I am reading specifications from my client that focuses on the topic of security. In these specs, the term key material has appeared many times.
I used Google to look for what the term means. Unfortunately few posts explain what it means.
What is the difference between key and key material, if any?
Key material is the “mathematical” key, as opposed to metadata about the key such as the key type, its name in a database, its usage policy, etc.
In the context of key management, and in particular of programming interfaces that manipulate cryptographic keys, the term key can mean multiple things. It can refer to the actual bytes or numbers that are used in cryptographic computations: this is key material. It can also refer to the name (or label, identifier, index, …) of a cryptographic key in a key storage database. It can refer to an object in a system which supports requests such as “encrypt” and “decrypt”, and which may have associated metadata such as the key type (“this is an AES key”) and usage policies (“this key may only be used for AES-GCM, only on Tuesdays and only by users with the Grand Vizir privilege”).
In the context of information security, key material is the aspect of a key that requires especially confidential storage. Typically, the metadata about a key has low sensitivity and can be stored, manipulated and displayed with ordinary precautions. Key material (except for public keys) is more sensitive and requires additional precautions: avoid storing copies in a cache, require additional authentication before viewing or extracting, refuse copying to unencrypted storage, etc.
For example, the top Google hit for “key material” for me right now is “Importing key material in AWS Key Management Service”.
An AWS KMS customer master key (CMK) is a logical representation of a master key. In addition to the CMK identifiers and other metadata, a CMK contains the key material used to encrypt and decrypt data.
When you create a CMK in AWS, you have a choice of letting AWS generate the key material randomly, or importing your own key material. In either case, you pass metadata such as identifiers as parameters to the key creation request.
Another example: PKCS#11 does not consistently use the term “key material”, but it uses it (without a formal definition) in the context of key objects. For an RSA private key, the key material consists of the (RSA-specific) attributes modulus, public exponent, private exponent, etc. For a secret key, the key material is a single byte array which PKCS#11 calls “key value”. Other key attributes, such as the key type, start and end date, usage policies “derive”, “encrypt”, “verify”, etc. are key metadata, not key material.
If you have a smartcard containing a decryption key, and you know the PIN that allows you to use the smartcard, then you have access to the key, in the sense that you can use the key for its intended purpose. But unless the smartcard is configured to allow extracting the key, you don't have access to the key material itself: only the smartcard has the key material.
It is impossible to give a definitive answer given missing context, I believe however I can provide some useful information from my own lecture of cryptography-related literature.
As I believe most people understand it, when the difference is made between a key and key material, the former refers to a cryptographic key in a given format as can be readily used by a given piece of cryptographic software, while the latter either refers to the key, but in a more generalized sense or to data, such as passphrases, shared secrets, pseudo-random or truly random from which the key may be derived. Key material might also refer to a set of related keys used within a particular system.
This question on Information Security Stack Exchange might also prove useful.
