8. Cryptographic Computations
8.1. Computing the Master Secret
For all key exchange methods, the same algorithm is used to convert the pre_master_secret into the master_secret. The pre_master_secret should be deleted from memory once the master_secret has been computed.
      master_secret = PRF(pre_master_secret, "master secret",
                          ClientHello.random + ServerHello.random)
                          [0..47];
The master secret is always exactly 48 bytes in length. The length of the premaster secret will vary depending on key exchange method.
8.1.1. RSA
When RSA is used for server authentication and key exchange, a 48-byte pre_master_secret is generated by the client, encrypted under the server's public key, and sent to the server. The server uses its private key to decrypt the pre_master_secret. Both parties then convert the pre_master_secret into the master_secret, as specified above.
RSA-encrypted premaster secret message structure:
      struct {
          ProtocolVersion client_version;
          opaque random[46];
      } PreMasterSecret;
client_version
- The latest (highest) version supported by the client. This is used to detect version rollback attacks.
random
- 46 securely-generated random bytes.
8.1.2. Diffie-Hellman
A conventional Diffie-Hellman computation is performed. The negotiated key (Z) is used as the pre_master_secret, and is converted into the master_secret, as specified above. Leading bytes of Z that contain all zero bits are stripped before it is used as the pre_master_secret.
Note: Diffie-Hellman parameters are specified by the server and may be either ephemeral or contained within the server's certificate.
For complete computation details and information on other key exchange algorithms, please refer to the full text of Section 8 of RFC 5246.
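The following Python sketch is an added example, not text from the RFC. It carries out the master_secret computation of Section 8.1 for both premaster forms described above. It assumes the PRF is P_SHA256 as defined in Section 5 of RFC 5246 (not reproduced on this page); the function names, the toy modulus, and the sample random values are constructed for illustration.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash data expansion (RFC 5246 Section 5) with HMAC-SHA256."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master_secret: bytes, client_random: bytes,
                  server_random: bytes) -> bytes:
    """Section 8.1: PRF(pms, "master secret", randoms)[0..47]."""
    seed = b"master secret" + client_random + server_random  # label + seed
    return p_sha256(pre_master_secret, seed, 48)


def rsa_pre_master_secret(client_version=(3, 3)) -> bytes:
    """Section 8.1.1: ProtocolVersion (2 bytes) + 46 random bytes."""
    return bytes(client_version) + os.urandom(46)


def dh_pre_master_secret(z: int, p: int) -> bytes:
    """Section 8.1.2: Z as big-endian bytes, leading zero bytes stripped."""
    width = (p.bit_length() + 7) // 8
    return z.to_bytes(width, "big").lstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values, not taken from a real handshake.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    toy_p = 2**127 - 1          # toy modulus, far too small for real use
    toy_z = 0x1234              # toy shared value with many leading zero bytes
    pms = dh_pre_master_secret(toy_z, toy_p)
    print("DH pre_master_secret:", pms.hex())
    print("master_secret:", master_secret(pms, client_random, server_random).hex())
    # Skipping the strip changes the HMAC key and therefore the master secret.
    padded = toy_z.to_bytes(16, "big")
    print("unstripped differs:",
          master_secret(padded, client_random, server_random)
          != master_secret(pms, client_random, server_random))
```

If one peer strips the leading zero bytes of Z and the other does not, the two sides derive different master secrets and the handshake fails at the Finished messages, which is why the stripping rule has to be applied identically on both ends.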