3

I have read that a session key is symmetric, and it is encrypted by recipient's public key;

When "Bob" receives a message, does he decrypt it with his private key and he's then in possession of an encrypted message and a session key, which he then uses to decrypt the message?

If my understanding is correct, anyone in possession of Bob's private key can easily determine the session key and decrypt the message. Or did I misunderstand this?

AviD
  • 72,138
  • 22
  • 136
  • 218
Vũ Đức Lộc
  • 39
  • 1
  • 1
  • 2
  • 1
    Yes, anyone in possession of Bob's private key would be able to decrypt the session key. However this isn't really a problem with the system, but rather an indication that Bob is misusing it. It is up to Bob to keep his "private" key private. If Bob goes around leaking his private key, he has no place getting mad that others can decrypt messages meant for him - that's just how it works! – loneboat Aug 11 '15 at 16:37
  • The session key is *not* encrypted with the public key, or with anything else. It is never transmitted at all. @loneboat It isn't a problem with the system because it isn't *part* of the system. – user207421 Mar 26 '18 at 23:35

2 Answers2

7

What is a session key?

A session key is a single-use symmetric key used for encrypting all messages in one communication session.

Scenario:

Alice would like to establish a secure communication with Bob. But she cannot provide the key in plain text, otherwise someone sniffing the communication might be able to decrypt the information later on. What does she do?

Solution:

She sends a symmetric key securely by making use of an asymmetric algorithm. Why not simply doing all the communication with asymmetric algorithm? Because symmetric is way faster!

Implementation:

  1. Alice generates a symmetric key
  2. Alice encrypts an e-mail including the symmetric key by using Bob's public key and send it to him
  3. Bob, the only one who can decrypt the message since he has the respective private key, is able to securely get the symmetric key.
  4. Communication can now be sent by Alice and read by Bob
  • If Bob get the symmetric key,now the communication use only the symmetric key for encrypt and decrypt??....and the asymmetric key in this situation is just for key exchange process? – Vũ Đức Lộc Aug 12 '15 at 03:34
  • Communications of the common people are normally of fairly low volume. I employed my own coding to encrpt and decrypt messages of 10000 characters with RSA alone, with measured cpu time of 2 and 4 sec respectively, which is IMHO practically acceptable. – Mok-Kong Shen Aug 12 '15 at 08:38
  • This is not what SSL/TLS does. The session key is *not* encrypted with the public key, or with anything else. It is never transmitted at all. – user207421 Mar 26 '18 at 23:36
5

If my understanding is correct, anyone in possession of Bob's private key can easily determine the session key and decrypt the message.

Only Bob should have access to Bob's Private Key, hence no one else would be able to decrypt the encrypted session key.

TildalWave
  • 10,801
  • 11
  • 45
  • 84
kevino_17
  • 77
  • 2
  • If no one can have Bob private key,so no one can decrypt the message so why we should use session key to protect the message ?? – Vũ Đức Lộc Aug 11 '15 at 09:51
  • Because using a symmetric session key to encrypt all messages sent back and forth is much faster. OpenPGP, for instance, uses this system. – dr_ Aug 11 '15 at 10:29
  • To clarify when someone says much faster we're talking roughly 2-3 orders of magnitude. AES in CBC mode encrypts (slower direction) at roughly 109 MiB=109*2^20 bytes=~109 MB per second. 2k rsa encrypts at roughly 1MB per second and encryption in RSA is about a 40 times faster then decryption. – DRF Aug 11 '15 at 13:22
  • This is not what SSL/TLS does. The session key is *not* encrypted with the public key, or with anything else. It is never transmitted at all. – user207421 Mar 26 '18 at 23:36