Encrypted communication sessions are used to secure communication between to programs communicating over an open network such as the Internet. Many encrypted communication sessions utilize a session key for the encryption of the data for that communication session. The session key is used as an parameter of the encryption and decryption algorithms at each computer participating in the communication session to prevent a third party from intercepting and decrypting the data in the communication session. A session key is used once for the specific communication session and then discarded to minimize the possibility that a malicious third party would be able to determine the session key.
Session keys are utilized to thwart certain types of cryptanalytic attacks, but in turn present a risk, because the communicating programs must agree on or share the session key over the open network. The session keys are used, because cryptanalytic attacks are made easier over time as more data is encrypted with the same key. Thus, switching session keys with each communication session limits the duration of time that the same key is used to encrypt data.
A secret key is often shared between the communicating computers and programs. The secret key is delivered by a secure method such as direct local input by an administrator or through a similar system. The session keys protect the secret key by minimizing its direct use in encryption that may expose it to cryptanalytic attacks.
Many bulk encryption algorithms require the use of a shared key that is secure. Secret key algorithms have this property. This type of encryption is often the most practical, especially for encrypting large amounts of data efficiently. Secret key algorithms rely on both secret keys and session keys.
Session keys must be chosen such that they are not predictable by a third party. Typically, this involves the generation of a random number or sequence as part of the process. However, the generation of random values can result in predictable results, because random value generation is often based on stored sequences of values in a computer system. If this stored sequence is known by a third party it can undermine the security of the encryption by making the session keys predictable.