Page Summary
- Tink is a cryptographic library that provides a consistent and safe way to perform cryptographic operations across multiple programming languages.
- It uses primitives such as AEAD, MAC and digital signatures to manage the underlying algorithms, and keysets to handle key management and rotation.
- Tink offers a choice of key types per primitive to balance security, performance, and size needs.
- Keysets are created and edited through each Tink implementation's API or, as recommended, with Tinkey, a command-line tool; the registry is the global entity that knows how to generate new keys and primitives.
- Plaintext and ciphertext are the data before and after encryption, respectively, and are fundamental concepts within cryptography.
Asymmetric key encryption: A cryptographic system that uses paired keys, a public key and a private key, to encrypt and decrypt data. Public keys are used to encrypt data and may be shared. Private keys are used to decrypt data and are known only to the owner.
Ciphertext: The result of encryption performed on plaintext using an algorithm. Ciphertext is not understandable until it has been converted back into plaintext using a key.
Consistency: Means that Tink behaves "the same" in all programming languages. For example, Tink provides evaluation consistency, which means that for a given keyset, if primitive creation succeeds in two languages, the primitives behave the same.
Key: A piece of information (for example, a string) required to encrypt or decrypt data. See Key objects for how they're represented.
Keyset & keyset handle: Tink uses keysets for managing keys. A keyset is essentially a set of keys that facilitate key rotation. Noteworthy properties of a keyset are:
- Each key in a keyset has an ID that is unique within that keyset. This ID is usually added as a prefix to each produced ciphertext, signature or tag to indicate which key was used (keys with the RAW output prefix type carry no such prefix; see how Tink tags ciphertexts for more info).
- Only one key at a time in a keyset is primary. The primary key is the key "in use" at the moment: it is the one used to produce new ciphertexts, signatures or tags.
- All the keys in a keyset must be implementations of the same primitive (such as AEAD), but they can have different key types (for example, an AES-GCM key and an XCHACHA20-POLY1305 key).
Each Tink implementation provides APIs to create or edit keysets. However, we recommend using Tinkey, our CLI tool.
Users operate over a keyset using keyset handles. A keyset handle limits the exposure of the actual sensitive key material. It also abstracts a keyset, allowing users to obtain a primitive that "wraps" the entire keyset. For example, you can get an AEAD primitive of a keyset with N keys; encryption with the obtained primitive then uses the primary key in the keyset, while decryption uses whichever key in the keyset the ciphertext's ID prefix identifies. This is what makes rotation possible: after a new primary is added, ciphertexts produced under the older keys still decrypt as long as those keys remain in the keyset.
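The keyset rotation flow described above, written as an added example in Tink Java; it is not code from the Tink documentation or the Tink project. It assumes Tink Java 1.10 or later (the KeysetHandle.Builder and PredefinedAeadParameters APIs) with the tink Maven artifact on the classpath; the class name, the keyIdFromPrefix helper, and the plaintext and associated data are the example's own constructions. It also shows how Parameters objects drive key generation and how the 0x01 TINK output prefix encodes the key ID that lets the wrapped primitive pick the right key on decryption.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

/** Added example (not Tink's own code): rotating an AEAD keyset through a KeysetHandle. */
public final class KeysetRotationExample {

  /**
   * Reads the 4-byte big-endian key ID that follows the 0x01 TINK prefix byte.
   * Hypothetical helper written for this example; RAW-prefixed keys produce no such prefix.
   */
  static int keyIdFromPrefix(byte[] ciphertext) {
    if (ciphertext.length < 5 || ciphertext[0] != 0x01) {
      throw new IllegalArgumentException("not a TINK-prefixed ciphertext");
    }
    return ((ciphertext[1] & 0xff) << 24)
        | ((ciphertext[2] & 0xff) << 16)
        | ((ciphertext[3] & 0xff) << 8)
        | (ciphertext[4] & 0xff);
  }

  public static void main(String[] args) throws GeneralSecurityException {
    AeadConfig.register(); // registers the AEAD key types with the global registry

    // Constructed sample input for the example.
    byte[] plaintext = "order 42: ship to warehouse 7".getBytes(StandardCharsets.UTF_8);
    byte[] associatedData = "order-id=42".getBytes(StandardCharsets.UTF_8);

    // Keyset v1: a single AES128-GCM key generated from a Parameters object; it is the primary.
    KeysetHandle v1 = KeysetHandle.newBuilder()
        .addEntry(KeysetHandle.generateEntryFromParameters(PredefinedAeadParameters.AES128_GCM)
            .withRandomId()
            .makePrimary())
        .build();
    Aead aeadV1 = v1.getPrimitive(Aead.class); // primitive wrapping the whole keyset
    byte[] oldCiphertext = aeadV1.encrypt(plaintext, associatedData);
    System.out.printf("v1 primary id %d, ciphertext tagged with id %d%n",
        v1.getPrimary().getId(), keyIdFromPrefix(oldCiphertext));

    // Keyset v2: keep the AES key, add an XCHACHA20-POLY1305 key and make it the new primary.
    // makePrimary() on the new entry clears the primary flag on the existing entry.
    KeysetHandle v2 = KeysetHandle.newBuilder(v1)
        .addEntry(KeysetHandle.generateEntryFromParameters(PredefinedAeadParameters.XCHACHA20_POLY1305)
            .withRandomId()
            .makePrimary())
        .build();
    Aead aeadV2 = v2.getPrimitive(Aead.class);

    // New encryptions use the new primary; the prefix now carries its ID.
    byte[] newCiphertext = aeadV2.encrypt(plaintext, associatedData);
    System.out.printf("v2 has %d keys, primary id %d, new ciphertext tagged with id %d%n",
        v2.size(), v2.getPrimary().getId(), keyIdFromPrefix(newCiphertext));

    // The v2 primitive still decrypts the old ciphertext: the prefix selects the AES key.
    byte[] recovered = aeadV2.decrypt(oldCiphertext, associatedData);
    System.out.println("old ciphertext decrypts under v2: " + Arrays.equals(recovered, plaintext));

    // Failure mode to watch for during rollout: a consumer still holding v1 has no
    // XCHACHA20-POLY1305 key, so it cannot decrypt anything produced under the new primary.
    try {
      aeadV1.decrypt(newCiphertext, associatedData);
      System.out.println("unexpected: v1 decrypted a v2 ciphertext");
    } catch (GeneralSecurityException e) {
      System.out.println("v1 cannot decrypt v2 ciphertext: " + e.getMessage());
    }
  }
}
```

The practical consequence is the usual rotation order: distribute the keyset that contains the new key to every decrypting party first, only then promote it to primary, and only remove the old key once no ciphertext tagged with its ID can still arrive.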
Key management system (KMS): A system used to manage cryptographic keys, including their generation, storage, use, rotation, destruction, and replacement.
Key type: A key type implements a specific primitive. Most primitives have several key types to choose from depending on your requirements for security, runtime, and space. For example, AES128_GCM is an AEAD that is fast and effective for most needs. See more at Supported key types by language.
Parameters: Fully describes the information required to create a key, excluding the key material and the key ID. See Parameters objects for how they're represented.
Plaintext: The intelligible input form of an encrypted text or of its elements.
Primitive: Tink uses primitives as cryptographic building blocks that manage an underlying algorithm so users can perform cryptographic tasks safely. A primitive defines the details of a cryptographic algorithm and the key type.
- See Choose a primitive for an overview of supported primitives and their use cases.
- See Supported primitives by language for compatibility information.
Registry: A global entity in Tink that knows how to generate new keys and primitives. Also see the guidance on debugging registration errors.
Symmetric key encryption: A cryptographic algorithm that uses the same key to encrypt plaintext and decrypt ciphertext.