During the Session Key Change process, the DNP3 master generates a new pair of Session Keys and sends an encrypted copy of those Session Keys to the outstation. The DNP3 master encrypts the Session Keys using another key, the Update Key, and a Key Wrap algorithm. The Update Key permits the DNP3 master to change the Session Keys even after a Session Key is compromised.
Session Keys are changed on a regular basis to maintain security. The DNP3 master also initiates a Session Key Change whenever it re-establishes communications with an outstation.