Session Key
What is Session Key?
A short-lived symmetric key used to protect a single communication session and then discarded.
A session key is a symmetric key — usually AES-128/256 or ChaCha20 — used to provide confidentiality, integrity, and authenticity for the data exchanged during a single session, and then destroyed when the session ends. Session keys are typically derived from a longer-term shared secret or key-exchange output via a KDF such as HKDF, so a single handshake (TLS, SSH, WireGuard, IPsec, Signal) can produce distinct keys for each direction and purpose (encryption, MAC, key update). Their short lifetime and ephemeral nature limit the amount of data exposed if a session key is compromised, and combined with ephemeral Diffie-Hellman they provide perfect forward secrecy for past traffic.
● Examples
1. TLS 1.3 derives the client_application_traffic_secret and server_application_traffic_secret, from which the per-direction traffic keys are expanded, with HKDF.
2. Signal generates a fresh AES-256 message key for each chat message via the Double Ratchet algorithm.
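The derivation described in the definition, as an added example that is not part of the original page: an RFC 5869 HKDF built on Python's standard library turns a single key-exchange output into distinct per-direction session keys and IVs, and checks itself against the RFC's published test vector. The label names and the use of the transcript hash as salt are this example's own simplification, not the exact TLS 1.3 key schedule.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC 5869 default salt of HashLen zeros
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): OKM = T(1) || T(2) || ..., truncated to length."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand cannot produce more than 255 * HashLen bytes")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def derive_session_keys(shared_secret: bytes, transcript: bytes, key_len: int = 32) -> dict:
    """Turn one key-exchange output into distinct per-direction keys and IVs.

    The label names and the transcript-hash-as-salt convention are this example's
    own simplification of the TLS 1.3 key schedule, not any real protocol's encoding.
    """
    prk = hkdf_extract(salt=HASH(transcript).digest(), ikm=shared_secret)
    labels = {"client_write_key": key_len, "server_write_key": key_len,
              "client_write_iv": 12, "server_write_iv": 12}
    return {name: hkdf_expand(prk, name.encode(), size) for name, size in labels.items()}


def rfc5869_test_case_1() -> bool:
    """Known-answer check against RFC 5869 Appendix A, Test Case 1 (SHA-256)."""
    ikm, salt, info = b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")


if __name__ == "__main__":
    # Constructed inputs standing in for an (EC)DH output and a handshake transcript.
    keys = derive_session_keys(b"constructed shared secret", b"constructed transcript")
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
    print("RFC 5869 KAT:", rfc5869_test_case_1())
```

Because the salt is bound to the transcript, a different handshake yields entirely different keys even from the same shared secret, which is what limits exposure when one session's keys leak.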
● Frequently asked questions
What is Session Key?
A short-lived symmetric key used to protect a single communication session and then discarded. It belongs to the Cryptography category of cybersecurity.
How are session keys protected?
Protection of session keys typically combines technical controls and operational practices, as detailed in the full definition above.
What are other names for Session Key?
Common alternative names include: Ephemeral key, Per-session key.