What is a public-key fingerprint?


Public-key fingerprints help us to verify that public keys haven’t been tampered with. This is especially useful when the keys have been sent over an insecure channel. Before we dive in too deep on fingerprints, let’s take a quick step back and discuss public keys more generally.

What are public keys?

Public keys play a critical role in asymmetric encryption. A public key is the openly shareable component of a keypair. The other part is the private key, which is mathematically linked to the public key but must be kept secret by its owner. Because of the mathematical relationship that holds these two keys together, we can share the public key with anyone we wish to communicate with securely.

This allows us to solve the key distribution problem, which plagued us for the whole history of cryptography. In essence, if we wanted to communicate securely with someone, we already needed to have a secure channel through which we could share the symmetric key that would encrypt our communications. Often, this meant that we had to share the keys in person.

The invention of public-key cryptography changed everything, and it gave us a way to communicate securely with anyone in the world, even if we had never previously met and had no pre-existing secure channel.

What do we use public-key fingerprints for?

One of the main uses for public-key fingerprints is to verify keys that are sent over an insecure channel. It’s roughly analogous to how we verify software that we download over the Internet. Due to the threat of man-in-the-middle attacks (MITM), the developers will take a hash of the software’s code and post it publicly. Once we download the software, we can verify whether it is legitimate by producing our own hash from the code we downloaded. If this hash matches the one that the developer posted, then the software hasn’t been tampered with. If it doesn’t match, we should not trust the software.

One main benefit of public-key fingerprints is that they are substantially smaller than the keys themselves. As an example, NIST currently recommends a minimum of 2048-bit RSA keys for digital signatures and authentication. Even 4096-bit RSA keys are becoming more common. In certain situations, a hash of these large keys is easier to work with than the keys themselves, such as when you have to verify a key over the phone. It's much easier to read out and compare a 256-bit hash than a 2048- or 4096-bit key.

How are public-key fingerprints created?

In the case of an OpenPGP (the open standard derived from Pretty Good Privacy) Version 6 key, the public-key fingerprint is created by concatenating the following details for a given public key:

  • The 0x9B octet
  • 4-octet packet length
  • The entire public-key packet (this includes things like the version number, a timestamp, the algorithm used, and the key material)

This concatenation is then run through the SHA2-256 hash function to give us a 256-bit hash. This 256-bit hash is the public-key fingerprint.

Key IDs vs fingerprints

Another common term that you may come across is a key ID. While a key ID is similar to a public-key fingerprint, they are not cryptographically equivalent. In the case of an OpenPGP Version 6 key, the key ID is the high-order 64 bits of the fingerprint, not the entire 256-bit fingerprint. Because the key ID is just a 64-bit string, collisions are far more likely with the key ID than with the 256-bit public-key fingerprint. This means that key IDs should never be used in situations where a collision could be abused by an attacker.
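To make the v6 fingerprint construction and the fingerprint/key ID relationship concrete, here is an added example (not code from the original article) that builds a Version 6 Public-Key packet body, hashes it exactly as described above, derives the 64-bit key ID from the fingerprint, and compares a computed fingerprint against one obtained out of band. The packet layout and the Ed25519 algorithm ID follow RFC 9580; the key material, creation time and function names are constructed for illustration, not a real key.

```python
import hashlib
import hmac
import struct

# Constants from RFC 9580 (OpenPGP): the v6 fingerprint prefix octet and the
# public-key algorithm ID assigned to Ed25519.
V6_FINGERPRINT_PREFIX = b"\x9b"
ALGO_ED25519 = 27


def build_v6_public_key_packet(creation_time: int, algo_id: int, key_material: bytes) -> bytes:
    """Serialise the body of a version 6 Public-Key packet.

    Layout: version (1 octet, value 6) || creation time (4 octets, big-endian)
    || algorithm ID (1 octet) || key-material length (4 octets) || key material.
    """
    return (
        b"\x06"
        + struct.pack(">I", creation_time)
        + bytes([algo_id])
        + struct.pack(">I", len(key_material))
        + key_material
    )


def v6_fingerprint(packet_body: bytes) -> bytes:
    """SHA2-256 over 0x9B || 4-octet packet length || entire packet body."""
    preimage = V6_FINGERPRINT_PREFIX + struct.pack(">I", len(packet_body)) + packet_body
    return hashlib.sha256(preimage).digest()


def v6_key_id(fingerprint: bytes) -> bytes:
    """The v6 key ID is the high-order 64 bits (first 8 octets) of the fingerprint."""
    return fingerprint[:8]


def fingerprint_matches(computed: bytes, expected_hex: str) -> bool:
    """Compare a computed fingerprint with one read out of band (e.g. over the phone).

    Uses a constant-time comparison; a length mismatch simply yields False.
    """
    expected = bytes.fromhex(expected_hex.replace(" ", ""))
    return hmac.compare_digest(computed, expected)


# Constructed sample: a fake 32-octet Ed25519 public key (not a real key).
SAMPLE_KEY_MATERIAL = bytes(range(32))
SAMPLE_CREATION_TIME = 1_700_000_000

if __name__ == "__main__":
    body = build_v6_public_key_packet(SAMPLE_CREATION_TIME, ALGO_ED25519, SAMPLE_KEY_MATERIAL)
    fp = v6_fingerprint(body)
    print("fingerprint:", fp.hex())
    print("key ID     :", v6_key_id(fp).hex())
```

Changing a single octet of the key material produces an entirely different fingerprint, which is what lets the recipient detect a key swapped in transit.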


Cybersecurity and privacy writer.
