PKF (Public Key Fingerprint)

A PKF (Public Key Fingerprint) is a short, unique hash derived from a public key, used to verify its authenticity and integrity.

What is a Public Key Fingerprint (PKF)?

A Public Key Fingerprint (PKF) is a cryptographic hash (digest) generated from a public key. It provides a concise and human-verifiable representation of the key, making it easier to compare, validate, and trust cryptographic identities. Instead of checking a long public key, users or systems compare fingerprints to ensure they are referring to the same key.

Why PKFs matter

PKFs are important because they:

  • Help verify the authenticity of public keys
  • Reduce the risk of man-in-the-middle (MitM) attacks
  • Enable secure key verification in distributed systems
  • Are easier to compare than full public keys
  • Support trust establishment without central authorities

PKFs are commonly used in secure communications and identity verification.

How a PKF is generated

A PKF is created by:

  1. Taking the raw public key
  2. Applying a cryptographic hash function (e.g., SHA-256)
  3. Producing a fixed-length fingerprint (hexadecimal or Base64)

Example (simplified): SHA-256(public_key) → fingerprint

The same public key will always produce the same fingerprint.

Common PKF formats

Public key fingerprints may be displayed as:

  • Hexadecimal strings
  • Base64-encoded values
  • Colon-separated hexadecimal byte pairs (legacy formats)

Modern systems typically use SHA-256-based fingerprints.
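The generation steps and the display formats above, carried through in code. This is an added example, not code from the original page: it encodes a constructed 32-byte Ed25519 public key in the SSH wire format (length-prefixed "string" fields, the encoding OpenSSH hashes when it prints a key fingerprint), runs SHA-256 over it, and renders the digest as plain hex, as the OpenSSH-style "SHA256:" unpadded Base64 form, and as colon-separated hex byte pairs. The key bytes are made up for the example; the function names are this example's own.

```python
import base64
import hashlib
import struct

# Constructed sample: 32 bytes standing in for an Ed25519 public key.
# Not a real key; any 32-byte value would do for the demonstration.
SAMPLE_ED25519_PUBKEY = bytes(range(32))


def ssh_wire_blob(key_type: str, raw_key: bytes) -> bytes:
    """Encode a public key as SSH wire-format 'string' fields (RFC 4253):
    each field is a 4-byte big-endian length followed by the bytes.
    This is the byte string OpenSSH fingerprints, not the raw key alone."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return ssh_string(key_type.encode("ascii")) + ssh_string(raw_key)


def fingerprint_digest(public_key: bytes, algorithm: str = "sha256") -> bytes:
    """Steps 1-2: hash the encoded public key with a named hash function.
    hashlib.new raises ValueError for an unknown algorithm name."""
    return hashlib.new(algorithm, public_key).digest()


def fingerprint_hex(public_key: bytes) -> str:
    """Step 3, hexadecimal form: 64 hex characters for SHA-256."""
    return fingerprint_digest(public_key).hex()


def fingerprint_base64(public_key: bytes) -> str:
    """Step 3, OpenSSH-style form: 'SHA256:' plus Base64 with the '=' padding removed."""
    b64 = base64.b64encode(fingerprint_digest(public_key)).decode("ascii")
    return "SHA256:" + b64.rstrip("=")


def fingerprint_colon_hex(public_key: bytes) -> str:
    """Step 3, legacy display form: colon-separated two-digit hex byte pairs."""
    return ":".join(f"{b:02x}" for b in fingerprint_digest(public_key))


if __name__ == "__main__":
    blob = ssh_wire_blob("ssh-ed25519", SAMPLE_ED25519_PUBKEY)
    print("hex:      ", fingerprint_hex(blob))
    print("openssh:  ", fingerprint_base64(blob))
    print("colon-hex:", fingerprint_colon_hex(blob))
    # The same encoded key always yields the same fingerprint.
    again = ssh_wire_blob("ssh-ed25519", SAMPLE_ED25519_PUBKEY)
    assert fingerprint_hex(blob) == fingerprint_hex(again)
```

All three strings are the same 32-byte digest in different clothing; two parties comparing fingerprints must agree on both the hash function and the encoding of the key that was hashed, otherwise identical keys appear to mismatch.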

PKF vs certificate fingerprint

These concepts are related but distinct:

  • Public Key Fingerprint (PKF): hash of the public key only
  • Certificate fingerprint: hash of the entire certificate

A certificate change may alter the certificate fingerprint while the PKF remains the same if the public key is unchanged.

PKF in real-world use

PKFs are commonly used in:

  • SSH key verification (first connection trust prompts)
  • TLS certificate pinning and validation
  • PGP and secure email systems
  • Secure messaging and key exchange
  • DevOps and infrastructure automation

They are often exchanged out-of-band to establish trust.

Security considerations

While a PKF is a sound way to represent a key, its security rests on how it is used:

  • Users must verify fingerprints through trusted channels
  • Weak or deprecated hash algorithms should be avoided
  • Fingerprints do not provide secrecy, only identification
  • Trust depends on correct initial verification

A verified PKF strengthens trust but does not replace proper key management.
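The pinning use case and the security considerations above, as an added example that is not part of the original page. It takes a constructed DER-encoded SubjectPublicKeyInfo for an Ed25519 key (the RFC 8410 layout, with made-up key bytes), which is what public-key pinning hashes rather than the whole certificate, and checks it against a fingerprint recorded out-of-band. The check accepts the display forms listed earlier (hex, colon-separated hex, OpenSSH-style "SHA256:" Base64), refuses MD5- and SHA-1-length digests as deprecated, compares in constant time, and reports why a check failed. The accept-list policy and the function names are this example's own, not a standard.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key, i.e.
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits + key) }.
# The 32 key bytes are made up for this example.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

# Stand-ins for values recorded over a trusted channel (constructed here).
_DIGEST = hashlib.sha256(SAMPLE_SPKI).digest()
KNOWN_GOOD_HEX = _DIGEST.hex()
KNOWN_GOOD_OPENSSH = "SHA256:" + base64.b64encode(_DIGEST).decode("ascii").rstrip("=")

# Policy of this example: only SHA-256-length digests are accepted.
# 16-byte (MD5) and 20-byte (SHA-1) values are refused as deprecated.
ACCEPTED_DIGEST_LENGTHS = {32: "sha256"}


def normalize_fingerprint(text: str) -> bytes:
    """Convert a displayed fingerprint into raw digest bytes.
    Handles 'SHA256:<unpadded base64>', plain hex, and colon-separated hex.
    Raises ValueError / binascii.Error on malformed input."""
    text = text.strip()
    if text.upper().startswith("SHA256:"):
        b64 = text[len("SHA256:"):]
        b64 += "=" * (-len(b64) % 4)  # restore the padding OpenSSH strips
        return base64.b64decode(b64, validate=True)
    return bytes.fromhex(text.replace(":", ""))


def verify_pin(spki_der: bytes, pinned: str) -> tuple[bool, str]:
    """Compare the SPKI's fingerprint with the pinned value.
    Returns (ok, reason); the comparison itself is constant-time."""
    try:
        expected = normalize_fingerprint(pinned)
    except (ValueError, binascii.Error):
        return False, "pinned fingerprint is not in a recognised format"
    algorithm = ACCEPTED_DIGEST_LENGTHS.get(len(expected))
    if algorithm is None:
        return False, f"{len(expected)}-byte digest is not an accepted algorithm (MD5/SHA-1 refused)"
    actual = hashlib.new(algorithm, spki_der).digest()
    if not hmac.compare_digest(actual, expected):
        return False, "fingerprint mismatch: presented key differs from the pinned key"
    return True, "fingerprint matches the pinned value"


if __name__ == "__main__":
    colon_form = ":".join(KNOWN_GOOD_HEX[i:i + 2] for i in range(0, 64, 2))
    for label, pin in [("hex", KNOWN_GOOD_HEX), ("colon-hex", colon_form),
                       ("openssh", KNOWN_GOOD_OPENSSH), ("md5-length", "00" * 16),
                       ("other key", "ff" * 32), ("garbage", "not a fingerprint")]:
        print(f"{label:11} -> {verify_pin(SAMPLE_SPKI, pin)}")
```

Because the hash covers the SubjectPublicKeyInfo and not the certificate, a re-issued certificate carrying the same key still passes this check, while a certificate that swaps in a different key fails it regardless of who signed it. The pinned value is only as trustworthy as the channel it was obtained through, which is the "correct initial verification" the considerations above depend on.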

Common misconceptions

  • "A fingerprint encrypts the key"
  • "Fingerprints must be kept secret"
  • "Any hash algorithm is sufficient"
  • "PKFs eliminate the need for certificates"