RFC 7627

Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension, September 2015

Canonical URL:
https://www.rfc-editor.org/rfc/rfc7627.txt
File formats:
Plain TextPDF
Status:
PROPOSED STANDARD
Updates:
RFC 5246
Authors:
K. Bhargavan, Ed.
A. Delignat-Lavaud
A. Pironti
A. Langley
M. Ray
Stream:
IETF
Source:
tls (sec)

Cite this RFC: TXT  |  XML

DOI:  10.17487/RFC7627

Discuss this RFC: Send questions or comments to tls@ietf.org

Other actions: Find Errata (if any)  |  Submit Errata  |  Find IPR Disclosures from the IETF


Abstract

The Transport Layer Security (TLS) master secret is not cryptographically bound to important session parameters such as the server certificate. Consequently, it is possible for an active attacker to set up two sessions, one with a client and another with a server, such that the master secrets on the two sessions are the same. Thereafter, any mechanism that relies on the master secret for authentication, including session resumption, becomes vulnerable to a man-in-the-middle attack, where the attacker can simply forward messages back and forth between the client and server. This specification defines a TLS extension that contextually binds the master secret to a log of the full handshake that computes it, thus preventing such attacks.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 4844.


Download PDF Reader



Search RFCs
Advanced Search
×