1. In cryptography, the value needed to encrypt and/or decrypt something. It is usually a number or a short string less than 20 characters long. Contrast: People are confused as to the difference between a key and a password. A key is a large number whereas a password is simply a series of letters (and possibly digits and punctuation). Since cryptography only uses keys, the password is generally converted to a number through the use of an appropriate mathematical function, like a hash. Public/private keys present a special difficulty in that they contain extremely large, unwieldy numbers that are protected by a separate password. Contrast: There are two types of keys: symmetric keys use the same key for both encryption and decryption asymmetric (aka. public/private key) are produced in pairs, where one key encrypts, but a mirror key must be used to decrypt the message, and somebody with one key cannot figure out the other key. Contrast: A common question deals with the difference between 40-bit and 128-bit encryption in web browsers like Netscape. The answer is that the most obvious way to break the encryption and read the plain text is to simply try all possible keys. A 40-bit key has roughly one trillion (1,000,000,000,000) combinations. It could take your computer several weeks to try all these combinations. The implication: the average person only needs a few weeks to decrypt any message you send across the wire with a 40-bit browser, should they manage to sniff it from the wire. Every extra bit of key length means the key will take twice as long to crack. Therefore, if a system takes one week to crack a 40-bit key, it will take two weeks to crack a 41-bit key. Therefore, a 128-bit key will take 2^(128-40) times longer to crack than a 40-bit key (i.e. 309,485,009,821,345,068,724,781,056 times longer). Example: The following table shows the relative difficulty in cracking keys (circa year 2000). Bits Difficulty 8 paper and pencil (puzzle appears in Sunday paper) 16 tiny computer 32 your desktop computer 40 a few computers and a fair amount of time 56 custom hardware 64 distributed.net (a hundred thousand machine cranking away for a couple of years) 80 government agencies (NSA, CIA) 128 not crackable at the current time 256 quantum computers Key point: Moore's Law breaks all cryptosystems, eventually. This, and only this, is why DES has become obsolete. Note: 40-bit and 128-bit keys mean the RC4 algorithm used within web-browsers to talk to web servers via SSL. The U.S. restricts export of all software whose keys are greater than 40-bits in order to be able to spy on foreigners (ostensibly only in a military engagement). Key point: You can classify keys according to their lifetimes: In PKI, "session keys" are randomly generated and last only the lifetime of the connection. The public/private keys are used to exchange them so that people eavesdropping on the wire cannot figure out what they are. Longer term keys are often based upon a hash of a password and are explicitly generated by the user. An example would be a user who encrypts a file with a key. Key point: The Kerckhoff principle states that cryptography should be based upon the assumption that the enemy will discover all the details of your system. Therefore, all the security of the system should be held within the key. Not only that, the idea is that the details of the system should be actively published and publicized in the hopes that people will analyze the system, discover them, and publish the weaknesses before the enemy gets a chance to. All the best cryptosystems have been well published and analyzed in public forums. From Hacking-Lexicon