"Authentication keys" are usually obtained from the maintainer of the software repository. The maintainer will often place a copy of the authentication key on a public key server such as www.keyserver.net. The key can then be retrieved using the command.
Apt-get package management uses public key cryptography to authenticate downloaded packages.
Debian does an excellent job of explaining Secure apt on this wiki page.
What follows is a short summary of the key acquisition and verification process gleaned from Debian's wiki page.
Basic Concepts Public key cryptography is based on pairs of keys, a public key and a private key. The public key is given out to the world; the private key must be kept a secret. Anyone possessing the public key can encrypt a message so that it can only be read by someone possessing the private key. It's also possible to use a private key to sign a file, not encrypt it. If a private key is used to sign a file, then anyone who has the public key can check that the file was signed by that key. No one who doesn't have the private key can forge such a signature.
gpg (GNU Privacy Guard) is the tool used in secure apt to sign files and check their signatures.
apt-key is a program that is used to manage a keyring of gpg keys for secure apt. The keyring is kept in the file /etc/apt/trusted.gpg (not to be confused with the related but not very interesting/etc/apt/trustdb.gpg). apt-key can be used to show the keys in the keyring, and to add or remove a key.
Each time you add another apt repository to /etc/apt/sources.list, you'll also have to give apt its key if you want apt to trust it. Once you have obtained the key, you can validate it by checking the key's fingerprint and then signing this public key with your private key. Y