Session authentication may describe various techniques for securing electronic communications between two computing devices, such as a server device and a client device, using a unique session key (e.g., a session identifier (ID)). Selecting a session key that cannot be guessed is thus an important element of preventing attacks whereby a perpetrator derives the session key and then uses it to intercept communications by tapping into the communication path between the server device and the client device. This security concern is amplified in high volume session authentication systems designed to authenticate multiple sessions between multiple computing devices, such as multiple server devices and multiple client devices, at any given time.
Generating session IDs to be used in session authentication often relies upon the use of pseudo-random number generation. While often referred to as “random number generation,” in truth it has historically been difficult to generate truly random numbers, and tools for “random” number generation have usually employed procedures whose outputs can be reproduced if certain underlying inputs are known. And while historically such pseudo-random number generation has been sufficient to generate session IDs that prevent malicious access, methods relying upon pseudo-random number generation are becoming increasingly susceptible to attack as the availability of computing power has increased. If a perpetrator has access to a user's device or information related to a user's session such as the user's access time, there are now often sufficient computing resources for a malicious attacker to perform a brute force attack exploiting the patterns inherent in traditional pseudo-random number generation techniques. In this way, a user's session may be compromised by an attacker who is able to replicate the user's session key. As alluded to above, this vulnerability has emerged by virtue of the new technical problems posed by the growing computing resources available today, because perpetrators have a greater ability to determine the method by which a session key is pseudo-randomly generated, replicate the method to generate the same session key, and then break into a user's session.