{"draft":"draft-ietf-tls-session-hash-06","doc_id":"RFC7627","title":"Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension","authors":["K. Bhargavan, Ed.","A. Delignat-Lavaud","A. Pironti","A. Langley","M. Ray"],"format":["ASCII","HTML"],"page_count":"15","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Transport Layer Security","abstract":"The Transport Layer Security (TLS) master secret is not cryptographically bound to important session parameters such as the server certificate. Consequently, it is possible for an active attacker to set up two sessions, one with a client and another with a server, such that the master secrets on the two sessions are the same. Thereafter, any mechanism that relies on the master secret for authentication, including session resumption, becomes vulnerable to a man-in-the-middle attack, where the attacker can simply forward messages back and forth between the client and server. This specification defines a TLS extension that contextually binds the master secret to a log of the full handshake that computes it, thus preventing such attacks.","pub_date":"September 2015","keywords":[],"obsoletes":[],"obsoleted_by":[],"updates":["RFC5246"],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC7627","errata_url":null}
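The abstract's point is a question of what the master-secret derivation takes as input. The following Python is an added illustration, not text or code from RFC 7627 or from any TLS implementation. It implements the TLS 1.2 PRF from RFC 5246 (P_SHA256) and the two derivation rules: RFC 5246's PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random) and RFC 7627's PRF(pre_master_secret, "extended master secret", session_hash). The handshake "messages", nonces and premaster secret are constructed stand-ins; a real session_hash is the negotiated PRF hash (assumed SHA-256 here) over the encoded handshake messages up to and including ClientKeyExchange, and this sketch omits that encoding. The two transcripts differ only in the Certificate message, modelling the two sessions in the abstract where the attacker relays the nonces and arranges the same premaster secret on both sides.

```python
import hashlib
import hmac
from typing import List


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246, section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, "sha256").digest()            # A(i)
        out += hmac.new(secret, a + seed, "sha256").digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret_rfc5246(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Original rule: the master secret depends only on the premaster secret and the two nonces."""
    return prf(pms, b"master secret", client_random + server_random, 48)


def session_hash(handshake_messages: List[bytes]) -> bytes:
    """RFC 7627 session_hash: handshake hash over the concatenated handshake
    messages sent so far. SHA-256 is assumed (the TLS 1.2 default PRF hash);
    real messages would be the encoded Handshake structures."""
    return hashlib.sha256(b"".join(handshake_messages)).digest()


def master_secret_rfc7627(pms: bytes, handshake_messages: List[bytes]) -> bytes:
    """Extended master secret: the whole transcript, server certificate included, is mixed in."""
    return prf(pms, b"extended master secret", session_hash(handshake_messages), 48)


# Constructed values, not taken from any real handshake.
PMS = bytes.fromhex("03" * 48)            # premaster secret the attacker knows on both sessions
CLIENT_RANDOM = bytes(range(32))          # relayed unchanged from client to server
SERVER_RANDOM = bytes(range(32, 64))      # relayed unchanged from server to client
CLIENT_HELLO = b"ClientHello:" + CLIENT_RANDOM
SERVER_HELLO = b"ServerHello:" + SERVER_RANDOM
CLIENT_KEY_EXCHANGE = b"ClientKeyExchange:<encrypted premaster>"

# Session 1: client <-> attacker, attacker presents its own certificate.
TRANSCRIPT_CLIENT_TO_ATTACKER = [CLIENT_HELLO, SERVER_HELLO,
                                 b"Certificate:attacker.example", CLIENT_KEY_EXCHANGE]
# Session 2: attacker <-> server, server presents the genuine certificate.
TRANSCRIPT_ATTACKER_TO_SERVER = [CLIENT_HELLO, SERVER_HELLO,
                                 b"Certificate:server.example", CLIENT_KEY_EXCHANGE]


def compare_derivations() -> dict:
    """Derive the master secret for both sessions under both rules and report
    whether the two sessions end up sharing it."""
    old_client_side = master_secret_rfc5246(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    old_server_side = master_secret_rfc5246(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    ems_client_side = master_secret_rfc7627(PMS, TRANSCRIPT_CLIENT_TO_ATTACKER)
    ems_server_side = master_secret_rfc7627(PMS, TRANSCRIPT_ATTACKER_TO_SERVER)
    return {
        "rfc5246_sessions_share_master_secret": old_client_side == old_server_side,
        "rfc7627_sessions_share_master_secret": ems_client_side == ems_server_side,
        "rfc5246": old_client_side.hex(),
        "rfc7627_client_side": ems_client_side.hex(),
        "rfc7627_server_side": ems_server_side.hex(),
    }


if __name__ == "__main__":
    for key, value in compare_derivations().items():
        print(f"{key}: {value}")
```

With the RFC 5246 rule the two sessions yield the same 48-byte master secret, because every input to the PRF is something the attacker either chose or relayed; with the extended master secret the differing Certificate messages change session_hash and therefore the master secret, so a Finished message or resumption ticket from one session is not accepted on the other. A practitioner checking a deployment should confirm that both peers send the extended_master_secret extension (type 23) and that the server refuses to resume a session derived with one rule under the other, as section 5.3 of the RFC requires.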