4. The Extended Master Secret
4. The Extended Master Secret
When the extended master secret extension is negotiated in a full handshake, the master_secret is computed as
master_secret = PRF(pre_master_secret, "extended master secret",
session_hash)
[0..47];
The extended master secret computation differs from that described in [RFC5246] in the following ways:
-
The "extended master secret" label is used instead of "master secret".
-
The
session_hashis used instead of theClientHello.randomandServerHello.random.
The session_hash depends upon a handshake log that includes ClientHello.random and ServerHello.random, in addition to ciphersuites, key exchange information, and certificates (if any) from the client and server. Consequently, the extended master secret depends upon the choice of all these session parameters.
This design reflects the recommendation that keys should be bound to the security contexts that compute them [SP800-108]. The technique of mixing a hash of the key exchange messages into master key derivation is already used in other well-known protocols such as Secure Shell (SSH) [RFC4251].
Clients and servers SHOULD NOT accept handshakes that do not use the extended master secret, especially if they rely on features like compound authentication that fall into the vulnerable cases described in Section 6.1.