Session keys have to be human readable to allow people to type them in. However, the entropy of the session keys (the randomness) of the keys is then badly compromised since the keys tend to come from real words. To increase the distribution of keys over the space of possible keys, most applications generate the actual session key from the input string by running a hash function over the key such as the MD5 digest function. Whilst this doesn't increase security, it requires attackers to compute an MD5 of every string they want to try.
At which point in the protocol stack to encrypt is yet to be determined - until the IP security architecture described is in place, the current Mbone applications will use the ad hoc approach to encryption discussed in RTP.
Next: IP Security Architecture Up: Security and Policy in Previous: Policy Routing of Multicast Jon CROWCROFT