Exchanging Session Keys
To send another user an encrypted message, you must send that user the session key that was used to perform the encryption. There are two ways to approach this:
- The sending user can create a random session key, encrypt it by using the receiver's public key, and send the encrypted key (key blob) to the receiver. This approach is discussed in the following section.
- The sending and receiving users can mutually agree on a session key by exchanging several messages back and forth. The users can then use this session key to send and receive encrypted messages. See Sample Three-Phase Exchange Protocol for a sample three-phase key exchange protocol that can be used for this purpose. Designing one of these protocols is fairly difficult and should only be attempted by an experienced cryptographer.
Note: The procedure described in the following section assumes that the users (or CryptoAPI clients) already possess their own set of public/private key pairs and have also obtained each other's public keys.
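The first approach above (a random session key, wrapped under the receiver's public key and sent alongside the encrypted message) is the pattern usually called hybrid encryption. The following is an added example written for this page, not CryptoAPI code; it uses Go's standard library with assumed algorithm choices of RSA-OAEP (SHA-256) for the key wrap and AES-256-GCM for the message, and the KeyBlob type and function names are constructed for illustration. It also reflects the Note above: both sides are assumed to already hold their own key pair and the receiver's public key is assumed to be authentic. A wrapped key blob alone does not prove who sent it; sender authentication needs a separate signature, which this example does not cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyBlob is the constructed envelope the sender transmits: the session key
// wrapped under the receiver's public key, plus the message encrypted under
// that session key. Field names are assumptions for this example.
type KeyBlob struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, unique per message under this key
	Ciphertext []byte // message (with GCM authentication tag) under the session key
}

// Encrypt is the sender side: create a random session key, encrypt the
// message with it, then wrap the session key with the receiver's public key.
func Encrypt(receiverPub *rsa.PublicKey, plaintext []byte) (*KeyBlob, error) {
	sessionKey := make([]byte, 32) // AES-256 key from the OS CSPRNG
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Wrap the session key so only the holder of the receiver's private key
	// can recover it. OAEP padding is used; PKCS#1 v1.5 is not.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &KeyBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt is the receiver side: unwrap the session key with the private key,
// then decrypt and authenticate the message. Any tampering with the
// ciphertext or a blob wrapped for a different key yields an error.
func Decrypt(receiverPriv *rsa.PrivateKey, blob *KeyBlob) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, blob.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("message failed authentication: %w", err)
	}
	return plaintext, nil
}

func main() {
	// Constructed demo: the receiver's key pair would normally already exist.
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(&receiver.PublicKey, []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(blob.WrappedKey), len(blob.Ciphertext))
	plaintext, err := Decrypt(receiver, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plaintext)
}
```

The session key is never reused across messages here: each call to Encrypt draws a fresh key and nonce, which sidesteps the nonce-reuse failure mode of GCM that would arise if one key were used for many messages with a non-unique nonce.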