I have a C++ client/server application where the client and server are my executables. Each time a connection is made between the client and server, I generate a new encryption key for that session, and I wish to transmit this session key and encrypt it using a static key that is built into both the client and server.
However, running strings on my executable reveals the static key.
How can I hide the embedded static key in my client and server application so that it is not easily extracted, thus allowing someone to decode my session key?
His method of exchanging keys "ensures" the client is valid and not an impostor. Just securely exchanging keys using D-H won't do that. In order to get the same functionality he'll need to implement a PKI system. SSL/TLS was built for this purpose; underneath, it will do what he needs.
You'll need to create a CA for your server and sign client certificates to ensure that they are who they say they are.
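As an added example that is not part of the answer above: a shell script showing the private CA and client-certificate issuance the answer recommends, followed by the chain check a TLS server performs on a presented client certificate. It assumes the openssl CLI is installed; the CA names, client names and working directory are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a private CA that signs
# client certificates, and a check that only CA-issued certificates verify.
# Assumes the openssl CLI is installed; all names and paths are made up here.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the commands do not depend on the system openssl.cnf.
# The v3_ca extensions mark the self-signed cert as a CA allowed to sign certs.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

make_ca() {
  # $1 = CA name; writes $WORK/$1.key (keep offline) and $WORK/$1.pem (ship with server)
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_client_cert() {
  # $1 = signing CA name, $2 = client name; the client keeps $2.key, presents $2.pem
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -out "$WORK/$2.pem" 2>/dev/null
}

verify_client() {
  # $1 = CA the server trusts, $2 = client name; prints OK or FAIL.
  # This is the same chain check a TLS server does on a presented client cert.
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Demo: a client cert from our CA passes; one from an impostor's CA does not.
make_ca my-ca
make_ca rogue-ca
issue_client_cert my-ca client-1
issue_client_cert rogue-ca impostor
echo "client-1: $(verify_client my-ca client-1)"   # OK
echo "impostor: $(verify_client my-ca impostor)"   # FAIL
```

The CA private key never leaves the signing machine, so nothing embedded in the shipped binaries lets an attacker mint a client certificate the server would accept.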