PGP key ID.
A shortened key identifier derived from the tail of the fingerprint — 8 hex characters for short IDs, 16 hex for long IDs. Useful as a compact label, dangerous as a primary identifier, because short key IDs have been collided in real attacks.
A PGP key ID is the last 8 or 16 hex characters of a key's fingerprint. "Short key ID" is 8 hex (32 bits); "long key ID" is 16 hex (64 bits). The full fingerprint is 40 hex (160 bits) and is the only truly safe identifier.
What it is.
Historical OpenPGP tools needed a way to refer to a key in compact form — fingerprints are 40 characters, too long to fit in a key listing or to read aloud. The key ID was the answer: truncate the fingerprint to the last few characters and use that as a shorthand.
There are two flavors. A short key ID is the last 8 hex characters (32 bits of fingerprint). A long key ID is the last 16 hex characters (64 bits). Both are deterministic — the same key always produces the same key ID — but neither contains enough entropy to be collision-resistant against a motivated attacker.
Why it matters (the collision problem).
In 2014, the Evil 32 project demonstrated practical short-key-ID collisions: generating a fresh key whose short key ID matches the short key ID of a target key took roughly four seconds on commodity hardware. The attacker could then upload the colliding fake key to keyservers; anyone looking up the target by short key ID could pull down the attacker's key instead.
Long key IDs (64 bits) are harder to collide but not infeasible — within reach of a well-resourced attacker, and getting easier every year as hardware improves. Only the full 160-bit fingerprint is considered cryptographically safe for identification today.
The practical rule: never publish a short key ID as your identity. Use the full fingerprint. When tools display short or long key IDs, they're convenience labels, not identity proofs.
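An added example (not part of the original page) of applying that rule in a tool: it derives the short and long key IDs from each fingerprint, reports any key ID shared by more than one key in a keyring, and selects a key only when given the full fingerprint. The function names and the sample keyring are assumptions made for illustration, and the fingerprints are constructed values, not real keys.

```python
import re
from collections import defaultdict

HEX40 = re.compile(r"[0-9A-F]{40}")  # 160-bit fingerprint, as described above

def normalize(identifier):
    """Drop spaces and an optional 0x prefix, then upper-case the hex."""
    s = identifier.replace(" ", "").upper()
    return s[2:] if s.startswith("0X") else s

def key_ids(fingerprint):
    """Return (short_id, long_id): the last 8 and last 16 hex characters."""
    fpr = normalize(fingerprint)
    if not HEX40.fullmatch(fpr):
        raise ValueError("expected a 40-hex-character fingerprint")
    return fpr[-8:], fpr[-16:]

def ambiguous_ids(fingerprints):
    """Map every key ID shared by two or more keys to their fingerprints."""
    seen = defaultdict(set)
    for f in fingerprints:
        for kid in key_ids(f):
            seen[kid].add(normalize(f))
    return {kid: sorted(fprs) for kid, fprs in seen.items() if len(fprs) > 1}

def resolve(identifier, fingerprints):
    """Select a key by full fingerprint only; key IDs are rejected."""
    ident = normalize(identifier)
    if not HEX40.fullmatch(ident):
        raise ValueError("key ID refused; supply the full fingerprint")
    for f in fingerprints:
        if normalize(f) == ident:
            return normalize(f)
    raise KeyError(ident)

# Constructed sample keyring (not real keys). The first two entries were
# written to share the short key ID 01234567 while their long IDs differ.
KEYRING = [
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA987654321001234567",
    "1111222233334444555566667777888899990000",
]

if __name__ == "__main__":
    for kid, fprs in ambiguous_ids(KEYRING).items():
        print(f"key ID {kid} is ambiguous:", *fprs, sep="\n  ")
```

Run against a real keyring export, a non-empty result from `ambiguous_ids` means at least one key ID in that keyring cannot be used to tell two keys apart.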