Once you have a wordpress.com username and password, you log in at wordpress.com and there is spot to retrieve your key. WordPress.com looks all different to me today, but the key is stored in there somewhere. Just look around.
Once you have that, enter it in your config.php and start blocking spam.