A session key is a key used for encryption of a single message or communication session.

Session keys introduce complication in a crypto system, normally an undesirable end. However, they also help with some real problems, which is why they are used. There are two primary reasons for session keys.

  • First, several cryptanalytic attacks are made easier as more material encrypted with a specific key is available. By limiting the material processed using a particular key, all of those attacks are made more difficult.
  • Second, no encryption algorithm has all desirable properties. For instance, many otherwise good algorithms require that conventional keys be distributed securely before encryption can be used. All secret key encryption algorithms have this undesirable property. There are several algorithms which don't require secure distribution of secret keys, but they are all too slow to be practical. These are the asymmetric key algorithms. By using one of them to distribute an encrypted secret key for another, faster, algorithm, it's possible to improve overall performance (convenience and speed) considerably.

Like all cryptographic keys, session keys must be chosen so that they are unpredictable by an attacker. In the usual case, this means that they must be chosen randomly. Failure to chose seesion keys (or any key) properly is a major (and too common in actual practice) design flaw in any crypto system.

See also: perfect forward secrecy