Session keys can introduce complications into a system, yet they solve some real problems. There are two primary reasons to use session keys:
Generating an MD5 from a unique ID is naive and reduces much of the value of unique IDs, as well as providing significant (attackable) stricture on the MD5 domain. That's a deeply broken thing to do. The correct approach is to use the unique ID on its own; it's already geared for non-collision. Now, this key can be either used as an encryption key or a MAC key. It simply has to be a symmetric and valid for a particular session. In context of TLS, people usually use the term session keys for the four keys derived from the Master Secret (client write MAC key, server write MAC key, client write encryption key, and server write encryption.
Several cryptanalytic attacks become easier the more material encrypted with a specific key is available. By limiting the amount of data processed using a particular key, those attacks are rendered harder to perform.
asymmetric encryption is too slow for many purposes, and all secret key algorithms require that the key is securely distributed. By using an asymmetric algorithm to encrypt the secret key for another, faster, symmetric algorithm, it's possible to improve overall performance considerably. This is the process used by PGP and GPG.[1]
Like all cryptographic keys, session keys must be chosen so that they cannot be predicted by an attacker, usually requiring them to be chosen randomly. Failure to choose session keys (or any key) properly is a major (and too common in actual practice) design flaw in any crypto system.[citation needed]
See also[edit]
Php Generate Session Key
References[edit]
Php Generate Unique Session Key Studio
^OpenPGP Message Format http://tools.ietf.org/html/rfc4880
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Session_key&oldid=945043730'