Score:1

What qualifies as a key?


For my own project and the fun of it I have created an algorithm that turns plain text into cipher by interacting between entered text and a given password. My question is, in this instance, does the password count as what is known as a key, or is a key something entirely different?

DannyNiu
A [post from meta](https://crypto.meta.stackexchange.com/q/1481/36960) recommended for new people designing cryptosystems.
Score:1

Usually, in modern cryptography, the key is randomized within a specific domain. For symmetric encryption, for instance, the key consists of 128 to 256 random bits, which is the minimum number of bits to get (close to) 128 to 256 bits of security. An RSA private key on the other hand is created from 2 or more randomly chosen prime numbers.

For classical ciphers the key space commonly consists of a number of specific symbols making up an alphabet. The English ABC is one of these alphabets. However, unless the password was generated at random, it is still probably best to think of it as a password. The reason for this is that a non-randomly chosen password has less strength than expected from a key of the same size. I'd not be surprised that in the classical sense the term key and password were used interchangeably (but I'm not a historian).

In modern cryptography we have algorithms called password-based key derivation functions (or, more simply, password hashes) that create a key from a password. Those are generally needed to create a more secure key from the password. Of course, if the password is really weak then such a PBKDF can only do so much.

Both passwords and (symmetric) keys can be considered secrets, in case you are looking for a common term. So no, a key is not something entirely different.

vquest
Thanks. I'm not really looking for a common term as such. I'm wondering where it stands legally. The US Encryption Export laws come into play when selling software if a key is greater than a 56-bit key. If a password doesn't constitute a key, then it doesn't come into play. As you say, a humanly made-up password is nowhere near as secure as a generated key, but that might not mean anything in regards to the law.
Maarten Bodewes
Well, IANAL, but as this seems to be made to create a cipher and used to provide confidentiality I would probably err on the safe side. Note that questions about legality are considered off topic here (as IANAL counts for most if not all of our user base).
SAI Peregrinus
https://www.bis.doc.gov/index.php/documents/new-encryption/1654-flowchart1/file Choice 1 (the item is publicly available source code) plus [Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle) means that most real-world cryptography these days isn't subject to the export restriction, if (and only if) the appropriate report notice is filed with the BIS and NSA. IANAL, and I am not YOUR lawyer, so this is not legal advice. Avoid secret algorithms, they're almost never secure and mean you need to fill out much more paperwork.
vquest
Thanks again, Maarten. I'm not really looking for legal opinion. I'm just trying to clarify what's what in my own mind. I think I can safely say that the password is a key. Whether or not it's a 56-bit key is entirely down to the length then? I'm aware of the advice for people to not create their own algorithm, but I'm not trying to reinvent anything. I know that industrial-grade encryption is massively superior, but for its purpose I think that my algorithm will have its use. And the user will be able to use 256 AES encryption to back up too if they choose.
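
An added example, not part of the original answer or comments, of the password-based key derivation the answer describes: it derives a 256-bit key with PBKDF2 and estimates how many bits of attack cost the password actually supplies. The function names and the iteration count are assumptions made for this illustration, and the entropy figure is an upper bound that holds only for passwords generated uniformly at random.

```python
import hashlib
import math
import os

KEY_BITS = 256         # size of the derived symmetric key
ITERATIONS = 600_000   # PBKDF2 work factor; value assumed for this example


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a KEY_BITS-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BITS // 8)


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose symbols are drawn uniformly at random.
    A human-chosen password of the same length has less than this."""
    return length * math.log2(alphabet_size)


def effective_bits(password_bits: float, iterations: int = ITERATIONS,
                   key_bits: int = KEY_BITS) -> float:
    """Approximate attack cost in bits. Each password guess costs
    `iterations` hash calls, so stretching adds log2(iterations) bits,
    capped by the cost of brute-forcing the derived key directly."""
    return min(float(key_bits), password_bits + math.log2(iterations))


if __name__ == "__main__":
    salt = os.urandom(16)  # stored next to the ciphertext; not secret
    key = derive_key("correct horse battery staple", salt)  # constructed sample
    print(f"derived key: {len(key) * 8} bits, {key.hex()[:16]}...")
    # Constructed cases: (description, length, alphabet size)
    for desc, n, a in [("8 random lowercase letters", 8, 26),
                       ("12 random printable ASCII", 12, 94),
                       ("64 random printable ASCII", 64, 94)]:
        pw = random_password_bits(n, a)
        print(f"{desc}: {pw:.1f} bits -> ~{effective_bits(pw):.1f} bits effective")
```

The derived key is always 256 bits long, but its strength is bounded by the password that produced it, which is why key length alone does not describe the security of a password-derived key.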