In cryptography, a weak key is a key which when used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that if one generates a random key to encrypt a message weak keys are very unlikely to give rise to a security problem. Nevertheless, it is considered desirable for a cipher to have no weak keys. A cipher with no weak keys is said to have a flat, or linear, key space.
Contents 
The block cipher DES has a few specific keys termed "weak keys" and "semiweak keys". These are keys which cause the encryption mode of DES to act identically to the decryption mode of DES (albeit potentially that of a different key).
In operation, the secret 56bit key is broken up into 16 subkeys according to the DES key schedule; one subkey is used in each of the sixteen DES rounds. The weak keys of DES are those which produce sixteen identical subkeys. This occurs when the key bits are:^{[1]}
If an implementation does not consider the parity bits, the corresponding keys with the inverted parity bits may also work as weak keys:
Using weak keys, the outcome of the Permuted Choice 1 (PC1) in the DES key schedule leads to round keys being either all zeros, all ones or alternating zeroone patterns.
Since all the subkeys are identical, and DES is a Feistel network, the encryption function is selfinverting; that is, encrypting twice produces the original plaintext.
DES also has semiweak keys, which only produce two different subkeys, each used eight times in the algorithm: This means they come in pairs K_{1} and K_{2}, and they have the property that:
where E_{K}(M) is the encryption algorithm encrypting message M with key K. There are six semiweak key pairs:
There are also 48 possibly weak keys that produce only four distinct subkeys (instead of 16). They can be found in ^{[2]}
These weak and semiweak keys are not considered "fatal flaws" of DES. There are 2^{56} (7.21 × 10^{16}, about 72 quadrillion) possible keys for DES, of which four are weak and twelve are semiweak. This is such a tiny fraction of the possible keyspace that users do not need to worry. If they so desire, they can check for weak or semiweak keys when the keys are generated. They are very few, and easy to recognize. Note, however, that DES is not recommended for general use since all keys can be bruteforced in about a day for a onetime hardware cost on the order of some new cars.
The goal of having a 'flat' keyspace (ie, all keys equally strong) is always a cipher design goal. As in the case of DES, sometimes a small number of weak keys is acceptable, provided that they are all identified or identifiable. An algorithm that has weak keys which are unknown does not inspire much trust.
The two main countermeasures against inadvertently using a weak key:
A large number of weak keys is a serious flaw in any cipher design, since there will then be a (perhaps too) large chance that a randomly generated one will be a weak one, compromising the security of messages encrypted under it. It will also take longer to check randomly generated keys for weakness in such cases, which will tempt shortcuts in interest of 'efficiency'.
However, weak keys are much more often a problem where the adversary has some control over what keys are used, such as when a block cipher is used in a mode of operation intended to construct a secure cryptographic hash function (eg DaviesMeyer).
In cryptography, a weak key is a key which when used with a specific cipher, makes the cipher behave in some undesirable way, and simplifies breaking (cracking) the ciphertext.
Weak keys usually represent a very small fraction of the overall key space, which means that if someone generates a random key to encrypt a message, it is a rare condition that weak keys will cause a security problem. However, it is considered a good design for a cipher to have no weak keys ("quality chiper"). A cipher with no weak keys is said to have a flat, or linear, key space.
