This article is intended to be a simplified explanation sans drill-down for people wanting to understand these concepts/terms.
What are DEK, KEK and MEK/Master key?
DEK: Data Encryption Key
KEK: Key Encryption Key
Master Key: Generally will describe one of the two above keys, depending on the scheme in which it is implemented.
This type of encryption scheme is often used for secure storage. Microsoft Windows is known to use this type of encryption scheme to protect user credentials and other types of data that are secured for a user.
Microsoft generates a Key Encryption Key using the user's password. This KEK is then used to encrypt what they call the Master Key. The Master Key is really a Data Encryption Key. It will be used to encrypt any data that is put in the user's protected storage.
Key management for Full Disk Encryption will also work the same way. The FDE software will randomly generate a DEK, then use the user's password/keyfile/smart card to create a KEK in order to encrypt the DEK. This mechanism allows the user to change their password without having to decrypt and re-encrypt the entire volume. Instead, the DEK is just re-encrypted with the new KEK.
Master keys as you hear them used in SSL/TLS or SSH are different. Generally speaking, the shared secret will be mixed with a secure algorithm so that both parties can generate a Master Key. The Master Key is then used to generate the Encryption Keys, Integrity Keys, and Initialization Vectors for both sides of communication. Here is how those keys are derived for SSL/TLS.
This article is intended to be a simplified explanation sans drill-down for people wanting to understand the concept terms.
The terms are used in symmetric key cryptography.
DEK - Data Encryption Key: the key used to encrypt the data
e.g. Key: 1234 with AES 128 as encryption algorithm - 1234 is the DEK
KEK - Key Encryption Key
e.g. Encrypt (from DEK above) 1234 with 9999; 9999 is the KEK
Master Key or MEK - Master Encryption Key
This key is used to encrypt/decrypt DEK and KEK in transit; usually used for KEK not for DEK.
Imagine the scenario of a bank locker system where you have one key and the bank staff have another key; when the two are put together, your locker opens. Here the MEK is the bank staff's key and the DEK is your key.
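The DEK/KEK relationship described above for protected storage and full disk encryption, as an added example that is not code from the original page or from any product it mentions. The function names, the PBKDF2 iteration count and the sample data are assumptions, and the cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with a MAC) for the AES-GCM or AES key wrap a real system would use.

```python
import hashlib, hmac, os

def derive_kek(password, salt):
    # KEK: derived from the password on demand, never stored (iteration count is an example value).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 32)

def _subkeys(key):
    # Separate encryption and MAC keys derived from one input key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, n):
    # Stand-in cipher, not AES: HMAC-SHA256 over nonce||counter used as a keystream.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))

def create_volume(password, data):
    dek, salt = os.urandom(32), os.urandom(16)  # DEK is random, not password-derived
    return {"salt": salt, "wrapped_dek": seal(derive_kek(password, salt), dek),
            "data": seal(dek, data)}

def read_volume(vol, password):
    dek = unseal(derive_kek(password, vol["salt"]), vol["wrapped_dek"])
    return unseal(dek, vol["data"])

def change_password(vol, old, new):
    # Only the small wrapped-DEK header is rewritten; the bulk ciphertext is untouched.
    dek = unseal(derive_kek(old, vol["salt"]), vol["wrapped_dek"])
    salt = os.urandom(16)
    return {"salt": salt, "wrapped_dek": seal(derive_kek(new, salt), dek), "data": vol["data"]}

if __name__ == "__main__":
    vol = create_volume("old-pass", b"constructed sample data")
    vol2 = change_password(vol, "old-pass", "new-pass")
    print(vol2["data"] == vol["data"], read_volume(vol2, "new-pass"))
```

Because the DEK itself does not change, any retained copy of the old wrapped DEK still opens the data with the old password.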