Are these terms interchangeable? I understand that there are public and private keys. Is the session secret just a private session key?
Session Key: An encryption and decryption key that is randomly generated to ensure the security of a communications session between a user and another computer or between two computers
Throughout each session, each message is encrypted with the recipient's public key and decrypted using the private key.
In the context of cryptography there is NO official terminology "session secret" that I am aware of. It could exist in the context of a framework or library, however, which is Express in this case, I assume.
"It's used to encrypt the session cookie so that you can be reasonably (but not 100%) sure the cookie isn't a fake one" (quoted from "Importance of session secret key in Express web framework")
Himalay Majumdar
- Session keys are negotiated via key agreement protocols. Not sent backwards and forwards, and certainly not with each message, which would be both pointless and extremely inefficient. SSL officially uses the concept of 'session secrets'. Answer is completely incorrect. – user207421 Mar 19 '17 at 23:32
- Thank you, I do agree partially and hence have taken off "this key is transmitted along". I am however yet to see your definition of "session secrets". Could you please share a link to official SSL docs describing "session secrets"? In many open source projects such as Express "session secrets" are used to encrypt session cookies. – Himalay Majumdar Mar 21 '17 at 17:37