits)?

Tokens are structured (i.e. having format), keys are unstructured (symmetric) or structured according to the algorithm (public-key).

tweet avatar
cn flag
IF symmetric key based tokens are used, then does it not restrict the device holding the token to be authenticated only by the party which also shares this secret? As in, from a security perspective it only makes sense to have a one-one authentication right? Probably the person who put the secret into the device is the only one who can authenticate it? I somehow think PKI would be behind such authentication and tokens should be "more" PKI based?? What application does a token have? Terminology wise tokens are only for authentication?
DannyNiu avatar
vu flag
@tweet Token can be either symmetric-key based or public-key based, this is an engineering choice, my organization just happen to choose symmetric key. Token have many applications, an exhausive listing would be overly verbose for this answer, authentication and authorization are the best-known applications of it.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.