A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is traffic encryption key or TEK, which refers to any symmetric key that is used to encrypt traffic messages. Typically TEKs are changed frequently, in some systems daily and in others for every message.
Session keys introduce complexities in a cryptosystem. However, they also help with some real problems, which is why they are used. There are two primary reasons for using session keys:
- First, several cryptanalytic attacks are made easier as more ciphertext encrypted with a specific key is available. By limiting the number of messages encrypted using a single key, those attacks are made more difficult.
- Second, many otherwise good encryption algorithms require that keys be distributed securely before encryption can be used. All symmetric secret key algorithms have this undesirable property. There are other algorithms which don't require secure distribution of secret keys, but they are too slow to be practical for encrypting long messages (see Public-key cryptography). By using one of these "asymmetric" algorithms to distribute an encrypted secret key for another, faster, symmetric-key algorithm, it's possible to improve overall performance considerably.
Like all cryptographic keys, session keys must be chosen so that they are unpredictable by an attacker. In the usual case, this means that they must be chosen randomly. Failure to choose session keys (or any key) properly is a major drawback in any cryptosystem.