经常在不同的场合, 如Keyladder , RSA, DRM 等等文章中看到session key,但是一直没有一个清晰的理解. 很迷惑什么时候的key可以称之为session key. 后面在一处看到关于session key的描述中, 觉得描述的非常好, 能够很好的解决我的很疑惑.
A session key is an encryption and decryption key that is randomly generated to ensure the security of a communications session between a user and another computer or between two computers. Session keys are sometimes called symmetric keys, because the same key is used for both encryption and decryption. A session key may be derived from a hash value, using the CryptDeriveKey function (this method is called a session-key derivation scheme). Throughout each session, the key is transmitted along with each message and is encrypted with the recipient's public key. Because much of their security relies upon the brevity of their use, session keys are changed frequently. A different session key may be used for each message.
我们知道对称加密的速度非常快,但是会有key交换的问题。 而使用非对称加密,不存在交换key的问题, 但是加密又很慢。所以一般都是结合这两种加密方式的优点进行安全传输。
基本步骤可以描述为 :
Bob : Confidential.bin --> AES Encrypt --> Generate HASH --> RAS public key Encrypt AESKey&HASH
Tim : RAS private key Decrypt AESKey&HASH --> Verify AES encrypted data --> Decrypt Confidential.bin
这个过程中AES Encrypt key就可以称之为session key. 因为这把key可以每次都换也没关系, 这次跟下次不一样也是可以的。其本质就是对称加密的key, 只是叫法不一样。