# Session key

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Session_key
> Markdown URL: https://mediated.wiki/source/Session_key.md
> Source: https://en.wikipedia.org/wiki/Session_key
> Source revision: 1341098745
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

A '''session key''' is a single-use [symmetric key](/source/symmetric_key) used for [encrypting](/source/encrypting) all [message](/source/message)s in one [communication session](/source/Session_(computer_science)). Closely related terms are '''content encryption key''' ('''CEK'''), '''traffic encryption key''' ('''TEK'''), and '''[multicast](/source/multicast) key''', each of which refers to any key used for encrypting messages, as opposed to keys with other uses such as encrypting other keys ('''key encryption key''' ('''KEK''') or '''key wrapping key''').

Session keys can introduce complications into a system, yet they solve some real problems. There are two primary reasons to use session keys:

1. Several cryptanalytic attacks become easier the more material encrypted with a specific key is available. By limiting the amount of data processed using a particular key, those attacks are rendered harder to perform.
2. [Asymmetric encryption](/source/public_key_cryptography) is too slow for many purposes, and all [secret key algorithm](/source/symmetric_key_algorithm)s require that the key is securely distributed. By using an asymmetric algorithm to encrypt the secret key for another, faster, symmetric algorithm, it's possible to improve overall performance considerably. This is the process used by [TLS](/source/Transport_Layer_Security) ([What is a session key? Session keys and TLS handshakes](https://www.cloudflare.com/learning/ssl/what-is-a-session-key/), accessed 2024-08-21) and by [PGP](/source/Pretty_Good_Privacy) (OpenPGP, http://tools.ietf.org/html/rfc9580).

Like all [cryptographic keys](/source/cryptographic_keys), session keys must be chosen so that an attacker cannot predict them, which usually means choosing them randomly. Failure to choose session keys (or any key) properly is a major design flaw in any cryptosystem, and one that is too common in actual practice.
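
The key hierarchy described above (a key encryption key that only ever encrypts keys, and a fresh random session key that encrypts the traffic) as an added example, not code from the article or from TLS or PGP. Assumptions: a shared symmetric KEK stands in for the recipient's public key, an HMAC-SHA256 encrypt-then-MAC construction stands in for a real AEAD cipher such as AES-GCM, and the names `seal`, `unseal`, `send` and `receive` are hypothetical.

```python
import hashlib
import hmac
import secrets

def _stream(key, nonce, n):
    """Stand-in keystream: HMAC-SHA256 in counter mode (illustrative, not a real cipher)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(key):
    """Derive separate encryption and MAC keys from one key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, data):
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError on tampering or a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct))))

def send(kek, message):
    """One session: a fresh session key from the OS CSPRNG, wrapped under the KEK."""
    session_key = secrets.token_bytes(32)  # never derived from time, counters or random.random()
    return seal(kek, session_key), seal(session_key, message)

def receive(kek, wrapped_key, body):
    session_key = unseal(kek, wrapped_key)  # the KEK only ever decrypts keys
    return unseal(session_key, body)        # the session key decrypts the traffic
```

Because each call to `send` draws a new session key, recovering the key of one session does not open any other session protected by the same KEK.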

## See also
* [Ephemeral key](/source/Ephemeral_key)
* [Random number generator](/source/Random_number_generator)
* [List of cryptographic key types](/source/List_of_cryptographic_key_types)
* [One-time pad](/source/One-time_pad)
* [Perfect forward secrecy](/source/Perfect_forward_secrecy)


---
Adapted from the Wikipedia article [Session key](https://en.wikipedia.org/wiki/Session_key) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Session_key?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
