To establish an authenticated and encrypted connection between two users on a nonsecure network, the users can exchange a set of messages to negotiate a pair of encryption keys: one key encrypts the messages that the first user sends to the second, and the other encrypts the messages sent in the opposite direction. This protocol ensures that both users are currently active and are sending messages directly to each other. In other words, this protocol prevents replay and man-in-the-middle attacks.
Note: This section assumes that both users involved already possess their own set of public/private key pairs and that they have also obtained each other's public keys.
It is further assumed that the users have already exchanged human-readable user names. This is generally done at the same time the public keys are exchanged, because the user name is included as part of each certificate. When necessary, the public key data can be used as the user name, although this is not recommended. All that really matters, though, is that each user's user name be tightly bound to his or her public key and that both users agree on what their respective user names are.
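The following is an added example, not code from the original documentation: it shows how the two directional keys described above can be derived from a negotiated shared secret, with each user's name and public key bound into the derivation. The shared secret, the user names and the public key bytes are constructed placeholders standing in for the values the real exchange would produce.

```python
import hashlib
import hmac

# Added example (not from the original documentation): derive the two
# directional keys the text describes from a shared secret that the
# negotiation is assumed to have already produced.  Both users' names and
# public keys are mixed into the derivation, so each key is bound to exactly
# who is sending to whom.

def _field(b: bytes) -> bytes:
    """Length-prefix a field so adjacent fields cannot be re-split."""
    return len(b).to_bytes(4, "big") + b


def derive_directional_key(secret: bytes, sender: tuple, receiver: tuple) -> bytes:
    """32-byte key for traffic flowing sender -> receiver.

    sender and receiver are (user_name, public_key_bytes) pairs.
    HMAC-SHA256 keyed by the shared secret serves as the KDF here.
    """
    info = (_field(b"direction:sender->receiver")
            + _field(sender[0].encode()) + _field(sender[1])
            + _field(receiver[0].encode()) + _field(receiver[1]))
    return hmac.new(secret, info, hashlib.sha256).digest()


def session_keys(secret: bytes, me: tuple, peer: tuple) -> tuple:
    """(my send key, my receive key) from one user's point of view."""
    return (derive_directional_key(secret, me, peer),
            derive_directional_key(secret, peer, me))


def demo() -> dict:
    # Constructed sample values; real public keys and the negotiated secret
    # would come from the certificates and the message exchange.
    secret = b"negotiated-shared-secret-placeholder"
    alice = ("alice", b"ALICE-PUBKEY-PLACEHOLDER")
    bob = ("bob", b"BOB-PUBKEY-PLACEHOLDER")
    a_send, a_recv = session_keys(secret, alice, bob)
    b_send, b_recv = session_keys(secret, bob, alice)
    # If Bob held a different name for Alice (name not tightly bound to her
    # key), his keys no longer line up with hers and decryption fails.
    b_send_bad, b_recv_bad = session_keys(secret, bob, ("alicia", alice[1]))
    return {
        "keys_match": a_send == b_recv and a_recv == b_send,
        "directions_differ": a_send != a_recv,
        "mismatched_name_detected": b_recv_bad != a_send,
        "key_length": len(a_send),
    }
```

A mismatch between the two users' ideas of a name shows up as keys that do not agree, which is the practical reason the text insists that names be tightly bound to public keys.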